RHEL-23472

glibc: Binaries linked against libcap and libasan crash due to stack smashing on ppc64le due to a prctl change in glibc

    • glibc-2.34-101.el9
    • Patch
    • rhel-sst-pt-libraries
    • ssg_platform_tools
    • Dev ack
    • Libraries Sprint 1
    • Release Note Not Required
    • ppc64le

      What were you trying to do that didn't work?

      While upgrading our ppc64le CI job in systemd upstream (from C8S to C9S), a part of our test suite started failing, more specifically the part that builds "regression fuzzers" that are built with ASan and UBSan. After some playing around I managed to minimize the reproducer to a simple hello world program that crashes when linked against libcap and libasan.

      Please provide the package NVR for which the bug is seen:

      libcap-2.48-9.el9.ppc64le
      libasan-11.4.1-3.el9.ppc64le
      gcc-11.4.1-3.el9.ppc64le

      How reproducible:

      always

      Steps to reproduce

      # cat test.c
      #include <stdio.h>
      
      int main(void) {
              puts("Hello world");
              return 0;
      }
      # gcc -o test test.c -lcap
      # ./test 
      Hello world
      # gcc -o test test.c -lcap -fsanitize=address
      # ulimit -c unlimited
      # ASAN_OPTIONS=madv_dontdump=1:disable_coredump=0 ./test 
      *** stack smashing detected ***: terminated
      Aborted (core dumped)
      # coredumpctl info
                 PID: 67958 (test)
                 UID: 0 (root)
                 GID: 0 (root)
              Signal: 6 (ABRT)
           Timestamp: Wed 2024-01-31 10:12:30 EST (10s ago)
        Command Line: ./test
          Executable: /root/test
       Control Group: /user.slice/user-0.slice/session-2.scope
                Unit: session-2.scope
               Slice: user-0.slice
             Session: 2
           Owner UID: 0 (root)
             Boot ID: b7c9073c1f084b7cbfa0361ea6c72106
          Machine ID: 275f6d73cbdd46f7a5c7920d8eed8cc2
            Hostname: xxx.redhat.com
             Storage: /var/lib/systemd/coredump/core.test.0.b7c9073c1f084b7cbfa0361ea6c72106.67958.1706713950000000.zst (present)
        Size on Disk: 492.2K
             Message: Process 67958 (test) of user 0 dumped core.
                      
                      Stack trace of thread 67958:
                      #0  0x00007ffff731b70c __pthread_kill_implementation (libc.so.6 + 0xab70c)
                      #1  0x00007ffff72bac1c raise (libc.so.6 + 0x4ac1c)
                      #2  0x00007ffff729c460 abort (libc.so.6 + 0x2c460)
                      #3  0x00007ffff73083e0 __libc_message (libc.so.6 + 0x983e0)
                      #4  0x00007ffff73de204 __fortify_fail (libc.so.6 + 0x16e204)
                      #5  0x00007ffff73de1d0 __stack_chk_fail (libc.so.6 + 0x16e1d0)
                      #6  0x00007ffff75713f0 __interceptor_prctl (libasan.so.6 + 0x713f0)
                      #7  0x00007ffff74d3934 cap_get_bound (libcap.so.2 + 0x3934)
                      #8  0x00007ffff74d25ec n/a (libcap.so.2 + 0x25ec)
                      #9  0x00007ffff7f97ba0 call_init (ld64.so.2 + 0x7ba0)
                      #10 0x00007ffff7fc3dbc _dl_start_user (ld64.so.2 + 0x33dbc)
                      ELF object binary architecture: PowerPC64
      
      

      From what I've seen so far in our CIs this is limited only to ppc64le (x86_64 and aarch64 work fine).
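The trace above fails inside libasan's __interceptor_prctl, reached from libcap's cap_get_bound(), which reads the capability bounding set with prctl(PR_CAPBSET_READ). The following diagnostic is added here and is not part of the original report, of libcap or of glibc: it performs that same PR_CAPBSET_READ query twice, once through the libc prctl() wrapper (the path ASan intercepts when the binary is built with -fsanitize=address) and once as a raw syscall(2), which bypasses the interceptor, and counts the capabilities for which the two paths disagree. It needs no libcap, so it lets you check whether the interceptor path alone is affected on a given toolchain. The function and variable names are this example's own.

```c
/*
 * Added diagnostic (not from the bug report): compare PR_CAPBSET_READ through
 * the libc prctl() wrapper with the same query as a raw system call.
 * Build twice and run both binaries:
 *   gcc -O0 -g -o capbset_probe capbset_probe.c
 *   gcc -O0 -g -fsanitize=address -o capbset_probe_asan capbset_probe.c
 * On an affected ppc64le toolchain only the ASan build is expected to abort,
 * because only the wrapper path goes through __interceptor_prctl.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_LAST_CAP */

/* Bounding-set query via the libc wrapper, all five prctl arguments passed
 * explicitly. Returns 1 if the capability is in the bounding set, 0 if not,
 * -1 with errno set if the kernel rejects the capability number. */
int capbset_read_wrapper(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Same query as a raw system call: no libc wrapper, no sanitizer interceptor. */
int capbset_read_raw(int cap)
{
    return (int)syscall(SYS_prctl, PR_CAPBSET_READ, (unsigned long)cap,
                        0UL, 0UL, 0UL);
}

/* 1 if both paths return the same valid 0/1 answer for this capability,
 * 0 if they disagree or return an error. */
int capbset_paths_agree(int cap)
{
    int w = capbset_read_wrapper(cap);
    int r = capbset_read_raw(cap);
    if (w != r)
        return 0;
    return (w == 0 || w == 1);
}

/* Walk every capability the build-time headers know about. The running kernel
 * may be older than the headers, so stop at the first number it rejects with
 * EINVAL (checked on the raw path, which cannot be affected by the wrapper). */
static void run_probe(int *probed, int *disagreed)
{
    *probed = 0;
    *disagreed = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        errno = 0;
        if (capbset_read_raw(cap) == -1 && errno == EINVAL)
            break;
        (*probed)++;
        if (!capbset_paths_agree(cap))
            (*disagreed)++;
    }
}

/* Number of capabilities the kernel accepted; at least CAP_CHOWN on any Linux. */
int count_probed(void)
{
    int probed, disagreed;
    run_probe(&probed, &disagreed);
    return probed;
}

/* Number of capabilities for which wrapper and raw syscall disagree; 0 is healthy. */
int count_disagreements(void)
{
    int probed, disagreed;
    run_probe(&probed, &disagreed);
    return disagreed;
}

int main(void)
{
    int probed = count_probed();
    int bad = count_disagreements();
    printf("bounding-set probes: %d capabilities checked, %d disagreements\n",
           probed, bad);
    return bad == 0 ? 0 : 1;
}
```

If the ASan build aborts with "stack smashing detected" before printing anything, the failure is in the intercepted wrapper path and reproduces without libcap; if both builds print zero disagreements, the interceptor on that toolchain is not the component at fault and the libcap-linked reproducer above should be examined further.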

              People: Patsy Griffin (pfrankli), Frantisek Sumsal (fsumsalrh), Platform Tools - Libraries Bot, Sergey Kolosov
              Votes: 0
              Watchers: 15