Re: [Libguestfs] libldm crashes in a linux-sandbox context

2023-06-21 Thread Vincent MAILHOL
Hi Richard and Lersek,

Thanks for your help on this issue and thanks for picking up my patch
and applying it upstream!

On Tue. 20 June 2023 at 17:10, Richard W.M. Jones wrote:
> I think you've solved the problem now, but for future reference you
> can run:
>
>   $ virt-rescue

Perfect! This last comment was what I needed for my final investigation.

The UUID 65534 problem showed up again. Within the qemu VM, the active
user is indeed root.

However,

  $ ls -al /bin/mount
  -rwsr-xr-x 1 65534 65534 55528 May 30 15:42 /bin/mount

Where 65534 corresponds to the user "nobody" and the group "nogroup".
So the root cause was that the bazel sandbox created an environment in
which SUID programs had a different UID and GID than expected. The
guestfs-tools would just copy those IDs when creating the qemu rootfs.
Even if /bin/mount was executed as root, the SUID makes it run
effectively as nobody. This is kind of comical: it is the first time
that I see a SUID resulting in a drop of privilege ¯\_(ツ)_/¯.

At this point, I just gave up on using the bazel sandbox for the
particular target in which I need guestfs-tools.

For the record, and in case anyone has the same issue as I did and
finds this thread, the sandbox can be disabled for a particular target
by using the "no-sandbox" tag. Example:

  genrule(
      name = "rootfs",
      srcs = ["rootfs.tar"],
      outs = ["rootfs.ext4"],
      tags = ["no-sandbox"],
      cmd = "virt-make-fs --format=raw --type=ext4 --size=+500M $< $@",
  )


Yours sincerely,
Vincent Mailhol

___
Libguestfs mailing list
Libguestfs@redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
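
A check for the condition described in the message above, as an added example that is not part of the original post or of libguestfs: it lists set-id files in a tree whose numeric owner differs from the expected one, which is how /bin/mount showed up as 65534:65534. The function name `audit_setid_owner`, the demo tree and the default expected IDs of 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report set-id files whose numeric
# owner is not the ID they are expected to run as.

# audit_setid_owner TREE [UID] [GID]
#   TREE  directory to scan (for example the root the appliance is built from)
#   UID   expected owner of setuid files (assumed default: 0)
#   GID   expected group of setgid files (assumed default: 0)
# Prints one "ls -ldn" line per offending file; returns 1 if any were found.
audit_setid_owner() {
    tree=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    found=$(
        # setuid bit set, but the file belongs to another user
        find "$tree" -type f -perm -4000 ! -user "$want_uid" \
            -exec ls -ldn {} + 2>/dev/null
        # setgid bit set, but the file belongs to another group
        find "$tree" -type f -perm -2000 ! -group "$want_gid" \
            -exec ls -ldn {} + 2>/dev/null
    )
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Demo on a constructed tree: one setuid file owned by the invoking user.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/mount" && chmod 4755 "$tmp/bin/mount"
    : > "$tmp/bin/ls" && chmod 0755 "$tmp/bin/ls"
    me=$(id -u)
    echo "expecting uid $me (matches the file owner):"
    audit_setid_owner "$tmp" "$me" "$(id -g)" && echo "  clean"
    echo "expecting uid $((me + 1)) (owner differs from the expected ID):"
    audit_setid_owner "$tmp" "$((me + 1))" "$(id -g)" || echo "  mismatch reported"
    rm -rf "$tmp"
}

# With arguments: audit the given tree. Without: run the demo.
if [ "$#" -gt 0 ]; then
    audit_setid_owner "$@"
    exit $?
fi
demo
```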


[Libguestfs] [PATCH v3] ldmtool: fix NULL pointer dereference

2023-06-20 Thread Vincent Mailhol
If /sys/block can not be opened, get_devices() returns NULL.

cmdline() does not check this result and below code snippet:

  scanned = get_devices();
  devices = (gchar **) scanned->data;

results in a segmentation fault.

Add a check on scanned.

Relevant logs:

  Unable to open /sys/block: No such file or directory
  [0.777352] ldmtool[164]: segfault at 0 ip 563a225cd6a5 sp 7ffe54965a60 error 4 in ldmtool[563a225cb000+3000]
  [0.778278] Code: 18 64 48 33 1c 25 28 00 00 00 75 5e 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 e8 db fd ff ff <4c> 8b 20 48 89 44 24 08 4c 89 e7 e8 0b e1 ff ff 45 31 c0 4c 89 e1

Fixes: 25d9635e4ee5 ("Add ldmtool")
Signed-off-by: Vincent Mailhol 
---

* Changelog *

v2 -> v3

  * Fix the From: tag (incorrect e-mail address, sorry for the noise).

v1 -> v2

  * Directly return FALSE instead of goto error. Jumping to the error
label bypasses jb's declaration thus resulting in an undefined
behavior.

---
 src/ldmtool.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ldmtool.c b/src/ldmtool.c
index 6957c1a..dbe2c8c 100644
--- a/src/ldmtool.c
+++ b/src/ldmtool.c
@@ -746,6 +746,8 @@ cmdline(LDM * const ldm, gchar **devices,
 GArray * scanned = NULL;
 if (!devices) {
 scanned = get_devices();
+if (!scanned)
+return FALSE;
 devices = (gchar **) scanned->data;
 }
 
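Review bot: the added `return FALSE;` under `if (!scanned)` exits without a message of its own, so the user-visible diagnostic depends entirely on get_devices() having already printed one, as the "Unable to open /sys/block" line in the commit log suggests it does. A short comment above the check saying that get_devices() returns NULL after reporting its own error would document that contract. It is also worth confirming that the caller of cmdline() turns FALSE into a non-zero exit status, so that a script such as the appliance's /init can detect the failure.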
-- 
2.25.1




[Libguestfs] [PATCH v2] ldmtool: fix NULL pointer dereference

2023-06-20 Thread Vincent Mailhol
From: Vincent Mailhol 

If /sys/block can not be opened, get_devices() returns NULL.

cmdline() does not check this result and below code snippet:

  scanned = get_devices();
  devices = (gchar **) scanned->data;

results in a segmentation fault.

Add a check on scanned.

Relevant logs:

  Unable to open /sys/block: No such file or directory
  [0.777352] ldmtool[164]: segfault at 0 ip 563a225cd6a5 sp 7ffe54965a60 error 4 in ldmtool[563a225cb000+3000]
  [0.778278] Code: 18 64 48 33 1c 25 28 00 00 00 75 5e 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 e8 db fd ff ff <4c> 8b 20 48 89 44 24 08 4c 89 e7 e8 0b e1 ff ff 45 31 c0 4c 89 e1

Fixes: 25d9635e4ee5 ("Add ldmtool")
Signed-off-by: Vincent Mailhol 
---

* Changelog *

v1 -> v2

  * Directly return FALSE instead of goto error. Jumping to the error
label bypasses jb's declaration thus resulting in an undefined
behavior.

---
 src/ldmtool.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ldmtool.c b/src/ldmtool.c
index 6957c1a..dbe2c8c 100644
--- a/src/ldmtool.c
+++ b/src/ldmtool.c
@@ -746,6 +746,8 @@ cmdline(LDM * const ldm, gchar **devices,
 GArray * scanned = NULL;
 if (!devices) {
 scanned = get_devices();
+if (!scanned)
+return FALSE;
 devices = (gchar **) scanned->data;
 }
 
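Review bot: the early `return FALSE;` in the new `if (!scanned)` branch bypasses the function's `error` label, so it is only equivalent to the error path if nothing set up before this point needs releasing there. In the visible context the only local is `scanned`, which is NULL on this path, so the return looks safe, but the hunk does not show what `error` cleans up. Stating in the changelog, next to the remark about jb, that no cleanup is skipped would save the next reviewer from re-checking.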
-- 
2.25.1




[Libguestfs] [PATCH v1] ldmtool: fix NULL pointer dereference

2023-06-19 Thread Vincent Mailhol
If /sys/block can not be opened, get_devices() returns NULL.

cmdline() does not check this result and below code snippet:

  scanned = get_devices();
  devices = (gchar **) scanned->data;

results in a segmentation fault.

Add a check on scanned.

Relevant logs:

  Unable to open /sys/block: No such file or directory
  [0.777352] ldmtool[164]: segfault at 0 ip 563a225cd6a5 sp 7ffe54965a60 error 4 in ldmtool[563a225cb000+3000]
  [0.778278] Code: 18 64 48 33 1c 25 28 00 00 00 75 5e 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 e8 db fd ff ff <4c> 8b 20 48 89 44 24 08 4c 89 e7 e8 0b e1 ff ff 45 31 c0 4c 89 e1

Fixes: 25d9635e4ee5 ("Add ldmtool")
Signed-off-by: Vincent Mailhol 
---
This thread did not yet show up in
  https://listman.redhat.com/archives/libguestfs/2023-June/subject.html
not sure why.

For this reason, I couldn't add a link reference.
---
 src/ldmtool.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/ldmtool.c b/src/ldmtool.c
index 6957c1a..87aaccc 100644
--- a/src/ldmtool.c
+++ b/src/ldmtool.c
@@ -746,6 +746,8 @@ cmdline(LDM * const ldm, gchar **devices,
 GArray * scanned = NULL;
 if (!devices) {
 scanned = get_devices();
+if (!scanned)
+goto error;
 devices = (gchar **) scanned->data;
 }
 
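Review bot: `goto error;` in the added check jumps forward to a label that lies outside this hunk, and such a jump is only safe if no declaration or initialisation that the `error` path relies on sits between the check and the label. The v2 changelog in this thread reports exactly that problem (the jump bypasses jb's declaration). Either return FALSE directly here, since nothing has been obtained yet when `scanned` is NULL, or move the affected declaration above the `if (!devices)` block.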
-- 
2.25.1




Re: [Libguestfs] libldm crashes in a linux-sandbox context

2023-06-19 Thread Vincent MAILHOL
On Fri. 16 June 2023 at 16:34, Richard W.M. Jones wrote:
(...)
> > Last thing, the segfault on ldmtool [1] still seems a valid issue.
> > Even if I now do have a workaround for my problem, that segfault might
> > be worth a bit more investigation.
>
> Yes that does look like a real problem.  Does it crash if you just run
> ldmtool as a normal command, nothing to do with libguestfs?  Might be
> a good idea to try to get a stack trace of the crash.

The fact is that it only crashes with the UUID 65534 in the qemu VM. I
am not sure what command line is passed to ldmtool for this crash to
occur.

I can help to gather information, but my biggest issue is that I do
not know how to interact with the VM under /tmp/.guestfs-1001/

  [0.777352] ldmtool[164]: segfault at 0 ip 563a225cd6a5 sp 7ffe54965a60 error 4 in ldmtool[563a225cb000+3000]
 ^^^
This smells like a NULL pointer dereference. The instruction pointer
being 563a225cd6a5, I installed libguestfs-tools-dbgsym and tried a:

  addr2line -e /usr/bin/ldmtool 564a892506a5

Results:

  ??:0

Without conviction, I also tried in GDB:

  $ gdb /usr/bin/ldmtool
  (...)
  Reading symbols from /usr/bin/ldmtool...
  Reading symbols from /usr/lib/debug/.build-id/21/37b4a64903ebe427c242be08b8d496ba570583.debug...
  (gdb) info line *0x564a892506a5
  No line number information available for address 0x564a892506a5

Debug symbols are correctly installed but impossible to convert that
instruction pointer into a line number. It is as if the ldmtool on my
host and the ldmtool in the qemu VM were from a different build. I
tried to mount /tmp/.guestfs-1001/appliance.d/root but that disk image
did not contain ldmtool.

I am not sure how to generate a stack trace or a core dump within that
qemu VM. If you can tell me how to get an interactive prompt (or any
other guidance) I can try to collect more information.


Yours sincerely,
Vincent Mailhol
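
An added example (not part of the original message or of libldm) for working with the segfault lines quoted in this thread: the two runs report different mapping bases for ldmtool, so the instruction pointer is only comparable between runs, or usable against the on-disk binary, once the base is subtracted. `segv_offset` is a name chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): reduce a kernel segfault line to an
# offset that does not depend on where the binary was mapped.

# segv_offset LINE
# Prints (ip - mapping base) in hex; returns 1 if LINE is not a segfault
# record or the ip lies outside the mapping the kernel reported.
segv_offset() {
    fields=$(printf '%s\n' "$1" | sed -n \
        's/.*segfault at [0-9a-f]* ip \([0-9a-f]*\) .* in [^[]*\[\([0-9a-f]*\)+\([0-9a-f]*\)].*/\1 \2 \3/p')
    [ -n "$fields" ] || return 1
    # Split "ip base size" into $1 $2 $3.
    set -- $fields
    ip=$((0x$1)) base=$((0x$2)) size=$((0x$3))
    off=$((ip - base))
    if [ "$off" -lt 0 ] || [ "$off" -ge "$size" ]; then
        return 1
    fi
    printf '0x%x\n' "$off"
}

# The two ldmtool records quoted in this thread, with the mail line wrap undone.
RUN1='[0.797233] ldmtool[164]: segfault at 0 ip 564a892506a5 sp 7fff8ee5b900 error 4 in ldmtool[564a8924e000+3000]'
RUN2='[0.777352] ldmtool[164]: segfault at 0 ip 563a225cd6a5 sp 7ffe54965a60 error 4 in ldmtool[563a225cb000+3000]'

# Different absolute addresses, same offset: both runs faulted at the same
# instruction.
for rec in "$RUN1" "$RUN2"; do
    segv_offset "$rec"
done

# The offset is relative to the start of the reported mapping. To resolve it
# with addr2line or gdb, first add the virtual address of the binary's
# executable LOAD segment (see readelf -l).
```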




Re: [Libguestfs] libldm crashes in a linux-sandbox context

2023-06-15 Thread Vincent MAILHOL
Hi Richard,

On Fri. 16 Jun. 2023 at 03:08, Richard W.M. Jones wrote:
> On Thu, Jun 15, 2023 at 09:18:38PM +0900, Vincent Mailhol wrote:
> > Hello,
> >
> > I am using libguestfs in a Bazel's linux-sandbox environment[1].
> >
> > When executing in that sandbox environment, I got frequent crashes.
> >
> > Please find attached below the results of libguestfs-test-tool when
> > run into that linux-sandbox environment. The most relevant part seems
> > to be:
> >
> >   [0.797233] ldmtool[164]: segfault at 0 ip 564a892506a5 sp 7fff8ee5b900 error 4 in ldmtool[564a8924e000+3000]
> >   [0.798117] Code: 18 64 48 33 1c 25 28 00 00 00 75 5e 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 e8 db fd ff ff <4c> 8b 20 48 89 44 24 08 4c 89 e7 e8 0b e1 ff ff 45 31 c0 4c 89 e1
> >   /init: line 154:   164 Segmentation fault  ldmtool create all
> >
> > So the root cause seems to be around libldm. This mailing list seems
> > to cover both libguestfs and libldm, so hopefully, I am at the right
> > place to ask :)
> >
> > Needless to say, when run outside of the sandbox environment, no crashes
> > were observed.
> >
> > [1] linux-sandbox.cc
> > Link: https://github.com/bazelbuild/bazel/blob/master/src/main/tools/linux-sandbox.cc
> >
> > ---
> ...
> > supermin: picked /sys/block/sdb/dev (8:16) as root device
> > supermin: creating /dev/root as block special 8:16
> > supermin: mounting new root on /root
> > [0.678248] EXT4-fs (sdb): mounting ext2 file system using the ext4 subsystem
> > [0.679832] EXT4-fs (sdb): mounted filesystem without journal. Opts: . Quota mode: none.
> > supermin: deleting initramfs files
> > supermin: chroot
> > Starting /init script ...
> > mount: only root can use "--types" option (effective UID is 65534)
> > /init: line 38: /proc/cmdline: No such file or directory
> > mount: only root can use "--types" option (effective UID is 65534)
> > mount: only root can use "--options" option (effective UID is 65534)
> > mount: only root can use "--types" option (effective UID is 65534)
> > mount: only root can use "--types" option (effective UID is 65534)
> > mount: only root can use "--options" option (effective UID is 65534)
>
> It really goes wrong from here, where apparently it's not running as
> root (instead UID 65534), even though we're supposed to be running
> inside a Linux appliance virtual machine.
>
> Any idea why that would be?
>
> I looked at the sandbox and that would run the qemu process as UID
> "nobody" (which might be 65534).  However I don't understand why that
> would affect anything running on the new kernel inside the appliance.

And you were right. It was a fact that I got a crash in the sandbox
but did not outside of it and I jumped to the conclusion that the root
cause was linked to the sandbox.

I continued the analysis and looked at all the differences between a
successful libguestfs-test-tool log and the failed one. It turned out
that the sandbox was not the cause. The culprit turns out to be the
first line of the log: TMPDIR=/tmp.

If I force TMPDIR=/var/tmp, the problem disappears!!

This gave me a minimal reproducer:

  TMPDIR=/tmp/ libguestfs-test-tool

That one crashed outside the sandbox. Next, my attention went to this line:

  libguestfs: checking for previously cached test results of /usr/bin/qemu-system-x86_64, in /tmp/.guestfs-1001

I did a:

  rm -rf /tmp/.guestfs-1001

and that solved my issue \o/

I still do not understand how I could get the issue of running as UID
65534 instead of root in the first place. I did other qemu
experimentation, so not sure how, but I somehow got a corrupted
environment under /tmp/.guestfs-1001.

Last thing, the segfault on ldmtool [1] still seems a valid issue.
Even if I now do have a workaround for my problem, that segfault might
be worth a bit more investigation.

Regardless, thanks a lot for your quick answer, that helped me to
continue the troubleshooting.

[1] ldmtool line 164
Link: https://github.com/mdbooth/libldm/blob/master/src/ldmtool.c#L164



[Libguestfs] libldm crashes in a linux-sandbox context

2023-06-15 Thread Vincent Mailhol
Hello,

I am using libguestfs in a Bazel's linux-sandbox environment[1].

When executing in that sandbox environment, I got frequent crashes.

Please find attached below the results of libguestfs-test-tool when
run into that linux-sandbox environment. The most relevant part seems
to be:

  [0.797233] ldmtool[164]: segfault at 0 ip 564a892506a5 sp 7fff8ee5b900 error 4 in ldmtool[564a8924e000+3000]
  [0.798117] Code: 18 64 48 33 1c 25 28 00 00 00 75 5e 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 00 e8 db fd ff ff <4c> 8b 20 48 89 44 24 08 4c 89 e7 e8 0b e1 ff ff 45 31 c0 4c 89 e1
  /init: line 154:   164 Segmentation fault  ldmtool create all

So the root cause seems to be around libldm. This mailing list seems
to cover both libguestfs and libldm, so hopefully, I am at the right
place to ask :)

Needless to say, when run outside of the sandbox environment, no crashes
were observed.

[1] linux-sandbox.cc
Link: https://github.com/bazelbuild/bazel/blob/master/src/main/tools/linux-sandbox.cc

---
 
 *IMPORTANT NOTICE
 *
 * When reporting bugs, include the COMPLETE, UNEDITED
 * output below in your bug report.
 *
 
TMPDIR=/tmp
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
SELinux: sh: 1: getenforce: not found
guestfs_get_append: (null)
guestfs_get_autosync: 1
guestfs_get_backend: direct
guestfs_get_backend_settings: []
guestfs_get_cachedir: /tmp
guestfs_get_hv: /usr/bin/qemu-system-x86_64
guestfs_get_memsize: 768
guestfs_get_network: 0
guestfs_get_path: /usr/lib/x86_64-linux-gnu/guestfs
guestfs_get_pgroup: 0
guestfs_get_program: libguestfs-test-tool
guestfs_get_recovery_proc: 1
guestfs_get_smp: 1
guestfs_get_sockdir: /tmp
guestfs_get_tmpdir: /tmp
guestfs_get_trace: 0
guestfs_get_verbose: 1
host_cpu: x86_64
Launching appliance, timeout set to 600 seconds.
libguestfs: launch: program=libguestfs-test-tool
libguestfs: launch: version=1.40.2
libguestfs: launch: backend registered: unix
libguestfs: launch: backend registered: uml
libguestfs: launch: backend registered: libvirt
libguestfs: launch: backend registered: direct
libguestfs: launch: backend=direct
libguestfs: launch: tmpdir=/tmp/libguestfsART0fq
libguestfs: launch: umask=0022
libguestfs: launch: euid=1001
libguestfs: begin building supermin appliance
libguestfs: run supermin
libguestfs: command: run: /usr/bin/supermin
libguestfs: command: run: \ --build
libguestfs: command: run: \ --verbose
libguestfs: command: run: \ --if-newer
libguestfs: command: run: \ --lock /tmp/.guestfs-1001/lock
libguestfs: command: run: \ --copy-kernel
libguestfs: command: run: \ -f ext2
libguestfs: command: run: \ --host-cpu x86_64
libguestfs: command: run: \ /usr/lib/x86_64-linux-gnu/guestfs/supermin.d
libguestfs: command: run: \ -o /tmp/.guestfs-1001/appliance.d
supermin: version: 5.1.20
supermin: package handler: debian/dpkg
supermin: acquiring lock on /tmp/.guestfs-1001/lock
supermin: if-newer: output does not need rebuilding
libguestfs: finished building supermin appliance
libguestfs: begin testing qemu features
libguestfs: checking for previously cached test results of /usr/bin/qemu-system-x86_64, in /tmp/.guestfs-1001
libguestfs: loading previously cached test results
libguestfs: qemu version: 4.2
libguestfs: qemu mandatory locking: yes
libguestfs: qemu KVM: enabled
libguestfs: finished testing qemu features
/usr/bin/qemu-system-x86_64 \
    -global virtio-blk-pci.scsi=off \
    -no-user-config \
    -enable-fips \
    -nodefaults \
    -display none \
    -machine accel=kvm:tcg \
    -cpu host \
    -m 768 \
    -no-reboot \
    -rtc driftfix=slew \
    -no-hpet \
    -global kvm-pit.lost_tick_policy=discard \
    -kernel /tmp/.guestfs-1001/appliance.d/kernel \
    -initrd /tmp/.guestfs-1001/appliance.d/initrd \
    -object rng-random,filename=/dev/urandom,id=rng0 \
    -device virtio-rng-pci,rng=rng0 \
    -device virtio-scsi-pci,id=scsi \
    -drive file=/tmp/libguestfsART0fq/scratch1.img,cache=unsafe,format=raw,id=hd0,if=none \
    -device scsi-hd,drive=hd0 \
    -drive file=/tmp/.guestfs-1001/appliance.d/root,snapshot=on,id=appliance,cache=unsafe,if=none,format=raw \
    -device scsi-hd,drive=appliance \
    -device virtio-serial-pci \
    -serial stdio \
    -device sga \
    -chardev socket,path=/tmp/libguestfsx6wHdq/guestfsd.sock,id=channel0 \
    -device virtserialport,chardev=channel0,name=org.libguestfs.channel.0 \
    -append "panic=1 console=ttyS0 edd=off udevtimeout=6000 udev.event-timeout=6000 no_timer_check printk.time=1 cgroup_disable=memory usbcore.nousb cryptomgr.notests tsc=reliable 8250.nr_uarts=1 root=/dev/sdb selinux=0 guestfs_verbose=1 TERM=linux"
libguestfs: responding to serial console Device Status Report
\x1b[1;256r\x1b[256;256H\x1b[6n
Google, Inc.
Serial Graphics Adapte