public inbox for gcc-bugs@sourceware.org
* [Bug other/61895] New: libbacktrace crashes with bus error with empty file argv[0]
@ 2014-07-24 10:50 vogt at linux dot vnet.ibm.com
  2014-07-28  9:12 ` [Bug other/61895] " vogt at linux dot vnet.ibm.com
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: vogt at linux dot vnet.ibm.com @ 2014-07-24 10:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

            Bug ID: 61895
           Summary: libbacktrace crashes with bus error with empty file
                    argv[0]
           Product: gcc
           Version: 4.10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vogt at linux dot vnet.ibm.com

Docker uses a call of the exec family to start a new process with a bogus
argv[0] argument, i.e. argv[0] points to an empty file, not a real executable. 
libbacktrace opens the empty file, mmaps it and uses it without ever checking
the size of the file.  Eventually, libbacktrace causes a bus error (on s390x,
may be a different fault on other architectures) in elf.c:564:

  memcpy (&ehdr, ehdr_view.data, sizeof ehdr);

-----

The problem can be reproduced like this (it's probably possible to reproduce
this with a C program):

-- BEGIN exec.c --
#include <unistd.h>

int main(int argc, char *argv[])
{
    execv(argv[0], &argv[1]);
    return 1;
}
-- END exec.c --

-- BEGIN hello.go --
package main
import "fmt"

func main() {
    fmt.Println("Hello!")
}
-- END hello.go --

$ gcc -o exec exec.c
$ gccgo -g -o hello hello.go
$ touch empty
$ ./exec ./hello $PWD/empty
Bus error (core dumped)

-----

Fix: libbacktrace needs to sanitize its input, i.e. the files it tries to open
in fileline_initialize().  Such a file must be at least as long as sizeof ehdr,
but there may be more places in the code that don't do size checking.  The
right approach might be something like this:

  descriptor = backtrace_open(...)
  if (descriptor >= 0)
    {
      if (!is_executable_valid(descriptor))
        {
          /* close descriptor */
          /* maybe emit an error message */
          /* try other files */
        }
    }

  int is_executable_valid(int descriptor)
  {
    ...
  }



* [Bug other/61895] libbacktrace crashes with bus error with empty file argv[0]
From: vogt at linux dot vnet.ibm.com @ 2014-07-28  9:12 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

--- Comment #1 from Dominik Vogt <vogt at linux dot vnet.ibm.com> ---
>   execv(argv[0], &argv[1]);
              ^^^       ^^^
               1         2

Sorry.



* [Bug other/61895] libbacktrace crashes with bus error with empty file argv[0]
From: ian at airs dot com @ 2014-08-02  0:33 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

Ian Lance Taylor <ian at airs dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2014-08-02
     Ever confirmed|0                           |1

--- Comment #2 from Ian Lance Taylor <ian at airs dot com> ---
I don't think changing libbacktrace is the right approach here.  I don't think
libbacktrace should ignore an existing file passed into it.  I'll fix this in
libgo.



* [Bug other/61895] libbacktrace crashes with bus error with empty file argv[0]
From: ian at gcc dot gnu.org @ 2014-08-02  0:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

--- Comment #4 from ian at gcc dot gnu.org <ian at gcc dot gnu.org> ---
Author: ian
Date: Sat Aug  2 00:54:15 2014
New Revision: 213513

URL: https://gcc.gnu.org/viewcvs?rev=213513&root=gcc&view=rev
Log:
    PR other/61895

runtime: Ignore small argv[0] file for backtrace.

Reportedly in some cases Docker starts processes with argv[0]
pointing to an empty file.  That would cause libgo to pass
that empty file to libbacktrace, which would then fail to do
any backtraces.  Everything should work fine if libbacktrace
falls back to /proc/self/exe.

This patch to libgo works around the problem by ignoring
argv[0] if it is a small file, or if stat fails.  This is not
a perfect fix but it's an unusual problem.

Modified:
    trunk/libgo/runtime/go-caller.c



* [Bug other/61895] libbacktrace crashes with bus error with empty file argv[0]
From: ian at gcc dot gnu.org @ 2014-08-02  0:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

--- Comment #3 from ian at gcc dot gnu.org <ian at gcc dot gnu.org> ---
Author: ian
Date: Sat Aug  2 00:53:58 2014
New Revision: 213512

URL: https://gcc.gnu.org/viewcvs?rev=213512&root=gcc&view=rev
Log:
    PR other/61895

runtime: Ignore small argv[0] file for backtrace.

Reportedly in some cases Docker starts processes with argv[0]
pointing to an empty file.  That would cause libgo to pass
that empty file to libbacktrace, which would then fail to do
any backtraces.  Everything should work fine if libbacktrace
falls back to /proc/self/exe.

This patch to libgo works around the problem by ignoring
argv[0] if it is a small file, or if stat fails.  This is not
a perfect fix but it's an unusual problem.

Modified:
    branches/gcc-4_9-branch/libgo/runtime/go-caller.c
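
Added example, not code from this thread, libbacktrace or libgo: the size check proposed in the original report (`is_executable_valid`) together with a caller-side choice in the spirit of the libgo workaround described in the commit log. The function bodies, the name `choose_backtrace_file`, the `Elf64_Ehdr` minimum size and the ELF magic test are assumptions; the empty temporary file is a constructed stand-in for `touch empty`.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name from the report; the body is an assumption.  Returns 1 only for a
   regular file that can hold a full ELF header (Elf64_Ehdr assumed) and
   starts with the ELF magic, so copying sizeof ehdr bytes stays in bounds. */
int is_executable_valid(int descriptor)
{
    struct stat st;
    unsigned char ident[SELFMAG];
    if (fstat(descriptor, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_size < (off_t) sizeof(Elf64_Ehdr))
        return 0;                    /* empty or truncated: the reported case */
    if (pread(descriptor, ident, sizeof ident, 0) != (ssize_t) sizeof ident)
        return 0;
    return memcmp(ident, ELFMAG, SELFMAG) == 0;
}

/* Hypothetical caller-side choice: argv0 if it is usable, otherwise NULL so
   the caller lets the backtrace library fall back to /proc/self/exe. */
const char *choose_backtrace_file(const char *argv0)
{
    int fd, ok;
    if (argv0 == NULL || (fd = open(argv0, O_RDONLY)) < 0)
        return NULL;
    ok = is_executable_valid(fd);
    close(fd);
    return ok ? argv0 : NULL;
}

int main(void)
{
    char empty[] = "/tmp/argv0_empty_XXXXXX";   /* constructed sample path */
    int fd = mkstemp(empty);                    /* zero-length, like `touch empty` */
    const char *f;
    if (fd < 0)
        return 1;
    close(fd);
    f = choose_backtrace_file(empty);
    printf("backtrace file: %s\n", f ? f : "(fall back to /proc/self/exe)");
    unlink(empty);
    return 0;
}
```
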



* [Bug other/61895] libbacktrace crashes with bus error with empty file argv[0]
From: ian at airs dot com @ 2014-08-02  0:59 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61895

Ian Lance Taylor <ian at airs dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
            Version|4.10.0                      |4.9.2
         Resolution|---                         |FIXED

--- Comment #5 from Ian Lance Taylor <ian at airs dot com> ---
Fixed.


