Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1647004D-764D-4A01-83F7-A5E3AD050A01@plan44.ch>
Date: Tue, 17 Sep 2024 12:37:01 +0200
From: Lukas Zeller <luz@...n44.ch>
To: Rich Felker <dalias@...c.org>,
 musl@...ts.openwall.com
Cc: alice <alice@...ya.dev>
Subject: Re: SIGSEGV/stack overflow in pthread_create - race condition?

Hello Rich,

bottom line: problem solved, you were right :-)

It was a use-after-free problem in libpagekite.

I created PRs on libpagekite [1] and openwrt packages [2] to fix it.

I was mostly mislead into "stack overflow" thinking by the gdb backtrace
artifacts looking like __clone() recursion and using that red herring
to search for other similar problems, some of which actually *were*
stack overflow related.

Thanks for the help and sorry for wasting some of your time.

Details for the record:

> On 13 Sep 2024, at 21:54, Rich Felker <dalias@...c.org> wrote:
> 
> [...]
> Can you dump the disassembly (disasm command) at the point of crash?
> That will show what's attempting to be accessed and what "type of
> segfault" it is.

Did that, eventually revealed the faulty access, which looks like this in C
(pkproto.c:765):

  /* Cleanup */
  free(copy);

  /* Pass judgement */
  if ('\0' == *public_domain) return pk_err_null(ERR_PARSE_NO_KITENAME);

Unfortunately, public_domain was a pointer into the `copy` buffer freed
on the line before. A very very short race window but apparently
together with the fact that 16 of these threads were fired up in rapid
succession it could obviously happen that the page got mapped away in
between.

Regarding the gdb bt artifact - before last night I had never thougt
about how difficult stack backtracing gets with the ARM link register
compared to traditional return-address-on-stack. And learned about
.cfi. Would it be possible to instrument clone.s with .cfi such
that gdb would realize that __clone is the origin of a new thread
on a new stack and there is nothing to backtrack beyond?
Probably a puzzle for another time...

Best Regards
Lukas

[1] https://github.com/pagekite/libpagekite/pull/79
[2] https://github.com/openwrt/packages/pull/24982

--
Lukas Zeller, plan44.ch
luz@...n44.ch - https://plan44.ch

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.