Am 11/05/15 um 17:56 schrieb Theo de Raadt:
To isolate it, can you try changing your shell to something from ports
and see if it does the same?

panic: ni_pledge

running process is sh

trace:
panic
pledge_namei
namei
emul_find
linux_elf_probe
exec_elf32_makecmds
check_exec
sys_execve
syscall

This diff might help.  That specific panic was put into pledge for
the specific purpose of finding such missing initializations as we
transition towards tighter namei handling in pledge.

Index: compat/common/compat_util.c
===================================================================
RCS file: /cvs/src/sys/compat/common/compat_util.c,v
retrieving revision 1.16
diff -u -p -u -r1.16 compat_util.c
--- compat/common/compat_util.c 14 Mar 2015 03:38:46 -0000      1.16
+++ compat/common/compat_util.c 5 Nov 2015 16:54:54 -0000
@@ -105,6 +105,7 @@ emul_find(struct proc *p, caddr_t *sgp,
                *cp = '\0';

                NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, p);
+               nid.ni_pledge = PLEDGE_EXEC;

                if ((error = namei(&nd)) != 0)
                        goto bad;
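Review bot: The added assignment writes to `nid`, but the nameidata that NDINIT initialises and namei() receives in this hunk is `nd`. Unless a `nid` is declared outside the hunk, this either fails to compile or leaves `nd.ni_pledge` unset, so the `panic: ni_pledge` check in pledge_namei shown in the trace above would still be reachable. The line should read `nd.ni_pledge = PLEDGE_EXEC;` here and in the second hunk (-112), and `ndroot.ni_pledge = PLEDGE_EXEC;` in the third hunk (-126), where the lookup goes through `ndroot`. A short comment above the first assignment, such as `/* pledge_namei() panics if ni_pledge is not set after NDINIT */`, would record why every NDINIT in emul_find needs it. emul_find's body starts and ends outside these hunks.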
@@ -112,6 +113,7 @@ emul_find(struct proc *p, caddr_t *sgp,
                *cp = '/';
        } else {
                NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, buf, p);
+               nid.ni_pledge = PLEDGE_EXEC;

                if ((error = namei(&nd)) != 0)
                        goto bad;
@@ -126,6 +128,7 @@ emul_find(struct proc *p, caddr_t *sgp,
                 */
                /* XXX: prototype should have const here for NDINIT */
                NDINIT(&ndroot, LOOKUP, FOLLOW, UIO_SYSSPACE, prefix, p);
+               nid.ni_pledge = PLEDGE_EXEC;

                if ((error = namei(&ndroot)) != 0)
                        goto bad2;


With the patch I was able to use ktrace / kdump. The program crashes the system reliably. Here is the result:

 30829          EMUL  "native"
 30829 ktrace   RET   ktrace 0
 30829 ktrace   CALL  execve(0xcf7f0830,0xcf7f0780,0xcf7f0788)
 30829 ktrace   NAMI  "/usr/local/bin/textmaker12"
 30829 ktrace   NAMI  "/bin/sh"
 30829 ktrace   ARGS
        [0] = "/bin/sh"
        [1] = "/usr/local/bin/textmaker12"
 30829          EMUL  "native"
 30829 sh       RET   execve 0
 30829 sh       CALL  mprotect(0x340f3000,0x2000,0x1<PROT_READ>)
 30829 sh       RET   mprotect 0
 30829 sh       CALL  kbind(0,0,0,0x140eec8b)
 30829 sh       RET   kbind 0
 30829 sh       CALL  sysctl(6.7<hw.pagesize>,0x34101584,0xcf7d7c2c,0,0)
 30829 sh       RET   sysctl 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2045644800/0x79ee1000
 30829 sh       CALL  mprotect(0x79ee1000,0x1000,0x1<PROT_READ>)
 30829 sh       RET   mprotect 0
 30829 sh       CALL  pledge(0x340edebc,0)
30829 sh STRU pledge request="stdio rpath wpath cpath fattr flock getpw proc exec tty"
 30829 sh       RET   pledge 0
 30829 sh       CALL  readlink(0x340f0301,0xcf7d7a88,63)
 30829 sh       NAMI  "/etc/malloc.conf"
 30829 sh       RET   readlink -1 errno 2 No such file or directory
 30829 sh       CALL  issetugid()
 30829 sh       RET   issetugid 0
 30829 sh       CALL  getentropy(0xcf7d79d0,40)
 30829 sh       RET   getentropy 0
30829 sh CALL mmap(0,0x448,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2114609152/0x81f5a000
 30829 sh       CALL  minherit(0x81f5a000,0x448,MAP_INHERIT_ZERO)
 30829 sh       RET   minherit 0
30829 sh CALL mmap(0,0x3000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2144292864/0x7fcf5000
 30829 sh       CALL  mprotect(0x7fcf5000,0x1000,0<PROT_NONE>)
 30829 sh       RET   mprotect 0
 30829 sh       CALL  mprotect(0x7fcf7000,0x1000,0<PROT_NONE>)
 30829 sh       RET   mprotect 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2111733760/0x7dde8000
 30829 sh       CALL  mprotect(0x340fe000,0x1000,0x1<PROT_READ>)
 30829 sh       RET   mprotect 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1969307648/0x75614000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2114015232/0x81feb000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2126782464/0x813be000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2116661248/0x7e29b000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2060804096/0x7ad56000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1994530816/0x76e22000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2084450304/0x83c1d000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2046881792/0x7a00f000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1963028480/0x75017000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2132033536/0x80ebc000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2104254464/0x8293a000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2067447808/0x7b3ac000
 30829 sh       CALL  sigaction(SIGINT,0x340f8290,0xcf7d7b1c)
30829 sh STRU struct sigaction { handler=SIG_IGN, mask=0<>, flags=0<> } 30829 sh STRU struct sigaction { handler=SIG_DFL, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGINT,0xcf7d7b1c,0)
30829 sh STRU struct sigaction { handler=0x14116b80, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGQUIT,0x340f8290,0xcf7d7b1c)
30829 sh STRU struct sigaction { handler=SIG_IGN, mask=0<>, flags=0<> } 30829 sh STRU struct sigaction { handler=SIG_DFL, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGQUIT,0xcf7d7b1c,0)
30829 sh STRU struct sigaction { handler=0x14116b80, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGTERM,0x340f8290,0xcf7d7b1c)
30829 sh STRU struct sigaction { handler=SIG_IGN, mask=0<>, flags=0<> } 30829 sh STRU struct sigaction { handler=SIG_DFL, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGTERM,0xcf7d7b1c,0)
30829 sh STRU struct sigaction { handler=0x14116b80, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGHUP,0x340f8290,0xcf7d7b1c)
30829 sh STRU struct sigaction { handler=SIG_IGN, mask=0<>, flags=0<> } 30829 sh STRU struct sigaction { handler=SIG_DFL, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGHUP,0xcf7d7b1c,0)
30829 sh STRU struct sigaction { handler=0x14116b80, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2065858560/0x7b228000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2067103744/0x7b358000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2144948224/0x7fd95000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2115592192/0x81e6a000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2106769408/0x826d4000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2128248832/0x81258000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2073444352/0x7b964000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1985314816/0x76558000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2090287104/0x7c974000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1979621376/0x75fea000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2114502656/0x7e08c000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1962278912/0x74f60000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2005983232/0x7790e000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2129375232/0x81145000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2134364160/0x80c83000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2069700608/0x7b5d2000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2130268160/0x8106b000
 30829 sh       CALL  stat(0x81145bad,0xcf7d798c)
 30829 sh       NAMI  "/var/mail/sw"
30829 sh STRU struct stat { dev=1028, ino=649602, mode=-rw------- , nlink=1, uid=1000<"sw">, gid=1000<"sw">, rdev=2593256, atime=1444914614<"Oct 15 15:10:14 2015">, mtime=1446816774<"Nov 6 14:32:54 2015">, ctime=1446816833<"Nov 6 14:33:53 2015">.424053819, size=27983, blocks=56, blksize=16384, flags=0x0, gen=0x0 }
 30829 sh       RET   stat 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap -2084413440/0x83c26000
 30829 sh       CALL  getpid()
 30829 sh       RET   getpid 30829/0x786d
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2128293888/0x7edb3000
 30829 sh       CALL  __getcwd(0x7b5d2808,1024)
 30829 sh       RET   __getcwd 9
 30829 sh       CALL  getppid()
 30829 sh       RET   getppid 28735/0x703f
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2050895872/0x7a3e3000
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1951875072/0x74574000
 30829 sh       CALL  gettimeofday(0xcf7d7650,0)
30829 sh STRU struct timeval { 1446816871<"Nov 6 14:34:31 2015">.613393 }
 30829 sh       RET   gettimeofday 0
 30829 sh       CALL  gettimeofday(0xcf7d76c0,0)
30829 sh STRU struct timeval { 1446816871<"Nov 6 14:34:31 2015">.613406 }
 30829 sh       RET   gettimeofday 0
 30829 sh       CALL  geteuid()
 30829 sh       RET   geteuid 1000<"sw">
 30829 sh       CALL  getuid()
 30829 sh       RET   getuid 1000<"sw">
 30829 sh       CALL  getgid()
 30829 sh       RET   getgid 1000<"sw">
 30829 sh       CALL  getegid()
 30829 sh       RET   getegid 1000<"sw">
 30829 sh       CALL  open(0xcf7d7e14,0<O_RDONLY>)
 30829 sh       NAMI  "/usr/local/bin/textmaker12"
 30829 sh       RET   open 3
 30829 sh       CALL  fcntl(3,F_DUPFD,0xa)
 30829 sh       RET   fcntl 10/0xa
 30829 sh       CALL  close(3)
 30829 sh       RET   close 0
 30829 sh       CALL  fcntl(10,F_SETFD,FD_CLOEXEC)
 30829 sh       RET   fcntl 0
 30829 sh       CALL  fstat(0,0xcf7d7ba8)
30829 sh STRU struct stat { dev=1024, ino=494197, mode=crw--w---- , nlink=1, uid=1000<"sw">, gid=4<"tty">, rdev=1280, atime=1446816871<"Nov 6 14:34:31 2015">.611633214, mtime=1446816871<"Nov 6 14:34:31 2015">.611633214, ctime=1446816871<"Nov 6 14:34:31 2015">.611633214, size=0, blocks=0, blksize=65536, flags=0x0, gen=0x0 }
 30829 sh       RET   fstat 0
 30829 sh       CALL  sigprocmask(SIG_SETMASK,0<>)
 30829 sh       RET   sigprocmask 0<>
 30829 sh       CALL  sigaction(SIGCHLD,0x340f8290,0xcf7d7b0c)
30829 sh STRU struct sigaction { handler=SIG_IGN, mask=0<>, flags=0<> } 30829 sh STRU struct sigaction { handler=SIG_DFL, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
 30829 sh       CALL  sigaction(SIGCHLD,0xcf7d7b0c,0)
30829 sh STRU struct sigaction { handler=0x14116b80, mask=0<>, flags=0<> }
 30829 sh       RET   sigaction 0
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 1977139200/0x75d8c000
 30829 sh       CALL  read(10,0x813be838,0x200)
 30829 sh       GIO   fd 10 read 82 bytes
       "#!/bin/sh
        # A script to run TextMaker.
        /usr/local/share/office2012/textmaker "$@"
       "
 30829 sh       RET   read 82/0x52
30829 sh CALL mmap(0,0x1000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
 30829 sh       RET   mmap 2012594176/0x77f5c000
 30829 sh       CALL  stat(0x7b3ac288,0xcf7d784c)
 30829 sh       NAMI  "/usr/local/share/office2012/textmaker"
30829 sh STRU struct stat { dev=1029, ino=735390, mode=-rwxr-xr-x , nlink=1, uid=0<"root">, gid=0<"wheel">, rdev=2987496, atime=1446046872<"Oct 28 16:41:12 2015">.696320992, mtime=1440403722<"Aug 24 10:08:42 2015">, ctime=1444936032<"Oct 15 21:07:12 2015">.455290691, size=13214020, blocks=25856, blksize=16384, flags=0x0, gen=0x0 }
 30829 sh       RET   stat 0
 30829 sh       CALL  access(0x7b3ac288,0x1<X_OK>)
 30829 sh       NAMI  "/usr/local/share/office2012/textmaker"
 30829 sh       RET   access 0
 30829 sh       CALL  sigprocmask(SIG_BLOCK,0x80000<SIGCHLD>)
 30829 sh       RET   sigprocmask 0<>
 30829 sh       CALL  fork()
 30829 sh       RET   fork 23850/0x5d2a
 30829 sh       CALL  sigsuspend(0<>)
