[Qemu-devel] [Bug 1594394] [NEW] Using setreuid / setegid crashes x86_64 user-mode target

Mon, 20 Jun 2016 07:18:21 -0700 

Public bug reported:

When setreuid() or setegid() are called from x86_64 target code in user
mode, qemu crashes inside the NPTL signal handlers.  x86 targets do not
directly use a syscall to handle setreuid() / setegid(); instead the x86
NPTL implementation sets up a temporary data region in memory (__xidcmd)
and issues a signal (SIGRT1) to all threads, allowing the handler for
that signal to issue the syscall.  Under qemu, __xidcmd remains null
(see variable display below backtrace).

Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, 
ctx=0x3fff85c71f90) at nptl-init.c:263
263     nptl-init.c: No such file or directory.
(gdb) thread apply all bt

Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) 
at /build/qemu/util/qemu-thread-posix.c:292
#2  qemu_event_wait (ev=0x62367bb0 <rcu_call_ready_event>) at 
/build/qemu/util/qemu-thread-posix.c:399
#3  0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at 
/build/qemu/util/rcu.c:250
#4  0x0000000060176f8c in start_thread (arg=0x3fff87e8efc0) at 
pthread_create.c:336
#5  0x00000000601cebf4 in clone ()

Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
#0  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, 
ctx=0x3fff85c71f90) at nptl-init.c:263
#1  <signal handler called>
#2  0x00000000601cc42c in syscall ()
#3  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, 
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at 
/build/qemu/linux-user/syscall.c:748
#4  do_futex (val3=<optimized out>, uaddr2=275186650880, timeout=0, val=1129, 
op=128, uaddr=275186651116) at /build/qemu/linux-user/syscall.c:6201
#5  do_syscall (cpu_env=0x1000abfd350, num=<optimized out>, arg1=275186651116, 
arg2=<optimized out>, arg3=1129, arg4=0, arg5=275186650880, arg6=<optimized 
out>, arg7=0, arg8=0)
    at /build/qemu/linux-user/syscall.c:10651
#6  0x00000000600347b8 in cpu_loop (env=0x1000abfd350) at 
/build/qemu/linux-user/main.c:317
#7  0x0000000060036ae0 in clone_func (arg=0x3fffc4c2ca38) at 
/build/qemu/linux-user/syscall.c:5445
#8  0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at 
pthread_create.c:336
#9  0x00000000601cebf4 in clone ()

Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
#0  0x00000000601cc430 in syscall ()
#1  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, 
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at 
/build/qemu/linux-user/syscall.c:748
#2  do_futex (val3=<optimized out>, uaddr2=1, timeout=0, val=1, op=128, 
uaddr=275078324992) at /build/qemu/linux-user/syscall.c:6201
#3  do_syscall (cpu_env=0x1000aa23890, num=<optimized out>, arg1=275078324992, 
arg2=<optimized out>, arg3=1, arg4=0, arg5=1, arg6=<optimized out>, arg7=0, 
arg8=0) at /build/qemu/linux-user/syscall.c:10651
#4  0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at 
/build/qemu/linux-user/main.c:317
#5  0x00000000600020e4 in main (argc=<optimized out>, argv=<optimized out>, 
envp=<optimized out>) at /build/qemu/linux-user/main.c:4779
(gdb) p __xidcmd
$1 = (struct xid_command *) 0x0

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1594394

Title:
  Using setreuid / setegid crashes x86_64 user-mode target

Status in QEMU:
  New

Bug description:
  When setreuid() or setegid() are called from x86_64 target code in
  user mode, qemu crashes inside the NPTL signal handlers.  x86 targets
  do not directly use a syscall to handle setreuid() / setegid();
  instead the x86 NPTL implementation sets up a temporary data region in
  memory (__xidcmd) and issues a signal (SIGRT1) to all threads,
  allowing the handler for that signal to issue the syscall.  Under
  qemu, __xidcmd remains null (see variable display below backtrace).

  Backtrace:
  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, 
ctx=0x3fff85c71f90) at nptl-init.c:263
  263     nptl-init.c: No such file or directory.
  (gdb) thread apply all bt

  Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
  #0  0x00000000601cc430 in syscall ()
  #1  0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized 
out>) at /build/qemu/util/qemu-thread-posix.c:292
  #2  qemu_event_wait (ev=0x62367bb0 <rcu_call_ready_event>) at 
/build/qemu/util/qemu-thread-posix.c:399
  #3  0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at 
/build/qemu/util/rcu.c:250
  #4  0x0000000060176f8c in start_thread (arg=0x3fff87e8efc0) at 
pthread_create.c:336
  #5  0x00000000601cebf4 in clone ()

  Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
  #0  0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, 
ctx=0x3fff85c71f90) at nptl-init.c:263
  #1  <signal handler called>
  #2  0x00000000601cc42c in syscall ()
  #3  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, 
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at 
/build/qemu/linux-user/syscall.c:748
  #4  do_futex (val3=<optimized out>, uaddr2=275186650880, timeout=0, val=1129, 
op=128, uaddr=275186651116) at /build/qemu/linux-user/syscall.c:6201
  #5  do_syscall (cpu_env=0x1000abfd350, num=<optimized out>, 
arg1=275186651116, arg2=<optimized out>, arg3=1129, arg4=0, arg5=275186650880, 
arg6=<optimized out>, arg7=0, arg8=0)
      at /build/qemu/linux-user/syscall.c:10651
  #6  0x00000000600347b8 in cpu_loop (env=0x1000abfd350) at 
/build/qemu/linux-user/main.c:317
  #7  0x0000000060036ae0 in clone_func (arg=0x3fffc4c2ca38) at 
/build/qemu/linux-user/syscall.c:5445
  #8  0x0000000060176f8c in start_thread (arg=0x3fff85c74fc0) at 
pthread_create.c:336
  #9  0x00000000601cebf4 in clone ()

  Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
  #0  0x00000000601cc430 in syscall ()
  #1  0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, 
timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at 
/build/qemu/linux-user/syscall.c:748
  #2  do_futex (val3=<optimized out>, uaddr2=1, timeout=0, val=1, op=128, 
uaddr=275078324992) at /build/qemu/linux-user/syscall.c:6201
  #3  do_syscall (cpu_env=0x1000aa23890, num=<optimized out>, 
arg1=275078324992, arg2=<optimized out>, arg3=1, arg4=0, arg5=1, 
arg6=<optimized out>, arg7=0, arg8=0) at /build/qemu/linux-user/syscall.c:10651
  #4  0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at 
/build/qemu/linux-user/main.c:317
  #5  0x00000000600020e4 in main (argc=<optimized out>, argv=<optimized out>, 
envp=<optimized out>) at /build/qemu/linux-user/main.c:4779
  (gdb) p __xidcmd
  $1 = (struct xid_command *) 0x0

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1594394/+subscriptions

Reply via email to