
List:       qemu-devel
Subject:    [Qemu-devel] [Bug 1594394] [NEW] Using setreuid / setegid crashes x86_64 user-mode target
From:       Timothy Pearson <kb9vqf () pearsoncomputing ! net>
Date:       2016-06-20 14:01:24
Message-ID: 20160620140124.12349.60184.malonedeb () wampee ! canonical ! com

Public bug reported:

When setreuid() or setegid() are called from x86_64 target code in user
mode, qemu crashes inside the NPTL signal handlers.  x86 targets do not
directly use a syscall to handle setreuid() / setegid(); instead the x86
NPTL implementation sets up a temporary data region in memory (__xidcmd)
and issues a signal (SIGRT1) to all threads, allowing the handler for
that signal to issue the syscall.  Under qemu, __xidcmd remains null
(see variable display below backtrace).

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
263     nptl-init.c: No such file or directory.
(gdb) thread apply all bt

Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) at /build/qemu/util/qemu-thread-posix.c:292
#2  qemu_event_wait (ev=0x62367bb0 <rcu_call_ready_event>) at /build/qemu/util/qemu-thread-posix.c:399
#3  0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at /build/qemu/util/rcu.c:250
#4  0x0000000060176f8c in start_thread (arg=0x3fff87e8efc0) at pthread_create.c:336
#5  0x00000000601cebf4 in clone ()

Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
#0  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
#1  <signal handler called>
#2  0x00000000601cc42c in syscall ()
#3  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/qemu/linux-user/syscall.c:748
#4  do_futex (val3=<optimized out>, uaddr2=275186650880, timeout=0, val=1129, op=128, uaddr=275186651116) at /build/qemu/linux-user/syscall.c:6201
#5  do_syscall (cpu_env=0x1000abfd350, num=<optimized out>, arg1=275186651116, arg2=<optimized out>, arg3=1129, arg4=0, arg5=275186650880, arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651
#6  0x00000000600347b8 in cpu_loop (env=0x1000abfd350) at /build/qemu/linux-user/main.c:317
#7  0x0000000060036ae0 in clone_func (arg=0x3fffc4c2ca38) at /build/qemu/linux-user/syscall.c:5445
#8  0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at pthread_create.c:336
#9  0x00000000601cebf4 in clone ()

Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/qemu/linux-user/syscall.c:748
#2  do_futex (val3=<optimized out>, uaddr2=1, timeout=0, val=1, op=128, uaddr=275078324992) at /build/qemu/linux-user/syscall.c:6201
#3  do_syscall (cpu_env=0x1000aa23890, num=<optimized out>, arg1=275078324992, arg2=<optimized out>, arg3=1, arg4=0, arg5=1, arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651
#4  0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at /build/qemu/linux-user/main.c:317
#5  0x00000000600020e4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /build/qemu/linux-user/main.c:4779
(gdb) p __xidcmd
$1 = (struct xid_command *) 0x0

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1594394

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1594394/+subscriptions
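
As an added example that is not part of this bug report, of QEMU or of glibc: a minimal multi-threaded C program that exercises the code path the report describes. In a multi-threaded process glibc's setreuid() does not issue the syscall directly but broadcasts a real-time signal (sig=33 in the backtrace above) so that every thread applies the credential change; natively, the check below confirms that all threads end up with identical credentials by reading the `Uid:` line of each /proc/self/task/<tid>/status (assumes a Linux /proc; the function names are this example's own, and under the affected qemu-user build the setreuid() call here is the one that faults in sighandler_setxid).

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NTHREADS 4
static pthread_barrier_t gate;

/* Workers only stay alive across setreuid() so the per-thread signal
 * broadcast described in the report has other threads to reach. */
static void *worker(void *arg) {
    (void)arg;
    pthread_barrier_wait(&gate);   /* all threads are running */
    pthread_barrier_wait(&gate);   /* credential check finished, exit */
    return NULL;
}

/* Compare the "Uid:" line of every /proc/self/task/<tid>/status.
 * 1 = all threads agree, 0 = some thread differs, -1 = /proc unreadable. */
static int all_threads_share_uid(void) {
    char ref[256] = "", line[256], path[320];
    struct dirent *e;
    DIR *d = opendir("/proc/self/task");
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/self/task/%s/status", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;                       /* thread already gone */
        line[0] = '\0';
        while (fgets(line, sizeof line, f) && strncmp(line, "Uid:", 4) != 0) {}
        fclose(f);
        if (strncmp(line, "Uid:", 4) != 0) continue;
        if (ref[0] == '\0') strcpy(ref, line);
        else if (strcmp(ref, line) != 0) { closedir(d); return 0; }
    }
    closedir(d);
    return ref[0] ? 1 : -1;
}

/* 1 when setreuid() succeeded and every thread reports the same credentials,
 * 0 on failure or mismatch, -1 when /proc cannot be inspected. */
int run_setxid_check(void) {
    pthread_t th[NTHREADS];
    pthread_barrier_init(&gate, NULL, NTHREADS + 1);
    for (int i = 0; i < NTHREADS; i++) pthread_create(&th[i], NULL, worker, NULL);
    pthread_barrier_wait(&gate);
    int rc = setreuid(getuid(), getuid());  /* unprivileged values, still goes via the setxid broadcast */
    int same = all_threads_share_uid();
    pthread_barrier_wait(&gate);
    for (int i = 0; i < NTHREADS; i++) pthread_join(th[i], NULL);
    pthread_barrier_destroy(&gate);
    return rc != 0 ? 0 : same;
}
```

Run natively it returns 1; run under a qemu-user build with this bug, the setreuid() call never returns because the process dies in the signal handler.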

