Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1
From: Julien Moutinho
Subject: Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1's malloc.c
Date: Mon, 4 Oct 2021 23:28:55 +0200

On Oct 04 2021, Chet Ramey wrote:
> I suspect this is a buffer overflow introduced between systemd-247 and
> systemd-249. It's not caught when building bash without the bash malloc
> because the default libc malloc probably doesn't do the bounds checking
> the bash malloc does, even without malloc debugging turned on.
Chet, thanks for your detailed analysis,
I've opened an issue to get some input from systemd's devs:
https://github.com/systemd/systemd/issues/20931
On Mon, 04 Oct 2021 22:44 +0200, Andreas Schwab wrote:
> If it's a buffer overflow, then valgrind should be able to catch it
> (when bash is configured --without-bash-malloc). valgrind's bounds
> checking is much more advanced than what a checking malloc can do.
Andreas, just to confirm that so far I'm unable to get a crash or error
when using --without-bash-malloc, even in valgrind (but I'm a newbie at
valgrind).
# systemd-run --pipe -p DynamicUser=1 -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash -- $(readlink $(which valgrind)) --trace-children=yes -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3128.service
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command:
> /nix/store/2kw8gj9lm1kn6zbpw5nf68h7msm1y716-bash-5.1-p8/bin/bash --norc -c
> /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426==
> ==669426== Memcheck, a memory error detector
> ==669426== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==669426== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
> ==669426== Command:
> /nix/store/j93py7g2fd0qmxq5q2mhnvc6ziijkjb8-coreutils-8.32/bin/id
> ==669426==
> ==669426==
> ==669426== HEAP SUMMARY:
> ==669426== in use at exit: 3,550 bytes in 10 blocks
> ==669426== total heap usage: 903 allocs, 893 frees, 5,165,001 bytes
> allocated
> ==669426==
> ==669426== LEAK SUMMARY:
> ==669426== definitely lost: 0 bytes in 0 blocks
> ==669426== indirectly lost: 0 bytes in 0 blocks
> ==669426== possibly lost: 0 bytes in 0 blocks
> ==669426== still reachable: 3,446 bytes in 9 blocks
> ==669426== suppressed: 104 bytes in 1 blocks
> ==669426== Rerun with --leak-check=full to see details of leaked memory
> ==669426==
> ==669426== For lists of detected and suppressed errors, rerun with: -s
> ==669426== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
# systemd-run --pipe -p DynamicUser=1 -E LD_LIBRARY_PATH=$(nix-store -q $(which systemctl))/lib -pBindReadOnlyPaths={/etc,/nix,/run} -p RootDirectory=/run/bash -- $(readlink -e bash5-without-bash-malloc/bin/bash) --norc -c $(readlink $(which id))
> Running as unit: run-u3109.service
> uid=62878(run-u3109) gid=62878(run-u3109) groups=62878(run-u3109)