UML kernel built in Intrepid SEGFAULTs immediately with buffer overflow (UML bug)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Distributor ID: Ubuntu
Description: Ubuntu intrepid (development branch)
Release: 8.10
Codename: intrepid
GCC Version: 4:4.3.1-1ubuntu2
First noticed in alpha6 in KVM; now the real system has the same problem (both x86).
UML kernel built using Intrepid tools does not boot:
rtg$ Downloads/
Locating the bottom of the address space ... 0x0
Locating the top of the address space ... 0xc0000000
Core dump limits :
soft - 0
hard - NONE
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
- /proc/mm...not found: No such file or directory
- PTRACE_
- PTRACE_LDT...not found
UML running in SKAS0 mode
Adding 15499264 bytes to physical memory to account for exec-shield gap
*** buffer overflow detected ***: Downloads/
======= Backtrace: =========
/lib/tls/
/lib/tls/
/lib/tls/
/lib/tls/
Downloads/
======= Memory map: ========
00000000-00001000 rwxp 00000000 00:00 0
08048000-08278000 rwxp 00000000 fe:04 4604241 /home/rtg/
08278000-0828d000 rwxp 08278000 00:00 0
09134000-09155000 rwxp 09134000 00:00 0 [heap]
09155000-10f10000 rwxs 0110d000 00:14 135092 /dev/shm/
b7e3f000-b7e4c000 r-xp 00000000 fe:00 40978 /lib/libgcc_s.so.1
b7e4c000-b7e4d000 r-xp 0000c000 fe:00 40978 /lib/libgcc_s.so.1
b7e4d000-b7e4e000 rwxp 0000d000 fe:00 40978 /lib/libgcc_s.so.1
b7e4e000-b7e53000 rwxp b7e4e000 00:00 0
b7e53000-b7fab000 r-xp 00000000 fe:00 41590 /lib/tls/
b7fab000-b7fad000 r-xp 00158000 fe:00 41590 /lib/tls/
b7fad000-b7fae000 rwxp 0015a000 fe:00 41590 /lib/tls/
b7fae000-b7fb1000 rwxp b7fae000 00:00 0
b7fb1000-b7fb3000 r-xp 00000000 fe:00 41610 /lib/tls/
b7fb3000-b7fb4000 r-xp 00001000 fe:00 41610 /lib/tls/
b7fb4000-b7fb5000 rwxp 00002000 fe:00 41610 /lib/tls/
b7fb5000-b7fb7000 rwxp b7fb5000 00:00 0
b7fb7000-b7fd1000 r-xp 00000000 fe:00 41116 /lib/ld-2.8.90.so
b7fd1000-b7fd2000 r-xp b7fd1000 00:00 0 [vdso]
b7fd2000-b7fd3000 r-xp 0001a000 fe:00 41116 /lib/ld-2.8.90.so
b7fd3000-b7fd4000 rwxp 0001b000 fe:00 41116 /lib/ld-2.8.90.so
bfabf000-bfad4000 rwxp bffeb000 00:00 0 [stack]
Segmentation fault
The same kernel built on Hardy boots properly in Hardy and Intrepid.
The reason for this crash is an invalid size of the array holding the socket name. The structure sockaddr_un contains sun_path, which is 108 chars long, while os_create_
Built a debug version:
rtg$ gdb ./linux
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) set args ubda=/home/rtg/test.img
(gdb) run
Starting program: /home/rtg/Downloads/Linux/linux-2.6.27.1/linux ubda=/home/rtg/test.img
Locating the bottom of the address space ...
Program received signal SIGSEGV, Segmentation fault.
0x08087451 in page_ok (page=0) at arch/um/os-Linux/sys-i386/task_size.c:31
31              n = *address;
(gdb) l
26       * still in the kernel area. As a sanity check, we'll fail if
27       * the mmap succeeds, but gives us an address different from
28       * what we wanted.
29       */
30              if (setjmp(buf) == 0)
31                      n = *address;
32              else {
33                      mapped = mmap(address, UM_KERN_PAGE_SIZE,
34                                    PROT_READ | PROT_WRITE,
35                                    MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
(gdb) bt
#0  0x08087451 in page_ok (page=0) at arch/um/os-Linux/sys-i386/task_size.c:31
#1  0x08087691 in os_get_top_address () at arch/um/os-Linux/sys-i386/task_size.c:100
#2  0x0804b7f1 in linux_main (argc=2, argv=0xbfa2d734) at arch/um/kernel/um_arch.c:277
#3  0x0804cdf0 in main (argc=2, argv=0xbfa2d734, envp=0xbfa2d740) at arch/um/os-Linux/main.c:150
(gdb)
The crash happens on the n = *address assignment when address equals 0x0. Actually, running both UML kernels in gdb produces this result, while the Hardy one operates fine when running outside of the debugger.
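The cause the report gives for the "*** buffer overflow detected ***" abort (the socket-name copy into sockaddr_un.sun_path is bounded by the caller's larger array rather than by sun_path itself, which glibc's FORTIFY_SOURCE traps) as an added C example beside its hardened form. This is not UML's code; NAME_BUF_LEN, fill_sun_path_buggy, fill_sun_path_safe and name_fits are assumed names for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define NAME_BUF_LEN 256  /* assumed caller buffer, larger than sun_path (108 on Linux) */
#define SUN_PATH_CAP sizeof(((struct sockaddr_un *)0)->sun_path)

/* Bug pattern (hypothetical, not UML's code): the copy is bounded by the caller's
 * length, not the destination. With -O2 -D_FORTIFY_SOURCE=2, glibc's __snprintf_chk
 * compares len with the known size of sun_path and aborts with
 * "*** buffer overflow detected ***" even for a short name. Not called below. */
void fill_sun_path_buggy(struct sockaddr_un *addr, const char *name, size_t len)
{
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, len, "%s", name);
}

/* Hardened form: bound by the destination and reject names that would be
 * truncated. Returns 0 on success, -1 if the name does not fit. */
int fill_sun_path_safe(struct sockaddr_un *addr, const char *name)
{
    size_t cap = sizeof(addr->sun_path);
    if (strlen(name) >= cap)          /* keep room for the terminating NUL */
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    snprintf(addr->sun_path, cap, "%s", name);
    return 0;
}

/* Probe the boundary with a constructed name of name_len 'a' characters. */
int name_fits(size_t name_len)
{
    char name[NAME_BUF_LEN];
    struct sockaddr_un addr;
    if (name_len >= sizeof(name))
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    return fill_sun_path_safe(&addr, name);
}

int main(void)
{
    printf("%zu-char name -> %d, %zu-char name -> %d\n", SUN_PATH_CAP - 1,
           name_fits(SUN_PATH_CAP - 1), SUN_PATH_CAP, name_fits(SUN_PATH_CAP));
    return 0;
}
```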