Bad putenv interaction between fakeroot and perl #11375

Open
p5pRT opened this issue May 23, 2011 · 6 comments


p5pRT commented May 23, 2011

Migrated from rt.perl.org#91452 (status was 'open')

Searchable as RT91452$


p5pRT commented May 23, 2011

From samuel.thibault@ens-lyon.org

Created by samuel.thibault@ens-lyon.org

Hello,

When using perl within a fakeroot, I am sometimes getting

*** glibc detected *** /usr/bin/perl: free(): invalid pointer: 0x01026000 ***

for instance when running perldoc. This is in perl_destruct:

  for (i = 0; environ[i]; i++)
      safesysfree(environ[i]);

  /* Must use safesysfree() when working with environ. */
  safesysfree(environ);

It is trying to free the environ that glibc has settled. What happens is
a bad putenv interaction between perl and fakeroot.

When running as a non-embedded interpreter, perl assumes that it is the
only part of the process which will call putenv, and thus uses its own
implementation. This is however not true when being run under fakeroot,
and its LD_PRELOADed library: when perldoc drops its privileges,
fakeroot records the id in a FAKEROOTUID environment variable by calling
putenv(). Luckily enough, there is very often room for this additional
environment variable, and thus putenv()'s realloc does not change the
value of the `environ' variable. But without luck, there is no such
room, and `environ' changes. Because the perl interpreter assumes that
`environ' being different from `PL_origenviron' means it has called its
own putenv implementation, perl then tries to free the libc-provided
environment. Thus the crash.

Samuel

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.10.1:

Configured by Debian Project at Sun Jan 23 12:14:30 UTC 2011.

Summary of my perl5 (revision 5 version 10 subversion 1) configuration:
   
  Platform:
    osname=gnu, osvers=0.3, archname=i486-gnu-thread-multi
    uname='gnu mozart 0.3 gnu-mach 1.3.99hurd-0.3 i686-at386 gnu '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i486-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 -Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include',
    optimize='-O2 -g',
    cppflags='-D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.5', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=4
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lcrypt
    perllibs=-ldl -lm -lpthread -lcrypt
    libc=, so=so, useshrplib=true, libperl=libperl.so.5.10.1
    gnulibc_version='2.11.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib -fstack-protector'

Locally applied patches:
    DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts
    DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable.
    DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
    DEBPKG:debian/db_file_ver - http://bugs.debian.org/340047 Remove overly restrictive DB_File version check.
    DEBPKG:debian/doc_info - Replace generic man(1) instructions with Debian-specific information.
    DEBPKG:debian/enc2xs_inc - http://bugs.debian.org/290336 Tweak enc2xs to follow symlinks and ignore missing @INC directories.
    DEBPKG:debian/errno_ver - http://bugs.debian.org/343351 Remove Errno version check due to upgrade problems with long-running processes.
    DEBPKG:debian/extutils_hacks - Various debian-specific ExtUtils changes
    DEBPKG:debian/fakeroot - Postpone LD_LIBRARY_PATH evaluation to the binary targets.
    DEBPKG:debian/instmodsh_doc - Debian policy doesn't install .packlist files for core or vendor.
    DEBPKG:debian/ld_run_path - Remove standard libs from LD_RUN_PATH as per Debian policy.
    DEBPKG:debian/libnet_config_path - Set location of libnet.cfg to /etc/perl/Net as /usr may not be writable.
    DEBPKG:debian/m68k_thread_stress - http://bugs.debian.org/495826 Disable some threads tests on m68k for now due to missing TLS.
    DEBPKG:debian/mod_paths - Tweak @INC ordering for Debian
    DEBPKG:debian/module_build_man_extensions - http://bugs.debian.org/479460 Adjust Module::Build manual page extensions for the Debian Perl policy
    DEBPKG:debian/perl_synopsis - http://bugs.debian.org/278323 Rearrange perl.pod
    DEBPKG:debian/prune_libs - http://bugs.debian.org/128355 Prune the list of libraries wanted to what we actually need.
    DEBPKG:debian/use_gdbm - Explicitly link against -lgdbm_compat in ODBM_File/NDBM_File. 
    DEBPKG:fixes/assorted_docs - http://bugs.debian.org/443733 [384f06a] Math::BigInt::CalcEmu documentation grammar fix
    DEBPKG:fixes/net_smtp_docs - http://bugs.debian.org/100195 [rt.cpan.org #36038] Document the Net::SMTP 'Port' option
    DEBPKG:fixes/processPL - http://bugs.debian.org/357264 [rt.cpan.org #17224] Always use PERLRUNINST when building perl modules.
    DEBPKG:debian/perlivp - http://bugs.debian.org/510895 Make perlivp skip include directories in /usr/local
    DEBPKG:fixes/pod2man-index-backslash - http://bugs.debian.org/521256 Escape backslashes in .IX entries
    DEBPKG:debian/disable-zlib-bundling - Disable zlib bundling in Compress::Raw::Zlib
    DEBPKG:fixes/kfreebsd_cppsymbols - http://bugs.debian.org/533098 [3b910a0] Add gcc predefined macros to $Config{cppsymbols} on GNU/kFreeBSD.
    DEBPKG:debian/cpanplus_definstalldirs - http://bugs.debian.org/533707 Configure CPANPLUS to use the site directories by default.
    DEBPKG:debian/cpanplus_config_path - Save local versions of CPANPLUS::Config::System into /etc/perl.
    DEBPKG:fixes/kfreebsd-filecopy-pipes - http://bugs.debian.org/537555 [16f708c] Fix File::Copy::copy with pipes on GNU/kFreeBSD
    DEBPKG:fixes/anon-tmpfile-dir - http://bugs.debian.org/528544 [perl #66452] Honor TMPDIR when open()ing an anonymous temporary file
    DEBPKG:fixes/abstract-sockets - http://bugs.debian.org/329291 [89904c0] Add support for Abstract namespace sockets.
    DEBPKG:fixes/hurd_cppsymbols - http://bugs.debian.org/544307 [eeb92b7] Add gcc predefined macros to $Config{cppsymbols} on GNU/Hurd.
    DEBPKG:fixes/autodie-flock - http://bugs.debian.org/543731 Allow for flock returning EAGAIN instead of EWOULDBLOCK on linux/parisc
    DEBPKG:fixes/archive-tar-instance-error - http://bugs.debian.org/539355 [rt.cpan.org #48879] Separate Archive::Tar instance error strings from each other
    DEBPKG:fixes/positive-gpos - http://bugs.debian.org/545234 [perl #69056] [c584a96] Fix \\G crash on first match
    DEBPKG:debian/devel-ppport-ia64-optim - http://bugs.debian.org/548943 Work around an ICE on ia64
    DEBPKG:fixes/trie-logic-match - http://bugs.debian.org/552291 [perl #69973] [0abd0d7] Fix a DoS in Unicode processing [CVE-2009-3626]
    DEBPKG:fixes/hppa-thread-eagain - http://bugs.debian.org/554218 make the threads-shared test suite more robust, fixing failures on hppa
    DEBPKG:fixes/crash-on-undefined-destroy - http://bugs.debian.org/564074 [perl #71952] [1f15e67] Fix a NULL pointer dereference when looking for a DESTROY method
    DEBPKG:fixes/tainted-errno - http://bugs.debian.org/574129 [perl #61976] [be1cf43] fix an errno stringification bug in taint mode
    DEBPKG:fixes/safe-upgrade - http://bugs.debian.org/582978 Upgrade Safe.pm to 2.25, fixing CVE-2010-1974
    DEBPKG:fixes/tell-crash - http://bugs.debian.org/578577 [f4817f3] Fix a tell() crash on bad arguments.
    DEBPKG:fixes/format-write-crash - http://bugs.debian.org/579537 [perl #22977] [421f30e] Fix a crash in format/write
    DEBPKG:fixes/arm-alignment - http://bugs.debian.org/289884 [f1c7503] Prevent gcc from optimizing the alignment test away on armel
    DEBPKG:fixes/fcgi-test - Fix a failure in CGI/t/fast.t when FCGI is installed
    DEBPKG:fixes/hurd-ccflags - http://bugs.debian.org/587901 Make hints/gnu.sh append to $ccflags rather than overriding them
    DEBPKG:debian/squelch-locale-warnings - http://bugs.debian.org/508764 Squelch locale warnings in Debian package maintainer scripts
    DEBPKG:fixes/lc-numeric-docs - http://bugs.debian.org/379329 [perl #78452] [903eb63] LC_NUMERIC documentation fixes
    DEBPKG:fixes/lc-numeric-sprintf - http://bugs.debian.org/601549 [perl #78632] [b3fd614] Fix sprintf not to ignore LC_NUMERIC with constants
    DEBPKG:fixes/concat-stack-corruption - http://bugs.debian.org/596105 [perl #78674] [e3393f5] Fix stack pointer corruption in pp_concat() with 'use encoding'
    DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities
    DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17 in patchlevel.h


@INC for perl 5.10.1:
    /etc/perl
    /usr/local/lib/perl/5.10.1
    /usr/local/share/perl/5.10.1
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.10
    /usr/share/perl/5.10
    /usr/local/lib/site_perl
    .


Environment for perl 5.10.1:
    HOME=/home/buildd
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/buildd/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/bash



p5pRT commented Dec 5, 2011

From samuel.thibault@ens-lyon.org

Hello,

No news about this bug?

I was advised to provide a testcase that would fail on Linux too, here
is one, which behaves quite like libfakeroot: it redirects chmod into
something that uses putenv.

$ gcc test.c -o libtest.so -fPIC -shared
$ LD_PRELOAD=$PWD/libtest.so perl
chmod 0644, "test.c"
putting environment
*** glibc detected *** perl: munmap_chunk(): invalid pointer:
0x00007fff3cd57df0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x72606)[0x7f3b8b81c606]
/usr/lib/libperl.so.5.14(perl_destruct+0x1e2d)[0x7f3b8c21d97d]
perl(main+0x111)[0x400eb1]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f3b8b7c8ead]
perl[0x400f21]
etc.

Samuel


p5pRT commented Dec 5, 2011

From samuel.thibault@ens-lyon.org

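#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>     /* putenv() */
#include <sys/stat.h>
#include <dlfcn.h>

/* Interposed chmod(): calls libc's putenv() as libfakeroot does,
 * then forwards to the real chmod(). */
int chmod(const char *path, mode_t mode) {
  char c[16];
  int i;
  int (*real_chmod) (const char *path, mode_t mode);
  printf("putting environment\n");
  for (i=0; i < 100; i++) {
    /* As posted: c is passed where i was meant (see the follow-up). */
    snprintf(c, sizeof(c), "FOO%d=bar", c);
    putenv(c);
  }
  real_chmod = dlsym(RTLD_NEXT, "chmod");
  return real_chmod(path, mode);
}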


p5pRT commented Dec 6, 2011

@jkeenan - Status changed from 'new' to 'open'


p5pRT commented Dec 6, 2011

From samuel.thibault@ens-lyon.org

Samuel Thibault, on Mon 05 Dec 2011 00:39:03 +0100, wrote:

> $ gcc test.c -o libtest.so -fPIC -shared
> $ LD_PRELOAD=$PWD/libtest.so perl
> chmod 0644, "test.c"
> putting environment
> *** glibc detected *** perl: munmap_chunk(): invalid pointer:
> 0x00007fff3cd57df0 ***
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x72606)[0x7f3b8b81c606]
> /usr/lib/libperl.so.5.14(perl_destruct+0x1e2d)[0x7f3b8c21d97d]
> perl(main+0x111)[0x400eb1]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f3b8b7c8ead]
> perl[0x400f21]
> etc.

Interesting. Actually I meant the attached testcase: FOO0 to FOO100
variables, to make sure the environment gets reallocated, but it
happened to trigger the bug on my box with just one variable. Anyway,
here is a stronger test.

Samuel


p5pRT commented Dec 6, 2011

From samuel.thibault@ens-lyon.org

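#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>     /* putenv(), malloc() */
#include <sys/stat.h>
#include <dlfcn.h>

/* Interposed chmod(): grows the environment through libc's putenv(),
 * as libfakeroot does, then forwards to the real chmod(). */
int chmod(const char *path, mode_t mode) {
  char *c;
  int i;
  int (*real_chmod) (const char *path, mode_t mode);
  printf("putting environment\n");
  for (i=0; i < 100; i++) {
    /* putenv() keeps the pointer it is given, so each variable gets its
     * own heap string; one shared stack buffer would leave a single
     * entry that dangles once chmod() returns. */
    c = malloc(16);
    if (c == NULL)
      break;
    snprintf(c, 16, "FOO%d=bar", i);
    putenv(c);
  }
  real_chmod = dlsym(RTLD_NEXT, "chmod");
  return real_chmod(path, mode);
}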
