Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-04-23 Thread Adam D. Barratt
On Mon, 2013-04-22 at 11:01 +0000, Thorsten Glaser wrote:
> Adam D. Barratt dixit:
>
> > Apparently it never reached the list. At least it's not in my -release mail
>
> I’ve searched for it too, and could not find it in either
> archive I tried (l.d.o and GMane).
>
> Can you please just resend the mail, and put the bug on Cc?

Any news?

Regards,

Adam


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-04-23 Thread Thorsten Glaser
Adam D. Barratt dixit:

> Any news?

I didn’t hear anything. If needed, I’ll try to pick the fix
from upstream and NMU to t-p-u, although I’m not too sure
about the procedure (I know there’s mails to the bug and to
d-release involved, and an upload (with testing or t-p-u in
the changelog entry?), but not in what order; NMUing would
complicate this so I had hoped for Antonin to do it).

bye,
//mirabilos
-- 
  “Having a smoking section in a restaurant is like having
  a peeing section in a swimming pool.”
-- Edward Burr





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-04-22 Thread Thorsten Glaser
Adam D. Barratt dixit:

> Apparently it never reached the list. At least it's not in my -release mail

I’ve searched for it too, and could not find it in either
archive I tried (l.d.o and GMane).

Can you please just resend the mail, and put the bug on Cc?

Thanks,
//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-04-10 Thread Thorsten Glaser
On Mon, 14 Jan 2013, Petr Stehlik wrote:

> I am all for putting together 0.9.15 for sid.

ping?

bye,
//mirabilos
-- 
«MyISAM tables -will- get corrupted eventually. This is a fact of life. »
“mysql is about as much database as ms access” – “MSSQL at least descends
from a database” “it's a rebranded SyBase” “MySQL however was born from a
flatfile and went downhill from there” – “at least jetDB doesn’t claim to
be a database”  (#nosec)‣‣‣ Please let MySQL and MariaDB finally die!





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-04-10 Thread Petr Stehlik
Thorsten Glaser writes on Wed 10. 04. 2013 at 12:48 +0200:
> On Mon, 14 Jan 2013, Petr Stehlik wrote:
>
> > I am all for putting together 0.9.15 for sid.
>
> ping?

My fault, haven't had time to release new version yet. Will do it in
less than 5 days, I promise.

Petr





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-20 Thread Thorsten Glaser
Petr Stehlik dixit:

> In the very dark past NatFeats were meant to be called even from user
> space but later it was decided to use NatFeats from the kernel space
> only. Whatever needs to call the host should use a device driver for that.

But there’s no device driver (or even procfs entry) to figure out
whether the system’s virtualised…

Granted, this is probably not that important. Thanks for fixing
(still need to test it… too little time…) the crash, though. I can
live with that and will just drop the idea to patch imvirt.

> What you were trying was sort of NatFeat misuse, anyway. Is a user-space
> program supposed to do HW detection in Linux? I doubt it. Let the kernel
> detect hardware for you and then check /proc/hardware or so.

From what I understand, in Linux, user space is supposed to do
everything ;-) They used to have a webserver in the kernel, though.

In my specific case, just detect whether it’s emulated or not.

> Antonin Kral is (or has always been) a DD.

Oh. Sorry for the misunderstanding, then.

> I am all for putting together 0.9.15 for sid.

Great!

bye,
//mirabilos
-- 
“no: BerliOS and Sourceforge are platforms for projects, github is
a platform for lone wolves”
-- this quote is proof that even a blind chicken sometimes finds
   a grain, or, in this case, can be right





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Thorsten Glaser
Package: aranym
Version: 0.9.14-2
Severity: grave
Tags: security
Justification: user security hole

When running the program whose source code follows below
the report, compiled with the following command:
gcc -Os -fno-asynchronous-unwind-tables \
-fno-stack-protector -static -o nfimvirt \
nfimvirt.c nfimvrth.S

Inside a Debian/m68k guest on ARAnyM running on Debian sid,
the guest crashes the virtualisation:

Gotcha! Illegal memory access. Atari PC = $8468
If the Full History was enabled you would see the last 20 instructions here.

The program is intended to use NatFeat, as per the specs,
to figure out whether it runs under emulation or not. The
severity stems from this virtualisation escape: an error
or SIGILL or SIGBUS would be an acceptable failure mode,
but the guest must not DoS the emulation (this would make
offering Debian Porterboxen impossible, for one).

This is not exactly a new issue; I think Wouter reported
similar findings in the imvirt wishlist bug report.

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.11.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `#!/bin/sh' line above, then type `sh FILE'.
#
lock_dir=_sh29846
# Made on 2013-01-13 18:48 UTC by r...@ara4.mirbsd.org.
# Source directory was `/root'.
#
# Existing files will *not* be overwritten, unless `-c' is specified.
#
# This shar contains:
# length mode       name
# ------ ---------- ------------------------------------------
#   2779 -rw-r--r-- nfimvirt.c
#    447 -rw-r--r-- nfimvrth.S
#
MD5SUM=${MD5SUM-md5sum}
f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
test -n "${f}" && md5check=true || md5check=false
${md5check} || \
  echo 'Note: not verifying md5sums.  Consider installing GNU coreutils.'
if test "X$1" = "X-c"
then keep_file=''
else keep_file=true
fi
echo=echo
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=
locale_dir=
set_echo=false

for dir in $PATH
do
  if test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    case `$dir/gettext --version 2>&1 | sed 1q` in
      *GNU*) gettext_dir=$dir
      set_echo=true
      break ;;
    esac
  fi
done

if ${set_echo}
then
  set_echo=false
  for dir in $PATH
  do
    if test -f $dir/shar \
       && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
    then
      locale_dir=`$dir/shar --print-text-domain-dir`
      set_echo=true
      break
    fi
  done

  if ${set_echo}
  then
    TEXTDOMAINDIR=$locale_dir
    export TEXTDOMAINDIR
    TEXTDOMAIN=sharutils
    export TEXTDOMAIN
    echo="$gettext_dir/gettext -s"
  fi
fi
IFS="$save_IFS"
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
then if (echo -n test; echo 1,2,3) | grep n >/dev/null
     then shar_n= shar_c='
'
     else shar_n=-n shar_c= ; fi
else shar_n= shar_c='\c' ; fi
f=shar-touch.$$
st1=200112312359.59
st2=123123592001.59
st2tr=123123592001.5 # old SysV 14-char limit
st3=1231235901

if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
   test ! -f ${st1} && test -f ${f}; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'

elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
   test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'

elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
   test ! -f ${st3} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'

else
  shar_touch=:
  echo
  ${echo} 'WARNING: not restoring timestamps.  Consider getting and
installing GNU `touch'\'', distributed in GNU coreutils...'
  echo
fi
rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
#
if test ! -d ${lock_dir} ; then :
else ${echo} "lock directory ${lock_dir} exists"
     exit 1
fi
if mkdir ${lock_dir}
then ${echo} "x - created lock directory ${lock_dir}."
else ${echo} "x - failed to create lock directory ${lock_dir}."
     exit 1
fi
# ============= nfimvirt.c ==============
if test -n "${keep_file}" && test -f 'nfimvirt.c'
then
${echo} "x - SKIPPING nfimvirt.c (file already exists)"
else
${echo} "x - extracting nfimvirt.c (text)"
  sed 's/^X//' << 'SHAR_EOF' > 'nfimvirt.c' &&
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
X
#ifndef __GNUC__
#error This file makes use of GNU C extensions.
#endif
X
extern long nf_get_id_asm(const char *feature_name)
X	asm("nf_get_id_asm")
X	__attribute__((__cdecl__, __regparm__(0)));
extern long nf_call_asm(unsigned long feature_id, ...)
X	asm("nf_call_asm")
X	__attribute__((__cdecl__, __regparm__(0)));
X
volatile sig_atomic_t got_sigill;
X
void sigill_handler(int sigraised);
long nf_get_id(const char *feature_name);
X
#define nf_call2(id, subid, ...) __extension__({		\
X	long nf_call2_res;					\
X	unsigned long nf_call2_fid;				\
X								\
X	if (got_sigill)						\

Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Thorsten Glaser
Dixi quod…

> Inside a Debian/m68k guest on ARAnyM running on Debian sid,

Easy reproducer, under XFree86:

wget -O mirnitrd https://www.freewrt.org/~tg/f/mirnitrd-nfimvirt
mv mirnitrd-nfimvirt mirnitrd
wget -O vmlinuz https://www.freewrt.org/~tg/f/vmlinuz-3.8.0-rc3+m68k-queue+atari-84299-g3f4758a
or: wget -O vmlinuz https://www.freewrt.org/~tg/f/20121227/vmlinuz-3.2.0-4-atari
wget https://www.freewrt.org/~tg/f/mirnitrd.nym
aranym-mmu -l -c mirnitrd.nym

Then click into the SDL window, press Alt-F2
and run /nfimvirt with no arguments.

bye,
//mirabilos
-- 
<Natureshadow> Oh, I just middle-clicked with my belly while reaching for
the coffee…
<mirabilos> Cool, I've got a new e-mail signature
<Natureshadow> Don't say things like that while I'm holding the coffee!
Give me a rag! Quick! But that's not going in the signature!





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Petr Stehlik
Thorsten Glaser writes on Sun 13. 01. 2013 at 19:12 +0000:
> Then click into the SDL window, press Alt-F2
> and run /nfimvirt with no arguments.

#1  0x081212b9 in safe_strncpy (dest=0xb0cc , src=0x9005b25d
<Address 0x9005b25d out of bounds>, size=80)
at /usr/include/i386-linux-gnu/bits/string3.h:121
#2  0x08108f6f in Atari2HostSafeStrncpy (count=80, source=<optimized
out>, dest=0xb0cc ) at ./src/include/natfeats.h:58
#3  nf_get_id (stack=4018990244) at ./src/./natfeats.cpp:26
#4  0x08151bd6 in m68k_natfeat_id () at ./src/uae_cpu/newcpu.cpp:1367
#5  0x080b6bc8 in op_7300_0_ff(unsigned int) ()

Could you show me the source code of nfimvirt, please? Seems like it
passed in an invalid pointer. You do know it needs to pass in physical
(not MMU mapped) addresses, right?

Petr


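The backtrace above shows the host copying from a guest-supplied pointer (src=0x9005b25d) that lies outside guest memory. The following is an added example, not ARAnyM's own code, of the host-side check that turns such a call into an error return instead of a host crash; the RAM size, feature table, ids, error code and function names are assumptions.

```c
/* Added illustration, not ARAnyM's code: a host-side NatFeat handler that
 * validates guest pointers against emulated RAM before dereferencing them.
 * RAM size, feature table, error code and function names are assumptions. */
#include <stdint.h>
#include <string.h>

#define GUEST_RAM_SIZE 0x100000u          /* 1 MiB of emulated RAM (constructed) */
static uint8_t guest_ram[GUEST_RAM_SIZE]; /* host buffer backing guest memory */

/* 1 if every byte of [addr, addr + len) is inside RAM; written so that
 * addr + len cannot overflow a 32-bit guest address. */
static int guest_range_ok(uint32_t addr, uint32_t len)
{
    return addr < GUEST_RAM_SIZE && len <= GUEST_RAM_SIZE - addr;
}

/* Copy a NUL-terminated string at guest address src into dest (size n),
 * never reading past the end of emulated RAM. Returns 0 on success and
 * -1 if src is outside RAM or no terminator is found before RAM ends. */
int guest_strncpy_checked(char *dest, size_t n, uint32_t src)
{
    if (n == 0 || !guest_range_ok(src, 1))
        return -1;
    uint32_t avail = GUEST_RAM_SIZE - src;   /* bytes readable from src */
    const uint8_t *p = guest_ram + src;
    size_t i;
    for (i = 0; i < n - 1 && i < avail && p[i] != '\0'; i++)
        dest[i] = (char)p[i];
    dest[i] = '\0';
    /* Loop ended because RAM ran out before a terminator: reject. */
    if (i < n - 1 && i == avail)
        return -1;
    return 0;
}

/* Hypothetical feature table; NF_NAME and NF_VERSION are real NatFeat
 * names, the ids are constructed for this example. */
static const struct { const char *name; long id; } nf_table[] = {
    { "NF_NAME", 1 }, { "NF_VERSION", 2 },
};

/* Host side of the "get feature id" call. The 80-byte buffer matches the
 * size=80 in the backtrace. Returns the id, 0 for an unknown feature, and
 * -1 for an invalid guest pointer instead of faulting in the host. */
long nf_get_id_checked(uint32_t name_addr)
{
    char name[80];
    if (guest_strncpy_checked(name, sizeof name, name_addr) != 0)
        return -1;
    for (size_t i = 0; i < sizeof nf_table / sizeof nf_table[0]; i++)
        if (strcmp(name, nf_table[i].name) == 0)
            return nf_table[i].id;
    return 0;
}

/* Test helper: the guest writing its own memory (deliberately unchecked). */
void guest_store(uint32_t addr, const void *data, size_t len)
{
    memcpy(guest_ram + addr, data, len);
}
```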



Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Thorsten Glaser
Petr Stehlik dixit:

> Could you show me the source code of nfimvirt, please? Seems like it

I attached it.

> passed in an invalid pointer. You do know it needs to pass in physical
> (not MMU mapped) addresses, right?

The specs specifically say the contrary: they must be in virtual
addresses, but still in physical memory:

“On emulators implementing MMU and where physical addresses differ from
logical addresses, the memory that will be accessed by native features
uses the logical addresses (that is, exactly the same memory than that
seen by the CPU).”

However: “All 68k memory accessed during the execution of a native
function, either directly (the stack), or indirectly (following
pointers) must reside in physical memory before the native function is
called.” – I added a call to mlock() before the NatFeat calls to ensure
that.

Nevertheless, a user-space application absolutely MUST NOT crash the
emulator. Throw a SIGBUS if you must.


@Debian: I suggest we tag this wheezy-ignore, because ⓐ it’s not a
regression, ⓑ the impact is low, and ⓒ some MIPS machines have (had?)
similar issues, so we have precedent.


bye,
//mirabilos
-- 
☎ <Natureshadow> I think I just wiped my nose with the [ham]burger…
<mirabilos> I think I've got a new e-mail signature
<Natureshadow> Shit, why does this always happen to me when I'm talking to
you? *cough* That was a snot burger… *cough*





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Petr Stehlik
Thorsten Glaser writes on Sun 13. 01. 2013 at 21:37 +0000:
> > Could you show me the source code of nfimvirt, please? Seems like it
>
> I attached it.

Thanks

> > passed in an invalid pointer. You do know it needs to pass in physical
> > (not MMU mapped) addresses, right?
>
> The specs specifically say the contrary: they must be in virtual
> addresses, but still in physical memory:

The specs are probably incorrect :-/ Where did you get the following quotes
from?

> “On emulators implementing MMU and where physical addresses differ from
> logical addresses, the memory that will be accessed by native features
> uses the logical addresses (that is, exactly the same memory than that
> seen by the CPU).”
>
> However: “All 68k memory accessed during the execution of a native
> function, either directly (the stack), or indirectly (following
> pointers) must reside in physical memory before the native function is
> called.” – I added a call to mlock() before the NatFeat calls to ensure
> that.
>
> Nevertheless, a user-space application absolutely MUST NOT crash the
> emulator. Throw a SIGBUS if you must.

I agree. Thus I have just fixed it (fix available in ARAnyM CVS, file
src/include/natfeat.h).

> @Debian: I suggest we tag this wheezy-ignore, because ⓐ it’s not a
> regression, ⓑ the impact is low, and ⓒ some MIPS machines have (had?)
> similar issues, so we have precedent.

I suppose the maintainer could grab the patch from CVS and apply it to
ARAnyM in wheezy? Or I may prepare a 0.9.15 release of ARAnyM...

Petr





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Thorsten Glaser
Petr Stehlik dixit:

> > The specs specifically say the contrary: they must be in virtual
> > addresses, but still in physical memory:
>
> The specs are probably incorrect :-/ Where did you get the following quotes
> from?

http://wiki.aranym.org/natfeats/proposal

> > “On emulators implementing MMU and where physical addresses differ from
> > logical addresses, the memory that will be accessed by native features
> > uses the logical addresses (that is, exactly the same memory than that
> > seen by the CPU).”

I just looked around for a way to get the physical address of locked
memory from user-space in Linux, but there doesn’t appear to be one,
besides maybe /proc/$$/pagemap but cat(1) hangs when I try to read it,
so effectively none.

For detecting whether we run under virtualisation, this would have been
the way to go. Too bad if the specs are “incorrect” ☹

> > Nevertheless, a user-space application absolutely MUST NOT crash the
> > emulator. Throw a SIGBUS if you must.
>
> I agree. Thus I have just fixed it (fix available in ARAnyM CVS, file
> src/include/natfeat.h).

Thanks!

> I suppose the maintainer could grab the patch from CVS and apply it to
> ARAnyM in wheezy? Or I may prepare a 0.9.15 release of ARAnyM...

I can probably NMU it, the maintainer isn’t a DD IIRC.
Antonin, is that okay with you? .oO(We probably should also
talk anyway whether you’d want me to comaintain this…)

I think that, since a newer upstream version is in sid anyway,
we have to go through testing-proposed-updates already, so maybe
putting together a 0.9.15 with all fixes would be good, which we
can add to unstable, and I’ll apply the fix on top of 0.9.13 in
wheezy?

bye,
//mirabilos
-- 
☎ <Natureshadow> I think I just wiped my nose with the [ham]burger…
<mirabilos> I think I've got a new e-mail signature
<Natureshadow> Shit, why does this always happen to me when I'm talking to
you? *cough* That was a snot burger… *cough*





Bug#698064: aranym: crashes from guest userspace when NatFeat is queried

2013-01-13 Thread Petr Stehlik
Thorsten Glaser writes on Sun 13. 01. 2013 at 22:32 +0000:
> > > The specs specifically say the contrary: they must be in virtual
> > > addresses, but still in physical memory:
> >
> > The specs are probably incorrect :-/ Where did you get the following quotes
> > from?
>
> http://wiki.aranym.org/natfeats/proposal

proposal... Those were just ideas. The final implementation is
different. Documentation needs to be corrected.

> For detecting whether we run under virtualisation, this would have been
> the way to go.

In the very dark past NatFeats were meant to be called even from user
space but later it was decided to use NatFeats from the kernel space
only. Whatever needs to call the host should use a device driver for that.
And kernel space can work with physical (non-mapped) memory addresses
easily, thus providing the host with real contiguous memory blocks to
read from/write to. Thanks to that, the host can use fast memcpy() when
exchanging data with the guest. With logical (MMU mapped) addresses this
wouldn't be possible because contiguous memory blocks would not be
guaranteed.

> Too bad if the specs are “incorrect” ☹

What you were trying was sort of NatFeat misuse, anyway. Is a user-space
program supposed to do HW detection in Linux? I doubt it. Let the kernel
detect hardware for you and then check /proc/hardware or so.

> > I suppose the maintainer could grab the patch from CVS and apply it to
> > ARAnyM in wheezy? Or I may prepare a 0.9.15 release of ARAnyM...
>
> I can probably NMU it, the maintainer isn’t a DD IIRC.

Antonin Kral is (or has always been) a DD.

> I think that, since a newer upstream version is in sid anyway,
> we have to go through testing-proposed-updates already, so maybe
> putting together a 0.9.15 with all fixes would be good, which we
> can add to unstable, and I’ll apply the fix on top of 0.9.13 in
> wheezy?

I am all for putting together 0.9.15 for sid.

Petr

