View Issue Details
| Field | Value |
|---|---|
| ID | 0017806 |
| Project | FPC |
| Category | RTL |
| View Status | public |
| Date Submitted | 2010-11-02 22:11 |
| Last Update | 2013-04-24 11:28 |
| Reporter | ZAN DoYe |
| Assigned To | |
| Priority | normal |
| Severity | crash |
| Reproducibility | always |
| Status | confirmed |
| Resolution | open |
| Platform | i386 |
| OS | archlinux |
| OS Version | 2.6.34 |
| Product Version | 2.4.0 |
| Product Build | 2010/01/01 |
| Target Version | |
| Fixed in Version | |
| Tags | No tags attached. |
| Fixed in Revision | |
| FPCOldBugId | 0 |
| Attached Files | |

Summary: 0017806: suid/sgid with dynamic lib cause program crash

Description: A non-root user running a suid/sgid program that uses a dynamic lib causes "Segmentation fault".

Steps To Reproduce:

    function dlopen(name : pchar; mode: longint) : pointer; cdecl; external 'dl'; //this can be any lib.
    begin
    end.

Save as crash.pas, then:

    $ fpc crash.pas
    $ sudo chown root:root crash && sudo chmod 6755 crash
    $ ./crash

It just causes "Segmentation fault".
Notes

(0042673) Jonas Maebe (manager) 2010-11-02 22:29

Without the full source code of an example program that demonstrates the problem, there is nothing we can do.
|
(0042674) ZAN DoYe (reporter) 2010-11-02 22:36

I've given source code in "Steps To Reproduce":

    function dlopen(name : pchar; mode: longint) : pointer; cdecl; external 'dl'; //this can be any lib.
    begin
    end.
|
(0042675) Jonas Maebe (manager) 2010-11-02 22:44 edited on: 2010-11-02 23:01

It works fine for me under Fedora 13. It's probably due to SELinux or some other security setting on your system.

Also try the same with this C program:

    int main() { return 0; }

and compile it with

    gcc crash.c -o crash -ldl
    sudo chown root:root crash && sudo chmod 6755 crash

See whether that crashes too.
|
(0042677) ZAN DoYe (reporter) 2010-11-02 23:27 edited on: 2010-11-02 23:29

Dynamic libs work well with C. I tried to call some functions in the lib, all works well. But the fpc one crashes the moment it starts, even in the three-line program that I've reported. This is the gdb snapshot:

    [kandu@bomb p]$ gdb bug
    GNU gdb (GDB) 7.2
    Copyright (C) 2010 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i686-pc-linux-gnu".
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>...
    Reading symbols from /home/kandu/p/bug...done.
    (gdb) l
    1       function dlopen(name : pchar; mode: longint) : pointer; cdecl; external 'dl';
    2
    3       begin
    4       end.
    (gdb) b *SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT
    Breakpoint 1 at 0x8048240
    (gdb) r
    Starting program: /home/kandu/p/bug

    Breakpoint 1, 0x08048240 in SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT ()
    (gdb) bt
    #0  0x08048240 in SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT ()
    #1  0x080488de in SYSTEM_FPUGETRLIMIT$LONGINT$PRLIMIT$$LONGINT ()
    #2  0x08061d79 in SYSTEM_CHECKINITIALSTKLEN$LONGWORD$$LONGWORD ()
    #3  0x00000000 in ?? ()
    (gdb) disassemble SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT
    Dump of assembler code for function SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT:
    => 0x08048240 <+0>:     push   %ebp
       0x08048241 <+1>:     mov    %esp,%ebp
       0x08048243 <+3>:     sub    $0x4,%esp
       0x08048246 <+6>:     push   %ebx
       0x08048247 <+7>:     mov    %edx,%ebx
       0x08048249 <+9>:     cmpl   $0x0,0x80624c0
       0x08048250 <+16>:    jne    0x8048256 <SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT+22>
       0x08048252 <+18>:    int    $0x80
       0x08048254 <+20>:    jmp    0x804825c <SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT+28>
       0x08048256 <+22>:    call   *0x80624c4
       0x0804825c <+28>:    pop    %ebx
       0x0804825d <+29>:    cmp    $0xfffff001,%eax
       0x08048262 <+34>:    jb     0x8048270 <SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT+48>
       0x08048264 <+36>:    neg    %eax
       0x08048266 <+38>:    call   0x8048150 <SYSTEM_SETERRNO$LONGINT>
       0x0804826b <+43>:    mov    $0xffffffff,%eax
       0x08048270 <+48>:    leave
       0x08048271 <+49>:    ret
    End of assembler dump.
    (gdb) b *0x08048256
    Breakpoint 2 at 0x8048256
    (gdb) c
    Continuing.

    Breakpoint 2, 0x08048256 in SYSTEM_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT ()
    (gdb) x/a 0x80624c4
    0x80624c4 <TC_SYSTEM_PSYSINFO>: 0x5
    (gdb) stepi
    0x00000005 in ?? ()
    (gdb) stepi

    Program received signal SIGSEGV, Segmentation fault.
    0x00000005 in ?? ()
    (gdb)
|
(0042679) Jonas Maebe (manager) 2010-11-02 23:37

Looks like a problem with the detection of the kernel's "fast" syscall interface, although I have no idea why it would only cause problems with setuid root programs. Unfortunately, the person who added that support is no longer active. I hope that someone else is willing to look at this.
|
(0042680) ZAN DoYe (reporter) 2010-11-03 00:33

I set the env variable LD_LIBRARY_PATH to '/home/kandu/bin'. After I cleared the LD_LIBRARY_PATH env variable the program works. But it still confuses me, because there is no lib in /home/kandu/bin.
|
(0042699) Jonas Maebe (manager) 2010-11-03 09:58

That's doubly strange, because the man page of ld.so explicitly states that if a program is suid or sgid, then LD_LIBRARY_PATH is ignored.
|
(0042706) Jonas Maebe (manager) 2010-11-03 12:03

Well, the fast syscall stuff is initialised by parsing envp, so the presence or absence of LD_LIBRARY_PATH can influence that (especially if it is somehow treated specially by the dynamic linker in this case).
|
(0042835) Florian (administrator) 2010-11-06 20:21

Please post the output of `uname -a` and `cat /proc/cpuinfo`.
|
(0042946) ZAN DoYe (reporter) 2010-11-10 15:47

    [kandu@bomb ~]$ uname -a
    Linux bomb 2.6.35-ARCH #1 SMP PREEMPT Sat Oct 30 19:57:05 UTC 2010 i686 AMD Phenom(tm) FX-5000 Quad-Core Processor AuthenticAMD GNU/Linux
    [kandu@bomb ~]$ cat /proc/cpuinfo
    processor       : 0
    vendor_id       : AuthenticAMD
    cpu family      : 16
    model           : 4
    model name      : AMD Phenom(tm) FX-5000 Quad-Core Processor
    stepping        : 2
    cpu MHz         : 2210.008
    cache size      : 512 KB
    physical id     : 0
    siblings        : 4
    core id         : 0
    cpu cores       : 4
    apicid          : 0
    initial apicid  : 0
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt npt lbrv svm_lock nrip_save
    bogomips        : 4421.18
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 48 bits physical, 48 bits virtual
    power management: ts ttp tm stc 100mhzsteps hwpstate

    processor       : 1
    vendor_id       : AuthenticAMD
    cpu family      : 16
    model           : 4
    model name      : AMD Phenom(tm) FX-5000 Quad-Core Processor
    stepping        : 2
    cpu MHz         : 2210.008
    cache size      : 512 KB
    physical id     : 0
    siblings        : 4
    core id         : 1
    cpu cores       : 4
    apicid          : 1
    initial apicid  : 1
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt npt lbrv svm_lock nrip_save
    bogomips        : 4421.19
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 48 bits physical, 48 bits virtual
    power management: ts ttp tm stc 100mhzsteps hwpstate

    processor       : 2
    vendor_id       : AuthenticAMD
    cpu family      : 16
    model           : 4
    model name      : AMD Phenom(tm) FX-5000 Quad-Core Processor
    stepping        : 2
    cpu MHz         : 2210.008
    cache size      : 512 KB
    physical id     : 0
    siblings        : 4
    core id         : 2
    cpu cores       : 4
    apicid          : 2
    initial apicid  : 2
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt npt lbrv svm_lock nrip_save
    bogomips        : 4421.21
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 48 bits physical, 48 bits virtual
    power management: ts ttp tm stc 100mhzsteps hwpstate

    processor       : 3
    vendor_id       : AuthenticAMD
    cpu family      : 16
    model           : 4
    model name      : AMD Phenom(tm) FX-5000 Quad-Core Processor
    stepping        : 2
    cpu MHz         : 2210.008
    cache size      : 512 KB
    physical id     : 0
    siblings        : 4
    core id         : 3
    cpu cores       : 4
    apicid          : 3
    initial apicid  : 3
    fdiv_bug        : no
    hlt_bug         : no
    f00f_bug        : no
    coma_bug        : no
    fpu             : yes
    fpu_exception   : yes
    cpuid level     : 5
    wp              : yes
    flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm 3dnowext 3dnow constant_tsc nonstop_tsc extd_apicid pni monitor cx16 popcnt lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt npt lbrv svm_lock nrip_save
    bogomips        : 4421.20
    clflush size    : 64
    cache_alignment : 64
    address sizes   : 48 bits physical, 48 bits virtual
    power management: ts ttp tm stc 100mhzsteps hwpstate
|
(0055898) Marco van de Voort (manager) 2012-01-20 22:02 edited on: 2012-01-21 00:36

I can reproduce. When I set LD_LIBRARY_PATH to ~/bin (which contains no libraries) I get a segmentation fault. Without it, it is fine.

From http://blogs.oracle.com/darcy/entry/purging_ld_library_path :

"While the Solaris runtime linker applies more scrutiny to LD_LIBRARY_PATH in this case, on Linux glibc sets LD_LIBRARY_PATH to the empty string"

Maybe it's some environment manipulation that somehow clashes with the syscall check in syscall.inc, which uses envp. Hmm, the traceback is still pointing to syscall though:

    #0  0x00000005 in ?? ()
    #1  0x080482b2 in SYSTEM_$$_FPSYSCALL$LONGINT$LONGINT$LONGINT$$LONGINT ()
    #2  0x08048c3c in SYSTEM_$$_FPUGETRLIMIT$LONGINT$PRLIMIT$$LONGINT ()
    #3  0x08066b39 in SYSTEM_$$_CHECKINITIALSTKLEN$LONGWORD$$LONGWORD ()
    #4  0x08066bb4 in SYSTEM_$$_init ()
    #5  0x0805cb22 in fpc_initializeunits ()
    #6  0x08048128 in main () at sometest.pp:2
|
(0067122) Sergei Gorelkin (developer) 2013-04-23 16:54

I don't understand how this 'fast' syscall interface can work with shared libraries at all. It assumes that envp points to the original stack location provided by the kernel, which is only true for statically linked executables. In a dynamically linked executable or in a shared library, the dynamic interpreter is executed first. It can do arbitrary actions with the environment *and* the stack, after which envp is likely to point to some location provided by the dynamic interpreter. After this, the RTL will end up interpreting garbage as the 'auxiliary vector array', and a crash is just a matter of luck.
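The failure mode Sergei describes, as an added example that is not part of this bug report and not FPC's RTL code: a small C program that walks past envp the way the thread says the "fast syscall" detection does, once over a constructed copy of the kernel's initial-stack layout (envp[] followed by the auxiliary vector) and once over a constructed environment block that has been moved somewhere else, as a dynamic loader may do after rewriting LD_LIBRARY_PATH for a set-uid process. The walking routine, both layouts, the AT_SYSINFO value 0xb7fff414, the junk chosen so that the walk returns the 0x5 the reporter saw in TC_SYSTEM_PSYSINFO, and the 64 KiB plausibility threshold are all assumptions of this example. getauxval(3) is the supported way to read the auxiliary vector; since x86-64 has no AT_SYSINFO entry, the example queries AT_PAGESZ through it.

```c
#include <elf.h>
#include <link.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

#ifndef AT_SYSINFO
#define AT_SYSINFO 32   /* 32-bit x86 vDSO entry point, per the Linux ABI */
#endif

#define SYSINFO_CONSTRUCTED 0xb7fff414UL   /* constructed: looks like a vDSO address */

/* Illustrative reconstruction of an "auxv by walking envp" lookup (not FPC's
 * syscall.inc).  It skips the NULL-terminated environment pointers and reads
 * whatever follows as ElfW(auxv_t) entries.  That is only correct on the
 * initial stack the kernel built; anywhere else the bytes are unrelated. */
static unsigned long auxv_by_walking_envp(char **envp, unsigned long type,
                                          size_t max_entries)
{
    while (*envp != NULL)
        envp++;
    const unsigned char *p = (const unsigned char *)(envp + 1);
    for (size_t i = 0; i < max_entries; i++) {
        ElfW(auxv_t) ent;
        memcpy(&ent, p + i * sizeof ent, sizeof ent);   /* defined for any bytes */
        if (ent.a_type == AT_NULL)
            break;
        if (ent.a_type == type)
            return ent.a_un.a_val;
    }
    return 0;
}

/* Constructed stand-in for the kernel's initial stack: envp[] then auxv[]. */
static struct {
    char *envp[3];
    ElfW(auxv_t) auxv[3];
} kernel_layout = {
    { "HOME=/home/kandu", "LD_LIBRARY_PATH=/home/kandu/bin", NULL },
    {
        { .a_type = AT_PAGESZ,  .a_un.a_val = 4096 },
        { .a_type = AT_SYSINFO, .a_un.a_val = SYSINFO_CONSTRUCTED },
        { .a_type = AT_NULL,    .a_un.a_val = 0 },
    },
};

/* Constructed stand-in for an environment block the dynamic loader has copied
 * elsewhere (for a set-uid process it rewrites unsafe variables such as
 * LD_LIBRARY_PATH).  Nothing after the terminating NULL is an auxv; the junk
 * is chosen here to mimic the 0x5 the reporter saw in TC_SYSTEM_PSYSINFO. */
static struct {
    char *envp[3];
    unsigned long junk[4];
} relocated_layout = {
    { "HOME=/home/kandu", "LD_LIBRARY_PATH=", NULL },
    { AT_SYSINFO, 0x5, AT_NULL, 0 },
};

/* On the kernel-built layout the walk finds the real entry. */
unsigned long sysinfo_from_kernel_layout(void)
{
    return auxv_by_walking_envp(kernel_layout.envp, AT_SYSINFO, 8);
}

/* Once envp no longer points at the kernel's stack, the walk returns
 * whatever carries the AT_SYSINFO tag by accident: here, 5. */
unsigned long sysinfo_from_relocated_env(void)
{
    return auxv_by_walking_envp(relocated_layout.envp, AT_SYSINFO, 8);
}

/* Plausibility check before calling through a looked-up code address.
 * Assumption of this example: nothing executable is mapped below 64 KiB
 * (the common vm.mmap_min_addr), so a value such as 0x5 is rejected. */
int plausible_code_address(unsigned long addr)
{
    return addr >= 0x10000UL;
}

/* The supported route: getauxval(3) returns what the C library saved at
 * startup, regardless of where envp ended up.  AT_SYSINFO exists only on
 * 32-bit x86, so AT_PAGESZ is queried as an entry every Linux process has. */
unsigned long reliable_pagesize(void)
{
    return getauxval(AT_PAGESZ);
}

int main(void)
{
    unsigned long good = sysinfo_from_kernel_layout();
    unsigned long bad = sysinfo_from_relocated_env();

    printf("walk over kernel layout:  AT_SYSINFO = %#lx (%s)\n", good,
           plausible_code_address(good) ? "plausible" : "rejected");
    printf("walk over relocated envp: AT_SYSINFO = %#lx (%s)\n", bad,
           plausible_code_address(bad) ? "plausible" : "rejected");
    printf("getauxval(AT_PAGESZ) = %lu, sysconf = %ld\n",
           reliable_pagesize(), sysconf(_SC_PAGESIZE));
    return 0;
}
```

Build with `cc -Wall example.c` on Linux (glibc or musl). The second walk returns 5 without any error indication, which is exactly the value the gdb session above shows the RTL calling through; a lookup that validates its result, or that asks the C library via getauxval(), does not depend on envp still sitting on the kernel-built stack.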
Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2010-11-02 22:11 | ZAN DoYe | New Issue | |
| 2010-11-02 22:29 | Jonas Maebe | Status | new => resolved |
| 2010-11-02 22:29 | Jonas Maebe | Resolution | open => unable to reproduce |
| 2010-11-02 22:29 | Jonas Maebe | Assigned To | => Jonas Maebe |
| 2010-11-02 22:29 | Jonas Maebe | Note Added: 0042673 | |
| 2010-11-02 22:36 | ZAN DoYe | Status | resolved => feedback |
| 2010-11-02 22:36 | ZAN DoYe | Resolution | unable to reproduce => reopened |
| 2010-11-02 22:36 | ZAN DoYe | Note Added: 0042674 | |
| 2010-11-02 22:44 | Jonas Maebe | Status | feedback => resolved |
| 2010-11-02 22:44 | Jonas Maebe | Resolution | reopened => unable to reproduce |
| 2010-11-02 22:44 | Jonas Maebe | Note Added: 0042675 | |
| 2010-11-02 23:01 | Jonas Maebe | Note Edited: 0042675 | |
| 2010-11-02 23:27 | ZAN DoYe | Status | resolved => feedback |
| 2010-11-02 23:27 | ZAN DoYe | Resolution | unable to reproduce => reopened |
| 2010-11-02 23:27 | ZAN DoYe | Note Added: 0042677 | |
| 2010-11-02 23:29 | ZAN DoYe | Note Edited: 0042677 | |
| 2010-11-02 23:30 | Jonas Maebe | FPCOldBugId | => 0 |
| 2010-11-02 23:30 | Jonas Maebe | Assigned To | Jonas Maebe => |
| 2010-11-02 23:30 | Jonas Maebe | Status | feedback => new |
| 2010-11-02 23:30 | Jonas Maebe | Resolution | reopened => open |
| 2010-11-02 23:37 | Jonas Maebe | Note Added: 0042679 | |
| 2010-11-03 00:33 | ZAN DoYe | Note Added: 0042680 | |
| 2010-11-03 09:58 | Jonas Maebe | Note Added: 0042699 | |
| 2010-11-03 12:03 | Jonas Maebe | Note Added: 0042706 | |
| 2010-11-06 20:21 | Florian | Note Added: 0042835 | |
| 2010-11-10 15:47 | ZAN DoYe | Note Added: 0042946 | |
| 2012-01-20 22:02 | Marco van de Voort | Note Added: 0055898 | |
| 2012-01-20 22:02 | Marco van de Voort | Status | new => confirmed |
| 2012-01-21 00:22 | Marco van de Voort | Note Edited: 0055898 | |
| 2012-01-21 00:33 | Marco van de Voort | Note Edited: 0055898 | |
| 2012-01-21 00:36 | Marco van de Voort | Note Edited: 0055898 | |
| 2013-04-23 16:54 | Sergei Gorelkin | Note Added: 0067122 | |