
[Qemu-devel] [Bug 1840252] [NEW] Infinite loop over ERANGE from getsockopt


From: Fritz Katze
Subject: [Qemu-devel] [Bug 1840252] [NEW] Infinite loop over ERANGE from getsockopt
Date: Thu, 15 Aug 2019 12:45:30 -0000

Public bug reported:

Host system: Ubuntu 18.04.3 AMD64
Qemu Version: qemu-arm-static --version
qemu-arm version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.17)

Emulated System: 
Root file system taken from RaspberryPi 3 image
ubuntu-18.04.3-preinstalled-server-armhf+raspi3.img
from 
http://cdimage.ubuntu.com/releases/18.04/release/ubuntu-18.04.3-preinstalled-server-armhf+raspi3.img.xz.

Then using systemd-nspawn with /usr/bin/qemu-arm-static copied in.

When executing commands like 
  dpkg -i (--force-all) <...>.deb
or
  tar tvf ..
or
  tar xvf ..
the hosting qemu-arm-static process goes into an infinite loop of getsockopt calls of the form:
getsockopt(12, SOL_SOCKET, SO_PEERSEC, 0x7fff7cac49d8, [4]) = -1 ERANGE (Numerical result out of range)
I assume this is caused by an unbounded retry that does not check the actual error code (ERANGE) returned by the call: ERANGE here means the 4-byte buffer supplied for SO_PEERSEC is too small for the value, yet the repeated calls keep passing the same length.

strace:
openat(AT_FDCWD, "/lib/arm-linux-gnueabihf/librt.so.1", O_RDONLY|O_CLOEXEC) = 12
read(12, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\20\30\0\0004\0\0\0"..., 512) = 512
lseek(12, 21236, SEEK_SET)              = 21236
read(12, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1240) = 1240
lseek(12, 20856, SEEK_SET)              = 20856
read(12, "A2\0\0\0aeabi\0\1(\0\0\0\0057-A\0\6\n\7A\10\1\t\2\n\4\22"..., 51) = 51
fstat(12, {st_mode=S_IFREG|0644, st_size=22476, ...}) = 0
mmap(0x7f419952c000, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_DENYWRITE, -1, 0) = 0x7f419952c000
mmap(0x7f419952c000, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0) = 0x7f419952c000
mprotect(0x7f4199531000, 61440, PROT_NONE) = 0
mmap(0x7f4199540000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0x4000) = 0x7f4199540000
close(12)                               = 0
mprotect(0x7f4199540000, 4096, PROT_READ) = 0
mprotect(0x7f4199578000, 8192, PROT_READ) = 0
mmap(0x7f419957b000, 28672, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f419957b000
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
rt_sigprocmask(SIG_SETMASK, [HUP USR1 USR2 PIPE ALRM CHLD TSTP URG VTALRM PROF WINCH IO], NULL, 8) = 0
access("/etc/systemd/dont-synthesize-nobody", F_OK) = -1 ENOENT (No such file or directory)
getpid()                                = 26
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 12
getsockopt(12, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0
setsockopt(12, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(12, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
getsockopt(12, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0
setsockopt(12, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(12, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
connect(12, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 29) = 0
getsockopt(12, SOL_SOCKET, SO_PEERCRED, {pid=0, uid=0, gid=0}, [12]) = 0
getsockopt(12, SOL_SOCKET, SO_PEERSEC, 0x7fff7cac49d8, [4]) = -1 ERANGE (Numerical result out of range)

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1840252

Title:
  Infinite loop over  ERANGE from getsockopt

Status in QEMU:
  New

Bug description:
  Host system: Ubuntu 18.04.3 AMD64
  Qemu Version: qemu-arm-static --version
  qemu-arm version 2.11.1(Debian 1:2.11+dfsg-1ubuntu7.17)

  Emulated System: 
  Root file system taken from RaspberryPi 3 image
  ubuntu-18.04.3-preinstalled-server-armhf+raspi3.img
  from 
http://cdimage.ubuntu.com/releases/18.04/release/ubuntu-18.04.3-preinstalled-server-armhf+raspi3.img.xz.

  Then using systemd-nspawn with /usr/bin/qemu-arm-static copied in.

  When executing commands like 
    dpkg -i (--force-all) <...>.deb
  or
    tar tvf ..
  or
    tar xvf ..
  the hosting qemu-arm-static process goes into an infinite loop of getsockopt calls of the form:
  getsockopt(12, SOL_SOCKET, SO_PEERSEC, 0x7fff7cac49d8, [4]) = -1 ERANGE (Numerical result out of range)
  I assume this is caused by an unbounded retry that does not check the actual error code (ERANGE) returned by the call: ERANGE here means the 4-byte buffer supplied for SO_PEERSEC is too small for the value, yet the repeated calls keep passing the same length.

  strace:
  openat(AT_FDCWD, "/lib/arm-linux-gnueabihf/librt.so.1", O_RDONLY|O_CLOEXEC) = 12
  read(12, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\20\30\0\0004\0\0\0"..., 512) = 512
  lseek(12, 21236, SEEK_SET)              = 21236
  read(12, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1240) = 1240
  lseek(12, 20856, SEEK_SET)              = 20856
  read(12, "A2\0\0\0aeabi\0\1(\0\0\0\0057-A\0\6\n\7A\10\1\t\2\n\4\22"..., 51) = 51
  fstat(12, {st_mode=S_IFREG|0644, st_size=22476, ...}) = 0
  mmap(0x7f419952c000, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_DENYWRITE, -1, 0) = 0x7f419952c000
  mmap(0x7f419952c000, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0) = 0x7f419952c000
  mprotect(0x7f4199531000, 61440, PROT_NONE) = 0
  mmap(0x7f4199540000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 12, 0x4000) = 0x7f4199540000
  close(12)                               = 0
  mprotect(0x7f4199540000, 4096, PROT_READ) = 0
  mprotect(0x7f4199578000, 8192, PROT_READ) = 0
  mmap(0x7f419957b000, 28672, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f419957b000
  rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
  rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
  rt_sigprocmask(SIG_SETMASK, [HUP USR1 USR2 PIPE ALRM CHLD TSTP URG VTALRM PROF WINCH IO], NULL, 8) = 0
  access("/etc/systemd/dont-synthesize-nobody", F_OK) = -1 ENOENT (No such file or directory)
  getpid()                                = 26
  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 12
  getsockopt(12, SOL_SOCKET, SO_RCVBUF, [212992], [4]) = 0
  setsockopt(12, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(12, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
  getsockopt(12, SOL_SOCKET, SO_SNDBUF, [212992], [4]) = 0
  setsockopt(12, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
  setsockopt(12, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
  connect(12, {sa_family=AF_UNIX, sun_path="/run/dbus/system_bus_socket"}, 29) = 0
  getsockopt(12, SOL_SOCKET, SO_PEERCRED, {pid=0, uid=0, gid=0}, [12]) = 0
  getsockopt(12, SOL_SOCKET, SO_PEERSEC, 0x7fff7cac49d8, [4]) = -1 ERANGE (Numerical result out of range)

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1840252/+subscriptions


