mkinitramfs --help > Core dumped

Bug #1577460 reported by bugproxy on 2016-05-02
This bug affects 1 person
Affects                    Importance   Assigned to
Ubuntu on IBM z Systems    High         Unassigned
glibc (Ubuntu)             Critical     Adam Conrad
  Xenial                   High         Adam Conrad
  Yakkety                  Undecided    Unassigned
util-linux (Ubuntu)        High         Dimitri John Ledkov
  Xenial                   High         Dimitri John Ledkov
  Yakkety                  High         Dimitri John Ledkov

Bug Description

[Testcase]
* $ LC_ALL=fo_FOO.UTF-8 getopt -o c:d:ko:r:v -n /usr/sbin/mkinitramfs -- --help
Expected result:
  /usr/sbin/mkinitramfs: unrecognized option '--help'
   --
  Exit code 1
Current result:
  Segmentation fault
  Exit code 139.

There are two bugs in play here. The glibc bug was fixed, and the util-linux bug still needs an upload.

Problem Description
==============================
root@zlin060:~# mkinitramfs --help
Segmentation fault (core dumped)
W: non-GNU getopt
root@zlin060:~#

== Comment: #9 - Heinz-Werner Seeck <email address hidden> - 2016-05-02 10:09:34 ==
With Ubuntu 14.40 login via ssh:

Following cmd :
'getopt -o c:d:ko:r:v -n /usr/sbin/mkinitramfs -- --help'

Following call-stack occurred (creates coredump):

#0 __strncmp_c (s1=0x2e6575634a500a6d <error: Cannot access memory at address 0x2e6575634a500a6d>,
    s1@entry=0x2e6575634a500a6a <error: Cannot access memory at address 0x2e6575634a500a6a>,
    s2=0x3fff7fff7ae "p", s2@entry=0x3fff7fff7ab "gelp", n=n@entry=4) at ../string/strncmp.c:44
#1 0x000003ff7e9d4252 in _getopt_internal_r (argc=<optimized out>, argv=0x40,
    optstring=0x200000030 <error: Cannot access memory at address 0x200000030>, longopts=<optimized out>,
    longind=<optimized out>, long_only=0, d=0x3ff7ea8c330 <getopt_data>, posixly_correct=0) at getopt.c:546
#2 0x000003ff7e9d51f2 in _getopt_internal (argc=<optimized out>, argv=<optimized out>,
    optstring=<optimized out>, longopts=<optimized out>, longind=0x3fff7ffe674, long_only=0, posixly_correct=0)
    at getopt.c:1175
#3 0x000003ff7e9d52b6 in getopt_long (argc=<optimized out>, argv=<optimized out>, options=<optimized out>,
    long_options=<optimized out>, opt_index=0x3fff7ffe674) at getopt1.c:65
#4 0x000002aa236821d8 in ?? ()
#5 0x000002aa23681c22 in main ()

bugproxy (bugproxy) on 2016-05-02
tags: added: architecture-s39064 bugnameltc-140845 severity-medium targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1577460/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment

------- Comment From <email address hidden> 2016-05-02 12:38 EDT-------
Viktor Mihajlovski 2016-05-02 11:14:29 EDT :

OK, got it. My client Ubuntu was on German locale "de_DE.UTF8" but the
server has only the English locales installed.
If I unset all LC_* environment variables and rerun the command I see no
coredump.
So the issue is that getopt (and maybe other binaries) have an issue if a
non-existent locale is requested. It should definitely not dump core in such
a situation.

affects: ubuntu → util-linux (Ubuntu)
Dimitri John Ledkov (xnox) wrote :

"With Ubuntu 14.40 login via ssh:" doesn't make sense at all =) There is no such thing as 14.40 release of Ubuntu. Sounds like mistyped 14.04, however 14.04 doesn't exist for s390x, and the bug report is for s390x. So we guess it's for 16.04. But that's mostly irrelevant misleading details.

The bug is valid, and reproducible on other architectures. This is not s390x specific.

Running locale-gen and/or installing relevant langpacks (e.g. German langpack) but getopt really should not segfault like that, as it's common for users to have locales that are not available on the target server.

Changed in util-linux (Ubuntu):
importance: Undecided → Critical
Changed in util-linux (Ubuntu Xenial):
importance: Undecided → High
Changed in util-linux (Ubuntu):
status: New → Confirmed
Changed in util-linux (Ubuntu Xenial):
status: New → Confirmed
affects: util-linux (Ubuntu) → glibc (Ubuntu)
Changed in glibc (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Adam Conrad (adconrad)
Changed in glibc (Ubuntu Xenial):
assignee: nobody → Adam Conrad (adconrad)
dann frazier (dannf) on 2016-05-05
Changed in ubuntu-z-systems:
status: New → Confirmed
importance: Undecided → High
bugproxy (bugproxy) on 2016-05-25
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin---
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-08-29 05:04 EDT-------
I updated a system to 16.04.1 latest. Issue still occurs:

Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic s390x)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Mon Aug 29 10:57:38 2016 from 9.152.99.191
root@s8330032:~# mkinitramfs --help
Segmentation fault
W: non-GNU getopt
root@s8330032:~#

Martin Pitt (pitti) wrote :

I've tried (in vain so far) to understand what's going on and how this is related to the locale-langpack/ search path patch.

Tested/reproduced with

  LC_ALL=fo_FOO gdb --args getopt -o c:d:ko:r:v -n /usr/sbin/mkinitramfs -- --help

Some observations:

 * This crash doesn't happen with looking up LC_MESSAGES, only in this getopt case with LC_IDENTIFICATION. The mere presence of /usr/lib/locale/fo_FOO/LC_IDENTIFICATION in the search path causes this crash. If *only* /usr/lib/locale/fo/LC_IDENTIFICATION gets added (and not also the more specific fo_FOO one) then things still work.

 * In all cases the returned list from _nl_make_l10nflist() was correct in memory, so I suppose this triggers some bug (insufficiently large buffer or so) somewhere else. Nevertheless we need to be bug compatible with that.

During that I also noticed some bugs in the patch:

     malloc (sizeof (*retval) + (__argz_count (dirlist, dirlist_len)
- * (1 << pop (mask))
+ * 2 * (1 << pop (mask))
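Review bot: The size expression on the + line has no overflow guard and gives the code that fills the array no named bound to check against: "__argz_count (dirlist, dirlist_len) * 2 * (1 << pop (mask))" is computed inline in the malloc argument. Suggest hoisting the slot count into a size_t variable, sizing it to the entries actually written plus the terminator, and checking the fill index against that variable.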

We shouldn't allocate 2* the number here, just argz_count() + 1, as we are only adding one more search path.

Also we should correctly interleave lookups in /usr/share/locale-langpack/ with /usr/share/locale wrt. the mask -- i. e. we should *first* check if there is a more specific locale (with territory, encoding, etc.) in /usr/share/locale-langpack/ and then check more generic locales in both places.

But if I just fix these two bugs, then getopt still crashes on getting too many LC_IDENTIFICATION search paths. So one proposal would be to only do the locale-langpack/ lookup for LC_MESSAGES, not for any other category; our langpacks only ship LC_MESSAGES anyway, so we make the scope of this small enough to avoid triggering the crash.

Martin Pitt (pitti) wrote :

The above attachment just limits the alternative locale dir to LC_MESSAGES (not sure if that's the most elegant method, I didn't see any better one). This keeps the current behaviour of translation lookups; fixing the two unrelated bugs above might be too intrusive at this point for yakkety, and correctly interleaving is actually remarkably difficult due to the painful structure of the code.

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.24-3ubuntu1

---------------
glibc (2.24-3ubuntu1) yakkety; urgency=medium

  * Merge with 2.24 from Debian sid, bringing in minor packaging changes and
    upstream updates, including the security fix for CVE-2016-6323 on ARMv7.
  * debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
    from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
  * debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.

 -- Adam Conrad <email address hidden> Wed, 05 Oct 2016 14:25:57 -0600

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released

Hello bugproxy, or anyone else affected,

Accepted glibc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/glibc/2.23-0ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in glibc (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Adam Conrad (adconrad) wrote :

Verified that the 2.23-0ubuntu4 binaries in xenial-proposed resolve this issue.

tags: added: verification-done
removed: verification-needed
Changed in ubuntu-z-systems:
status: Confirmed → Fix Committed

------- Comment From <email address hidden> 2016-10-19 05:49 EDT-------
I can not confirm that. I updated xenial with all pkgs of -proposed today. Problem still persists.

------- Comment From <email address hidden> 2016-10-19 05:55 EDT-------
root@r3515003:~# uname -a
Linux r3515003 4.4.0-44-generic #64-Ubuntu SMP Mon Oct 17 08:45:23 UTC 2016 s390x s390x s390x GNU/Linux
root@r3515003:~# dpkg -s libc6
Package: libc6
Status: install ok installed
Priority: required
Section: libs
Installed-Size: 10213
Maintainer: Ubuntu Developers <email address hidden>
Architecture: s390x
Multi-Arch: same
Source: glibc
Version: 2.23-0ubuntu4
Replaces: libc6-s390x
Depends: libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Breaks: hurd (<< 1:0.5.git20140203-1), libtirpc1 (<< 0.2.3), locales (<< 2.23), locales-all (<< 2.23), nscd (<< 2.23)
Conffiles:
/etc/ld.so.conf.d/s390x-linux-gnu.conf f9eee62c2c5a6b58373b2f613b5334be
Description: GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on
the system. This package includes shared versions of the standard C library
and the standard math library, as well as many others.
Homepage: http://www.gnu.org/software/libc/libc.html
Original-Maintainer: GNU Libc Maintainers <email address hidden>

Adam Conrad (adconrad) wrote :

Thorsten, I can't reproduce this segv with the -proposed binaries installed. Do you have a new recipe for reproduction?

Adam Conrad (adconrad) wrote :

Oh, hrm. No, I can reproduce it now. How odd. I swear I couldn't just a few days ago.

tags: added: verification-failed
removed: verification-done
Adam Conrad (adconrad) wrote :

Ahh, and this is why. I was previously testing with "de_DE", and today tested with "de_DE.UTF-8":

(xenial-amd64)root@nosferatu:~# dpkg -l libc6 | grep ^i
ii libc6:amd64 2.23-0ubuntu3 amd64 GNU C Library: Shared libraries
(xenial-amd64)root@nosferatu:~# mkinitramfs --help
/usr/sbin/mkinitramfs: unrecognized option '--help'
W: non-GNU getopt
(xenial-amd64)root@nosferatu:~# LANG=de_DE mkinitramfs --help
Segmentation fault (core dumped)
W: non-GNU getopt
(xenial-amd64)root@nosferatu:~# LANG=de_DE.UTF-8 mkinitramfs --help
Segmentation fault (core dumped)
W: non-GNU getopt
(xenial-amd64)root@nosferatu:~# apt-get update && apt-get install libc6
[...]
(xenial-amd64)root@nosferatu:~# dpkg -l libc6 | grep ^i
ii libc6:amd64 2.23-0ubuntu4 amd64 GNU C Library: Shared libraries
(xenial-amd64)root@nosferatu:~# mkinitramfs --help
/usr/sbin/mkinitramfs: unrecognized option '--help'
W: non-GNU getopt
(xenial-amd64)root@nosferatu:~# LANG=de_DE mkinitramfs --help
/usr/sbin/mkinitramfs: unrecognized option '--help'
W: non-GNU getopt
(xenial-amd64)root@nosferatu:~# LANG=de_DE.UTF-8 mkinitramfs --help
Segmentation fault (core dumped)
W: non-GNU getopt

Anders Kaseorg (andersk) wrote :

I can still reproduce this on 16.10 fully updated with libc6:amd64 2.24-3ubuntu1, so the Ubuntu task should probably be reopened.

$ LANG=de_DE mkinitramfs --help
Segmentation fault (core dumped)
W: non-GNU getopt
$ LANG=de_DE getopt -o c -- --help
Segmentation fault (core dumped)

Anders Kaseorg (andersk) wrote :

This is a util-linux bug, not a glibc bug. I have sent this patch upstream.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.23-0ubuntu4

---------------
glibc (2.23-0ubuntu4) xenial; urgency=medium

  * debian/rules.d/tarball.mk: Apply --no-renames to make the diff readable.
  * debian/patches/git-updates.diff: Update from release/2.23/master branch:
    - Include fix for potential makecontext() hang on ARMv7 (CVE-2016-6323)
    - Include fix for SEGV in sock_eq with nss_hesiod module (LP: #1571456)
    - Include malloc fixes, addressing multithread deadlocks (LP: #1630302)
    - debian/patches/hurd-i386/cvs-libpthread.so.diff: Dropped, upstreamed.
    - debian/patches/any/submitted-argp-attribute.diff: Dropped, upstreamed.
    - debian/patches/hurd-i386/tg-hurdsig-fixes-2.diff: Rebased to upstream.
  * debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
    from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
  * debian/patches/any/cvs-cos-precision.diff: Fix cos() bugs (LP: #1614966)
  * debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.

 -- Adam Conrad <email address hidden> Fri, 14 Oct 2016 00:00:34 -0600

Changed in glibc (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for glibc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2016-10-26 05:07 EDT-------
Bug reopened -> problem still exists on Xenial with glibc:2.23-0ubuntu4

Changed in ubuntu-z-systems:
status: Fix Released → In Progress

The attachment "fixed debian/patches/ubuntu/local-altlocaledir.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Dimitri John Ledkov (xnox) wrote :

glibc (2.24-3ubuntu1) yakkety; urgency=medium

  * Merge with 2.24 from Debian sid, bringing in minor packaging changes and
    upstream updates, including the security fix for CVE-2016-6323 on ARMv7.
  * debian/patches/ubuntu/local-altlocaledir.diff: Updated to latest version
    from Martin that limits scope to LC_MESSAGES, fixing segv (LP: #1577460)
  * debian/testsuite-xfail-debian.mk: Allow nptl/tst-signal6 to fail on ARM.

 -- Adam Conrad <email address hidden> Wed, 05 Oct 2016 14:25:57 -0600

description: updated
Changed in util-linux (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
milestone: none → ubuntu-17.01
Changed in util-linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
milestone: none → ubuntu-16.04.2
Changed in glibc (Ubuntu Yakkety):
status: New → Fix Released
Changed in util-linux (Ubuntu Yakkety):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
milestone: none → yakkety-updates
Changed in util-linux (Ubuntu):
status: Triaged → Fix Released
Dimitri John Ledkov (xnox) wrote :

Fix for util-linux is staged in the bileto PPA, currently undergoing testing.

https://bileto.ubuntu.com/#/ticket/2309

Fix is available during this time from ephemeral PPA at https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2309

Changed in util-linux (Ubuntu Xenial):
status: Triaged → In Progress
Changed in util-linux (Ubuntu Yakkety):
status: Triaged → In Progress

Hello bugproxy, or anyone else affected,

Accepted util-linux into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.28.2-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in util-linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in util-linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Hello bugproxy, or anyone else affected,

Accepted util-linux into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.27.1-6ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Dimitri John Ledkov (xnox) wrote :

Reproduced the crash in xenial and yakkety schroots; observed that updating util-linux to version from proposed resolves the issue as per test case.

tags: added: verification-done
removed: verification-failed

------- Comment From <email address hidden> 2017-01-09 09:00 EDT-------
Tested on xenial (up to date):

1. faulty as expected with util-linux 2.27.1-6ubuntu3.1
root@s8330003:~# LANG=de_DE.UTF-8 mkinitramfs --help
Segmentation fault
W: non-GNU getopt
root@s8330003:~# dpkg -s util-linux |grep Version
Version: 2.27.1-6ubuntu3.1
root@s8330003:~#

2. Fix working as expected with util-linux 2.27.1-6ubuntu3.2
root@s8330005:~# LANG=de_DE.UTF-8 mkinitramfs --help
/usr/sbin/mkinitramfs: unrecognized option '--help'
W: non-GNU getopt
root@s8330005:~# dpkg -s util-linux |grep Version
Version: 2.27.1-6ubuntu3.2
root@s8330005:~#

Fix for xenial should be promoted to xenial-updates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.27.1-6ubuntu3.2

---------------
util-linux (2.27.1-6ubuntu3.2) xenial; urgency=medium

  * Cherrypick upstream fix to prevent segfaults in getopt by ensuring
    that options array is correctly terminated. LP: #1577460

 -- Dimitri John Ledkov <email address hidden> Fri, 16 Dec 2016 14:49:06 +0000

Changed in util-linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.28.2-1ubuntu1.1

---------------
util-linux (2.28.2-1ubuntu1.1) yakkety; urgency=medium

  * Cherrypick upstream fix to prevent segfaults in getopt by ensuring
    that options array is correctly terminated. LP: #1577460

 -- Dimitri John Ledkov <email address hidden> Fri, 16 Dec 2016 14:27:53 +0000

Changed in util-linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
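
The util-linux changelog above describes the fix as "ensuring that options array is correctly terminated", and the backtrace in the report shows getopt_long() faulting in strncmp on a name pointer it should never have reached. The following is an added example, not code from util-linux or from this report: opt_table and its functions are hypothetical names for a growable long-option table that always keeps the all-zero terminating entry, including when no long options are registered, as in the test case.

```c
/* Added example (not util-linux code): a growable long-option table that
 * always ends in the all-zero entry getopt_long() stops on. */
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct opt_table {           /* hypothetical helper type */
    struct option *opts;
    size_t used;             /* real entries, terminator not counted */
    size_t cap;              /* allocated slots, always >= used + 1 */
};

/* Allocate with the terminator already in place, so a caller that
 * registers no long options still hands getopt_long() a valid array. */
static int opt_table_init(struct opt_table *t)
{
    t->used = 0;
    t->cap = 4;
    t->opts = calloc(t->cap, sizeof(*t->opts));
    return t->opts ? 0 : -1;
}

static int opt_table_add(struct opt_table *t, const char *name,
                         int has_arg, int val)
{
    if (t->used + 2 > t->cap) {              /* new entry + terminator */
        size_t ncap = t->cap * 2;
        struct option *n = realloc(t->opts, ncap * sizeof(*n));
        if (!n)
            return -1;
        t->opts = n;
        t->cap = ncap;
    }
    t->opts[t->used] = (struct option){ name, has_arg, NULL, val };
    t->used++;
    /* realloc() does not zero new memory: rewrite the terminator each time. */
    memset(&t->opts[t->used], 0, sizeof(*t->opts));
    return 0;
}

/* Return the first result of getopt_long() for argv. */
static int first_option(const struct opt_table *t, const char *shortopts,
                        int argc, char **argv)
{
    optind = 0;   /* restart the scanner */
    opterr = 0;   /* keep the diagnostic off stderr */
    return getopt_long(argc, argv, shortopts, t->opts, NULL);
}

int main(void)
{
    char *argv[] = { "mkinitramfs", "--help", NULL };
    struct opt_table t;

    if (opt_table_init(&t) != 0)
        return 1;
    /* No long options registered, as in the test case: prints 63 ('?'). */
    printf("%d\n", first_option(&t, "c:d:ko:r:v", 2, argv));
    free(t.opts);
    return 0;
}
```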
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-01-25 06:34 EDT-------
IBM Bugzilla -> closed
