From owner-freebsd-stable@freebsd.org Sat Aug 24 20:05:04 2019
Date: Sat, 24 Aug 2019 22:04:49 +0200 (CEST)
From: Trond Endrestøl
Sender: Trond.Endrestol@ximalas.info
To: freebsd-stable@freebsd.org
Subject: ntpd doesn't like ASLR on stable/12 post-r350672
User-Agent: Alpine 2.21.99999 (BSF 352 2019-06-22)
OpenPGP: url=http://ximalas.info/about/tronds-openpgp-public-key
List-Id: Production branch of FreeBSD source code

Hi,

I'm running stable/12 with ASLR enabled in /etc/sysctl.conf:

kern.elf64.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf32.aslr.enable=1
kern.elf32.aslr.pie_enable=1

After upgrading to anything after r350672, now at r351450, ntpd refuses to start at boot.

Aug 24 21:25:42 HOSTNAME ntpd[5618]: ntpd 4.2.8p12-a (1): Starting
Aug 24 21:25:43 HOSTNAME kernel: [406] pid 5619 (ntpd), jid 0, uid 123: exited on signal 11

Disabling ASLR, kern.elf64.aslr.enable=0, before starting ntpd manually is a workaround, but this is not viable in the long run.

I tried changing

command="/usr/sbin/${name}"

to

command="/usr/bin/proccontrol -m aslr -s disable /usr/sbin/${name}"

in /etc/rc.d/ntpd, but that didn't go well.

Running ntpd through gdb while ASLR was enabled, I narrowed it down to

/usr/src/contrib/ntp/ntpd/ntpd.c:1001
ntp_rlimit(RLIMIT_STACK, DFLT_RLIMIT_STACK * 4096, 4096, "4k");

which calls /usr/src/contrib/ntp/ntpd/ntp_config.c:5211 and proceeds to

/usr/src/contrib/ntp/ntpd/ntp_config.c:5254
if (-1 == getrlimit(RLIMIT_STACK, &rl)) {

Single stepping from this point gave me:

====
(gdb) s
_thr_rtld_set_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:171
171     {
(gdb) 
176         return (0);
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:115
115     {
(gdb) 
120         curthread = _get_curthread();
(gdb) 
_get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
97          return (TCB_GET64(tcb_thread));
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:121
121         SAVE_ERRNO();
(gdb) 
124         THR_CRITICAL_ENTER(curthread);
(gdb) 
_thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:192
192             (rwlock->rw_flags & URWLOCK_PREFER_READER) != 0)
(gdb) 
191         if ((flags & URWLOCK_PREFER_READER) != 0 ||
(gdb) 
197         while (!(state & wrflags)) {
(gdb) 
201             if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
(gdb) 
atomic_cmpset_int (dst=, expect=, src=1) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
220     ATOMIC_CMPSET(int);
(gdb) 
_thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:201
201             if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:127
127         curthread->rdlock_count++;
(gdb) 
128         RESTORE_ERRNO();
(gdb) 
129     }
(gdb) 
_thr_rtld_clr_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:181
181     {
(gdb) 
182         return (0);
(gdb) 
_thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:150
150     {
(gdb) 
_get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
97          return (TCB_GET64(tcb_thread));
(gdb) 
_thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:157
157         SAVE_ERRNO();
(gdb) 
160         state = l->lock.rw_state;
(gdb) 
161         if (_thr_rwlock_unlock(&l->lock) == 0) {
(gdb) 
_thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:249
249         state = rwlock->rw_state;
(gdb) 
250         if ((state & URWLOCK_WRITE_OWNER) != 0) {
(gdb) 
256         if (__predict_false(URWLOCK_READER_COUNT(state) == 0))
(gdb) 
260             URWLOCK_READER_COUNT(state) == 1)) {
(gdb) 
259             URWLOCK_READ_WAITERS)) != 0 &&
(gdb) 
262                 state, state - 1))
(gdb) 
261         if (atomic_cmpset_rel_32(&rwlock->rw_state,
(gdb) 
atomic_cmpset_int (dst=, expect=, src=0) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
220     ATOMIC_CMPSET(int);
(gdb) 
_thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:261
261         if (atomic_cmpset_rel_32(&rwlock->rw_state,
(gdb) 
_thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:162
162         if ((state & URWLOCK_WRITE_OWNER) == 0)
(gdb) 
163             curthread->rdlock_count--;
(gdb) 
164         THR_CRITICAL_LEAVE(curthread);
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:271
271         if (!THR_IN_CRITICAL(curthread)) {
(gdb) 
272             check_deferred_signal(curthread);
(gdb) 
check_deferred_signal (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:332
332         if (__predict_true(curthread->deferred_siginfo.si_signo == 0 ||
(gdb) 
351     }
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:273
273             check_suspend(curthread);
(gdb) 
check_suspend (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:358
358         if (__predict_true((curthread->flags &
(gdb) 
401     }
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:274
274             check_cancel(curthread, NULL);
(gdb) 
check_cancel (curthread=0x80864b000, ucp=0x0) at /usr/src/lib/libthr/thread/thr_sig.c:283
283         if (__predict_true(!curthread->cancel_pending ||
(gdb) 
_thr_ast (curthread=) at /usr/src/lib/libthr/thread/thr_sig.c:276
276     }
(gdb) 
_thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:166
166         RESTORE_ERRNO();
(gdb) 
167     }
(gdb) 
getrlimit () at getrlimit.S:3
3       RSYSCALL(getrlimit)
(gdb) 
ntp_rlimit (rl_what=, rl_value=204800, rl_scale=, rl_sstr=) at /usr/src/contrib/ntp/ntpd/ntp_config.c:5257
5257            if (rl_value > rl.rlim_max) {
(gdb) 
5264            rl.rlim_cur = rl_value;
(gdb) 
5265            if (-1 == setrlimit(RLIMIT_STACK, &rl)) {
(gdb) 
_thr_rtld_set_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:171
171     {
(gdb) 
176         return (0);
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:115
115     {
(gdb) 
120         curthread = _get_curthread();
(gdb) 
_get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
97          return (TCB_GET64(tcb_thread));
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:121
121         SAVE_ERRNO();
(gdb) 
124         THR_CRITICAL_ENTER(curthread);
(gdb) 
_thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:192
192             (rwlock->rw_flags & URWLOCK_PREFER_READER) != 0)
(gdb) 
191         if ((flags & URWLOCK_PREFER_READER) != 0 ||
(gdb) 
197         while (!(state & wrflags)) {
(gdb) 
201             if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
(gdb) 
atomic_cmpset_int (dst=, expect=, src=1) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
220     ATOMIC_CMPSET(int);
(gdb) 
_thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:201
201             if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
(gdb) 
_thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:127
127         curthread->rdlock_count++;
(gdb) 
128         RESTORE_ERRNO();
(gdb) 
129     }
(gdb) 
_thr_rtld_clr_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:181
181     {
(gdb) 
182         return (0);
(gdb) 
_thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:150
150     {
(gdb) 
_get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
97          return (TCB_GET64(tcb_thread));
(gdb) 
_thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:157
157         SAVE_ERRNO();
(gdb) 
160         state = l->lock.rw_state;
(gdb) 
161         if (_thr_rwlock_unlock(&l->lock) == 0) {
(gdb) 
_thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:249
249         state = rwlock->rw_state;
(gdb) 
250         if ((state & URWLOCK_WRITE_OWNER) != 0) {
(gdb) 
256         if (__predict_false(URWLOCK_READER_COUNT(state) == 0))
(gdb) 
260             URWLOCK_READER_COUNT(state) == 1)) {
(gdb) 
259             URWLOCK_READ_WAITERS)) != 0 &&
(gdb) 
262                 state, state - 1))
(gdb) 
261         if (atomic_cmpset_rel_32(&rwlock->rw_state,
(gdb) 
atomic_cmpset_int (dst=, expect=, src=0) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
220     ATOMIC_CMPSET(int);
(gdb) 
_thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:261
261         if (atomic_cmpset_rel_32(&rwlock->rw_state,
(gdb) 
_thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:162
162         if ((state & URWLOCK_WRITE_OWNER) == 0)
(gdb) 
163             curthread->rdlock_count--;
(gdb) 
164         THR_CRITICAL_LEAVE(curthread);
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:271
271         if (!THR_IN_CRITICAL(curthread)) {
(gdb) 
272             check_deferred_signal(curthread);
(gdb) 
check_deferred_signal (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:332
332         if (__predict_true(curthread->deferred_siginfo.si_signo == 0 ||
(gdb) 
351     }
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:273
273             check_suspend(curthread);
(gdb) 
check_suspend (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:358
358         if (__predict_true((curthread->flags &
(gdb) 
401     }
(gdb) 
_thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:274
274             check_cancel(curthread, NULL);
(gdb) 
check_cancel (curthread=0x80864b000, ucp=0x0) at /usr/src/lib/libthr/thread/thr_sig.c:283
283         if (__predict_true(!curthread->cancel_pending ||
(gdb) 
_thr_ast (curthread=) at /usr/src/lib/libthr/thread/thr_sig.c:276
276     }
(gdb) 
_thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:166
166         RESTORE_ERRNO();
(gdb) 
167     }
(gdb) 
setrlimit () at setrlimit.S:3
3       RSYSCALL(setrlimit)
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
setrlimit () at setrlimit.S:3
3       RSYSCALL(setrlimit)
(gdb) 

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) q
====

I'm sorry for the long post.

Is there anything (else) I can do to further narrow it down?

-- 
Trond.
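The getrlimit/setrlimit path the post narrows the crash to, as an added example that is not ntpd's or FreeBSD's own code: the planning step is split out as a pure function so the rlimit ntpd would hand to setrlimit(2) can be inspected without shrinking the stack limit of the running process. DFLT_RLIMIT_STACK = 50 is an assumption inferred from the rl_value=204800 in the gdb session (50 * 4096), and the body of the `rl_value > rl.rlim_max` branch (clamping to rlim_max) is also an assumption, since the mail shows only its condition.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Added example, not ntpd's own code. DFLT_RLIMIT_STACK = 50 is assumed from
 * the gdb session's rl_value=204800 (204800 / 4096 == 50). */
#define DFLT_RLIMIT_STACK 50
#define STACK_PAGE        4096

enum rl_outcome { RL_SET, RL_CLAMPED, RL_GET_FAILED, RL_SET_FAILED };
/* Pure planning step: compute what ntp_rlimit() would hand to setrlimit(2)
 * from the current limits, without touching the running process. */
enum rl_outcome plan_stack_limit(const struct rlimit *cur, rlim_t requested,
                                 struct rlimit *out)
{
    enum rl_outcome r = RL_SET;
    *out = *cur;
    if (requested > cur->rlim_max) {   /* ntp_config.c:5257 in the mail */
        requested = cur->rlim_max;     /* assumed clamp; only the condition
                                        * is shown in the mail, not the body */
        r = RL_CLAMPED;
    }
    out->rlim_cur = requested;         /* ntp_config.c:5264 */
    return r;
}

/* Side-effecting step: the getrlimit(2)/setrlimit(2) pair ntpd reaches from
 * ntpd.c:1001. On the reporter's stable/12 build with ASLR enabled, the
 * setrlimit(2) call is where ntpd received SIGSEGV. */
enum rl_outcome apply_stack_limit(rlim_t requested, struct rlimit *applied)
{
    struct rlimit cur;
    enum rl_outcome r;
    memset(applied, 0, sizeof(*applied));
    if (getrlimit(RLIMIT_STACK, &cur) == -1)      /* ntp_config.c:5254 */
        return RL_GET_FAILED;
    r = plan_stack_limit(&cur, requested, applied);
    if (setrlimit(RLIMIT_STACK, applied) == -1)   /* ntp_config.c:5265 */
        return RL_SET_FAILED;
    return r;
}
int main(void)
{
    struct rlimit rl;
    enum rl_outcome r = apply_stack_limit((rlim_t)DFLT_RLIMIT_STACK * STACK_PAGE, &rl);
    printf("outcome=%d rlim_cur=%llu rlim_max=%llu\n", (int)r,
           (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max);
    return (r == RL_SET || r == RL_CLAMPED) ? 0 : 1;
}
```

Running main() performs the same stack-limit shrink ntpd does, so on a build that shows the reported behaviour it is the place to set a breakpoint; plan_stack_limit() alone is safe to call anywhere.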