'[Qemu-devel] [Bug 1594394] [NEW] Using setreuid / setegid crashes x86_64 user-mode target'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qemu-devel
Subject:    [Qemu-devel] [Bug 1594394] [NEW] Using setreuid / setegid crashes x86_64 user-mode target
From:       Timothy Pearson <kb9vqf () pearsoncomputing ! net>
Date:       2016-06-20 14:01:24
Message-ID: 20160620140124.12349.60184.malonedeb () wampee ! canonical ! com
[Download RAW message or body]

Public bug reported:

When setreuid() or setegid() are called from x86_64 target code in user
mode, qemu crashes inside the NPTL signal handlers.  x86 targets do not
directly use a syscall to handle setreuid() / setegid(); instead the x86
NPTL implementation sets up a temporary data region in memory (__xidcmd)
and issues a signal (SIGRT1) to all threads, allowing the handler for
that signal to issue the syscall.  Under qemu, __xidcmd remains null
(see variable display below backtrace).

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, \
ctx=0x3fff85c71f90) at nptl-init.c:263 263     nptl-init.c: No such file or \
directory. (gdb) thread apply all bt

Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) at \
/build/qemu/util/qemu-thread-posix.c:292 #2  qemu_event_wait (ev=0x62367bb0 \
<rcu_call_ready_event>) at /build/qemu/util/qemu-thread-posix.c:399 #3  \
0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at \
/build/qemu/util/rcu.c:250 #4  0x0000000060176f8c in start_thread \
(arg=0x3fff87e8efc0) at pthread_create.c:336 #5  0x00000000601cebf4 in clone ()

Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
#0  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, \
ctx=0x3fff85c71f90) at nptl-init.c:263 #1  <signal handler called>
#2  0x00000000601cc42c in syscall ()
#3  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, \
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at \
/build/qemu/linux-user/syscall.c:748 #4  do_futex (val3=<optimized out>, \
uaddr2=275186650880, timeout=0, val=1129, op=128, uaddr=275186651116) at \
/build/qemu/linux-user/syscall.c:6201 #5  do_syscall (cpu_env=0x1000abfd350, \
num=<optimized out>, arg1=275186651116, arg2=<optimized out>, arg3=1129, arg4=0, \
arg5=275186650880, arg6=<optimized out>, arg7=0, arg8=0)  at \
/build/qemu/linux-user/syscall.c:10651 #6  0x00000000600347b8 in cpu_loop \
(env=0x1000abfd350) at /build/qemu/linux-user/main.c:317 #7  0x0000000060036ae0 in \
clone_func (arg=0x3fffc4c2ca38) at /build/qemu/linux-user/syscall.c:5445 #8  \
0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at pthread_create.c:336 #9  \
0x00000000601cebf4 in clone ()

Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, \
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at \
/build/qemu/linux-user/syscall.c:748 #2  do_futex (val3=<optimized out>, uaddr2=1, \
timeout=0, val=1, op=128, uaddr=275078324992) at \
/build/qemu/linux-user/syscall.c:6201 #3  do_syscall (cpu_env=0x1000aa23890, \
num=<optimized out>, arg1=275078324992, arg2=<optimized out>, arg3=1, arg4=0, arg5=1, \
arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651 #4  \
0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at \
/build/qemu/linux-user/main.c:317 #5  0x00000000600020e4 in main (argc=<optimized \
out>, argv=<optimized out>, envp=<optimized out>) at \
/build/qemu/linux-user/main.c:4779 (gdb) p __xidcmd
$1 = (struct xid_command *) 0x0

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1594394

Title:
  Using setreuid / setegid crashes x86_64 user-mode target

Status in QEMU:
  New

Bug description:
  When setreuid() or setegid() are called from x86_64 target code in
  user mode, qemu crashes inside the NPTL signal handlers.  x86 targets
  do not directly use a syscall to handle setreuid() / setegid();
  instead the x86 NPTL implementation sets up a temporary data region in
  memory (__xidcmd) and issues a signal (SIGRT1) to all threads,
  allowing the handler for that signal to issue the syscall.  Under
  qemu, __xidcmd remains null (see variable display below backtrace).

  Backtrace:
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, \
ctx=0x3fff85c71f90) at nptl-init.c:263  263     nptl-init.c: No such file or \
directory.  (gdb) thread apply all bt

  Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
  #0  0x00000000601cc430 in syscall ()
  #1  0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) at \
/build/qemu/util/qemu-thread-posix.c:292  #2  qemu_event_wait (ev=0x62367bb0 \
<rcu_call_ready_event>) at /build/qemu/util/qemu-thread-posix.c:399  #3  \
0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at \
/build/qemu/util/rcu.c:250  #4  0x0000000060176f8c in start_thread \
(arg=0x3fff87e8efc0) at pthread_create.c:336  #5  0x00000000601cebf4 in clone ()

  Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
  #0  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, \
ctx=0x3fff85c71f90) at nptl-init.c:263  #1  <signal handler called>
  #2  0x00000000601cc42c in syscall ()
  #3  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, \
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at \
/build/qemu/linux-user/syscall.c:748  #4  do_futex (val3=<optimized out>, \
uaddr2=275186650880, timeout=0, val=1129, op=128, uaddr=275186651116) at \
/build/qemu/linux-user/syscall.c:6201  #5  do_syscall (cpu_env=0x1000abfd350, \
num=<optimized out>, arg1=275186651116, arg2=<optimized out>, arg3=1129, arg4=0, \
arg5=275186650880, arg6=<optimized out>, arg7=0, arg8=0)  at \
/build/qemu/linux-user/syscall.c:10651  #6  0x00000000600347b8 in cpu_loop \
(env=0x1000abfd350) at /build/qemu/linux-user/main.c:317  #7  0x0000000060036ae0 in \
clone_func (arg=0x3fffc4c2ca38) at /build/qemu/linux-user/syscall.c:5445  #8  \
0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at pthread_create.c:336  #9  \
0x00000000601cebf4 in clone ()

  Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
  #0  0x00000000601cc430 in syscall ()
  #1  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, \
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at \
/build/qemu/linux-user/syscall.c:748  #2  do_futex (val3=<optimized out>, uaddr2=1, \
timeout=0, val=1, op=128, uaddr=275078324992) at \
/build/qemu/linux-user/syscall.c:6201  #3  do_syscall (cpu_env=0x1000aa23890, \
num=<optimized out>, arg1=275078324992, arg2=<optimized out>, arg3=1, arg4=0, arg5=1, \
arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651  #4  \
0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at \
/build/qemu/linux-user/main.c:317  #5  0x00000000600020e4 in main (argc=<optimized \
out>, argv=<optimized out>, envp=<optimized out>) at \
/build/qemu/linux-user/main.c:4779  (gdb) p __xidcmd
  $1 = (struct xid_command *) 0x0

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1594394/+subscriptions


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic