From: Konstantin Belousov <kostikbel@gmail.com>
To: Trond Endrestøl
Cc: freebsd-stable@freebsd.org
Subject: Re: ntpd doesn't like ASLR on stable/12 post-r350672
Date: Sat, 24 Aug 2019 23:41:14 +0300
Message-ID: <20190824204114.GG71821@kib.kiev.ua>
User-Agent: Mutt/1.12.1 (2019-06-15)
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
On Sat, Aug 24, 2019 at 10:04:49PM +0200, Trond Endrestøl wrote:
> Hi,
>
> I'm running stable/12 with ASLR enabled in /etc/sysctl.conf:
>
> kern.elf64.aslr.enable=1
> kern.elf64.aslr.pie_enable=1
> kern.elf32.aslr.enable=1
> kern.elf32.aslr.pie_enable=1
>
> After upgrading to anything after r350672, now at r351450, ntpd
> refuses to start at boot.
>
> Aug 24 21:25:42 HOSTNAME ntpd[5618]: ntpd 4.2.8p12-a (1): Starting
> Aug 24 21:25:43 HOSTNAME kernel: [406] pid 5619 (ntpd), jid 0, uid 123: exited on signal 11
>
> Disabling ASLR, kern.elf64.aslr.enable=0, before starting ntpd
> manually is a workaround, but this is not viable in the long run.

Why?

>
> I tried changing command="/usr/sbin/${name}" to
> command="/usr/bin/proccontrol -m aslr -s disable /usr/sbin/${name}" in
> /etc/rc.d/ntpd, but that didn't go well.

If you set kern.elf64.aslr.stack_gap to zero, does it help?

>
> Running ntpd through gdb while ASLR was enabled, I narrowed it down to
> /usr/src/contrib/ntp/ntpd/ntpd.c:1001
>
> ntp_rlimit(RLIMIT_STACK, DFLT_RLIMIT_STACK * 4096, 4096, "4k");
>
> which calls /usr/src/contrib/ntp/ntpd/ntp_config.c:5211 and proceeds
> to /usr/src/contrib/ntp/ntpd/ntp_config.c:5254
>
> if (-1 == getrlimit(RLIMIT_STACK, &rl)) {
>
> Single stepping from this point gave me:
>
> ====
>
> (gdb) s
> _thr_rtld_set_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:171
> 171 {
> (gdb)
> 176 return (0);
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:115
> 115 {
> (gdb)
> 120 curthread = _get_curthread();
> (gdb)
> _get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
> 97 return (TCB_GET64(tcb_thread));
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:121
> 121 SAVE_ERRNO();
> (gdb)
> 124 THR_CRITICAL_ENTER(curthread);
> (gdb)
> _thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:192
> 192 (rwlock->rw_flags & URWLOCK_PREFER_READER) != 0)
> (gdb)
> 191 if ((flags & URWLOCK_PREFER_READER) != 0 ||
> (gdb)
> 197 while (!(state & wrflags)) {
> (gdb)
> 201 if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
> (gdb)
> atomic_cmpset_int (dst=, expect=, src=1) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
> 220 ATOMIC_CMPSET(int);
> (gdb)
> _thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:201
> 201 if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:127
> 127 curthread->rdlock_count++;
> (gdb)
> 128 RESTORE_ERRNO();
> (gdb)
> 129 }
> (gdb)
> _thr_rtld_clr_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:181
> 181 {
> (gdb)
> 182 return (0);
> (gdb)
> _thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:150
> 150 {
> (gdb)
> _get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
> 97 return (TCB_GET64(tcb_thread));
> (gdb)
> _thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:157
> 157 SAVE_ERRNO();
> (gdb)
> 160 state = l->lock.rw_state;
> (gdb)
> 161 if (_thr_rwlock_unlock(&l->lock) == 0) {
> (gdb)
> _thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:249
> 249 state = rwlock->rw_state;
> (gdb)
> 250 if ((state & URWLOCK_WRITE_OWNER) != 0) {
> (gdb)
> 256 if (__predict_false(URWLOCK_READER_COUNT(state) == 0))
> (gdb)
> 260 URWLOCK_READER_COUNT(state) == 1)) {
> (gdb)
> 259 URWLOCK_READ_WAITERS)) != 0 &&
> (gdb)
> 262 state, state - 1))
> (gdb)
> 261 if (atomic_cmpset_rel_32(&rwlock->rw_state,
> (gdb)
> atomic_cmpset_int (dst=, expect=, src=0) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
> 220 ATOMIC_CMPSET(int);
> (gdb)
> _thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:261
> 261 if (atomic_cmpset_rel_32(&rwlock->rw_state,
> (gdb)
> _thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:162
> 162 if ((state & URWLOCK_WRITE_OWNER) == 0)
> (gdb)
> 163 curthread->rdlock_count--;
> (gdb)
> 164 THR_CRITICAL_LEAVE(curthread);
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:271
> 271 if (!THR_IN_CRITICAL(curthread)) {
> (gdb)
> 272 check_deferred_signal(curthread);
> (gdb)
> check_deferred_signal (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:332
> 332 if (__predict_true(curthread->deferred_siginfo.si_signo == 0 ||
> (gdb)
> 351 }
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:273
> 273 check_suspend(curthread);
> (gdb)
> check_suspend (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:358
> 358 if (__predict_true((curthread->flags &
> (gdb)
> 401 }
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:274
> 274 check_cancel(curthread, NULL);
> (gdb)
> check_cancel (curthread=0x80864b000, ucp=0x0) at /usr/src/lib/libthr/thread/thr_sig.c:283
> 283 if (__predict_true(!curthread->cancel_pending ||
> (gdb)
> _thr_ast (curthread=) at /usr/src/lib/libthr/thread/thr_sig.c:276
> 276 }
> (gdb)
> _thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:166
> 166 RESTORE_ERRNO();
> (gdb)
> 167 }
> (gdb)
> getrlimit () at getrlimit.S:3
> 3 RSYSCALL(getrlimit)
> (gdb)
> ntp_rlimit (rl_what=, rl_value=204800, rl_scale=, rl_sstr=) at /usr/src/contrib/ntp/ntpd/ntp_config.c:5257
> 5257 if (rl_value > rl.rlim_max) {
> (gdb)
> 5264 rl.rlim_cur = rl_value;
> (gdb)
> 5265 if (-1 == setrlimit(RLIMIT_STACK, &rl)) {
> (gdb)
> _thr_rtld_set_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:171
> 171 {
> (gdb)
> 176 return (0);
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:115
> 115 {
> (gdb)
> 120 curthread = _get_curthread();
> (gdb)
> _get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
> 97 return (TCB_GET64(tcb_thread));
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:121
> 121 SAVE_ERRNO();
> (gdb)
> 124 THR_CRITICAL_ENTER(curthread);
> (gdb)
> _thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:192
> 192 (rwlock->rw_flags & URWLOCK_PREFER_READER) != 0)
> (gdb)
> 191 if ((flags & URWLOCK_PREFER_READER) != 0 ||
> (gdb)
> 197 while (!(state & wrflags)) {
> (gdb)
> 201 if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
> (gdb)
> atomic_cmpset_int (dst=, expect=, src=1) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
> 220 ATOMIC_CMPSET(int);
> (gdb)
> _thr_rwlock_tryrdlock (rwlock=, flags=0) at /usr/src/lib/libthr/thread/thr_umtx.h:201
> 201 if (atomic_cmpset_acq_32(&rwlock->rw_state, state, state + 1))
> (gdb)
> _thr_rtld_rlock_acquire (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:127
> 127 curthread->rdlock_count++;
> (gdb)
> 128 RESTORE_ERRNO();
> (gdb)
> 129 }
> (gdb)
> _thr_rtld_clr_flag (mask=1) at /usr/src/lib/libthr/thread/thr_rtld.c:181
> 181 {
> (gdb)
> 182 return (0);
> (gdb)
> _thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:150
> 150 {
> (gdb)
> _get_curthread () at /usr/src/lib/libthr/arch/amd64/include/pthread_md.h:97
> 97 return (TCB_GET64(tcb_thread));
> (gdb)
> _thr_rtld_lock_release (lock=0x80180d200) at /usr/src/lib/libthr/thread/thr_rtld.c:157
> 157 SAVE_ERRNO();
> (gdb)
> 160 state = l->lock.rw_state;
> (gdb)
> 161 if (_thr_rwlock_unlock(&l->lock) == 0) {
> (gdb)
> _thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:249
> 249 state = rwlock->rw_state;
> (gdb)
> 250 if ((state & URWLOCK_WRITE_OWNER) != 0) {
> (gdb)
> 256 if (__predict_false(URWLOCK_READER_COUNT(state) == 0))
> (gdb)
> 260 URWLOCK_READER_COUNT(state) == 1)) {
> (gdb)
> 259 URWLOCK_READ_WAITERS)) != 0 &&
> (gdb)
> 262 state, state - 1))
> (gdb)
> 261 if (atomic_cmpset_rel_32(&rwlock->rw_state,
> (gdb)
> atomic_cmpset_int (dst=, expect=, src=0) at /usr/obj/usr/src/amd64.amd64/tmp/usr/include/machine/atomic.h:220
> 220 ATOMIC_CMPSET(int);
> (gdb)
> _thr_rwlock_unlock (rwlock=0x80180d200) at /usr/src/lib/libthr/thread/thr_umtx.h:261
> 261 if (atomic_cmpset_rel_32(&rwlock->rw_state,
> (gdb)
> _thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:162
> 162 if ((state & URWLOCK_WRITE_OWNER) == 0)
> (gdb)
> 163 curthread->rdlock_count--;
> (gdb)
> 164 THR_CRITICAL_LEAVE(curthread);
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:271
> 271 if (!THR_IN_CRITICAL(curthread)) {
> (gdb)
> 272 check_deferred_signal(curthread);
> (gdb)
> check_deferred_signal (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:332
> 332 if (__predict_true(curthread->deferred_siginfo.si_signo == 0 ||
> (gdb)
> 351 }
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:273
> 273 check_suspend(curthread);
> (gdb)
> check_suspend (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:358
> 358 if (__predict_true((curthread->flags &
> (gdb)
> 401 }
> (gdb)
> _thr_ast (curthread=0x80864b000) at /usr/src/lib/libthr/thread/thr_sig.c:274
> 274 check_cancel(curthread, NULL);
> (gdb)
> check_cancel (curthread=0x80864b000, ucp=0x0) at /usr/src/lib/libthr/thread/thr_sig.c:283
> 283 if (__predict_true(!curthread->cancel_pending ||
> (gdb)
> _thr_ast (curthread=) at /usr/src/lib/libthr/thread/thr_sig.c:276
> 276 }
> (gdb)
> _thr_rtld_lock_release (lock=) at /usr/src/lib/libthr/thread/thr_rtld.c:166
> 166 RESTORE_ERRNO();
> (gdb)
> 167 }
> (gdb)
> setrlimit () at setrlimit.S:3
> 3 RSYSCALL(setrlimit)
> (gdb)
>
> Program received signal SIGSEGV, Segmentation fault.
> setrlimit () at setrlimit.S:3
> 3 RSYSCALL(setrlimit)
> (gdb)
>
> Program terminated with signal SIGSEGV, Segmentation fault.
> The program no longer exists.
> (gdb) q
>
> ====
>
> I'm sorry for the long post. Is there anything (else) I can do to
> further narrow it down?
>
> --
> Trond.
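Added example, not part of this thread, of ntpd's sources or of FreeBSD: a stand-alone C program that performs the same RLIMIT_STACK adjustment ntpd makes at ntpd.c:1001 (ntp_rlimit reads the limit with getrlimit, clamps the request to rlim_max, then calls setrlimit), so the getrlimit/setrlimit pair that the trace above ends in can be exercised with ASLR on, with kern.elf64.aslr.stack_gap set to zero, and under proccontrol -m aslr -s disable, without ntpd's daemonisation and privilege drop in the way. The 204800-byte value is the rl_value shown in the trace (DFLT_RLIMIT_STACK * 4096). The function names, the file name stackrlim.c and the use of procctl(2) PROC_ASLR_STATUS to record whether ASLR is active in the process are my assumptions; the procctl call is compiled in only on FreeBSD, so the program also builds and runs elsewhere, just without the ASLR status.

```c
/* stackrlim.c: added reproducer, not ntpd's or FreeBSD's own code.
 * Repeats ntpd's RLIMIT_STACK adjustment so the getrlimit/setrlimit
 * pair can be tested outside ntpd.  Build: cc -Wall -o stackrlim stackrlim.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <sys/wait.h>          /* idtype_t / P_PID for procctl on FreeBSD */
#ifdef __FreeBSD__
#include <sys/procctl.h>       /* procctl(2), PROC_ASLR_STATUS, PROC_ASLR_ACTIVE */
#endif

/* ntpd's default: DFLT_RLIMIT_STACK (50) pages of 4 KiB = 204800 bytes. */
#define NTPD_STACK_LIMIT ((rlim_t)50 * 4096)

/* Current soft RLIMIT_STACK, or (rlim_t)-1 if getrlimit fails. */
rlim_t stack_limit_cur(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) == -1)
        return (rlim_t)-1;
    return rl.rlim_cur;
}

/* Mirror of the RLIMIT_STACK path in ntp_rlimit(): read the limit, clamp
 * the request to the hard limit, set the soft limit.  Returns 0 on success
 * and -1 with errno set if a syscall fails.  The crash in the thread is a
 * SIGSEGV inside setrlimit() itself, so if this process dies on that line
 * the trigger is the limit change, not anything else ntpd does at startup. */
int stack_limit_set(rlim_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) == -1)
        return -1;
    if (want > rl.rlim_max)        /* ntpd warns and clamps here */
        want = rl.rlim_max;
    rl.rlim_cur = want;
    return setrlimit(RLIMIT_STACK, &rl);
}

/* Assumed helper: on FreeBSD, ask the kernel whether ASLR is active for
 * this process so the output records which mode the run used.
 * Returns 1 (active), 0 (inactive) or -1 (unsupported here / error). */
int aslr_active(void)
{
#ifdef PROC_ASLR_STATUS
    int st;
    if (procctl(P_PID, getpid(), PROC_ASLR_STATUS, &st) == -1)
        return -1;
    return (st & PROC_ASLR_ACTIVE) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    volatile char marker;          /* a stack address, to see where the stack landed */
    rlim_t before = stack_limit_cur();

    printf("aslr_active=%d stack@%p RLIMIT_STACK before=%llu\n",
           aslr_active(), (void *)&marker, (unsigned long long)before);
    fflush(stdout);                /* keep this line if setrlimit() kills us */

    if (stack_limit_set(NTPD_STACK_LIMIT) == -1) {
        fprintf(stderr, "setrlimit(RLIMIT_STACK): %s\n", strerror(errno));
        return 1;
    }
    printf("RLIMIT_STACK after=%llu\n", (unsigned long long)stack_limit_cur());
    return 0;
}
```

Run it once as is, once after `sysctl kern.elf64.aslr.stack_gap=0`, and once as `proccontrol -m aslr -s disable ./stackrlim`. If it dies with SIGSEGV on the setrlimit() line the way ntpd does, the limit change alone is enough and the comparison across those three runs narrows the trigger to the ASLR stack gap; if it survives in all three, the crash depends on something else in ntpd's startup and the reproducer needs to grow.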