QEMU

qemu-user fails to set up a reasonable brk for static-pie

Bug #1814128 reported by Szabolcs Nagy on 2019-01-31

This bug report is a duplicate of: Bug #1749393: sbrk() not working under qemu-user with a PIE-compiled binary?. Edit Remove

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	QEMU	New	Undecided	Unassigned

Bug Description

static pie binaries may not get a reasonable brk,
with glibc this means they crash in early tls setup code:
https://sourceware.org/bugzilla/show_bug.cgi?id=24152

qemu seems to put brk at the end of the data segment,
but if the stack starts (ends) right next to it then
allocation with brk fails.

in such situation i think qemu should arrange the
stack or brk to be elsewhere so there is plenty
space to grow (in case of glibc it's enough if tls
setup works: later allocations can fall back to mmap).

(ubuntu bionic x86_64 ldconfig.real from libc-bin package)
$ qemu-x86_64 -strace -d page /sbin/ldconfig.real
host mmap_min_addr=0x8000
guest_base 0x0
start end size prot
0000004000000000-00000040000f2000 00000000000f2000 r-x
00000040000f2000-00000040002f2000 0000000000200000 ---
00000040002f2000-00000040002fa000 0000000000008000 rw-
00000040002fa000-00000040002fb000 0000000000001000 ---
00000040002fb000-0000004000afb000 0000000000800000 rw-
start_brk 0x0000000000000000
end_code 0x00000040000f1ee8
start_code 0x0000004000000000
start_data 0x00000040002f2838
end_data 0x00000040002f8518
start_stack 0x0000004000afa130
brk 0x00000040002f9dd8
entry 0x0000004000009bc0
argv_start 0x0000004000afa138
env_start 0x0000004000afa148
auxv_start 0x0000004000afa280
28561 brk(NULL) = 0x00000040002fa000
28561 brk(0x00000040002fb1c0) = 0x00000040002fa000
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0xffffffffffffffc0} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped

$ readelf -hldSW /tmp/ldconfig.real
ELF Header:
  Magic: 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00
  Class: ELF64
  Data: 2's complement, little endian
  Version: 1 (current)
  OS/ABI: UNIX - GNU
  ABI Version: 0
  Type: DYN (Shared object file)
  Machine: Advanced Micro Devices X86-64
  Version: 0x1
  Entry point address: 0x9bc0
  Start of program headers: 64 (bytes into file)
  Start of section headers: 1022920 (bytes into file)
  Flags: 0x0
  Size of this header: 64 (bytes)
  Size of program headers: 56 (bytes)
  Number of program headers: 8
  Size of section headers: 64 (bytes)
  Number of section headers: 38
  Section header string table index: 37

Section Headers:
[Nr] Name [ 0] [ 1] .note.ABI-tag [ 2] [ 3] .gnu.hash [ 4] .dynsym [ 5] .dynstr [ 6] .rela.dyn [ 7] .rela.plt [ 8] .init [ 9] .plt [10] .plt.got [11] .text [12] [13] [14] .fini [15] .rodata [16] .stapsdt.base [17] .eh_frame_hdr [18] .eh_frame [19] [20] .tdata [21] .tbss [22] .init_array [23] .fini_array [24] .data.rel.ro [25] .dynamic [26] .got [27] .got.plt [28] .data [29] [30] [31] __libc_atexit [32] [33] .bss [34] [35] .note.stapsdt [36] .gnu_debuglink [37] .shstrtab Key to Flags:
W (write), L (link C (compressed), l (large), Type Address Off Size ES Flg Lk Inf Al
NULL 0000000000000000 000000 000000 00 0 0 0
NOTE 0000000000000200 000200 000020 00 A 0 0 4
.note.gnu.build-id NOTE 0000000000000220 000220 000024 00 A 0 0 4
GNU_HASH 0000000000000248 000248 00001c 00 A 4 0 8
DYNSYM 0000000000000268 000268 000018 18 A 5 1 8
STRTAB 0000000000000280 000280 000001 00 A 0 0 1
RELA 0000000000000288 000288 008748 18 A 4 0 8
RELA 00000000000089d0 0089d0 000318 18 AI 4 27 8
PROGBITS 0000000000008ce8 008ce8 000017 00 AX 0 0 4
PROGBITS 0000000000008d00 008d00 000270 10 AX 0 0 16
PROGBITS 0000000000008f70 008f70 000060 08 AX 0 0 8
PROGBITS 0000000000008fd0 008fd0 0bd29c 00 AX 0 0 16
__libc_freeres_fn PROGBITS 00000000000c6270 0c6270 0016b3 00 AX 0 0 16
__libc_thread_freeres_fn PROGBITS 00000000000c7930 0c7930 00108f 00 AX 0 0 16
PROGBITS 00000000000c89c0 0c89c0 000009 00 AX 0 0 4
PROGBITS 00000000000c89e0 0c89e0 01af08 00 A 0 0 32
PROGBITS 00000000000e38e8 0e38e8 000001 00 A 0 0 1
PROGBITS 00000000000e38ec 0e38ec 001f94 00 A 0 0 4
PROGBITS 00000000000e5880 0e5880 00c5b8 00 A 0 0 8
.gcc_except_table PROGBITS 00000000000f1e38 0f1e38 0000b0 00 A 0 0 1
PROGBITS 00000000002f2838 0f2838 000028 00 WAT 0 0 8
NOBITS 00000000002f2860 0f2860 000040 00 WAT 0 0 8
INIT_ARRAY 00000000002f2860 0f2860 000010 08 WA 0 0 8
FINI_ARRAY 00000000002f2870 0f2870 000010 08 WA 0 0 8
PROGBITS 00000000002f2880 0f2880 0034c4 00 WA 0 0 32
DYNAMIC 00000000002f5d48 0f5d48 0001a0 10 WA 5 0 8
PROGBITS 00000000002f5ee8 0f5ee8 000110 08 WA 0 0 8
PROGBITS 00000000002f6000 0f6000 000148 08 WA 0 0 8
PROGBITS 00000000002f6160 0f6160 001bd4 00 WA 0 0 32
__libc_subfreeres PROGBITS 00000000002f7d38 0f7d38 000060 00 WA 0 0 8
__libc_IO_vtables PROGBITS 00000000002f7da0 0f7da0 000768 00 WA 0 0 32
PROGBITS 00000000002f8508 0f8508 000008 00 WA 0 0 8
__libc_thread_subfreeres PROGBITS 00000000002f8510 0f8510 000008 00 WA 0 0 8
NOBITS 00000000002f8520 0f8518 001890 00 WA 0 0 32
__libc_freeres_ptrs NOBITS 00000000002f9db0 0f8518 000028 00 WA 0 0 8
NOTE 0000000000000000 0f8518 0014cc 00 0 0 4
PROGBITS 0000000000000000 0f99e4 000034 00 0 0 4
STRTAB 0000000000000000 0f9a18 0001ab 00 0 0 1
A (alloc), X (execute), M (merge), S (strings), I (info),
order), O (extra OS processing required), G (group), T (TLS),
x (unknown), o (OS specific), E (exclude),
p (processor specific)

Program Headers:
  Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
  LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x0f1ee8 0x0f1ee8 R E 0x200000
  LOAD 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x005ce0 0x0075a0 RW 0x200000
  DYNAMIC 0x0f5d48 0x00000000002f5d48 0x00000000002f5d48 0x0001a0 0x0001a0 RW 0x8
  NOTE 0x000200 0x0000000000000200 0x0000000000000200 0x000044 0x000044 R 0x4
  TLS 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x000028 0x000068 R 0x8
  GNU_EH_FRAME 0x0e38ec 0x00000000000e38ec 0x00000000000e38ec 0x001f94 0x001f94 R 0x4
  GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
  GNU_RELRO 0x0f2838 0x00000000002f2838 0x00000000002f2838 0x0037c8 0x0037c8 R 0x1

Section to Segment mapping:
  Segment Sections...
   00 .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .rela.dyn .rela.plt .init .plt .plt.got .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata .stapsdt.base .eh_frame_hdr .eh_frame .gcc_except_table
   01 .tdata .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data __libc_subfreeres __libc_IO_vtables __libc_atexit __libc_thread_subfreeres .bss __libc_freeres_ptrs
   02 .dynamic
   03 .note.ABI-tag .note.gnu.build-id
   04 .tdata .tbss
   05 .eh_frame_hdr
   06
   07 .tdata .init_array .fini_array .data.rel.ro .dynamic .got

Dynamic section at offset 0xf5d48 contains 22 entries:
Tag Type Name/Value
0x000000000000000c (INIT) 0x8ce8
0x000000000000000d (FINI) 0xc89c0
0x0000000000000019 (INIT_ARRAY) 0x2f2860
0x000000000000001b (INIT_ARRAYSZ) 16 (bytes)
0x000000000000001a (FINI_ARRAY) 0x2f2870
0x000000000000001c (FINI_ARRAYSZ) 16 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x248
0x0000000000000005 (STRTAB) 0x280
0x0000000000000006 (SYMTAB) 0x268
0x000000000000000a (STRSZ) 1 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x2f6000
0x0000000000000002 (PLTRELSZ) 792 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x89d0
0x0000000000000007 (RELA) 0x288
0x0000000000000008 (RELASZ) 34632 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffb (FLAGS_1) Flags: PIE
0x000000006ffffff9 (RELACOUNT) 1443
0x0000000000000000 (NULL) 0x0

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1749393 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.