Using setreuid / setegid crashes x86_64 user-mode target
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
QEMU |
Expired
|
Undecided
|
Unassigned |
Bug Description
When setreuid() or setegid() are called from x86_64 target code in user mode, qemu crashes inside the NPTL signal handlers. x86 targets do not directly use a syscall to handle setreuid() / setegid(); instead the x86 NPTL implementation sets up a temporary data region in memory (__xidcmd) and issues a signal (SIGRT1) to all threads, allowing the handler for that signal to issue the syscall. Under qemu, __xidcmd remains null (see variable display below backtrace).
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fff85c74fc0 (LWP 74517)]
0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
263 nptl-init.c: No such file or directory.
(gdb) thread apply all bt
Thread 3 (Thread 0x3fff87e8efc0 (LWP 74515)):
#0 0x00000000601cc430 in syscall ()
#1 0x0000000060109080 in futex_wait (val=<optimized out>, ev=<optimized out>) at /build/
#2 qemu_event_wait (ev=0x62367bb0 <rcu_call_
#3 0x000000006010f73c in call_rcu_thread (opaque=<optimized out>) at /build/
#4 0x0000000060176f8c in start_thread (arg=0x3fff87e8
#5 0x00000000601cebf4 in clone ()
Thread 2 (Thread 0x3fff85c74fc0 (LWP 74517)):
#0 0x000000006017491c in sighandler_setxid (sig=33, si=0x3fff85c72d08, ctx=0x3fff85c71f90) at nptl-init.c:263
#1 <signal handler called>
#2 0x00000000601cc42c in syscall ()
#3 0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/
#4 do_futex (val3=<optimized out>, uaddr2=
#5 do_syscall (cpu_env=
at /build/
#6 0x00000000600347b8 in cpu_loop (env=0x1000abfd350) at /build/
#7 0x0000000060036ae0 in clone_func (arg=0x3fffc4c2
#8 0x0000000060176f8c in start_thread (arg=0x3fff85c7
#9 0x00000000601cebf4 in clone ()
Thread 1 (Thread 0x1000aa05000 (LWP 74511)):
#0 0x00000000601cc430 in syscall ()
#1 0x0000000060044b08 in safe_futex (val3=<optimized out>, uaddr2=0x0, timeout=<optimized out>, val=<optimized out>, op=128, uaddr=<optimized out>) at /build/
#2 do_futex (val3=<optimized out>, uaddr2=1, timeout=0, val=1, op=128, uaddr=275078324992) at /build/
#3 do_syscall (cpu_env=
#4 0x00000000600347b8 in cpu_loop (env=0x1000aa23890) at /build/
#5 0x00000000600020e4 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /build/
(gdb) p __xidcmd
$1 = (struct xid_command *) 0x0
https:/ /patches. linaro. org/patch/ 63313/ may be relevant here.