[Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?

From: Launchpad Bug Tracker <1749393@bugs.launchpad.net>
To: qemu-devel@nongnu.org
Subject: [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
Date: Sat, 01 Aug 2020 05:05:56 -0000	[thread overview]
Message-ID: <159625836082.31160.8655355779845819548.malone@ackee.canonical.com> (raw)
In-Reply-To: 151859702399.9461.6832978283203997178.malonedeb@chaenomeles.canonical.com

This bug was fixed in the package qemu - 1:5.0-5ubuntu3

---------------
qemu (1:5.0-5ubuntu3) groovy; urgency=medium

  * d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
    environments (LP: #1887763)
  * Pick further changes for groovy from debian/master since 5.0-5
    - ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
      Closes: CVE-2020-13800, ati-vga allows guest OS users to trigger
      infinite recursion via a crafted mm_index value during
      ati_mm_read or ati_mm_write call.
    - revert-memory-accept-mismatching-sizes-in-memory_region_access_valid...patch
      Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
      devices which uses min_access_size and max_access_size Memory API fields.
      Also closes: CVE-2020-13791
    - exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      CVE-2020-13659: address_space_map in exec.c can trigger
      a NULL pointer dereference related to BounceBuffer
    - megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
      has an OOB read via a crafted reply_queue_head field from a guest OS user
    - megasas-use-unsigned-type-for-positive-numeric-fields.patch
      fix other possible cases like in CVE-2020-13362 (#961887)
    - megasas-fix-possible-out-of-bounds-array-access.patch
      Some tracepoints use a guest-controlled value as an index into the
      mfi_frame_desc[] array. Thus a malicious guest could cause a very low
      impact OOB errors here
    - nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
      Closes: CVE-2020-10761, An assertion failure issue in the QEMU NBD Server.
      This flaw occurs when an nbd-client sends a spec-compliant request that is
      near the boundary of maximum permitted request length. A remote nbd-client
      could use this flaw to crash the qemu-nbd server resulting in a DoS.
    - es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
      Closes: CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c does not
      properly validate the frame count, which allows guest OS users to trigger
      an out-of-bounds access during an es1370_write() operation
    - a few patches from the stable series:
      - fix-tulip-breakage.patch
        The tulip network driver in a qemu-system-hppa emulation is broken in
        the sense that bigger network packages aren't received any longer and
        thus even running e.g. "apt update" inside the VM fails. Fix this.
      - 9p-lock-directory-streams-with-a-CoMutex.patch
        Prevent deadlocks in 9pfs readdir code
      - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
        Fix newline accidentally sneaked into id string of a nic
      - qemu-nbd-close-inherited-stderr.patch
      - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
      - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
      - virtio-balloon-unref-the-iothread-when-unrealizing.patch
    - acpi-tmr-allow-2-byte-reads.patch (Closes: #964247)
    - reapply CVE-2020-13253 fixed from upstream:
      sdcard-simplify-realize-a-bit.patch (preparation for the next patch)
      sdcard-dont-allow-invalid-SD-card-sizes.patch (half part of CVE-2020-13253)
      sdcard-update-coding-style-to-make-checkpatch-happy.patch (preparational)
      sdcard-dont-switch-to-ReceivingData-if-address-is-in..-CVE-2020-13253.patch
      Closes: #961297, CVE-2020-13253
    - linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
      (Closes: #965109)
    - linux-user-add-netlink-RTM_SETLINK-command.patch (Closes: #964289)
    - d/control: since qemu-system-data now contains module(s),
      it can't be multi-arch. Ditto for qemu-block-extra.
    - qemu-system-foo: depend on exact version of qemu-system-data,
      due to the latter having modules
    - acpi-allow-accessing-acpi-cnt-register-by-byte.patch' (Closes: #964793)
      This is another incarnation of the recent bugfix which actually enabled
      memory access constraints, like #964247
    - acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
      this replace acpi-allow-accessing-acpi-cnt-register-by-byte.patch
      and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
    - xhci-fix-valid.max_access_size-to-access-address-registers.patch
      fix one more incarnation of the breakage after the CVE-2020-13754 fix
    - do not install outdated (0.12 and before) Changelog (Closes: #965381)
    - xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
      ARM-only XGMAC NIC, possible buffer overflow during packet transmission
      Closes: CVE-2020-15863
    - sm501 OOB read/write due to integer overflow in sm501_2d_operation()
      List of patches:
       sm501-convert-printf-abort-to-qemu_log_mask.patch
       sm501-shorten-long-variable-names-in-sm501_2d_operation.patch
       sm501-use-BIT-macro-to-shorten-constant.patch
       sm501-clean-up-local-variables-in-sm501_2d_operation.patch
       sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
      Closes: #961451, CVE-2020-12829
    - riscv-allow-64-bit-access-to-SiFive-CLINT.patch
      another fix for revert-memory-accept-.. CVE-2020-13754
    - seabios-hppa-fno-ipa-sra.patch fix ftbfs with gcc-10

qemu (1:5.0-5ubuntu2) groovy; urgency=medium

  * No change rebuild against new libnettle8 and libhogweed6 ABI.

qemu (1:5.0-5ubuntu1) groovy; urgency=medium

  * Merge with Debian testing (LP: #1749393), remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - arch aware kvm wrappers
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
      [includes --disable-xen for user-static builds]
    - d/control-in: disable pmem on ppc64 as it is currently considered
      experimental on that architecture (pmdk v1.8-1)
    - d/rules: makefile definitions can't be recursive - sys_systems for s390x
    - d/rules: report config log from the correct subdir
    - allow qemu to load old modules post upgrade (LP 1847361)
      - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
        upgrade
      - d/rules: generate maintainer scripts matching package version on build
      - d/rules: enable --enable-module-upgrades where --enable-modules is set
    - d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP 1835546)
    - d/control-in: disable rbd support unavailable on riscv (LP: 1872931)
    - debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
      crashes it on shutdown (LP 1878973)
  * Dropped changes (no more needed)
    - d/qemu-system-common.maintscript: clean old sysv and upstart scripts
    - d/p/ubuntu/expose-vmx_qemu64cpu.patch: expose nested kvm by default
      in qemu64 cpu type.
    - d/control: avoid upgrade issues triggered by moving ivshmem tools after
      Debian. Fixed by bumping the related Breaks/Replaces to the
      Version Ubuntu introduced the change (LP 1862287)
  * Dropped changes (in Debian)
    - improved s390x support
    - d/binfmt-update-in: fix binfmt being called in some containers
      (LP 1840956)
    - qemu-system-x86-microvm package
      In addition to the generic multi-purpose qemu also provide a minimal
      feature binary that is loading faster for use cases with microvm machine
      type and qboot bios
      - d/control-in: add a new qemu-system-x86-microvm package
      - d/rules: add an extra config/build step to get the minimal qemu
    - Security and packaging fixes (LP 1872937)
      - arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch
      - net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
        CVE-2020-10702
        CVE-2020-11102
      - fix external spice UI
        + install ui-spice-app.so in qemu-system-common
        + install ui-spice-app.so only if built, spice is optional
      - switch binfmt registration to use update-binfmts --[un]import (#866756)
      - qemu-system-gui: Multi-Arch=same, not foreign (#956763)
      - qemu-system-data: s/highcolor/hicolor/ (#955741)
    - enable riscv build (LP 1872931)
      [ changes picked from Debian ]
      - enable support for riscv64 hosts
      - only enable librbd on architectures where it is built
      - ceph: do not list librados-dev as we only use librbd-dev and the latter
        depends on the former
      - seccomp grew up, no need in versioned build-dep
      - enable seccomp only on architectures where it can be built
  * Dropped changes (upstream)
    - d/p/ubuntu/lp-1857033-*: add support for Cooper Lake cpu model
      (LP 1857033)
    - d/p/lp-1859527-*: avoid breakage on high virtqueue counts (LP 1859527)
    - d/p/ubuntu/vhost-user-gpu-Drop-trailing-json-comma.patch: fix parsing of
      vhost-user-gpu
    - d/p/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch:
      avoid unnecessary IOTLB transactions (LP 1866207)
    - d/p/stable/lp-1867519-*: Stabilize qemu 4.2 with upstream
      patches @qemu-stable (LP 1867519)
    - remove d/p/ubuntu/expose-vmx_qemu64cpu.patch: Stop adding VMX to qemu64
      to avoid broken nesting (LP 1868692)
    - d/p/ubuntu/lp-1871830-*: avoid crash when using QEMU_MODULE_DIR
      (LP 1871830)
    - d/p/ubuntu/lp-1872107*: fix migration while rebooting guests (LP 1872107)
    - d/p/ubuntu/lp-1872931-*: fix build on non KVM platforms
    - d/p/ubuntu/lp-1872945-*: fix riscv emulation errors that e.g. hung ssh
      and clobbered doubles (LP 1872945)
    - SECURITY UPDATE: DoS via integer overflow in ati_2d_blt()
      - debian/patches/ubuntu/CVE-2020-11869.patch: fix checks in
        ati_2d_blt() to avoid crash in hw/display/ati_2d.c.
      - CVE-2020-11869
    - d/p/ubuntu/lp-1805256*: Fixes for QEMU on aarch64 ARM hosts
      - async: use explicit memory barriers (LP 1805256)
      - aio-wait: delegate polling of main AioContext if BQL not held
    - d/p/ubuntu/lp-1882774-*: fix issues with VMX subfeatures on systems not
      supporting to set them (LP 1882774)
    - d/p/ubuntu/lp-1847361-modules-load-upgrade.patch: to fallback module
      load to a versioned path
  * Added Changes:
    - d/control: regenerate debian/control out of control-in
    - update d/p/ubuntu/lp-1835546-* to the final versions
      - 11 patches dropped as they are in 5.0
      - 20 patches updated to how they will be in 5.1
    - d/p/ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch: fix
      FTBFS in groovy
    - Make qemu-system-x86-microvm a transitional package as the binary is now
      in qemu-system-x86 itself.
    - d/control-in: build-dep libcap is no more needed
    - d/rules: update arch aware kvm wrappers
    - d/qemu-system-x86.README.Debian: fix typo

qemu (1:5.0-5) unstable; urgency=medium

  * more binfmt-install updates
  * CVE-2020-10717 fix from upstream:
    virtiofsd-add-rlimit-nofile-NUM-option.patch (preparational) and
    virtiofsd-stay-below-fs.file-max-CVE-2020-10717.patch
    (Closes: #959746, CVE-2020-10717)
  * 2 patches from upstream/stable to fix io_uring fd set buildup:
    aio-posix-dont-duplicate-fd-handler-deletion-in-fdmon_io_uring_destroy.patch
    aio-posix-disable-fdmon-io_uring-when-GSource-is-used.patch
  * upstream stable fix: hostmem-dont-use-mbind-if-host-nodes-is-empty.patch
  * upstream stable fix:
    net-use-peer-when-purging-queue-in-qemu_flush_or_purge_queue_packets.patch

qemu (1:5.0-4) unstable; urgency=medium

  * fix binfmt registration (Closes: #959222)
  * disable PIE for user-static build on x32 too, not only i386

qemu (1:5.0-3) unstable; urgency=medium

  * do not explicitly enable -static-pie on non-i386 architectures.
    Apparenly only amd64 actually support -static-pie for now, and
    it is correctly detected.

qemu (1:5.0-2) unstable; urgency=medium

  * (temporarily) disable pie on i386 static build
    For now -static-pie fails on i386 with the following error message:
      /usr/bin/ld: /usr/lib/i386-linux-gnu/libc.a(memset_chk-nonshared.o):
          unsupported non-PIC call to IFUNC `memset'
  * install qemu-system docs in qemu-system-common, not qemu-system-data,
    since docs require ./configure run

qemu (1:5.0-1) unstable; urgency=medium

  * new upstream release (5.0)
    Closes: #958926
    Closes: CVE-2020-11869
  * refresh patches, remove patches applied upstream
  * do not mention openhackware, it is not used anymore
  * do not disable bluez (support removed)
  * new system arch "rx"
  * dont install qemu-doc.* for now,
    but install virtiofsd & qemu-storage-daemon
  * add shared-lib-without-dependency-information tag
    to qemu-user-static.lintian-overrides
  * add html docs to qemu-system-data (to /usr/share/doc/qemu-system-common)
  * do not install usr/share/doc/qemu/specs & usr/share/doc/qemu/tools
  * install qemu-user html docs for qemu-user & qemu-user-static
  * build hppa-firmware.img from roms/seabios-hppa
    (and Build-Depeds-Indep on gcc-hppa-linux-gnu)
  * enable liburing on linux (build-depend on liburing-dev)
  * add upstream signing-key.asc (Michael Roth <flukshun@gmail.com>)
  * build opensbi firmware
    (for riscv64 only, riscv32 is possible with compiler flags)
  * add source-level lintian-overrides for binaries-without-sources
    (lintian can't find sources for a few firmware images which are in roms/)

qemu (1:4.2-7) unstable; urgency=medium

  * qemu-system-gui: Multi-Arch=same, not foreign (Closes: #956763)
  * x32 arch is in the same family as i386 & x86_64, omit binfmt registration
  * check systemd-detect-virt before running update-binfmt
  * gluster is de-facto linux-only, do not build-depend on it on non-linux
  * virglrenderer is also essentially linux-specific
  * qemu-user-static does not depend on shlibs
  * disable parallel building of targets of d/rules
  * add lintian overrides (arch-dependent static binaries) for openbios binaries
  * separate binary-indep target into install-indep-prep and binary-indep
  * split out various components of qemu-system-data into independent
    build/install rules and add infrastructure for more components:
    x86-optionrom, sgabios, qboot, openbios, skiboot, palcode-clipper,
    slof, s390x-fw
  * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch

qemu (1:4.2-6) unstable; urgency=medium

  * d/rules: fix FTBFS (brown-paper-bag bug) in last upload

qemu (1:4.2-5) unstable; urgency=medium

  * no error-out on address-of-packet-member in openbios
  * install ui-spice-app.so only if built, spice is optional
  * arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch -
    Closes: CVE-2020-10702, weak signature generation
    in Pointer Authentication support for ARM
  * (temporarily) enable seccomp only on architectures where it can be built
    (Closes: #956624)
  * seccomp has grown up, no need in versioned build-dep
  * do not list librados-dev in build-dep as we only use librbd-dev
    and the latter depends on the former
  * only enable librbd on architectures where it is buildable

qemu (1:4.2-4) unstable; urgency=medium

  [ Michael Tokarev ]
  * d/rules: build minimal configuration for qboot/microvm usage
  * set microvm to be the default machine type for microvm case
  * install ui-spice-app.so in qemu-system-common
  * do not depend on libattr-dev, functions are now in libc6 (Closes: #953910)
  * net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
    (Closes: #956145, CVE-2020-11102, tulip nic buffer overflow)
  * qemu-system-data: s/highcolor/hicolor/ (Closes: #955741)
  * switch binfmt registration to use update-binfmts --[un]import
    (Closes: #866756)
  * build openbios-ppc & openbios-sparc binaries in qemu-system-data,
    and replace corresponding binary packages.
    Add gcc-sparc64-linux-gnu, fcode-utils & xsltproc to build-depend-indep
  * build and provide/replace qemu-slof too

  [ Aurelien Jarno ]
  * enable support for riscv64 hosts

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 28 Jul
2020 13:21:31 +0200

** Changed in: qemu (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10702

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10717

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10761

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11102

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11869

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12829

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13253

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13361

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13362

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13659

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13754

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13791

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13800

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15863

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions