QEMU-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary?
@ 2018-02-14  8:30 Raphaël Hertzog
  2018-02-14 15:46 ` [Qemu-devel] [Bug 1749393] " Gérard Vidal
                   ` (13 more replies)
  0 siblings, 14 replies; 15+ messages in thread
From: Raphaël Hertzog @ 2018-02-14  8:30 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

In Debian unstable, we recently switched bash to be a PIE-compiled
binary (for hardening). Unfortunately this resulted in bash being broken
when run under qemu-user (for all target architectures, host being amd64
for me).

$ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

bash has its own malloc implementation based on sbrk():
https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

When we disable this internal implementation and rely on glibc's malloc,
then everything is fine. But it might be that glibc has a fallback when
sbrk() is not working properly and it might hide the underlying problem
in qemu-user.

This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

You can find the problematic bash binary in that .deb file:
http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

The version of qemu I have been using is 2.11 (Debian package qemu-user-
static version 1:2.11+dfsg-1) but I have had reports that the problem is
reproducible with older versions (back to 2.8 at least).

Here are the related Debian bug reports:
https://bugs.debian.org/889869
https://bugs.debian.org/865599

It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
@ 2018-02-14 15:46 ` Gérard Vidal
  2018-03-01 19:15 ` Peter Ogden
                   ` (12 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Gérard Vidal @ 2018-02-14 15:46 UTC (permalink / raw)
  To: qemu-devel

Affected by the same bug.
target architecture arm
host architecture amd64

bug message
bash: xmalloc: .././locale.c:****: cannot allocate 2 bytes (0 bytes allocated)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
  2018-02-14 15:46 ` [Qemu-devel] [Bug 1749393] " Gérard Vidal
@ 2018-03-01 19:15 ` Peter Ogden
  2018-03-15 11:39 ` Peter Maydell
                   ` (11 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Peter Ogden @ 2018-03-01 19:15 UTC (permalink / raw)
  To: qemu-devel

This appears to be a problem in all PIE-compiled executables that use
sbrk in qemu-user due to the way that position-independent code gets
mmapped into adjacent ranges meaning there is no room for expansion.
I've hacked my version of QEMU to force the program binary to mmap in a
different range allowing for the region to be resized which fixes this
issue. I don't know the most appropriate way to determine what range to
use in generate though.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
  2018-02-14 15:46 ` [Qemu-devel] [Bug 1749393] " Gérard Vidal
  2018-03-01 19:15 ` Peter Ogden
@ 2018-03-15 11:39 ` Peter Maydell
  2018-03-15 15:27 ` Matthias Klose
                   ` (10 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Peter Maydell @ 2018-03-15 11:39 UTC (permalink / raw)
  To: qemu-devel

** Tags added: arm linux-user

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (2 preceding siblings ...)
  2018-03-15 11:39 ` Peter Maydell
@ 2018-03-15 15:27 ` Matthias Klose
  2018-03-15 16:17 ` Peter Maydell
                   ` (9 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Matthias Klose @ 2018-03-15 15:27 UTC (permalink / raw)
  To: qemu-devel

** Also affects: qemu (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (3 preceding siblings ...)
  2018-03-15 15:27 ` Matthias Klose
@ 2018-03-15 16:17 ` Peter Maydell
  2018-03-15 17:56 ` Peter Ogden
                   ` (8 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Peter Maydell @ 2018-03-15 16:17 UTC (permalink / raw)
  To: qemu-devel

There seem to be two parts to this. Firstly, with a big reserved-region,
which is the default for 32-bit-guest-on-64-bit-host, this code in
main.c:

        if (reserved_va) {
            mmap_next_start = reserved_va;
        }

says to start trying for the next mmap address at the top of the
reserved section, which is typically right at the top of the guest's
address space. This means that for a PIE executable we'll try to load it
at a very high address, which then means there's no space above the data
section for the brk segment.

Secondly, for the no-reserved-region case (-R 0, or 64-on-64), we still
fail, but this time because we've chosen to mmap the dynamic interpreter
at an address just above the executable. Again, no space to expand the
data segment and brk fails.

Linux kernel commit a87938b2e246b81 message says something about there
being a guaranteed 128MB "gap" between data segment and stack on x86-64
which we're obviously not honourin; presumbably there's similar
requirements for other archs. (As an aside, is bash really happy with
only having perhaps 128MB of allocatable memory? Otherwise it really
ought to use mmap rather than brk for its allocator.)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (4 preceding siblings ...)
  2018-03-15 16:17 ` Peter Maydell
@ 2018-03-15 17:56 ` Peter Ogden
  2018-03-22 21:45 ` Launchpad Bug Tracker
                   ` (7 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Peter Ogden @ 2018-03-15 17:56 UTC (permalink / raw)
  To: qemu-devel

Could we over-allocate the data segment by
QEMU_DATA_SIZE/getrlimit(RLIMIT_DATA)/128 MB depending on what's set -
similar to how the stack size is managed?

My current workaround for aarch64 on x86-64 is to mmap a dynamic main
executable in some far-away part of the address space but I'm not sure
how to find somewhere suitable on a 32-bit host/guest.

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  New

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (5 preceding siblings ...)
  2018-03-15 17:56 ` Peter Ogden
@ 2018-03-22 21:45 ` Launchpad Bug Tracker
  2018-04-04 16:16 ` Matthias Klose
                   ` (6 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Launchpad Bug Tracker @ 2018-03-22 21:45 UTC (permalink / raw)
  To: qemu-devel

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: qemu (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  Confirmed

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Qemu-devel] [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (6 preceding siblings ...)
  2018-03-22 21:45 ` Launchpad Bug Tracker
@ 2018-04-04 16:16 ` Matthias Klose
  2020-01-17 23:52 ` Richard Henderson
                   ` (5 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Matthias Klose @ 2018-04-04 16:16 UTC (permalink / raw)
  To: qemu-devel

qemu patch proposed at http://lists.nongnu.org/archive/html/qemu-
devel/2018-03/msg04700.html

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  Confirmed

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions

^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (7 preceding siblings ...)
  2018-04-04 16:16 ` Matthias Klose
@ 2020-01-17 23:52 ` Richard Henderson
  2020-03-10  9:07 ` Laurent Vivier
                   ` (4 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Richard Henderson @ 2020-01-17 23:52 UTC (permalink / raw)
  To: qemu-devel

Another proposed patch:
https://patchew.org/QEMU/20200117230245.5040-1-richard.henderson@linaro.org/

** Changed in: qemu (Ubuntu)
     Assignee: (unassigned) => Richard Henderson (rth)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  New
Status in qemu package in Ubuntu:
  Confirmed

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (8 preceding siblings ...)
  2020-01-17 23:52 ` Richard Henderson
@ 2020-03-10  9:07 ` Laurent Vivier
  2020-04-30 13:34 ` Laurent Vivier
                   ` (3 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Laurent Vivier @ 2020-03-10  9:07 UTC (permalink / raw)
  To: qemu-devel

Fixed here:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6fd5944980f4

** Changed in: qemu
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Committed
Status in qemu package in Ubuntu:
  Confirmed

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (9 preceding siblings ...)
  2020-03-10  9:07 ` Laurent Vivier
@ 2020-04-30 13:34 ` Laurent Vivier
  2020-05-01  6:47 ` Christian Ehrhardt 
                   ` (2 subsequent siblings)
  13 siblings, 0 replies; 15+ messages in thread
From: Laurent Vivier @ 2020-04-30 13:34 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Confirmed

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (10 preceding siblings ...)
  2020-04-30 13:34 ` Laurent Vivier
@ 2020-05-01  6:47 ` Christian Ehrhardt 
  2020-06-17  7:52 ` Christian Ehrhardt 
  2020-08-01  5:05 ` Launchpad Bug Tracker
  13 siblings, 0 replies; 15+ messages in thread
From: Christian Ehrhardt  @ 2020-05-01  6:47 UTC (permalink / raw)
  To: qemu-devel

Will be merged in 20.10 with qemu >=5.0 where this came upstream.

** Tags added: qemu-20.10

** Changed in: qemu (Ubuntu)
       Status: Confirmed => Triaged

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Triaged

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (11 preceding siblings ...)
  2020-05-01  6:47 ` Christian Ehrhardt 
@ 2020-06-17  7:52 ` Christian Ehrhardt 
  2020-08-01  5:05 ` Launchpad Bug Tracker
  13 siblings, 0 replies; 15+ messages in thread
From: Christian Ehrhardt  @ 2020-06-17  7:52 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu (Ubuntu)
     Assignee: Richard Henderson (rth) => Christian Ehrhardt  (paelzer)

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Triaged

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [Bug 1749393] Re: sbrk() not working under qemu-user with a PIE-compiled binary?
  2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
                   ` (12 preceding siblings ...)
  2020-06-17  7:52 ` Christian Ehrhardt 
@ 2020-08-01  5:05 ` Launchpad Bug Tracker
  13 siblings, 0 replies; 15+ messages in thread
From: Launchpad Bug Tracker @ 2020-08-01  5:05 UTC (permalink / raw)
  To: qemu-devel

This bug was fixed in the package qemu - 1:5.0-5ubuntu3

---------------
qemu (1:5.0-5ubuntu3) groovy; urgency=medium

  * d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
    environments (LP: #1887763)
  * Pick further changes for groovy from debian/master since 5.0-5
    - ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
      Closes: CVE-2020-13800, ati-vga allows guest OS users to trigger
      infinite recursion via a crafted mm_index value during
      ati_mm_read or ati_mm_write call.
    - revert-memory-accept-mismatching-sizes-in-memory_region_access_valid...patch
      Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
      devices which uses min_access_size and max_access_size Memory API fields.
      Also closes: CVE-2020-13791
    - exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      CVE-2020-13659: address_space_map in exec.c can trigger
      a NULL pointer dereference related to BounceBuffer
    - megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
      has an OOB read via a crafted reply_queue_head field from a guest OS user
    - megasas-use-unsigned-type-for-positive-numeric-fields.patch
      fix other possible cases like in CVE-2020-13362 (#961887)
    - megasas-fix-possible-out-of-bounds-array-access.patch
      Some tracepoints use a guest-controlled value as an index into the
      mfi_frame_desc[] array. Thus a malicious guest could cause a very low
      impact OOB errors here
    - nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
      Closes: CVE-2020-10761, An assertion failure issue in the QEMU NBD Server.
      This flaw occurs when an nbd-client sends a spec-compliant request that is
      near the boundary of maximum permitted request length. A remote nbd-client
      could use this flaw to crash the qemu-nbd server resulting in a DoS.
    - es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
      Closes: CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c does not
      properly validate the frame count, which allows guest OS users to trigger
      an out-of-bounds access during an es1370_write() operation
    - a few patches from the stable series:
      - fix-tulip-breakage.patch
        The tulip network driver in a qemu-system-hppa emulation is broken in
        the sense that bigger network packages aren't received any longer and
        thus even running e.g. "apt update" inside the VM fails. Fix this.
      - 9p-lock-directory-streams-with-a-CoMutex.patch
        Prevent deadlocks in 9pfs readdir code
      - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
        Fix newline accidentally sneaked into id string of a nic
      - qemu-nbd-close-inherited-stderr.patch
      - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
      - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
      - virtio-balloon-unref-the-iothread-when-unrealizing.patch
    - acpi-tmr-allow-2-byte-reads.patch (Closes: #964247)
    - reapply CVE-2020-13253 fixed from upstream:
      sdcard-simplify-realize-a-bit.patch (preparation for the next patch)
      sdcard-dont-allow-invalid-SD-card-sizes.patch (half part of CVE-2020-13253)
      sdcard-update-coding-style-to-make-checkpatch-happy.patch (preparational)
      sdcard-dont-switch-to-ReceivingData-if-address-is-in..-CVE-2020-13253.patch
      Closes: #961297, CVE-2020-13253
    - linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
      (Closes: #965109)
    - linux-user-add-netlink-RTM_SETLINK-command.patch (Closes: #964289)
    - d/control: since qemu-system-data now contains module(s),
      it can't be multi-arch. Ditto for qemu-block-extra.
    - qemu-system-foo: depend on exact version of qemu-system-data,
      due to the latter having modules
    - acpi-allow-accessing-acpi-cnt-register-by-byte.patch' (Closes: #964793)
      This is another incarnation of the recent bugfix which actually enabled
      memory access constraints, like #964247
    - acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
      this replace acpi-allow-accessing-acpi-cnt-register-by-byte.patch
      and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
    - xhci-fix-valid.max_access_size-to-access-address-registers.patch
      fix one more incarnation of the breakage after the CVE-2020-13754 fix
    - do not install outdated (0.12 and before) Changelog (Closes: #965381)
    - xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
      ARM-only XGMAC NIC, possible buffer overflow during packet transmission
      Closes: CVE-2020-15863
    - sm501 OOB read/write due to integer overflow in sm501_2d_operation()
      List of patches:
       sm501-convert-printf-abort-to-qemu_log_mask.patch
       sm501-shorten-long-variable-names-in-sm501_2d_operation.patch
       sm501-use-BIT-macro-to-shorten-constant.patch
       sm501-clean-up-local-variables-in-sm501_2d_operation.patch
       sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
      Closes: #961451, CVE-2020-12829
    - riscv-allow-64-bit-access-to-SiFive-CLINT.patch
      another fix for revert-memory-accept-.. CVE-2020-13754
    - seabios-hppa-fno-ipa-sra.patch fix ftbfs with gcc-10

qemu (1:5.0-5ubuntu2) groovy; urgency=medium

  * No change rebuild against new libnettle8 and libhogweed6 ABI.

qemu (1:5.0-5ubuntu1) groovy; urgency=medium

  * Merge with Debian testing (LP: #1749393), remaining changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - arch aware kvm wrappers
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
      [includes --disable-xen for user-static builds]
    - d/control-in: disable pmem on ppc64 as it is currently considered
      experimental on that architecture (pmdk v1.8-1)
    - d/rules: makefile definitions can't be recursive - sys_systems for s390x
    - d/rules: report config log from the correct subdir
    - allow qemu to load old modules post upgrade (LP 1847361)
      - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
        upgrade
      - d/rules: generate maintainer scripts matching package version on build
      - d/rules: enable --enable-module-upgrades where --enable-modules is set
    - d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP 1835546)
    - d/control-in: disable rbd support unavailable on riscv (LP: 1872931)
    - debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
      crashes it on shutdown (LP 1878973)
  * Dropped changes (no more needed)
    - d/qemu-system-common.maintscript: clean old sysv and upstart scripts
    - d/p/ubuntu/expose-vmx_qemu64cpu.patch: expose nested kvm by default
      in qemu64 cpu type.
    - d/control: avoid upgrade issues triggered by moving ivshmem tools after
      Debian. Fixed by bumping the related Breaks/Replaces to the
      Version Ubuntu introduced the change (LP 1862287)
  * Dropped changes (in Debian)
    - improved s390x support
    - d/binfmt-update-in: fix binfmt being called in some containers
      (LP 1840956)
    - qemu-system-x86-microvm package
      In addition to the generic multi-purpose qemu also provide a minimal
      feature binary that is loading faster for use cases with microvm machine
      type and qboot bios
      - d/control-in: add a new qemu-system-x86-microvm package
      - d/rules: add an extra config/build step to get the minimal qemu
    - Security and packaging fixes (LP 1872937)
      - arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch
      - net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
        CVE-2020-10702
        CVE-2020-11102
      - fix external spice UI
        + install ui-spice-app.so in qemu-system-common
        + install ui-spice-app.so only if built, spice is optional
      - switch binfmt registration to use update-binfmts --[un]import (#866756)
      - qemu-system-gui: Multi-Arch=same, not foreign (#956763)
      - qemu-system-data: s/highcolor/hicolor/ (#955741)
    - enable riscv build (LP 1872931)
      [ changes picked from Debian ]
      - enable support for riscv64 hosts
      - only enable librbd on architectures where it is built
      - ceph: do not list librados-dev as we only use librbd-dev and the latter
        depends on the former
      - seccomp grew up, no need in versioned build-dep
      - enable seccomp only on architectures where it can be built
  * Dropped changes (upstream)
    - d/p/ubuntu/lp-1857033-*: add support for Cooper Lake cpu model
      (LP 1857033)
    - d/p/lp-1859527-*: avoid breakage on high virtqueue counts (LP 1859527)
    - d/p/ubuntu/vhost-user-gpu-Drop-trailing-json-comma.patch: fix parsing of
      vhost-user-gpu
    - d/p/ubuntu/lp-1847361-vhost-correctly-turn-on-VIRTIO_F_IOMMU_PLATFORM.patch:
      avoid unnecessary IOTLB transactions (LP 1866207)
    - d/p/stable/lp-1867519-*: Stabilize qemu 4.2 with upstream
      patches @qemu-stable (LP 1867519)
    - remove d/p/ubuntu/expose-vmx_qemu64cpu.patch: Stop adding VMX to qemu64
      to avoid broken nesting (LP 1868692)
    - d/p/ubuntu/lp-1871830-*: avoid crash when using QEMU_MODULE_DIR
      (LP 1871830)
    - d/p/ubuntu/lp-1872107*: fix migration while rebooting guests (LP 1872107)
    - d/p/ubuntu/lp-1872931-*: fix build on non KVM platforms
    - d/p/ubuntu/lp-1872945-*: fix riscv emulation errors that e.g. hung ssh
      and clobbered doubles (LP 1872945)
    - SECURITY UPDATE: DoS via integer overflow in ati_2d_blt()
      - debian/patches/ubuntu/CVE-2020-11869.patch: fix checks in
        ati_2d_blt() to avoid crash in hw/display/ati_2d.c.
      - CVE-2020-11869
    - d/p/ubuntu/lp-1805256*: Fixes for QEMU on aarch64 ARM hosts
      - async: use explicit memory barriers (LP 1805256)
      - aio-wait: delegate polling of main AioContext if BQL not held
    - d/p/ubuntu/lp-1882774-*: fix issues with VMX subfeatures on systems not
      supporting to set them (LP 1882774)
    - d/p/ubuntu/lp-1847361-modules-load-upgrade.patch: to fallback module
      load to a versioned path
  * Added Changes:
    - d/control: regenerate debian/control out of control-in
    - update d/p/ubuntu/lp-1835546-* to the final versions
      - 11 patches dropped as they are in 5.0
      - 20 patches updated to how they will be in 5.1
    - d/p/ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch: fix
      FTBFS in groovy
    - Make qemu-system-x86-microvm a transitional package as the binary is now
      in qemu-system-x86 itself.
    - d/control-in: build-dep libcap is no more needed
    - d/rules: update arch aware kvm wrappers
    - d/qemu-system-x86.README.Debian: fix typo

qemu (1:5.0-5) unstable; urgency=medium

  * more binfmt-install updates
  * CVE-2020-10717 fix from upstream:
    virtiofsd-add-rlimit-nofile-NUM-option.patch (preparational) and
    virtiofsd-stay-below-fs.file-max-CVE-2020-10717.patch
    (Closes: #959746, CVE-2020-10717)
  * 2 patches from upstream/stable to fix io_uring fd set buildup:
    aio-posix-dont-duplicate-fd-handler-deletion-in-fdmon_io_uring_destroy.patch
    aio-posix-disable-fdmon-io_uring-when-GSource-is-used.patch
  * upstream stable fix: hostmem-dont-use-mbind-if-host-nodes-is-empty.patch
  * upstream stable fix:
    net-use-peer-when-purging-queue-in-qemu_flush_or_purge_queue_packets.patch

qemu (1:5.0-4) unstable; urgency=medium

  * fix binfmt registration (Closes: #959222)
  * disable PIE for user-static build on x32 too, not only i386

qemu (1:5.0-3) unstable; urgency=medium

  * do not explicitly enable -static-pie on non-i386 architectures.
    Apparenly only amd64 actually support -static-pie for now, and
    it is correctly detected.

qemu (1:5.0-2) unstable; urgency=medium

  * (temporarily) disable pie on i386 static build
    For now -static-pie fails on i386 with the following error message:
      /usr/bin/ld: /usr/lib/i386-linux-gnu/libc.a(memset_chk-nonshared.o):
          unsupported non-PIC call to IFUNC `memset'
  * install qemu-system docs in qemu-system-common, not qemu-system-data,
    since docs require ./configure run

qemu (1:5.0-1) unstable; urgency=medium

  * new upstream release (5.0)
    Closes: #958926
    Closes: CVE-2020-11869
  * refresh patches, remove patches applied upstream
  * do not mention openhackware, it is not used anymore
  * do not disable bluez (support removed)
  * new system arch "rx"
  * dont install qemu-doc.* for now,
    but install virtiofsd & qemu-storage-daemon
  * add shared-lib-without-dependency-information tag
    to qemu-user-static.lintian-overrides
  * add html docs to qemu-system-data (to /usr/share/doc/qemu-system-common)
  * do not install usr/share/doc/qemu/specs & usr/share/doc/qemu/tools
  * install qemu-user html docs for qemu-user & qemu-user-static
  * build hppa-firmware.img from roms/seabios-hppa
    (and Build-Depeds-Indep on gcc-hppa-linux-gnu)
  * enable liburing on linux (build-depend on liburing-dev)
  * add upstream signing-key.asc (Michael Roth <flukshun@gmail.com>)
  * build opensbi firmware
    (for riscv64 only, riscv32 is possible with compiler flags)
  * add source-level lintian-overrides for binaries-without-sources
    (lintian can't find sources for a few firmware images which are in roms/)

qemu (1:4.2-7) unstable; urgency=medium

  * qemu-system-gui: Multi-Arch=same, not foreign (Closes: #956763)
  * x32 arch is in the same family as i386 & x86_64, omit binfmt registration
  * check systemd-detect-virt before running update-binfmt
  * gluster is de-facto linux-only, do not build-depend on it on non-linux
  * virglrenderer is also essentially linux-specific
  * qemu-user-static does not depend on shlibs
  * disable parallel building of targets of d/rules
  * add lintian overrides (arch-dependent static binaries) for openbios binaries
  * separate binary-indep target into install-indep-prep and binary-indep
  * split out various components of qemu-system-data into independent
    build/install rules and add infrastructure for more components:
    x86-optionrom, sgabios, qboot, openbios, skiboot, palcode-clipper,
    slof, s390x-fw
  * iscsi-fix-heap-buffer-overflow-in-iscsi_aio_ioctl_cb.patch

qemu (1:4.2-6) unstable; urgency=medium

  * d/rules: fix FTBFS (brown-paper-bag bug) in last upload

qemu (1:4.2-5) unstable; urgency=medium

  * no error-out on address-of-packet-member in openbios
  * install ui-spice-app.so only if built, spice is optional
  * arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch -
    Closes: CVE-2020-10702, weak signature generation
    in Pointer Authentication support for ARM
  * (temporarily) enable seccomp only on architectures where it can be built
    (Closes: #956624)
  * seccomp has grown up, no need in versioned build-dep
  * do not list librados-dev in build-dep as we only use librbd-dev
    and the latter depends on the former
  * only enable librbd on architectures where it is buildable

qemu (1:4.2-4) unstable; urgency=medium

  [ Michael Tokarev ]
  * d/rules: build minimal configuration for qboot/microvm usage
  * set microvm to be the default machine type for microvm case
  * install ui-spice-app.so in qemu-system-common
  * do not depend on libattr-dev, functions are now in libc6 (Closes: #953910)
  * net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
    (Closes: #956145, CVE-2020-11102, tulip nic buffer overflow)
  * qemu-system-data: s/highcolor/hicolor/ (Closes: #955741)
  * switch binfmt registration to use update-binfmts --[un]import
    (Closes: #866756)
  * build openbios-ppc & openbios-sparc binaries in qemu-system-data,
    and replace corresponding binary packages.
    Add gcc-sparc64-linux-gnu, fcode-utils & xsltproc to build-depend-indep
  * build and provide/replace qemu-slof too

  [ Aurelien Jarno ]
  * enable support for riscv64 hosts

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 28 Jul
2020 13:21:31 +0200

** Changed in: qemu (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10702

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10717

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10761

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11102

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11869

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12829

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13253

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13361

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13362

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13659

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13754

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13791

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13800

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15863

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1749393

Title:
  sbrk() not working under qemu-user with a PIE-compiled binary?

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released

Bug description:
  In Debian unstable, we recently switched bash to be a PIE-compiled
  binary (for hardening). Unfortunately this resulted in bash being
  broken when run under qemu-user (for all target architectures, host
  being amd64 for me).

  $ sudo chroot /srv/chroots/sid-i386/ qemu-i386-static /bin/bash
  bash: xmalloc: .././shell.c:1709: cannot allocate 10 bytes (0 bytes allocated)

  bash has its own malloc implementation based on sbrk():
  https://git.savannah.gnu.org/cgit/bash.git/tree/lib/malloc/malloc.c

  When we disable this internal implementation and rely on glibc's
  malloc, then everything is fine. But it might be that glibc has a
  fallback when sbrk() is not working properly and it might hide the
  underlying problem in qemu-user.

  This issue has also been reported to the bash upstream author and he suggested that the issue might be in qemu-user so I'm opening a ticket here. Here's the discussion with the bash upstream author:
  https://lists.gnu.org/archive/html/bug-bash/2018-02/threads.html#00080

  You can find the problematic bash binary in that .deb file:
  http://snapshot.debian.org/archive/debian/20180206T154716Z/pool/main/b/bash/bash_4.4.18-1_i386.deb

  The version of qemu I have been using is 2.11 (Debian package qemu-
  user-static version 1:2.11+dfsg-1) but I have had reports that the
  problem is reproducible with older versions (back to 2.8 at least).

  Here are the related Debian bug reports:
  https://bugs.debian.org/889869
  https://bugs.debian.org/865599

  It's worth noting that bash used to have this problem (when compiled as a PIE binary) even when run directly but then something got fixed in the kernel and now the problem only appears when run under qemu-user:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1518483

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1749393/+subscriptions


^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, back to index

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-14  8:30 [Qemu-devel] [Bug 1749393] [NEW] sbrk() not working under qemu-user with a PIE-compiled binary? Raphaël Hertzog
2018-02-14 15:46 ` [Qemu-devel] [Bug 1749393] " Gérard Vidal
2018-03-01 19:15 ` Peter Ogden
2018-03-15 11:39 ` Peter Maydell
2018-03-15 15:27 ` Matthias Klose
2018-03-15 16:17 ` Peter Maydell
2018-03-15 17:56 ` Peter Ogden
2018-03-22 21:45 ` Launchpad Bug Tracker
2018-04-04 16:16 ` Matthias Klose
2020-01-17 23:52 ` Richard Henderson
2020-03-10  9:07 ` Laurent Vivier
2020-04-30 13:34 ` Laurent Vivier
2020-05-01  6:47 ` Christian Ehrhardt 
2020-06-17  7:52 ` Christian Ehrhardt 
2020-08-01  5:05 ` Launchpad Bug Tracker

QEMU-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/qemu-devel/0 qemu-devel/git/0.git
	git clone --mirror https://lore.kernel.org/qemu-devel/1 qemu-devel/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 qemu-devel qemu-devel/ https://lore.kernel.org/qemu-devel \
		qemu-devel@nongnu.org
	public-inbox-index qemu-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.nongnu.qemu-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git