[Bug 1594394] Re: Using setreuid / setegid crashes x86_64 user-mode target
From: Steve Dodd
Subject: [Bug 1594394] Re: Using setreuid / setegid crashes x86_64 user-mode target
Date: Thu, 06 Aug 2020 20:53:55 -0000
Sorry, lost your reply in amongst the chaos of my life! OK, quick test
case (type at command line, don't run as script!), host arch is x86-64,
you need qemu-user-static installed.
wget https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-armhf-root.tar.xz
sudo -s
mkdir armcont
cd armcont
tar xf ../bionic-server-cloudimg-armhf-root.tar.xz
cd ..   # back to the parent directory so the armcont/ paths below resolve
cp /usr/bin/qemu-arm-static armcont/usr/bin/
rm armcont/etc/resolv.conf; cp /etc/resolv.conf armcont/etc/
systemd-nspawn -D armcont/
do-release-upgrade -d # may need to drop the "-d" once 20.04.1 is released
Yields:
qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x601540af
--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1594394
Title:
Using setreuid / setegid crashes x86_64 user-mode target
Status in QEMU:
New
Bug description:
When setreuid() or setegid() are called from x86_64 target code in
user mode, qemu crashes inside the NPTL signal handlers. x86 targets
do not directly use a syscall to handle setreuid() / setegid();
instead the x86 NPTL implementation sets up a temporary data region in
memory (__xidcmd) and issues a signal (SIGRT1) to all threads,
allowing the handler for that signal to issue the syscall. Under
qemu, __xidcmd remains null (see variable display below backtrace).
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
263 nptl-init.c: No such file or directory.
(gdb) thread apply all bt
Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
#0 0x00000000601cc430 in syscall ()
#1 0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) at /build/qemu/util/qemu-thread-posix.c:292
#2 qemu_event_wait (ev=0x62367bb0 <rcu_call_ready_event>) at /build/qemu/util/qemu-thread-posix.c:399
#3 0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at /build/qemu/util/rcu.c:250
#4 0x0000000060176f8c in start_thread (arg=0x3fff87e8efc0) at pthread_create.c:336
#5 0x00000000601cebf4 in clone ()
Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
#0 0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
#1 <signal handler called>
#2 0x00000000601cc42c in syscall ()
#3 0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/qemu/linux-user/syscall.c:748
#4 do_futex (val3=<optimized out>, uaddr2=275186650880, timeout=0, val=1129, op=128, uaddr=275186651116) at /build/qemu/linux-user/syscall.c:6201
#5 do_syscall (cpu_env=0x1000abfd350, num=<optimized out>, arg1=275186651116, arg2=<optimized out>, arg3=1129, arg4=0, arg5=275186650880, arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651
#6 0x00000000600347b8 in cpu_loop (env=0x1000abfd350) at /build/qemu/linux-user/main.c:317
#7 0x0000000060036ae0 in clone_func (arg=0x3fffc4c2ca38) at /build/qemu/linux-user/syscall.c:5445
#8 0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at pthread_create.c:336
#9 0x00000000601cebf4 in clone ()
Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
#0 0x00000000601cc430 in syscall ()
#1 0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/qemu/linux-user/syscall.c:748
#2 do_futex (val3=<optimized out>, uaddr2=1, timeout=0, val=1, op=128, uaddr=275078324992) at /build/qemu/linux-user/syscall.c:6201
#3 do_syscall (cpu_env=0x1000aa23890, num=<optimized out>, arg1=275078324992, arg2=<optimized out>, arg3=1, arg4=0, arg5=1, arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651
#4 0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at /build/qemu/linux-user/main.c:317
#5 0x00000000600020e4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /build/qemu/linux-user/main.c:4779
(gdb) p __xidcmd
$1 = (struct xid_command *) 0x0
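The bug description above explains why glibc does not simply issue the setreuid()/setegid() syscall from the calling thread: Linux keeps credentials per task, so NPTL stores the request in __xidcmd and signals every thread (the SIGSETXID handler, signal 33 in the backtrace) to repeat the syscall itself. The program below is an added regression check written for this thread, not code from the bug report or from QEMU. It parks several worker threads, has the main thread call setreuid()/setegid(), and then has every worker read its own credentials with raw syscalls so that the kernel-side value of each task is compared rather than anything cached in libc. The thread count, the struct names and check_setxid_propagation() are this example's own choices. An unprivileged caller can only set the ids to their current values, which still exercises the broadcast path; on a QEMU user-mode target with the fault described above, the crash shows up as a SIGSEGV during the setreuid() call, while on a working host the function returns 0.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw credential reads go straight to the kernel, so each thread reports what
 * its own task holds. 32-bit x86 exposes the modern ids as the *32 syscalls. */
#ifdef SYS_getuid32
#define RAW_GETUID  SYS_getuid32
#define RAW_GETEUID SYS_geteuid32
#define RAW_GETEGID SYS_getegid32
#else
#define RAW_GETUID  SYS_getuid
#define RAW_GETEUID SYS_geteuid
#define RAW_GETEGID SYS_getegid
#endif

struct creds { long ruid, euid, egid; };

static void read_raw_creds(struct creds *c)
{
    c->ruid = syscall(RAW_GETUID);
    c->euid = syscall(RAW_GETEUID);
    c->egid = syscall(RAW_GETEGID);
}

/* Per-worker state (constructed for this example). The barrier sequences
 * "workers exist as tasks" -> "main has called setreuid/setegid" -> "sample". */
struct worker {
    pthread_t tid;
    pthread_barrier_t *after_setxid;
    struct creds seen;
};

static void *worker_main(void *arg)
{
    struct worker *w = arg;
    pthread_barrier_wait(w->after_setxid);  /* block until main changed the ids */
    read_raw_creds(&w->seen);
    return NULL;
}

/* Returns 0 when every worker's kernel-side credentials equal the calling
 * thread's after setreuid()/setegid(); otherwise the number of threads that
 * disagree, or -1 when thread setup or the setxid call itself failed. */
int check_setxid_propagation(int nthreads)
{
    pthread_barrier_t after_setxid;
    struct worker *ws = calloc((size_t)nthreads, sizeof *ws);
    if (!ws || pthread_barrier_init(&after_setxid, NULL, (unsigned)nthreads + 1))
        return -1;

    for (int i = 0; i < nthreads; i++) {
        ws[i].after_setxid = &after_setxid;
        if (pthread_create(&ws[i].tid, NULL, worker_main, &ws[i]))
            return -1;
    }

    /* Workers are parked on the barrier, so they are separate tasks when the
     * setxid request goes out and glibc must broadcast it to them. */
    if (setreuid(getuid(), geteuid()) != 0 || setegid(getegid()) != 0) {
        perror("setreuid/setegid");
        return -1;
    }
    struct creds mine;
    read_raw_creds(&mine);

    pthread_barrier_wait(&after_setxid);    /* release the workers to sample */

    int mismatches = 0;
    for (int i = 0; i < nthreads; i++) {
        pthread_join(ws[i].tid, NULL);
        if (ws[i].seen.ruid != mine.ruid || ws[i].seen.euid != mine.euid ||
            ws[i].seen.egid != mine.egid) {
            fprintf(stderr, "thread %d: uid %ld/%ld gid %ld, main: uid %ld/%ld gid %ld\n",
                    i, ws[i].seen.ruid, ws[i].seen.euid, ws[i].seen.egid,
                    mine.ruid, mine.euid, mine.egid);
            mismatches++;
        }
    }
    pthread_barrier_destroy(&after_setxid);
    free(ws);
    return mismatches;
}

int main(void)
{
    int bad = check_setxid_propagation(4);
    if (bad < 0)
        return 2;
    puts(bad ? "credentials diverged between threads"
             : "credentials consistent across threads");
    return bad ? 1 : 0;
}
```

Build with cc -pthread; run it natively first to confirm a clean exit, then under the user-mode QEMU binary for the target in question. A non-zero exit means some task never received the broadcast, while a SIGSEGV inside the signal handler is the failure mode this bug report describes.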