Your message dated Wed, 24 Apr 2013 09:02:33 +0000
with message-id <[email protected]>
and subject line Bug#698064: fixed in aranym 0.9.13-4
has caused the Debian Bug report #698064,
regarding aranym: crashes from guest userspace when NatFeat is queried
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
698064: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698064
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: aranym
Version: 0.9.14-2
Severity: grave
Tags: security
Justification: user security hole

When running the program whose source code follows below the report,
compiled with the following command:

gcc -Os -fno-asynchronous-unwind-tables \
    -fno-stack-protector -static -o nfimvirt \
    nfimvirt.c nfimvrth.S

Inside a Debian/m68k guest on ARAnyM running on Debian sid, the guest
crashes the virtualisation:

Gotcha! Illegal memory access. Atari PC = $80000468
If the Full History was enabled you would see the last 20 instructions here.

The program is intended to use NatFeat, as per the specs, to figure out
whether it runs under emulation or not.

The severity stems from this virtualisation escape: an error or SIGILL
or SIGBUS would be an acceptable failure mode, but the guest must not
DoS the emulation (this would make offering Debian Porterboxen
impossible, for one).

This is not exactly a new issue, I think Wouter reported similar
findings in the imvirt wishlist bugreport.

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.11.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `#!/bin/sh' line above, then type `sh FILE'.
#
lock_dir=_sh29846
# Made on 2013-01-13 18:48 UTC by <[email protected]>.
# Source directory was `/root'.
#
# Existing files will *not* be overwritten, unless `-c' is specified.
#
# This shar contains:
# length mode       name
# ------ ---------- ------------------------------------------
#   2779 -rw-r--r-- nfimvirt.c
#    447 -rw-r--r-- nfimvrth.S
#
MD5SUM=${MD5SUM-md5sum}
f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
test -n "${f}" && md5check=true || md5check=false
${md5check} || \
  echo 'Note: not verifying md5sums.  Consider installing GNU coreutils.'
if test "X$1" = "X-c"
then keep_file=''
else keep_file=true
fi
echo=echo
save_IFS="${IFS}"
IFS="${IFS}:"
gettext_dir=
locale_dir=
set_echo=false

for dir in $PATH
do
  if test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    case `$dir/gettext --version 2>&1 | sed 1q` in
      *GNU*) gettext_dir=$dir
      set_echo=true
      break ;;
    esac
  fi
done

if ${set_echo}
then
  set_echo=false
  for dir in $PATH
  do
    if test -f $dir/shar \
       && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
    then
      locale_dir=`$dir/shar --print-text-domain-dir`
      set_echo=true
      break
    fi
  done

  if ${set_echo}
  then
    TEXTDOMAINDIR=$locale_dir
    export TEXTDOMAINDIR
    TEXTDOMAIN=sharutils
    export TEXTDOMAIN
    echo="$gettext_dir/gettext -s"
  fi
fi
IFS="$save_IFS"
if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
then if (echo -n test; echo 1,2,3) | grep n >/dev/null
     then shar_n= shar_c='
'
     else shar_n=-n shar_c= ; fi
else shar_n= shar_c='\c' ; fi
f=shar-touch.$$
st1=200112312359.59
st2=123123592001.59
st2tr=123123592001.5 # old SysV 14-char limit
st3=1231235901

if   touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
     test ! -f ${st1} && test -f ${f}; then
  shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'

elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
     test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'

elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
     test ! -f ${st3} && test -f ${f}; then
  shar_touch='touch -am $3$4$5$6$2 "$8"'

else
  shar_touch=:
  echo
  ${echo} 'WARNING: not restoring timestamps.  Consider getting and installing GNU `touch'\'', distributed in GNU coreutils...'
  echo
fi
rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
#
if test ! -d ${lock_dir} ; then :
else ${echo} "lock directory ${lock_dir} exists"
     exit 1
fi
if mkdir ${lock_dir}
then ${echo} "x - created lock directory ${lock_dir}."
else ${echo} "x - failed to create lock directory ${lock_dir}."
     exit 1
fi
# ============= nfimvirt.c ==============
if test -n "${keep_file}" && test -f 'nfimvirt.c'
then
${echo} "x - SKIPPING nfimvirt.c (file already exists)"

else
${echo} "x - extracting nfimvirt.c (text)"
  sed 's/^X//' << 'SHAR_EOF' > 'nfimvirt.c' &&
#include <sys/types.h>
#include <sys/mman.h>
#include <err.h>
#include <signal.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
X
#ifndef __GNUC__
#error This file makes use of GNU C extensions.
#endif
X
extern long nf_get_id_asm(const char *feature_name)
X	    asm("nf_get_id_asm")
X	    __attribute__((__cdecl__, __regparm__(0)));
extern long nf_call_asm(unsigned long feature_id, ...)
X	    asm("nf_call_asm")
X	    __attribute__((__cdecl__, __regparm__(0)));
X
volatile sig_atomic_t got_sigill;
X
void sigill_handler(int sigraised);
long nf_get_id(const char *feature_name);
X
#define nf_call2(id, subid, ...) __extension__({		\
X	long nf_call2_res;					\
X	unsigned long nf_call2_fid;				\
X								\
X	if (got_sigill)						\
X		errx(2, "nf_call2: previous unhandled SIGILL");	\
X	nf_call2_fid = (unsigned long)(id) | (unsigned long)(subid); \
X	nf_call2_res = nf_call_asm(nf_call2_fid, ## __VA_ARGS__); \
X	if (got_sigill)						\
X		errx(2, "nf_call2: SIGILL for %08lX", nf_call2_fid); \
X	(nf_call2_res);						\
})
X
#ifdef __KLIBC__
void err(int, const char *, ...)
X	    __attribute__((__noreturn__, __format__(__printf__, 2, 3)));
void errx(int, const char *, ...)
X	    __attribute__((__noreturn__, __format__(__printf__, 2, 3)));
#endif
X
int
main(void)
{
X	long NF_NAME, NF_VERSION, sres;
X	char *buf;
X	unsigned long bufsz = 0, ures;
X	int pgsz;
X
X	if ((pgsz = getpagesize()) <= 0 || pgsz > 0x10000000)
X		err(2, "getpagesize() returned %d", pgsz);
X	while (bufsz < 4096)
X		bufsz += pgsz;
X	if ((buf = mmap(NULL, (size_t)bufsz, PROT_READ | PROT_WRITE,
X	    MAP_ANON | MAP_PRIVATE, 0, (off_t)0)) == MAP_FAILED)
X		err(2, "mmap() %lu bytes failed", bufsz);
X	if (mlock(buf, bufsz))
X		err(2, "mlock() failed");
X
X	got_sigill = 0;
X	if (signal(SIGILL, sigill_handler) == SIG_ERR)
X		err(2, "cannot install SIGILL handler");
X
X	if ((NF_NAME = nf_get_id("NF_NAME")) == -1L) {
X		printf("Physical (no NatFeat)\n");
X		return (0);
X	}
X	if ((NF_VERSION = nf_get_id("NF_VERSION")) == -1L) {
X		printf("Ambiguous (broken NatFeat)\n");
X		return (1);
X	}
X
X	sres = nf_call2(NF_VERSION, 0);
X	ures = nf_call2(NF_NAME, 0, buf, bufsz);
X	buf[bufsz - 1] = 0;
X	printf("NatFeat v%d.%d (Emulator%s: %s)", (int)((sres >> 16) & 0xFFFF),
X	    (int)(sres & 0xFFFF), ures >= bufsz ? " (truncated)" : "", buf);
X	ures = nf_call2(NF_NAME, 1, buf, bufsz);
X	buf[bufsz - 1] = 0;
X	printf(" on%s: %s\n", ures >= bufsz ? " (truncated)" : "", buf);
X
X	/* munlock, munmap, signal */
X
X	return (0);
}
X
long
nf_get_id(const char *feature_name)
{
X	long res;
X
X	if (got_sigill)
X		errx(2, "nf_get_id: previous unhandled SIGILL");
X	res = nf_get_id_asm(feature_name);
X	if (got_sigill) {
X		got_sigill = 0;
X		return (-1L);
X	}
X	return (res & 0xFFF00000);
}
X
void
sigill_handler(int sigraised __attribute__((__unused__)))
{
X	got_sigill = 1;
}
SHAR_EOF
  (set 20 13 01 13 18 41 08 'nfimvirt.c'
   eval "${shar_touch}") && \
  chmod 0644 'nfimvirt.c'
if test $? -ne 0
then ${echo} "restore of nfimvirt.c failed"
fi
  if ${md5check}
  then (
       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'nfimvirt.c': 'MD5 check failed'
       ) << \SHAR_EOF
4715c8dcdd33d3297720a5e0617501ba  nfimvirt.c
SHAR_EOF

else
test `LC_ALL=C wc -c < 'nfimvirt.c'` -ne 2779 && \
  ${echo} "restoration warning:  size of 'nfimvirt.c' is not 2779"
  fi
fi
# ============= nfimvrth.S ==============
if test -n "${keep_file}" && test -f 'nfimvrth.S'
then
${echo} "x - SKIPPING nfimvrth.S (file already exists)"

else
${echo} "x - extracting nfimvrth.S (text)"
  sed 's/^X//' << 'SHAR_EOF' > 'nfimvrth.S' &&
X	.text
X
X	.p2align 2
X	.globl nf_get_id_asm
#ifdef __ELF__
X	.type nf_get_id_asm,@function
#endif
nf_get_id_asm:
X	.byte 0x73	/* NatFeat */
X	.byte 0x00	/* nf_get_id */
X	rts
#ifdef __ELF__
X	.size nf_get_id_asm, . - nf_get_id_asm
#endif
X
X	.p2align 2
X	.globl nf_call_asm
#ifdef __ELF__
X	.type nf_call_asm,@function
#endif
nf_call_asm:
X	.byte 0x73	/* NatFeat */
X	.byte 0x01	/* nf_call */
X	rts
#ifdef __ELF__
X	.size nf_call_asm, . - nf_call_asm
#endif
SHAR_EOF
  (set 20 13 01 13 18 08 36 'nfimvrth.S'
   eval "${shar_touch}") && \
  chmod 0644 'nfimvrth.S'
if test $? -ne 0
then ${echo} "restore of nfimvrth.S failed"
fi
  if ${md5check}
  then (
       ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'nfimvrth.S': 'MD5 check failed'
       ) << \SHAR_EOF
c0e9906c254931d54f4716dcb42271c9  nfimvrth.S
SHAR_EOF

else
test `LC_ALL=C wc -c < 'nfimvrth.S'` -ne 447 && \
  ${echo} "restoration warning:  size of 'nfimvrth.S' is not 447"
  fi
fi
if rm -fr ${lock_dir}
then ${echo} "x - removed lock directory ${lock_dir}."
else ${echo} "x - failed to remove lock directory ${lock_dir}."
     exit 1
fi
exit 0

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

Versions of packages aranym depends on:
ii  libc6            2.13-38
ii  libgcc1          1:4.7.2-4
ii  libgmp10         2:5.0.5+dfsg-2
ii  libmpfr4         3.1.0-5
ii  libsdl-image1.2  1.2.12-2
ii  libsdl1.2debian  1.2.15-5
ii  libstdc++6       4.7.2-4
ii  libusb-1.0-0     2:1.0.12-2
ii  libx11-6         2:1.5.0-1
ii  zlib1g           1:1.2.7.dfsg-13

Versions of packages aranym recommends:
ii  bridge-utils   1.5-6
ii  uml-utilities  20070815-1.3

aranym suggests no packages.

-- no debconf information
--- End Message ---
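Added example, not the reporter's code and not part of the bug report above: the report names a SIGILL or SIGBUS inside the guest as the acceptable outcome of an unanswered NatFeat probe, so a guest-side probe has to be written to survive exactly that outcome. Returning from a SIGILL handler resumes at the faulting instruction, which is why the portable pattern is to sigsetjmp before the probe and siglongjmp out of the handler. The block below shows that pattern. The m68k NatFeat opcode cannot run here, so it uses two constructed stand-ins: probe_answered returns a constructed version word in the NatFeat major/minor layout, and probe_rejected executes __builtin_trap(), the instruction the host CPU refuses (SIGILL on x86, SIGTRAP on AArch64). probe_feature, probe_fault and the demo_* functions are names introduced for this example only.

```c
/* Fault-tolerant feature probe (added example; hypothetical names). */
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define NPROBE_SIGS 4
/* The signals an unimplemented or refused instruction can produce. */
static const int probe_sigs[NPROBE_SIGS] = { SIGILL, SIGBUS, SIGSEGV, SIGTRAP };

static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed;

static void
probe_fault(int sig)
{
	if (probe_armed) {
		probe_armed = 0;
		/* Leave the handler without returning to the faulting
		 * instruction; sigsetjmp() below then returns sig. */
		siglongjmp(probe_env, sig);
	}
	/* A fault outside a probe is a real bug: fall back to the
	 * default action so the process dies the normal way. */
	signal(sig, SIG_DFL);
	raise(sig);
}

/*
 * Run fn() with the fault signals trapped.  Returns 0 and stores fn's
 * result in *out when fn returns normally; returns the signal number
 * when fn faulted.  The previous handlers are restored either way.
 */
int
probe_feature(long (*fn)(void), long *out)
{
	struct sigaction sa, old[NPROBE_SIGS];
	volatile int i;
	volatile int faulted;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = probe_fault;
	sigemptyset(&sa.sa_mask);
	for (i = 0; i < NPROBE_SIGS; i++)
		sigaction(probe_sigs[i], &sa, &old[i]);

	probe_armed = 1;
	/* savesigs=1: siglongjmp() also restores the signal mask, so the
	 * signal blocked while the handler ran is unblocked again. */
	faulted = sigsetjmp(probe_env, 1);
	if (faulted == 0) {
		*out = fn();
		probe_armed = 0;
	}

	for (i = 0; i < NPROBE_SIGS; i++)
		sigaction(probe_sigs[i], &old[i], NULL);
	return faulted;
}

/* Stand-in for a query the emulator answers.  Constructed value in the
 * NatFeat layout (major in the high 16 bits, minor in the low): v1.0. */
static long
probe_answered(void)
{
	return 0x00010000L;
}

/* Stand-in for the NatFeat opcode on a CPU that does not implement it:
 * __builtin_trap() emits an instruction the host refuses to execute. */
static long
probe_rejected(void)
{
	__builtin_trap();
}

/* 1 if the rejected probe faulted and the process survived it. */
int
demo_rejected_probe_faults(void)
{
	long v = -1;
	return probe_feature(probe_rejected, &v) != 0;
}

/* The answered probe's value, or -1 if it unexpectedly faulted. */
long
demo_answered_probe_value(void)
{
	long v = -1;
	if (probe_feature(probe_answered, &v) != 0)
		return -1;
	return v;
}

int
main(void)
{
	long v = 0;
	int sig;

	sig = probe_feature(probe_answered, &v);
	printf("answered probe: sig=%d value=v%ld.%ld\n", sig,
	    (v >> 16) & 0xFFFF, v & 0xFFFF);
	sig = probe_feature(probe_rejected, &v);
	printf("rejected probe: sig=%d (%s)\n", sig,
	    sig ? "fault caught, process still alive" : "no fault");
	return 0;
}
```

The point of the wrapper is the failure mode the report asks for: when the probed instruction is refused, the guest program gets a signal number back and carries on, instead of either looping on the faulting instruction or, as in the report, taking the emulator down with it.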
--- Begin Message ---
Source: aranym
Source-Version: 0.9.13-4

We believe that the bug you reported is fixed in the latest version of
aranym, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonin Kral <[email protected]> (supplier of updated aranym package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 24 Apr 2013 08:56:45 +0200
Source: aranym
Binary: aranym
Architecture: amd64 i386 source
Version: 0.9.13-4
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Antonin Kral <[email protected]>
Changed-By: Antonin Kral <[email protected]>
Closes: 698064
Description: 
 aranym     - Atari Running on Any Machine
Changes: 
 aranym (0.9.13-4) testing-proposed-updates; urgency=low
 .
   * cherrypick patch for NatFeast problem (Closes: #698064) to get ARAnyM
     to wheezy
Checksums-Sha1: 
 bca4ce4bd143a6dd6f2064980038a7c54dede9d0 1150 aranym_0.9.13-4.dsc
 f503ef7bd3691c929c5e841f52820d9ee40759c5 8903 aranym_0.9.13-4.debian.tar.gz
 5828325869870577225d75dcc9b71b61f7b60657 1924390 aranym_0.9.13-4_i386.deb
 f87549269e7187664dbeb86f5b5461101e6f9d5c 1457190 aranym_0.9.13-4_amd64.deb
Checksums-Sha256: 
 41d85ce78c6e16b292a6c91bc19c2a3fae1aac8ec336256b9c9ced9b83f1e2ee 1150 aranym_0.9.13-4.dsc
 80c656426459c06662f35a4fbe3a7d4067eacc03d99a80ea77be947bfae6debe 8903 aranym_0.9.13-4.debian.tar.gz
 b4490c45ccd207a05ddddfb0435166e4815fa882e5cf39f2aa0e922019d0f992 1924390 aranym_0.9.13-4_i386.deb
 466655c8a4ad74850ff1c1018b13727f446833d0c31e69569afc2992f929c902 1457190 aranym_0.9.13-4_amd64.deb
Files: 
 9f3a97b92942d9715b4f7cc850b4ff1c 1150 otherosfs extra aranym_0.9.13-4.dsc
 fa7627cf5010e5ca33bb2909a2d478cf 8903 otherosfs extra aranym_0.9.13-4.debian.tar.gz
 8d5cc00367bcf27150325834582bf909 1924390 otherosfs extra aranym_0.9.13-4_i386.deb
 ab94c81f2c9cfe0a8451ec8d29ec83f8 1457190 otherosfs extra aranym_0.9.13-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlF3jlgACgkQluuhBRvyMFpWAwCfW4U+lJvoA+M6fiw4Cs/4TQFD
7GAAn3Qbpz9F/mWsprz5WI35dVvj9i5c
=VoMa
-----END PGP SIGNATURE-----
--- End Message ---

