Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-10-17 Thread Niels Möller
Magnus Holmgren writes:

> The problem rather seems to be the missing #include "lsh_string.h". Implicit 
> declarations probably are extra bad with -fPIE.

Thanks!

I just tried compiling after ./configure --with-tcpwrappers. Which
results in a warning on lsh_get_cstring being undeclared. It compiles
without warnings after adding that missing include. (Apparently no
warnings about the incorrect UNUSED...).

Let me see if I can understand the way it fails (the fix, adding the
missing include, is the same either way, of course).

lsh_get_cstring returns a pointer, while an implicitly declared function
will be assumed to return int. And on x86_64, int is of a smaller size
than a pointer, so it's a very real difference. And the compiler is free
to ignore the high part, so it compiles it to something like

  call lsh_get_cstring
  mov %eax, %edx ;; pass 32-bit return value as argument for next call
  ... setup other args for the call ...
  call request_init

while with a correct declaration, it must generate

  mov %rax, %rdx ;; copy all 64 bits

The 32-bit mov above doesn't leave the high half of %rdx unchanged;
instead, it is always cleared. Which means that the above code will work
nonetheless in case all pointers occurring at runtime happen to have the
high 32 bits all zeros. In this case, memory for strings is always
allocated using malloc.

So my guess is that traditionally, malloc returns small addresses if
possible, while -fPIE implies that memory returned by malloc is mapped
at randomized locations where the high 32 bits are almost never zero?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.



Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-10-17 Thread Magnus Holmgren
On Tuesday, 11 October 2016 at 15:53:34 CEST, Niels Möller wrote:
> I see one other odd thing when reading this code. The UNUSED declaration
> of the first argument is wrong; maybe recent gcc omits code related to
> that argument? You could try deleting that, and see if it makes a
> difference.

The problem rather seems to be the missing #include "lsh_string.h". Implicit 
declarations probably are extra bad with -fPIE.

-- 
Magnus Holmgren  holmg...@debian.org
Debian Developer



Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-10-11 Thread Niels Möller
Steve Beattie writes:

> This is an issue for lsh-utils in Ubuntu as well. I attempted to
> manually reproduce the lsh-2-test failure and this is the backtrace I
> got when the lsh server segv'ed:

Thanks a lot! This narrows it down quite a bit.

> (gdb) bt full
> #0  __strncpy_sse2_unaligned () at 
> ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
> No locals.
> #1  0x7fb1fe1ec0aa in ?? () from /lib/x86_64-linux-gnu/libwrap.so.0
> No symbol table info available.
> #2  0x7fb1fe1ec2c9 in request_init () from 
> /lib/x86_64-linux-gnu/libwrap.so.0
> No symbol table info available.
> #3  0x557c03c3abaa in do_tcp_wrapper (s=0x557c045eba20, a=0x557c045ec740, 
> c=0x557c045ec7c0, e=) at io_commands.c:347
> lv = 0x557c045ec740
> res = {fd = -1, user = '\000' , daemon = 
> "unknown", '\000' , pid = "15613\000\000\000\000", client 
> = {{
>   name = '\000' , addr = '\000'  times>, sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, server = {{
>   name = '\000' , addr = '\000'  times>, sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, sink = 0x0,
>   hostname = 0x0, hostaddr = 0x0, cleanup = 0x0, config = 0x0}
> #4  0x557c03c382ab in do_listen_callback (s=0x557c045ec370, fd= out>) at io.c:769
> self = 0x557c045ec370
> peer = {ss_family = 2,
>   __ss_padding = "\266\n\177\000\000\001", '\000' , 
> "\a\000\000\000\000\000\000\000\201J\305\003|U\000\000\360\303^\004|U", 
> '\000' , "\001", '\000' , 
> "\360$%\207\374\177\000\000\001\000\000\000\000\000\000\000\003\000\000\000\374\177\000\000$\000\000\000\000\000\000\000\b\000\000\000\000\000\000",
>  __ss_align = 140722575844800}
> addr_len = 16
> conn = 

I see nothing obviously wrong here, except that I don't understand where
gdb picks up the peer, addr_len and conn variables at the end.

It would probably be helpful to add a breakpoint on do_tcp_wrapper and
examine the variables.

Assuming that the bug is not inside tcpwrappers itself, I think the most
likely way this can crash is if the service name,
lsh_get_cstring(self->name), is NULL when passed to request_init, since
that's the only pointer argument to the function. It shouldn't be NULL,
of course.

I see one other odd thing when reading this code. The UNUSED declaration
of the first argument is wrong; maybe recent gcc omits code related to
that argument? You could try deleting that, and see if it makes a
difference.

It may also be useful to run lshd under valgrind, in case the crash is
caused by some earlier invalid memory accesses.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.



Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-10-10 Thread Steve Beattie
Hi,

This is an issue for lsh-utils in Ubuntu as well. I attempted to
manually reproduce the lsh-2-test failure and this is the backtrace I
got when the lsh server segv'ed:

Program received signal SIGSEGV, Segmentation fault.
__strncpy_sse2_unaligned () at 
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296 ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or 
directory.

(gdb) bt full
#0  __strncpy_sse2_unaligned () at 
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
No locals.
#1  0x7fb1fe1ec0aa in ?? () from /lib/x86_64-linux-gnu/libwrap.so.0
No symbol table info available.
#2  0x7fb1fe1ec2c9 in request_init () from 
/lib/x86_64-linux-gnu/libwrap.so.0
No symbol table info available.
#3  0x557c03c3abaa in do_tcp_wrapper (s=0x557c045eba20, a=0x557c045ec740, 
c=0x557c045ec7c0, e=) at io_commands.c:347
lv = 0x557c045ec740
res = {fd = -1, user = '\000' , daemon = "unknown", 
'\000' , pid = "15613\000\000\000\000", client = {{
  name = '\000' , addr = '\000' , sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, server = {{
  name = '\000' , addr = '\000' , sin = 0x0, unit = 0x0, request = 0x7ffc87252000}}, sink = 0x0,
  hostname = 0x0, hostaddr = 0x0, cleanup = 0x0, config = 0x0}
#4  0x557c03c382ab in do_listen_callback (s=0x557c045ec370, fd=) at io.c:769
self = 0x557c045ec370
peer = {ss_family = 2,
  __ss_padding = "\266\n\177\000\000\001", '\000' , 
"\a\000\000\000\000\000\000\000\201J\305\003|U\000\000\360\303^\004|U", '\000' 
, "\001", '\000' , 
"\360$%\207\374\177\000\000\001\000\000\000\000\000\000\000\003\000\000\000\374\177\000\000$\000\000\000\000\000\000\000\b\000\000\000\000\000\000",
 __ss_align = 140722575844800}
addr_len = 16
conn = 
#5  0x557c03c370f7 in lsh_oop_fd_read_callback (s=, 
fileno=, event=, data=0x557c045ec3f0) at io.c:146
fd = 0x557c045ec3f0
#6  0x7fb1fddc522c in oop_sys_run_once () from /usr/lib/liboop.so.4
No symbol table info available.
#7  0x7fb1fddc5559 in oop_sys_run () from /usr/lib/liboop.so.4
No symbol table info available.
#8  0x557c03c37700 in io_run () at io.c:367
res = 
#9  0x557c03c29f2a in main (argc=, argv=) at 
lshd.c:1278
mode = DAEMON_NORMAL
resources = 0x557c045d0010
keys = 0x557c045d0050
fds = 
r = {rlim_cur = 18446744073709551615, rlim_max = 18446744073709551615}

Thanks!

-- 
Steve Beattie

http://NxNW.org/~steve/




Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-09-28 Thread Niels Möller
Balint Reczey writes:

> The rebuild tested if packages are ready for a transition
> enabling PIE and bindnow for amd64.
>
> For more information about the changes to sid's dpkg and GCC please
> visit:
>  https://wiki.debian.org/Hardening/PIEByDefaultTransition
>
> Relevant part (hopefully):
> ...
> Testing lshd
> lshd pid: 28352
> Testing /<>/src/testsuite/rapid7-ssh-pdu/001.pdu
> ./rapid7-lshd-test: 20: kill: No such process
>
> Server died

Some kind of backtrace or the like would help to understand why the
server (lshd) died unexpectedly.

I don't fully understand what "bindnow" means here. The only related known
problem I'm aware of is nettle's use of ifunc, which doesn't work quite
as expected. Use of ifunc was disabled in nettle-3.2, but it breaks
--enable-fat builds of nettle-3.1 and 3.1.1; they crash if dlopen'ed
with RTLD_NOW. lsh itself does nothing special as far as I'm aware.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.



Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-09-28 Thread Graham Inggs
Hi Maintainer

I'm seeing the same behaviour in Ubuntu Yakkety where PIE is enabled
by default on amd64.
With the patch below in place, the tests complete normally and the
build is successful.

--- a/debian/rules
+++ b/debian/rules
@@ -34,7 +34,7 @@
 --enable-agent-forward --enable-ipv6 --enable-utmp \
 --with-zlib --with-tcpwrappers --with-sshd1=/usr/sbin/sshd \
 --with-x XAUTH_PROGRAM=/usr/bin/xauth \
-$(shell DEB_LDFLAGS_MAINT_PREPEND="-Wl,-z,defs
-Wl,--as-needed" dpkg-buildflags --export=configure)
+$(shell DEB_LDFLAGS_MAINT_PREPEND="-Wl,-z,defs
-Wl,--as-needed" DEB_CFLAGS_MAINT_APPEND="-no-pie" dpkg-buildflags
--export=configure)

 build: build-stamp
 build-stamp:  config.status
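Review bot: the `DEB_CFLAGS_MAINT_APPEND="-no-pie"` added in this hunk switches off PIE for the whole package instead of addressing whatever makes the binary crash when linked as PIE, so it masks the defect rather than fixing it, which the message itself acknowledges. Note also that `-no-pie` is a link-stage option (the compile-stage counterpart is `-fno-pie`); putting it in CFLAGS only works because the configure-generated makefiles pass CFLAGS on the link line as well, so if a temporary workaround were kept it belongs in LDFLAGS (`DEB_LDFLAGS_MAINT_APPEND`). The `$(shell ...)` invocation appears wrapped over three lines here; make sure the actual debian/rules keeps it on one logical line, since a line break inside the quoted `DEB_LDFLAGS_MAINT_PREPEND` value would break the rule.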

I am not proposing this as a solution, I am only confirming that it is
related to PIE.

Regards
Graham



Bug#837665: lsh-utils: FTBFS with bindnow and PIE enabled

2016-09-13 Thread Balint Reczey
Source: lsh-utils
Version: 2.1-9
Severity: important
User: bal...@balintreczey.hu
Usertags: pie-bindnow-20160906
Justification: FTBFS on amd64 with extra hardening

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64 with patched GCC and dpkg.

The rebuild tested if packages are ready for a transition
enabling PIE and bindnow for amd64.

For more information about the changes to sid's dpkg and GCC please
visit:
 https://wiki.debian.org/Hardening/PIEByDefaultTransition

Relevant part (hopefully):
...
Testing lshd
lshd pid: 28352
Testing /<>/src/testsuite/rapid7-ssh-pdu/001.pdu
./rapid7-lshd-test: 20: kill: No such process

Server died
./rapid7-lshd-test: 1: kill: No such process

FAIL: rapid7-lshd
lsh, test login, login-auth-mode
lshd pid: 28374
cmp: EOF on test.out2
lsh-login-test: Error, files are different.
./login-auth-test: 1: kill: No such process

FAIL: login-auth
lshd, no-auth-test
lshd: All user authentication methods disabled.
Try `lshd --help' or `lshd --usage' for more information.
PASS: lshd-no-auth
Testing lshd with random input
lshd pid: 28406
Trying seed 1
./lshd-random-input-test: 21: kill: No such process

Server died
./lshd-random-input-test: 1: kill: No such process

FAIL: lshd-random-input
=
22 of 51 tests failed
=
...

The full build log is available from:
 
https://people.debian.org/~rbalint/build-logs/pie-bindnow-20160906/lsh-utils_2.1-9_amd64.build.gz

Thanks,
Balint