FS#57336 - [linux] chroot to centos 6 64bit is failing with segfault

Attached to Project: Arch Linux
Opened by Nishant Varma (nishantvarma) - Friday, 02 February 2018, 14:41 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 18 February 2018, 08:06 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 15
Private No

Details

Description:


Additional info:

* package version(s)
Kernel: 4.15.0-1-ARCH

* config and/or log files etc.

Complete!
/usr/share/lxc/templates/lxc-centos: line 405: 10316 Segmentation fault (core dumped) chroot $INSTALL_ROOT rpm --quiet -q yum 2> /dev/null
Reinstalling packages ...
mkdir: cannot create directory ‘/var/cache/lxc/centos/x86_64/6/partial/etc/yum.repos.disabled’: File exists
mv: cannot stat '/var/cache/lxc/centos/x86_64/6/partial/etc/yum.repos.d/*.repo': No such file or directory
mknod: /var/cache/lxc/centos/x86_64/6/partial//var/cache/lxc/centos/x86_64/6/partial/dev/null: File exists
mknod: /var/cache/lxc/centos/x86_64/6/partial//var/cache/lxc/centos/x86_64/6/partial/dev/urandom: File exists
/usr/share/lxc/templates/lxc-centos: line 405: 10330 Segmentation fault (core dumped) chroot $INSTALL_ROOT $YUM0 install $PKG_LIST
Failed to download the rootfs, aborting.
Failed to download 'CentOS base'
failed to install CentOS
lxc-create: centos-6.7-64bit: lxccontainer.c: create_run_template: 1473 container creation template for centos-6.7-64bit failed
lxc-create: centos-6.7-64bit: tools/lxc_create.c: main: 329 Error creating container centos-6.7-64bit


Steps to reproduce:

sudo lxc-create -n centos-6.7-64bit --template centos -- --release 6 --arch x86_64

Prerequisites:

yum

The yum installation fails from AUR. You need to modify the PKGBUILD to use:

source=("https://src.fedoraproject.org/repo/pkgs/yum/yum-3.4.3.tar.gz/7c8ea8beba5b4e7fe0c215e4ebaa26ed/yum-3.4.3.tar.gz"
"yum.patch::http://localhost:8000/yum-HEAD.patch"
'remove-init-dir-makefile.patch')
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Sunday, 18 February 2018, 08:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.15.3-2
Comment by Nishant Varma (nishantvarma) - Friday, 02 February 2018, 15:17 GMT
Here is the traceback of strace chroot:

execve("/usr/sbin/chroot", ["chroot", "/home/nishant/work/centos-6.7-64"...], 0x7ffe00fa4398 /* 28 vars */) = 0
brk(NULL) = 0x56096962b000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=307049, ...}) = 0
mmap(NULL, 307049, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3e5fe69000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\20\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2065784, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3e5fe67000
mmap(NULL, 3893488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3e5f8d9000
mprotect(0x7f3e5fa87000, 2093056, PROT_NONE) = 0
mmap(0x7f3e5fc86000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ad000) = 0x7f3e5fc86000
mmap(0x7f3e5fc8c000, 14576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3e5fc8c000
close(3) = 0
arch_prctl(ARCH_SET_FS, 0x7f3e5fe68500) = 0
mprotect(0x7f3e5fc86000, 16384, PROT_READ) = 0
mprotect(0x560968654000, 4096, PROT_READ) = 0
mprotect(0x7f3e5feb4000, 4096, PROT_READ) = 0
munmap(0x7f3e5fe69000, 307049) = 0
brk(NULL) = 0x56096962b000
brk(0x56096964c000) = 0x56096964c000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1682192, ...}) = 0
mmap(NULL, 1682192, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3e5fccc000
close(3) = 0
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/nishant", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
lstat("/home/nishant/work", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/nishant/work/centos-6.7-64bit", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/nishant/work/centos-6.7-64bit/rootfs", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chroot("/home/nishant/work/centos-6.7-64bit/rootfs") = 0
chdir("/") = 0
execve("/bin/bash", ["/bin/bash", "-i"], 0x7fff6f1964a0 /* 28 vars */) = 0
brk(NULL) = 0x15d1000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f456d607000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=49283, ...}) = 0
mmap(NULL, 49283, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f456d5fa000
close(3) = 0
open("/lib64/libtinfo.so.5", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\310\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=132408, ...}) = 0
mmap(NULL, 2228832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f456d1c7000
mprotect(0x7f456d1e4000, 2093056, PROT_NONE) = 0
mmap(0x7f456d3e3000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7f456d3e3000
mmap(0x7f456d3e7000, 608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f456d3e7000
close(3) = 0
open("/lib64/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=20024, ...}) = 0
mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f456cfc3000
mprotect(0x7f456cfc5000, 2097152, PROT_NONE) = 0
mmap(0x7f456d1c5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f456d1c5000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\356\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1924768, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f456d5f9000
mmap(NULL, 3750184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f456cc2f000
mprotect(0x7f456cdb9000, 2097152, PROT_NONE) = 0
mmap(0x7f456cfb9000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x7f456cfb9000
mmap(0x7f456cfbf000, 14632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f456cfbf000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f456d5f8000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f456d5f7000
arch_prctl(ARCH_SET_FS, 0x7f456d5f8700) = 0
mprotect(0x7f456cfb9000, 16384, PROT_READ) = 0
mprotect(0x7f456d1c5000, 4096, PROT_READ) = 0
mprotect(0x7f456d608000, 4096, PROT_READ) = 0
munmap(0x7f456d5fa000, 49283) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK) = -1 ENOENT (No such file or directory)
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
brk(NULL) = 0x15d1000
brk(0x15f3000) = 0x15f3000
readlink("/proc/self/fd/0", 0x15d1010, 4095) = -1 ENOENT (No such file or directory)
fstat(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
stat("/dev/pts", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
open("/dev/pts", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
getdents(3, /* 2 entries */, 32768) = 48
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
open("/dev", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 5 entries */, 32768) = 128
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
open("/dev", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 5 entries */, 32768) = 128
stat("/dev/..", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/dev/pts", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/dev/shm", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/dev/initctl", {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
stat("/dev/.", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=99174448, ...}) = 0
mmap(NULL, 99174448, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4566d9a000
close(3) = 0
getuid() = 0
getgid() = 0
geteuid() = 0
getegid() = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xffffffffff600400} ---
+++ killed by SIGSEGV (core dumped) +++
segmentation fault sudo strace chroot ~/work/centos-6.7-64bit/rootfs
Comment by Nishant Varma (nishantvarma) - Friday, 02 February 2018, 16:35 GMT
Can someone please change this to Testing? This issue is not happening when I removed Testing.
Comment by Eli Schwartz (eschwartz) - Sunday, 04 February 2018, 04:02 GMT
Can you please stop uploading and linking to files on shady thirdparty file hosts? This bugtracker is perfectly capable of hosting file attachments, without requiring sites that threaten to delete files after a couple months and throttle the download either way if you don't pay money.
Comment by Nishant Varma (nishantvarma) - Sunday, 04 February 2018, 11:47 GMT
The patch file's copy.
Comment by Nishant Varma (nishantvarma) - Friday, 09 February 2018, 18:50 GMT
This issue is happening in the stable repository ever since Kernel 4.15 has come in.

Centos 6.x 32 Bit just works (with linux32 chroot)
Centos 7.x 64 Bit just works

It will be nice to know if there is a way to make it work without a Kernel recompilation.
I can update that information into the Chroot Wiki as well.
Comment by Doug Newgard (Scimmia) - Friday, 09 February 2018, 19:02 GMT
This is apparently because vsyscall no longer defaults to emulation, which is good from a security standpoint.

-CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_X86_VSYSCALL_EMULATION is not set
Comment by Matteo Italia (cvtsi2sd) - Monday, 12 February 2018, 09:44 GMT
Besides the fact that I'm not particularly convinced about the extra security gain (AFAIK legacy vsyscalls can only do ''time'', ''gettimeofday'' and ''getcpu'', which I wouldn't say are particularly juicy targets for an attacker exploiting a buffer overflow), this breaks chroots and legacy applications without any useful diagnostics; we wasted a good afternoon trying to debug this issue before finding out about the change in the kernel configuration.

You should really consider re-enabling it, possibly leaving it off by default ( FS#57462  suggests ''CONFIG_X86_VSYSCALL_EMULATION=y'' but with ''CONFIG_LEGACY_VSYSCALL_NONE=y''), which:
* by default at least spits out a useful error message instead of a bare segfault;
* if the user needs to use legacy applications/chroots, he/she can re-enable the vsyscall support simply by adding an option to the kernel command line, which is way easier than having to recompile the kernel at every update.
Comment by Nishant Varma (nishantvarma) - Monday, 12 February 2018, 11:01 GMT
Do you mean at this moment kernel command line of vsyscall=emulate wouldn't work? I tested that and it didn't work. If above change will thrown an error message + optional kernel command line support, then that would be nice!

Comment by Matteo Italia (cvtsi2sd) - Monday, 12 February 2018, 11:09 GMT
Yep, the current configuration disables completely the support for vsyscall emulation, so the page where those trampolines are expected to be simply isn't ever mapped in memory, hence applications just segfaults when trying to access it.

With the suggested changes above, the kernel would always map that page, with trampolines to "error message + quit" if no option is specified (which is still not *too* bad, at least the user gets notified of what's wrong and how to fix it) and with the vsyscall emulation trampolines if the appropriate option is enabled on the kernel command line.

That being said, I'm actually inclined towards just leaving it enabled as it was in 4.14 - IMHO the security implications are minimal, and the tinfoil-hat inclined can always disable it from the kernel command line, while the rest of us who need containers, chroots and legacy applications to work can avoid the hassle of fiddling with GRUB configuration.
Comment by Mauro Santos (R00KIE) - Monday, 12 February 2018, 11:43 GMT
Having to fiddle with the bootloader configuration is fine by me, it's a set once and forget thing. On the other hand having to recompile the kernel or reboot to 4.14 (1) to use a chroot is not practical.

(1) For now, in time a new lts will replace 4.14 and the new lts might also have vsyscall completely disabled.
Comment by Matteo Beniamino (mbeniamino) - Friday, 16 February 2018, 07:27 GMT
Same here, there are some use cases for which enabling vsyscall emulation makes sense (old tools and containers, for instance). In my case an old crosscompiler I'm still using for development segfaults with newer kernels without any clear warning to help tracing back the reason. Also, to my understanding, the feature is not unsafe per-se, but it just offers a hypothetical way to escalate a bug somewhere else, so IMHO it makes sense to allow the user to at least opt-in via a kernel command line switch, if not even leaving it enabled by default.
Comment by loqs (loqs) - Saturday, 17 February 2018, 23:47 GMT
Can you test if this is fixed in linux 4.15.3-2 / linux 4.15.4-1 which have CONFIG_X86_VSYSCALL_EMULATION=y
Comment by Doug Newgard (Scimmia) - Sunday, 18 February 2018, 00:14 GMT
You'll probably still need the kernel command line option to turn it on.
Comment by Nishant Varma (nishantvarma) - Sunday, 18 February 2018, 07:21 GMT
With vsyscall=emulate, it works fine now. Thanks all, Scimmia especially for kicking off this thread! How do we resolve this with the proper solution?
Comment by Jan Alexander Steffens (heftig) - Sunday, 18 February 2018, 08:05 GMT
vsyscall=emulate is the proper solution.

Loading...