lshw crashes with SEGV in privileged containers

Bug #1699161 reported by Christian Reis on 2017-06-20
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lshw (Debian)
New
Unknown
lshw (Ubuntu)
Medium
Unassigned
Xenial
Medium
Eric Desrochers
Zesty
Medium
Eric Desrochers
Artful
Medium
Eric Desrochers
Bionic
Medium
Unassigned

Bug Description

[Impact]

 * lshw crashes with SEGV in privileged containers, unless you disable the 'usb' test: $ lshw -disable usb

[Test Case]

## Create a privileged container. ##
$ lxc launch ubuntu:16.04 priv -c security.privileged=true
Creating priv
Starting priv

## Execute lshw inside the privileged container. ##
$ lxc exec priv bash
root@priv:~#

root@priv:~#lshw
Segmentation fault

[Regression Potential]

 * Risks of regression are low.

 * I have tested lshw inside containers (unprivileges/privileges) and baremetal with success connecting different types of usb device : webcam, usb keys, ... The usb output of lshw cmd is shown as expected, but this time without segfaulting when container in privilege mode.

 * Basically, the code look if both files doesn't exists

#define PROCBUSUSBDEVICES "/proc/bus/usb/devices"
#define SYSKERNELDEBUGUSBDEVICES "/sys/kernel/debug/usb/devices"
...
  if (!exists(SYSKERNELDEBUGUSBDEVICES) && !exists(PROCBUSUSBDEVICES))
__return false;

I kept the above in place.

But what if only 1 of the 2 files exists ?

For that reason I added an extra verification if SYSKERNELDEBUGUSBDEVICES exist -> fopen SYSKERNELDEBUGUSBDEVICES.

and

if fopen SYSKERNELDEBUGUSBDEVICES fails and PROCBUSUSBDEVICES exist then -> fopen "PROCBUSUSBDEVICES"

The code first look for SYSKERNELDEBUGUSBDEVICES and if it fails it jump to PROCBUSUSBDEVICES.

But if PROCBUSUSBDEVICES fails there was no mechanism to skip, thus segfault.

I also added another if statement in case PROCBUSUSBDEVICES fails like in this situation (no such file or directory) in privileged container, same as if SYSKERNELDEBUGUSBDEVICES can't be opened to force to jump on trying PROCBUSUSBDEVICES.

[Other Info]

 * PR :
   https://ezix.org/src/pkg/lshw/pulls/9

 * Upstream Commit:
   https://ezix.org/src/pkg/lshw/commit/7b99d35064230f908551ba65c29264d90f49f246

 * This bug doesn't affect Trusty in privileged container. (The code is a bit different in Trusty/lshw package. It basically doesn't rely on SYSKERNELDEBUGUSBDEVICES, meaning that it is only validating if PROCBUSUSBDEVICES exist or not and react accordingly).

 * Only affect Xenial and late.

 * The bug has been introduced upstream after this specific commit :
   https://ezix.org/src/pkg/lshw/commit/9f05be36f7ce6117731e312053d1ec91348a3051

* This particular bug isn't reproducible in Debian (tested with sid in privileged mode) container image because both files doesn't exist in their image, thus making the lshw stop here :

  if (!exists(SYSKERNELDEBUGUSBDEVICES) && !exists(PROCBUSUSBDEVICES))
  return false;

With that being said, I filed a debian bug anyway mentioning that it would be great for them to merge the upstream PR since Ubuntu is merging/syncing from them, and it won't hurt debian lshw package, if they change or not their image behavior one day. Even if not necessary fixing an actual debian/lshw bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878792

** Discussion with apw on #ubuntu-release **
[10:45:45] <apw> slashd, artful is open for SRUs, when BB opens it will start from whatever is in A
[11:13:49] <apw> -propsoed gets copied to bb-proposed too yes

[Original Description]
When running lshw in a Xenial container, I'm getting a segmentation fault. I'll attach the apport crash dump.

```
stgraber@castiana:~$ lxc launch ubuntu:16.04 priv -c security.privileged=true
Creating priv
Starting priv

stgraber@castiana:~$ lxc exec priv bash
root@priv:~# lshw
Segmentation fault
root@priv:~#
```

[strace of lshw]
open("/usr/share/hwdata/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/lshw-common/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/usb.ids", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/sys/kernel/debug/usb/devices", O_RDONLY) = -1 EACCES (Permission denied)
open("/proc/bus/usb/devices", O_RDONLY) = -1 ENOENT (No such file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
+++ killed by SIGSEGV +++
Segmentation fault

Christian Reis (kiko) wrote :
Changed in lxd (Ubuntu):
assignee: nobody → Rafael David Tinoco (inaddy)
status: New → Confirmed
Christian Reis (kiko) wrote :

However, lshw -disable USB does work fine.

According to this core:

(gdb) bt
#0 _IO_feof (fp=fp@entry=0x0) at feof.c:35
#1 0x000000000045dd88 in scan_usb (n=...) at usb.cc:383
#2 0x0000000000418279 in scan_system (system=...) at main.cc:113
#3 0x0000000000404571 in main (argc=1, argv=0x7ffc719cb4d8) at lshw.cc:238

The crash has happened when scanning from USB:

usbdevices = fopen(SYSKERNELDEBUGUSBDEVICES, "r");
if(!usbdevices)
__usbdevices = fopen(PROCBUSUSBDEVICES, "r");

while(!feof(usbdevices))
{

It is likely that it couldn't open one of these files:

#define PROCBUSUSBDEVICES "/proc/bus/usb/devices"
#define SYSKERNELDEBUGUSBDEVICES "/sys/kernel/debug/usb/devices"

Because of permission, since there was already check if the files existed before the code bellow:

if (!exists(SYSKERNELDEBUGUSBDEVICES) && !exists(PROCBUSUSBDEVICES))
__return false;

Code Problem (so far): code doesn't check if the second opening was successful before moving on. If SYSKERNELDEBUGUSBDEVICES exists but can't be opened AND PROCBUSUSBDEVICE doesn't exist, it will still try to open it not checking if it could.

Christian Reis (kiko) wrote :

In this container there is no /proc/bus/usb, and while /sys/kernel is present, I can't even list it:

  root@maas3:~# ls -l /sys/kernel/
  ls: cannot open directory '/sys/kernel/': Permission denied

summary: - lshw crashes with SEGV
+ lshw crashes with SEGV in unprivileged container

Unable to reproduce in a normal unprivileged container:
```
stgraber@castiana:~$ lxc launch ubuntu:16.04 unpriv
Creating unpriv
Starting unpriv
stgraber@castiana:~$ lxc exec unpriv bash
root@unpriv:~# ls -lh /sys/kernel/
total 0
drwxr-xr-x 2 nobody nogroup 0 Jun 26 06:32 boot_params
drwx------ 38 nobody nogroup 0 Jun 24 14:56 debug
-r--r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 fscaps
drwxr-xr-x 2 nobody nogroup 0 Jun 26 06:32 iommu_groups
drwxr-xr-x 38 nobody nogroup 0 Jun 26 06:32 irq
-r--r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 kexec_crash_loaded
-rw-r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 kexec_crash_size
-r--r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 kexec_loaded
drwxr-xr-x 2 nobody nogroup 0 Jun 26 06:32 livepatch
drwxr-xr-x 6 nobody nogroup 0 Jun 26 06:32 mm
-r--r--r-- 1 nobody nogroup 516 Jun 26 06:32 notes
-rw-r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 profiling
-rw-r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 rcu_expedited
-rw-r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 rcu_normal
drwxr-xr-x 4 nobody nogroup 0 Jun 24 14:55 security
drwxr-xr-x 140 nobody nogroup 0 Jun 26 06:32 slab
dr-xr-xr-x 2 nobody nogroup 0 Jun 26 06:33 tracing
-rw-r--r-- 1 nobody nogroup 4.0K Jun 24 14:55 uevent_helper
-r--r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 uevent_seqnum
-r--r--r-- 1 nobody nogroup 4.0K Jun 26 06:32 vmcoreinfo
root@unpriv:~# lshw >/dev/null
root@unpriv:~# echo $?
0
root@unpriv:~#
```

But I can reproduce it in a privileged container where lshw is seen attempting to access /sys/kernel/debug/usb/devices and /proc/bus/usb/devices. The former is denied as all debugfs access should be in privileged containers, the latter doesn't exist.

So this is a lshw bug. It shouldn't just crash when the kernel denies it access to a path. I'd instead expect it to skip the particular subsystem.

affects: lxd (Ubuntu) → lshw (Ubuntu)
summary: - lshw crashes with SEGV in unprivileged container
+ lshw crashes with SEGV in privileged containers
description: updated
description: updated
Stéphane Graber (stgraber) wrote :

Updated the description with more details, re-assigned to the lshw package.

Changed in lshw (Ubuntu):
importance: Undecided → Medium
tags: added: foundations-engine
Eric Desrochers (slashd) wrote :

Update:

I've been asked to look at this problem

It does segfault on Xenial, but it is also reproducible using Zesty privileged container.

In fact, it is a behavior not yet reported nor fix upstream. I can confirm it by having tested the reproducer against the latest and greatest compiled by hand lshw binary using Xenial privileged container.

It tries to open '/sys/kernel/debug/usb/devices' that exist but doesn't have permission to be fopen and then try '/proc/bus/usb/devices' which doesn't exist. I agree with Rafael that there must be a better mechanism to be protected against this situation.

--
root@priv:/tmp/lshw# ls -altr /proc/bus/usb/devices
ls: cannot access '/proc/bus/usb/devices': No such file or directory

root@priv:/tmp/lshw# ls -altr /sys/kernel/debug/usb/devices
-r--r--r-- 1 root root 0 Oct 11 11:19 /sys/kernel/debug/usb/devices

root@priv:/tmp/lshw# cat /sys/kernel/debug/usb/devices
cat: /sys/kernel/debug/usb/devices: Permission denied
---

So this look like it'll need to be fix upstream first.
I'll start to look at it.

I tried to create a new ticket with ezIX without success, their tracker is giving me errors.
I have emailed Lyonel Vincent, so he can hopefully file the bug on our behalf.

- Eric

Changed in lshw (Ubuntu Zesty):
status: New → Confirmed
Changed in lshw (Ubuntu Xenial):
status: New → Confirmed
Eric Desrochers (slashd) wrote :

I just sent a proposal patch to Lyonel Vincent, since I couldn't create a bug properly in their tracker.

Waiting for him to review the proposal patch.

- Eric

Eric Desrochers (slashd) on 2017-10-11
Changed in lshw (Ubuntu Artful):
assignee: Rafael David Tinoco (inaddy) → Eric Desrochers (slashd)
Eric Desrochers (slashd) on 2017-10-11
Changed in lshw (Ubuntu Artful):
status: Confirmed → In Progress
Dan Streetman (ddstreet) on 2017-10-11
Changed in lshw (Ubuntu Xenial):
assignee: nobody → Dan Streetman (ddstreet)
Changed in lshw (Ubuntu Zesty):
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
Changed in lshw (Ubuntu Xenial):
importance: Undecided → Medium
Eric Desrochers (slashd) on 2017-10-11
Changed in lshw (Ubuntu Trusty):
importance: Undecided → Medium
assignee: nobody → Dan Streetman (ddstreet)
status: New → Confirmed
Eric Desrochers (slashd) on 2017-10-12
description: updated
Eric Desrochers (slashd) on 2017-10-13
no longer affects: lshw (Ubuntu Trusty)
description: updated
Eric Desrochers (slashd) on 2017-10-13
description: updated
Eric Desrochers (slashd) on 2017-10-13
Changed in lshw (Ubuntu Artful):
assignee: Eric Desrochers (slashd) → Dan Streetman (ddstreet)
status: In Progress → Confirmed
Eric Desrochers (slashd) on 2017-10-16
description: updated
Eric Desrochers (slashd) on 2017-10-16
description: updated
description: updated
Eric Desrochers (slashd) on 2017-10-17
description: updated
tags: added: sts-sru-needed
Eric Desrochers (slashd) on 2017-10-17
description: updated
Changed in lshw (Debian):
status: Unknown → New
Eric Desrochers (slashd) on 2017-10-23
description: updated
Changed in lshw (Ubuntu Artful):
status: Confirmed → In Progress
assignee: Dan Streetman (ddstreet) → Eric Desrochers (slashd)
Eric Desrochers (slashd) on 2017-10-23
description: updated
Eric Desrochers (slashd) wrote :

Debdiff for artful

Eric Desrochers (slashd) wrote :

Debdiff for zesty

Changed in lshw (Ubuntu Zesty):
assignee: Dan Streetman (ddstreet) → Eric Desrochers (slashd)
status: Confirmed → In Progress
Eric Desrochers (slashd) wrote :

1) Sponsored for Artful (now consider stable)[1] and Zesty.
2) Xenial SRU will have to wait (LP: #1471983) is completed.

- Eric

[1] - ** Discussion with apw on #ubuntu-release **
[10:45:45] <apw> slashd, artful is open for SRUs, when BB opens it will start from whatever is in A
[11:13:49] <apw> -propsoed gets copied to bb-proposed too yes

tags: added: patch

Hello Christian, or anyone else affected,

Accepted lshw into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lshw/02.18-0.1ubuntu4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lshw (Ubuntu Artful):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-artful
Changed in lshw (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed-zesty
Brian Murray (brian-murray) wrote :

Hello Christian, or anyone else affected,

Accepted lshw into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lshw/02.18-0.1ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Eric Desrochers (slashd) wrote :

### VERIFICATION ARTFUL ###

* With current artful-updates package.
root@privlshwA:~# dpkg -l | grep -i lshw
ii lshw 02.18-0.1ubuntu3 amd64 information about hardware configuration

root@privlshwA:~# lshw
Segmentation fault (core dumped)

* With current artful-proposed package.

root@privlshwA:~# dpkg -l | grep -i lshw
ii lshw 02.18-0.1ubuntu4 amd64 information about hardware configuration

root@privlshwA:~# lshw
...
        *-usb
             description: USB controller
             product: Sunrise Point-LP USB 3.0 xHCI Controller
             vendor: Intel Corporation
             physical id: 14
             bus info: pci@0000:00:14.0
             version: 21
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi xhci bus_master cap_list
             configuration: driver=xhci_hcd latency=0
             resources: irq:120 memory:ec120000-ec12ffff
...

tags: added: verification-done-artful
removed: verification-needed-artful
Eric Desrochers (slashd) wrote :

### VERIFICATION ZESTY ###

* With current artful-updates package.
root@privlshwZ:~# dpkg -l | grep -i lshw
ii lshw 02.18-0.1ubuntu3 amd64 information about hardware configuration

root@privlshwZ:~# lshw
Segmentation fault (core dumped)

* With current artful-proposed package.

root@privlshwZ:~# dpkg -l | grep -i lshw
ii lshw 02.18-0.1ubuntu3.1 amd64 information about hardware configuration

root@privlshwZ:~# lshw
...
        *-usb
             description: USB controller
             product: Sunrise Point-LP USB 3.0 xHCI Controller
             vendor: Intel Corporation
             physical id: 14
             bus info: pci@0000:00:14.0
             version: 21
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi xhci bus_master cap_list
             configuration: driver=xhci_hcd latency=0
             resources: irq:120 memory:ec120000-ec12ffff
...

tags: added: verification-done-zesty
removed: verification-needed-zesty
Changed in lshw (Ubuntu Bionic):
assignee: Eric Desrochers (slashd) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lshw - 02.18-0.1ubuntu4

---------------
lshw (02.18-0.1ubuntu4) artful; urgency=medium

  * d/p/fix-segfault-in-privileged-containers.patch:
    Fix lshw crashes with SEGV in privileged containers (LP: #1699161)
    (cherry-picked from EZix upstream commit [7b99d35])

 -- Eric Desrochers <email address hidden> Mon, 23 Oct 2017 10:25:52 -0400

Changed in lshw (Ubuntu Bionic):
status: In Progress → Fix Released
Eric Desrochers (slashd) on 2017-10-30
Changed in lshw (Ubuntu Xenial):
assignee: Dan Streetman (ddstreet) → Eric Desrochers (slashd)
Eric Desrochers (slashd) wrote :

debdiff for Xenial

Eric Desrochers (slashd) on 2017-10-30
Changed in lshw (Ubuntu Xenial):
status: Confirmed → In Progress
Eric Desrochers (slashd) wrote :

(re: comment #12)

Now that SRU for lshw(LP: #1471983) is completed.
Sponsored done for Xenial.

- Eric

Brian Murray (brian-murray) wrote :

Could you confirm that lshw still works in unprivileged containers? After that's done I'd feel good about releasing this SRU.

Brian Murray (brian-murray) wrote :

Hello Christian, or anyone else affected,

Accepted lshw into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lshw/02.17-1.1ubuntu3.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lshw (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Eric Desrochers (slashd) wrote :

(As requested by bdmurray)

## VERIFICATION ZESTY WITH UNPRIVILEGED CONTAINER ##

#lxc launch ubuntu:17.04 unprivZ -c security.privileged=false
Creating unprivZ
Starting unprivZ

# apt-cache policy lshw
lshw:
  Installed: 02.18-0.1ubuntu3.1
  Candidate: 02.18-0.1ubuntu3.1
  Version table:
 *** 02.18-0.1ubuntu3.1 500
        500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages

Result : lshw works

## VERIFICATION ARTFUL WITH UNPRIVILEGED CONTAINER ##

#lxc launch ubuntu:17.10 unprivA -c security.privileged=false
Creating unprivA
Starting unprivA

# apt-cache policy lshw
lshw:
  Installed: 02.18-0.1ubuntu4
  Candidate: 02.18-0.1ubuntu4
  Version table:
 *** 02.18-0.1ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu artful-proposed/main amd64 Packages

Result : lshw works

Eric Desrochers (slashd) wrote :

### VERIFICATION XENIAL ####

For package - lshw 02.17-1.1ubuntu3.4

[Privileged container]

# lxc launch ubuntu:16.04 privX -c security.privileged=true

Result: lshw work and no longer segfault

[Unprivileged container]

# lxc launch ubuntu:16.04 unprivX -c security.privileged=false

Result: lshw work as usual

tags: added: verification-done-xenial
removed: verification-needed-xenial
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lshw - 02.18-0.1ubuntu3.1

---------------
lshw (02.18-0.1ubuntu3.1) zesty; urgency=medium

  * d/p/fix-segfault-in-privileged-containers.patch:
    Fix lshw crashes with SEGV in privileged containers (LP: #1699161)
    (cherry-picked from EZix upstream commit [7b99d35])

 -- Eric Desrochers <email address hidden> Mon, 23 Oct 2017 10:25:52 -0400

Changed in lshw (Ubuntu Zesty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lshw has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lshw - 02.18-0.1ubuntu4

---------------
lshw (02.18-0.1ubuntu4) artful; urgency=medium

  * d/p/fix-segfault-in-privileged-containers.patch:
    Fix lshw crashes with SEGV in privileged containers (LP: #1699161)
    (cherry-picked from EZix upstream commit [7b99d35])

 -- Eric Desrochers <email address hidden> Mon, 23 Oct 2017 10:25:52 -0400

Changed in lshw (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lshw - 02.17-1.1ubuntu3.4

---------------
lshw (02.17-1.1ubuntu3.4) xenial; urgency=medium

  * d/p/fix-segfault-in-privileged-containers.patch:
    Fix lshw crashes with SEGV in privileged containers (LP: #1699161)
    (cherry-picked from EZix upstream commit [7b99d35])

 -- Eric Desrochers <email address hidden> Mon, 30 Oct 2017 07:39:31 -0400

Changed in lshw (Ubuntu Xenial):
status: Fix Committed → Fix Released
tags: added: sts-sru-done
removed: sts-sru-needed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.