RootDirectory=, ProtectKernelTunables=yes cause "ERROR: AddressSanitizer: stack-buffer-overflow" #4567

Closed
evverx opened this issue Nov 4, 2016 · 9 comments · Fixed by #4619
Labels
bug 🐛 Programming errors, that need preferential fixing

@evverx
Member

evverx commented Nov 4, 2016

Based on #4533 (comment)

How to reproduce:

mkdir /chroot
cp $(type -P busybox) /chroot

prepare-app /chroot # https://github.com/coreos/rkt/blob/aae6ea2b45091fbdd87973bffc5f872acd065139/stage1/prepare-app/prepare-app.c

cat <<'EOF' >/etc/systemd/system/hola.service
[Service]
ExecStart=/busybox id
RootDirectory=/chroot
ProtectKernelTunables=yes
EOF

systemctl start hola
Nov 03 14:41:08 busybox[213]: =================================================================
Nov 03 14:41:08 busybox[213]: ==213==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffecaaf1560 at pc 0x7f6d94be4aad bp 0x7ffecaaf1240 sp 0x7ffecaaf1230
Nov 03 14:41:08 busybox[213]: READ of size 1 at 0x7ffecaaf1560 thread T0 ((busybox))
Nov 03 14:41:08 systemd[1]: hola.service: Forked /busybox as 213
Nov 03 14:41:08 systemd[1]: hola.service: Changed failed -> running
Nov 03 14:41:08 systemd[1]: hola.service: Job hola.service/start finished, result=done
Nov 03 14:41:08 systemd[1]: Started hola.service.
Nov 03 14:41:09 busybox[213]:     #0 0x7f6d94be4aac in path_is_absolute src/basic/path-util.c:49
Nov 03 14:41:09 busybox[213]:     #1 0x7f6d94be4d7a in path_make_absolute_cwd src/basic/path-util.c:98
Nov 03 14:41:09 busybox[213]:     #2 0x7f6d94bd20f7 in chase_symlinks src/basic/fs-util.c:623
Nov 03 14:41:09 busybox[213]:     #3 0x55b31b0c9abc in chase_all_symlinks src/core/namespace.c:656
Nov 03 14:41:09 busybox[213]:     #4 0x55b31b0cb29e in setup_namespace src/core/namespace.c:807
Nov 03 14:41:09 busybox[213]:     #5 0x55b31b05bd5d in apply_mount_namespace src/core/execute.c:2051
Nov 03 14:41:09 busybox[213]:     #6 0x55b31b06031b in exec_child src/core/execute.c:2561
Nov 03 14:41:09 busybox[213]:     #7 0x55b31b062e20 in exec_spawn src/core/execute.c:2893
Nov 03 14:41:09 busybox[213]:     #8 0x55b31b01732d in service_spawn src/core/service.c:1351
Nov 03 14:41:09 busybox[213]:     #9 0x55b31b01a1a5 in service_enter_start src/core/service.c:1792
Nov 03 14:41:09 busybox[213]:     #10 0x55b31b01a75f in service_enter_start_pre src/core/service.c:1861
Nov 03 14:41:09 busybox[213]:     #11 0x55b31b01c59b in service_start src/core/service.c:2076
Nov 03 14:41:09 busybox[213]:     #12 0x55b31b0dea8b in unit_start src/core/unit.c:1590
Nov 03 14:41:09 busybox[213]:     #13 0x55b31b0f97c8 in job_perform_on_unit src/core/job.c:531
Nov 03 14:41:09 busybox[213]:     #14 0x55b31b0f9e84 in job_run_and_invalidate src/core/job.c:595
Nov 03 14:41:09 busybox[213]:     #15 0x55b31afd4fad in manager_dispatch_run_queue src/core/manager.c:1588
Nov 03 14:41:09 busybox[213]:     #16 0x7f6d94d885f4 in source_dispatch src/libsystemd/sd-event/sd-event.c:2299
Nov 03 14:41:09 busybox[213]:     #17 0x7f6d94d8ac82 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2626
Nov 03 14:41:09 busybox[213]:     #18 0x7f6d94d8b585 in sd_event_run src/libsystemd/sd-event/sd-event.c:2685
Nov 03 14:41:09 busybox[213]:     #19 0x55b31afda492 in manager_loop src/core/manager.c:2251
Nov 03 14:41:09 busybox[213]:     #20 0x55b31afc78c7 in main src/core/main.c:1899
Nov 03 14:41:09 busybox[213]:     #21 0x7f6d935e6730 in __libc_start_main (/lib64/libc.so.6+0x20730)
Nov 03 14:41:09 busybox[213]:     #22 0x55b31afbcb28 in _start (/usr/lib/systemd/systemd+0xc9b28)
Nov 03 14:41:09 busybox[213]: Address 0x7ffecaaf1560 is located in stack of thread T0 ((busybox)) at offset 448 in frame
Nov 03 14:41:09 busybox[213]:     #0 0x7f6d94bd1f30 in chase_symlinks src/basic/fs-util.c:601
Nov 03 14:41:09 busybox[213]:   This frame has 8 object(s):
Nov 03 14:41:09 busybox[213]:     [32, 36) 'fd'
Nov 03 14:41:09 busybox[213]:     [96, 100) 'child'
Nov 03 14:41:09 busybox[213]:     [160, 168) 'buffer'
Nov 03 14:41:09 busybox[213]:     [224, 232) 'done'
Nov 03 14:41:09 busybox[213]:     [288, 296) 'root'
Nov 03 14:41:09 busybox[213]:     [352, 360) 'first'
Nov 03 14:41:09 busybox[213]:     [416, 424) 'destination' <== Memory access at offset 448 overflows this variable
Nov 03 14:41:09 busybox[213]:     [480, 624) 'st'
Nov 03 14:41:09 busybox[213]: HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
Nov 03 14:41:09 busybox[213]:       (longjmp and C++ exceptions *are* supported)
Nov 03 14:41:09 busybox[213]: SUMMARY: AddressSanitizer: stack-buffer-overflow src/basic/path-util.c:49 in path_is_absolute
Nov 03 14:41:09 busybox[213]: Shadow bytes around the buggy address:
Nov 03 14:41:09 busybox[213]:   0x100059556250: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x100059556260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x100059556270: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2
Nov 03 14:41:09 busybox[213]:   0x100059556280: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
Nov 03 14:41:09 busybox[213]:   0x100059556290: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
Nov 03 14:41:09 busybox[213]: =>0x1000595562a0: 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4[f2]f2 f2 f2
Nov 03 14:41:09 busybox[213]:   0x1000595562b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x1000595562c0: 00 00 f4 f4 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x1000595562d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x1000595562e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]:   0x1000595562f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Nov 03 14:41:09 busybox[213]: Shadow byte legend (one shadow byte represents 8 application bytes):
Nov 03 14:41:09 busybox[213]:   Addressable:           00
Nov 03 14:41:09 busybox[213]:   Partially addressable: 01 02 03 04 05 06 07
Nov 03 14:41:09 busybox[213]:   Heap left redzone:       fa
Nov 03 14:41:09 busybox[213]:   Heap right redzone:      fb
Nov 03 14:41:09 busybox[213]:   Freed heap region:       fd
Nov 03 14:41:09 busybox[213]:   Stack left redzone:      f1
Nov 03 14:41:09 busybox[213]:   Stack mid redzone:       f2
Nov 03 14:41:09 busybox[213]:   Stack right redzone:     f3
Nov 03 14:41:09 busybox[213]:   Stack partial redzone:   f4
Nov 03 14:41:09 busybox[213]:   Stack after return:      f5
Nov 03 14:41:09 busybox[213]:   Stack use after scope:   f8
Nov 03 14:41:09 busybox[213]:   Global redzone:          f9
Nov 03 14:41:09 busybox[213]:   Global init order:       f6
Nov 03 14:41:09 busybox[213]:   Poisoned by user:        f7
Nov 03 14:41:09 busybox[213]:   Container overflow:      fc
Nov 03 14:41:09 busybox[213]:   Array cookie:            ac
Nov 03 14:41:09 busybox[213]:   Intra object redzone:    bb
Nov 03 14:41:09 busybox[213]:   ASan internal:           fe
Nov 03 14:41:09 busybox[213]:   Left alloca redzone:     ca
Nov 03 14:41:09 busybox[213]:   Right alloca redzone:    cb
Nov 03 14:41:09 busybox[213]: ==213==ABORTING
Nov 03 14:41:09 systemd[1]: hola.service: Child 213 belongs to hola.service
Nov 03 14:41:09 systemd[1]: hola.service: Main process exited, code=exited, status=1/FAILURE
Nov 03 14:41:09 systemd[1]: hola.service: Changed running -> failed
Nov 03 14:41:09 systemd[1]: hola.service: Unit entered failed state.
Nov 03 14:41:09 systemd[1]: hola.service: Failed with result 'exit-code'.
@evverx evverx added the bug 🐛 Programming errors, that need preferential fixing label Nov 4, 2016
@poettering poettering added this to the v233 milestone Nov 4, 2016
@evverx
Member Author

evverx commented Nov 5, 2016

So, actually this

index db9a7aa..ab136b0 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -196,7 +196,7 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const
                  * declaration we do not support "-" at the beginning.
                  */
                 const TargetMount *m = &mounts[i];
-                const char *path = prefix_roota(root_directory, m->path);
+                const char *path = prefix_root(root_directory, m->path);

                 if (!path_is_absolute(path))
                         return -EINVAL;
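
Review bot: the swap to `const char *path = prefix_root(root_directory, m->path);` does remove the dangling pointer (prefix_roota() builds the string with alloca() in this function's frame, so any BindMount entry that keeps `path` after append_target_mounts() returns ends up reading whatever later frames put on the stack, which is exactly what the ASan report above catches inside chase_symlinks()), but it leaves the heap string with no owner: `path` is a local `const char *` that is never freed, so every target mount leaks one allocation, as the comment under the hunk concedes. The entry needs an allocated field that the teardown loop frees, not a one-line substitution. Separately, prefix_root() returns NULL when allocation fails and the following `if (!path_is_absolute(path))` passes that NULL straight through; add `if (!path) return -ENOMEM;` before it.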

fixes the stack-buffer-overflow (but introduces a memory leak, of course)
I think we should revert 11a30ce, f471b2a and b6c432c asap (and modify related commits)

cc @tixxdz

tixxdz added a commit to endocode/systemd that referenced this issue Nov 6, 2016
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectKernelTunables=,
ProtectControlGroups= and ProtectKernelModules=yes

Fixes: systemd#4567
@tixxdz
Member

tixxdz commented Nov 6, 2016

Sorry for the issue. @evverx I believe it's fixed in #4594. Tested with ProtectKernelModules=, ProtectKernelTunables=, and others; the only failure for RootDirectory= now is when some paths that we assume are there do not exist. Let me fix that on top of this too.

@evverx evverx added the has-pr label Nov 6, 2016
@evverx
Member Author

evverx commented Nov 6, 2016

> and others the only failure for RootDirectory= now is when some paths that we assume are there do not exist.

I'm not sure. But it seems like this never works (I checked there: #4588). This is why rkt runs prepare-app /root/directory.

tixxdz added a commit to endocode/systemd that referenced this issue Nov 6, 2016
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectHome=, ProtectControlGroups= and
ProtectKernelModules=yes

Fixes: systemd#4567
tixxdz added a commit to endocode/systemd that referenced this issue Nov 6, 2016
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes

Fixes: systemd#4567
tixxdz added a commit to endocode/systemd that referenced this issue Nov 7, 2016
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes

Fixes: systemd#4567
@evverx evverx reopened this Nov 8, 2016
@evverx
Member Author

evverx commented Nov 8, 2016

Something went wrong #4594 (comment)

                 Starting Application=rkt-inspect Image=coreos.com/rkt-inspect...
        [309106.757998] rkt-inspect[12]: *** Error in `(inspect)': double free or corruption (fasttop): 0x000055bbdd76c550 ***
        [FAILED] Failed to start Application=rkt-inspect Image=coreos.com/rkt-inspect.
        See 'systemctl status rkt-inspect.service' for details.
                 Stopping rkt-inspect Reaper...

@evverx
Member Author

evverx commented Nov 8, 2016

I don't know how to reproduce it. But I modified rkt's build system a bit:

diff --git a/stage1/usr_from_src/usr_from_src.mk b/stage1/usr_from_src/usr_from_src.mk
index 9aa259c..408db88 100644
--- a/stage1/usr_from_src/usr_from_src.mk
+++ b/stage1/usr_from_src/usr_from_src.mk
@@ -99,7 +99,7 @@ $(call generate-stamp-rule,$(UFS_ROOTFS_STAMP),$(UFS_SYSTEMD_INSTALL_STAMP),$(S1
 # this installs systemd into temporary rootfs
 $(call generate-stamp-rule,$(UFS_SYSTEMD_INSTALL_STAMP),$(UFS_SYSTEMD_BUILD_STAMP),$(UFS_ROOTFSDIR), \
        $(call vb,v2,INSTALL,systemd) \
-       DESTDIR="$(abspath $(UFS_ROOTFSDIR))" $$(MAKE) -C "$(UFS_SYSTEMD_BUILDDIR)" V=0 install-strip $(call vl2,>/dev/null))
+       DESTDIR="$(abspath $(UFS_ROOTFSDIR))" $$(MAKE) -C "$(UFS_SYSTEMD_BUILDDIR)" V=0 install $(call vl2,>/dev/null))
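
Review bot: dropping `install-strip` for `install` is the right knob for getting file:line frames in the backtrace below, but as written it unconditionally ships unstripped systemd binaries in the stage1 rootfs; if this is meant to land rather than stay a local debugging change, select the install target from a make variable that defaults to install-strip. Also, the hunk header `@@ -99,7 +99,7 @@` promises seven lines per side but only five are pasted, so git apply will reject the patch as corrupt; re-paste it with the trailing context lines.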

Backtrace:

Thread 1 (Thread 0x7f824d68e940 (LWP 12)):
#0  0x00007f824c3ff6f5 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f824c4012fa in __GI_abort () at abort.c:89
#2  0x00007f824c440670 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f824c557060 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f824c448e0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7f824c557128 "double free or corruption (fasttop)", action=3) at malloc.c:5004
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3865
#5  0x00007f824c44c36c in __GI___libc_free (mem=<optimized out>) at malloc.c:2966
#6  0x000055d601c59b06 in setup_namespace (root_directory=<optimized out>, ns_info=<optimized out>, read_write_paths=<optimized out>, read_only_paths=<optimized out>, inaccessible_paths=<optimized out>,
    tmp_dir=<optimized out>, var_tmp_dir=<optimized out>, protect_home=<optimized out>, protect_system=<optimized out>, mount_flags=<optimized out>)
    at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/namespace.c:917
#7  0x000055d601c5d804 in apply_mount_namespace.lto_priv.476 (u=0x55d6032c6b00, context=0x55d6032c6f28, params=0x7ffe3c1df0b0, runtime=<optimized out>)
    at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2051
#8  0x000055d601c5c210 in exec_child (unit=unit@entry=0x55d6032c6b00, command=command@entry=0x55d6032837d0, context=context@entry=0x55d6032c6f28, params=params@entry=0x7ffe3c1df0b0,
    runtime=runtime@entry=0x0, dcreds=dcreds@entry=0x55d6032c7250, argv=0x55d6032895b0, socket_fd=-1, named_iofds=0x7ffe3c1defa0, fds=0x0, n_fds=0, files_env=0x55d6032c45c0,
    user_lookup_fd=<optimized out>, exit_status=0x7ffe3c1def50) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2561
#9  0x000055d601cae17f in exec_spawn (unit=<optimized out>, command=0x55d6032837d0, context=<optimized out>, params=<optimized out>, runtime=0x0, dcreds=0x55d6032c7250, ret=0x7ffe3c1df0a0)
    at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2893
#10 0x000055d601c7cf32 in service_spawn.lto_priv.533 (s=<optimized out>, c=0x55d6032837d0, timeout=<optimized out>, flags=<optimized out>, _pid=0x7ffe3c1df1e4)
    at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1351
#11 0x000055d601cd001c in service_enter_start.lto_priv.532 (s=s@entry=0x55d6032c6b00) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1792
#12 0x000055d601cd0458 in service_enter_start_pre (s=0x55d6032c6b00) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1861
#13 service_start.lto_priv.72 (u=0x55d6032c6b00) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:2076
#14 0x000055d601c7326a in unit_start (u=0x55d6032c6b00) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/unit.c:1590
#15 job_perform_on_unit.lto_priv.573 (j=0x7ffe3c1df280) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:531
#16 0x000055d601ca0208 in job_run_and_invalidate (j=<optimized out>) at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:595
#17 manager_dispatch_run_queue.lto_priv.588 (source=<optimized out>, userdata=<optimized out>, userdata=<optimized out>)
    at /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/manager.c:1588
#18 0x00007f824d2b04ad in ?? ()
#19 0x0000000000000000 in ?? ()

free(m->path);

finish:
        /* cleanup loop: frees every entry's path unconditionally */
        for (m = mounts; m < mounts + n_mounts; m++)
                free(m->path);

        return r;

@evverx
Member Author

evverx commented Nov 8, 2016

I've installed libasan into the container

        [317908.482343] rkt-inspect[19]: =================================================================
        [317908.483603] rkt-inspect[19]: ==19==ERROR: AddressSanitizer: attempting double-free on 0x60400002af90 in thread T0 ((inspect)):
        [317908.500816] rkt-inspect[19]:     #0 0x7fde048b6b00 in free (/lib64/libasan.so.3+0xc6b00)
        [317908.502889] rkt-inspect[19]:     #1 0x5599809ceb7f in setup_namespace /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/namespace.c:917
        [317908.503930] rkt-inspect[19]:     #2 0x5599809d6ccb in apply_mount_namespace.lto_priv.476 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2051
        [317908.504679] rkt-inspect[19]:     #3 0x5599809d38ce in exec_child /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2561
        [317908.505145] rkt-inspect[19]:     #4 0x559980a75b8a in exec_spawn /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2893
        [317908.505782] rkt-inspect[19]:     #5 0x559980a1287a in service_spawn.lto_priv.533 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1351
        [317908.506317] rkt-inspect[19]:     #6 0x559980ac1b26 in service_enter_start.lto_priv.532 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1792
        [317908.506740] rkt-inspect[19]:     #7 0x559980ac2497 in service_enter_start_pre /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1861
        [317908.507214] rkt-inspect[19]:     #8 0x559980ac2497 in service_start.lto_priv.72 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:2076
        [317908.507642] rkt-inspect[19]:     #9 0x5599809ffc4d in unit_start /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/unit.c:1590
        [317908.508106] rkt-inspect[19]:     #10 0x5599809ffc4d in job_perform_on_unit.lto_priv.573 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:531
        [317908.509126] rkt-inspect[19]:     #11 0x559980a574fb in job_run_and_invalidate /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:595
        [317908.510351] rkt-inspect[19]:     #12 0x559980a574fb in manager_dispatch_run_queue.lto_priv.588 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/manager.c:1588
        [317908.513253] rkt-inspect[19]:     #13 0x7fde0447c3d5 in source_dispatch.lto_priv.87 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2307
        [317908.516971] rkt-inspect[19]:     #14 0x7fde04458bb3 in sd_event_dispatch /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2626
        [317908.518110] rkt-inspect[19]:     #15 0x7fde0445dadd in sd_event_run /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2685
        [317908.519049] rkt-inspect[19]:     #16 0x5599809df5d3 in manager_loop /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/manager.c:2251
        [317908.520009] rkt-inspect[19]:     #17 0x5599809df5d3 in main /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/main.c:1899
        [317908.520999] rkt-inspect[19]:     #18 0x7fde034e3730 in __libc_start_main (/lib64/libc.so.6+0x20730)
        [317908.521756] rkt-inspect[19]:     #19 0x5599809e0528 in _start (/usr/lib/systemd/systemd+0xcb528)
        [317908.522276] rkt-inspect[19]: 0x60400002af90 is located 0 bytes inside of 48-byte region [0x60400002af90,0x60400002afc0)
        [317908.522669] rkt-inspect[19]: freed by thread T0 ((inspect)) here:
        [317908.523031] rkt-inspect[19]:     #0 0x7fde048b6b00 in free (/lib64/libasan.so.3+0xc6b00)
        [317908.523521] rkt-inspect[19]:     #1 0x5599809ceb7f in setup_namespace /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/namespace.c:917
        [317908.523890] rkt-inspect[19]:     #2 0x5599809d6ccb in apply_mount_namespace.lto_priv.476 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2051
        [317908.524227] rkt-inspect[19]:     #3 0x5599809d38ce in exec_child /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2561
        [317908.524618] rkt-inspect[19]:     #4 0x559980a75b8a in exec_spawn /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/execute.c:2893
        [317908.524961] rkt-inspect[19]:     #5 0x559980a1287a in service_spawn.lto_priv.533 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1351
        [FAILED] Failed to start Application=rkt-inspect Image=coreos.com/rkt-inspect.
        See 'systemctl status rkt-inspect.service' for details.
        [317908.525521] rkt-inspect[19]:     #6 0x559980ac1b26 in service_enter_start.lto_priv.532 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1792
        [317908.525768] rkt-inspect[19]:     #7 0x559980ac2497 in service_enter_start_pre /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:1861
        [317908.525996] rkt-inspect[19]:     #8 0x559980ac2497 in service_start.lto_priv.72 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/service.c:2076
        [317908.526261] rkt-inspect[19]:     #9 0x5599809ffc4d in unit_start /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/unit.c:1590
        [317908.526502] rkt-inspect[19]:     #10 0x5599809ffc4d in job_perform_on_unit.lto_priv.573 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:531
        [317908.526697] rkt-inspect[19]:     #11 0x559980a574fb in job_run_and_invalidate /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/job.c:595
        [317908.526946] rkt-inspect[19]:     #12 0x559980a574fb in manager_dispatch_run_queue.lto_priv.588 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/manager.c:1588
        [317908.527573] rkt-inspect[19]:     #13 0x7fde0447c3d5 in source_dispatch.lto_priv.87 /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2307
        [317908.527822] rkt-inspect[19]:     #14 0x7fde04458bb3 in sd_event_dispatch /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2626
        [317908.528087] rkt-inspect[19]:     #15 0x7fde0445dadd in sd_event_run /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/libsystemd/sd-event/sd-event.c:2685
        [317908.528519] rkt-inspect[19]:     #16 0x5599809df5d3 in manager_loop /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/manager.c:2251
        [317908.528796] rkt-inspect[19]:     #17 0x5599809df5d3 in main /home/vagrant/rkt/build-rkt-1.18.0+git/tmp/usr_from_src/systemd/src/src/core/main.c:1899
        [317908.529311] rkt-inspect[19]:     #18 0x7fde034e3730 in __libc_start_main (/lib64/libc.so.6+0x20730)
        [317908.529527] rkt-inspect[19]: previously allocated by thread T0 ((inspect)) here:
        [317908.529937] rkt-inspect[19]:     #0 0x7fde048b6e60 in malloc (/lib64/libasan.so.3+0xc6e60)
        [317908.530054] rkt-inspect[19]:     #1 0x7fde0354afd9 in strdup (/lib64/libc.so.6+0x87fd9)
        [317908.530149] rkt-inspect[19]: SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
        [317908.530233] rkt-inspect[19]: ==19==ABORTING

@tixxdz
Member

tixxdz commented Nov 8, 2016

@evverx ok, will make some time today and check, thanks

tixxdz added a commit to endocode/systemd that referenced this issue Nov 8, 2016
…s() fails

This certainly fixes a bug that was introduced by PR
systemd#4594 that intended to fix
systemd#4567.

The fix was not complete. This patch makes sure that we count freed
paths when chase_all_symlinks() fails and we do not return directly.

Also go ahead and remove assert() checks against mount counts being zero.
This does not make sense since we are explicitly decrementing and freeing
mount paths which makes it easy to hit the assert. If users did provide
misconfigured paths then just log a debug message, ignore and
continue. Note that if mount count is zero at the beginning, then we
never hit this code path.

Fixes systemd#4567
@tixxdz
Member

tixxdz commented Nov 8, 2016

@evverx that's embarrassing; a follow-up fix is here: #4619. That's definitely a fix; let me know if this fixes this issue, and thank you ;-)

@tixxdz
Member

tixxdz commented Nov 8, 2016

btw it seems we didn't look up how to hook up rkt tests, at least current rkt master or the ones that make sense for systemd

tixxdz added a commit to endocode/systemd that referenced this issue Nov 9, 2016
This certainly fixes a bug that was introduced by PR
systemd#4594 that intended to fix
systemd#4567.

The fix was not complete. This patch makes sure that we count and free
all paths that fail inside chase_all_symlinks().

Fixes systemd#4567
keszybz pushed a commit that referenced this issue Nov 10, 2016
…() (#4619)

This certainly fixes a bug that was introduced by PR
#4594 that intended to fix
#4567.

The fix was not complete. This patch makes sure that we count and free
all paths that fail inside chase_all_symlinks().

Fixes #4567
keszybz pushed a commit to systemd/systemd-stable that referenced this issue Jan 31, 2017
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes

Fixes: systemd/systemd#4567
(cherry picked from commit f0a4feb)
keszybz pushed a commit to systemd/systemd-stable that referenced this issue Jan 31, 2017
…() (#4619)

This certainly fixes a bug that was introduced by PR
systemd/systemd#4594 that intended to fix
systemd/systemd#4567.

The fix was not complete. This patch makes sure that we count and free
all paths that fail inside chase_all_symlinks().

Fixes systemd/systemd#4567
(cherry picked from commit 1d54cd5)