Bug#907918: coreutils: chroot from 64 bits segfaults on older debootstrapped 64-bit distributions

2018-09-12 Thread John Comeau
Thank you Bernhard. That explains it perfectly, and no, I only
intended to file the bug once but was having problems. For me the
workaround of using 32-bit kernels serves the purpose but it's good to
know there's another for 64 bits.
On Wed, Sep 12, 2018 at 9:31 AM Bernhard Übelacker wrote:
>
> Hello John Comeau,
> I just tried to reproduce this crash and could
> get it just for a wheezy chroot:
>
>
> warning: Can't read pathname for load map: Eingabe-/Ausgabefehler.
> Core was generated by `/bin/bash -i'.
> Program terminated with signal 11, Segmentation fault.
> #0  0xff600400 in ?? ()
> (gdb) bt
> #0  0xff600400 in ?? ()
> #1  0x7fbd6eacefed in time () at ../sysdeps/unix/sysv/linux/x86_64/time.S:36
> #2  0x00420086 in main (argc=2, argv=0x7ffefa085978, env=0x7ffefa085990) at ../bash/shell.c:450
>
>
> In kernel log that access is also logged:
> kernel: bash[472] vsyscall attempted with vsyscall=none ip:ff600400 cs:33 sp:7ffefa085818 ax:ff600400 si:7ffefa086f20 di:0
>
>
> As far as I read this is a result of changing a special syscall
> interface that got used for performance reasons
> because of security concerns. (More details [1])
>
> At least as far as I have tested, all Debian kernels after
> Stretch release ( >= 4.10 ) behave that way, when using
> a libc that relies on the old interface.
>
> A workaround would be to boot linux with the kernel
> parameter vsyscall=emulate.
>
>
> Kind regards,
> Bernhard
>
> PS.: Was creating the same bug #907919 intentional or could that be closed?
>
>
> [1] https://sysdig.com/blog/troubleshooting-containers/



-- 
John Comeau KE5TFZ j...@unternet.net http://jc.unternet.net/
"A place for everything, and everything all over the place"



Bug#907918: coreutils: chroot from 64 bits segfaults on older debootstrapped 64-bit distributions

2018-09-12 Thread Bernhard Übelacker
Hello John Comeau,
I just tried to reproduce this crash and could
get it just for a wheezy chroot:


warning: Can't read pathname for load map: Eingabe-/Ausgabefehler.
Core was generated by `/bin/bash -i'.
Program terminated with signal 11, Segmentation fault.
#0  0xff600400 in ?? ()
(gdb) bt
#0  0xff600400 in ?? ()
#1  0x7fbd6eacefed in time () at ../sysdeps/unix/sysv/linux/x86_64/time.S:36
#2  0x00420086 in main (argc=2, argv=0x7ffefa085978, env=0x7ffefa085990) at ../bash/shell.c:450


In kernel log that access is also logged:
kernel: bash[472] vsyscall attempted with vsyscall=none ip:ff600400 cs:33 sp:7ffefa085818 ax:ff600400 si:7ffefa086f20 di:0


As far as I read this is a result of changing a special syscall
interface that got used for performance reasons
because of security concerns. (More details [1])

At least as far as I have tested, all Debian kernels after
Stretch release ( >= 4.10 ) behave that way, when using
a libc that relies on the old interface.

A workaround would be to boot linux with the kernel
parameter vsyscall=emulate.


Kind regards,
Bernhard

PS.: Was creating the same bug #907919 intentional or could that be closed?


[1] https://sysdig.com/blog/troubleshooting-containers/

apt install mc htop lz4 systemd-coredump gdb debootstrap



wget http://192.168.178.25:/debian-9-stretch-deb.debian.org/pool/main/l/linux/linux-image-4.9.0-8-amd64_4.9.110-3+deb9u4_amd64.deb
dpkg -i linux-image-4.9.0-8-amd64_4.9.110-3+deb9u4_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170203T152214Z/pool/main/l/linux-signed/linux-image-4.10.0-rc6-amd64_4.10%7Erc6-1%7Eexp2_amd64.deb
dpkg -i linux-image-4.10.0-rc6-amd64_4.10~rc6-1~exp2_amd64.deb
wget http://192.168.178.25:/debian-10-buster-deb.debian.org/pool/main/l/linux/linux-image-4.11.0-1-amd64_4.11.6-1_amd64.deb
dpkg -i linux-image-4.11.0-1-amd64_4.11.6-1_amd64.deb




debootstrap --arch=amd64 jessie /opt/jessie http://192.168.178.25:/debian-8-jessie-deb.debian.org/
chroot /opt/jessie
# no crash


##


debootstrap --arch=amd64 wheezy /opt/wheezy http://192.168.178.25:/debian-7-wheezy-deb.debian.org/
I: Installing core packages...
W: Failure trying to run: chroot "/opt/wheezy" dpkg --force-depends --install /var/cache/apt/archives/base-passwd_3.5.26_amd64.deb
W: See /opt/wheezy/debootstrap/debootstrap.log for details

dmesg -w -T
[Mi Sep 12 15:44:57 2018] dpkg[21278] vsyscall attempted with vsyscall=none ip:ff600400 cs:33 sp:7fff4d8e6588 ax:ff600400 si:428720 di:7fff4d8e65a0
[Mi Sep 12 15:44:57 2018] dpkg[21278]: segfault at ff600400 ip ff600400 sp 7fff4d8e6588 error 15
[Mi Sep 12 15:44:57 2018] Code: Bad RIP value.

/opt/wheezy/debootstrap/debootstrap.log
2018-09-12 15:44:56 URL:http://192.168.178.25:/debian-7-wheezy-deb.debian.org/pool/main/z/zlib/zlib1g_1.2.7.dfsg-13_amd64.deb [87392/87392] -> "/opt/wheezy//var/cache/apt/archives/partial/zlib1g_1%3a1.2.7.dfsg-13_amd64.deb" [1]
dpkg: warning: parsing file '/var/lib/dpkg/status' near line 5 package 'dpkg':
 missing description
dpkg: warning: parsing file '/var/lib/dpkg/status' near line 5 package 'dpkg':
 missing architecture
Segmentation fault (core dumped)


root@debian:~# chroot /opt/wheezy
Speicherzugriffsfehler (Speicherabzug geschrieben)

dmesg -w -T
[Mi Sep 12 15:47:39 2018] bash[21519] vsyscall attempted with vsyscall=none ip:ff600400 cs:33 sp:7ffe4c83ef68 ax:ff600400 si:7ffe4c83ff20 di:0
[Mi Sep 12 15:47:39 2018] bash[21519]: segfault at ff600400 ip ff600400 sp 7ffe4c83ef68 error 15
[Mi Sep 12 15:47:39 2018] Code: Bad RIP value.


##


reboot # into 4.9.0


rm /opt/wheezy -rf
debootstrap --arch=amd64 wheezy /opt/wheezy http://192.168.178.25:/debian-7-wheezy-deb.debian.org/
mount -t proc proc /opt/wheezy/proc
chroot /opt/wheezy

# inside:
nano /etc/apt/sources.list
#deb-src http://192.168.178.25:/debian-7-wheezy-deb.debian.org wheezy main
apt-get update
apt-get install gdb strace libc6-dbg
apt-get build-dep bash
dpkg-reconfigure locales

mkdir /root/libc6/orig -p
cd /root/libc6/orig
apt-get source libc6

mkdir /root/bash/orig -p
cd /root/bash/orig
apt-get source bash
cd ..
cp -a orig try1
cd try1/bash-4.2+dfsg/
DEB_BUILD_OPTIONS="noopt nostrip" dpkg-buildpackage -b
cd ..
dpkg -i bash_4.2+dfsg-0.1+deb7u3_amd64.deb


##


root@debian:~# uname -a
Linux debian 4.18.0-1-amd64 #1 SMP Debian 4.18.6-1 (2018-09-06) x86_64 GNU/Linux

root@debian:~# chroot /opt/wheezy /usr/bin/strace /bin/bash -i 
execve("/bin/bash", ["/bin/bash", "-i"], [/* 11 vars */]) = 0
brk(0)  = 0x1894000
access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7efea8656000
access("/etc/ld.so.preload", R_OK)  = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)  = 3
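
Added example, not part of Bernhard's message or of any Debian tool: two shell helpers for triaging the failure described above. The function names are hypothetical and the log lines are a constructed sample modelled on the kernel messages quoted in this thread. The first helper checks for the [vsyscall] mapping, which is absent from /proc/<pid>/maps when the kernel runs with vsyscall=none, so it reports the effective mode even when the mode comes from the kernel's built-in default rather than the command line.

```shell
#!/bin/sh
# Added example: triage helpers for "vsyscall attempted with vsyscall=none".

# Succeeds if the legacy [vsyscall] page is mapped (an emulating mode is active).
# With vsyscall=none the kernel does not list the mapping at all.
# $1: maps file to inspect (defaults to the calling process's own maps).
vsyscall_mapped() {
    grep -q '\[vsyscall\]' "${1:-/proc/self/maps}" 2>/dev/null
}

# Reads kernel log lines on stdin and prints "comm pid" once for every process
# the kernel reported as jumping into the disabled vsyscall page.
vsyscall_victims() {
    awk '{
        for (i = 2; i < NF; i++) {
            if ($i == "vsyscall" && $(i + 1) == "attempted") {
                comm = pid = $(i - 1)          # e.g. "bash[472]"
                sub(/\[[0-9]+\]$/, "", comm)   # -> "bash"
                gsub(/^.*\[|\]$/, "", pid)     # -> "472"
                print comm, pid
            }
        }
    }' | LC_ALL=C sort -u
}

# Constructed sample input (shortened copies of the message format above).
sample_log() {
    cat <<'EOF'
[Wed Sep 12 15:44:57 2018] dpkg[21278] vsyscall attempted with vsyscall=none ip:ff600400 cs:33
[Wed Sep 12 15:44:57 2018] dpkg[21278]: segfault at ff600400 ip ff600400 error 15
[Wed Sep 12 15:47:39 2018] bash[21519] vsyscall attempted with vsyscall=none ip:ff600400 cs:33
kernel: bash[472] vsyscall attempted with vsyscall=none ip:ff600400 cs:33
EOF
}

# Demo: list the affected processes from the sample log.
sample_log | vsyscall_victims
```

On a live system, feed it the real kernel log with `dmesg | vsyscall_victims`, and run `vsyscall_mapped` before entering an old chroot to see whether its libc can still use the legacy interface.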

Bug#907918: coreutils: chroot from 64 bits segfaults on older debootstrapped 64-bit distributions

2018-09-03 Thread John Comeau
Package: coreutils
Version: 8.28-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

I debootstrapped 64-bit wheezy and jessie into /opt/wheezy and /opt/jessie,
respectively. I tried chroot into both and segfaulted.

   * What exactly did you do (or not do) that was effective (or ineffective)?

Works: `chroot /`, `chroot /opt/wheezy32`, `chroot /opt/jessie32` (which latter
two I debootstrapped with `--arch=i386`).

Segfaults: `chroot /opt/wheezy`, `chroot /opt/jessie`

   * What was the outcome of this action?

Segmentation fault

   * What outcome did you expect instead?

Bash prompt into chrooted directory


-- System Information:
Debian Release: buster/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'testing'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.16.12-ideapad320 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages coreutils depends on:
ii  libacl1      2.2.52-3+b1
ii  libattr1     1:2.4.47-2+b2
ii  libc6        2.27-5
ii  libselinux1  2.8-1+b1

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information