Bug#679377: Segmentation fault when initramfs is booting

To: Jordi Pujol <jordipujolp@gmail.com>, 679377@bugs.debian.org, Stefan Lippers-Hollmann <s.L-H@gmx.de>
Subject: Bug#679377: Segmentation fault when initramfs is booting
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Sun, 08 Jul 2012 01:55:10 +0400
Message-id: <[🔎] 4FF8B03E.9030002@msgid.tls.msk.ru>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 679377@bugs.debian.org
In-reply-to: <[🔎] 201207051312.42206.jordipujolp@gmail.com>
References: <201206281114.23231.jordipujolp@gmail.com> <[🔎] 4FF46A7E.4040104@msgid.tls.msk.ru> <[🔎] 201207051312.42206.jordipujolp@gmail.com>

retitle 679377 busybox awk segfaults when called from ash and no PATH set (eg initramfs /init)
tags 679377 + pending
thanks

On 05.07.2012 15:12, Jordi Pujol wrote:
[]
>>> the patch "shell-ash-export-HOME.patch" causes a segmentation fault when
>>> initramfs boots,
>>> I believe that this fault occurs the first time that initramfs looks for
>>> some executable in the initramfs filesystem,

Big thanks to Denys Vlasenko, the issue has been identified.

awk applet, when initializes, converts environment variables
into awk internal variables, and while doing this, it temporary
replaces the equal sign (=) in ther with a null byte (\0).

awk applet is marked as NOEXEC, ie, it is okay to run it directly
from shell just by calling appropriate awk_main() routine, without
executing any external program.

When ash tries to run such applet, it initializes environment
variables first, and calls the applet's main() function.

The patch in question exports PATH variable with its default
value. But this value is stored in a global CONSTANT variable
(marked as "const"). All other exported variables are
in malloc'ed memory.

Also, when awk is run as a separate command, the kernel sets
environment variables to be completely writable.

So this very case - calling awk applet from ash when no
PATH variable has been set - is the only case when ONE
environment variable - PATH - is not writable. And when
awk applet initializes and tries to replace "=" with "\0",
it segfaults.

I added a temporary workaround to this patch - making
the default PATH variable to be non-const, ie, writable,
this way awk will be able to write to it. No other parts
of the code tries to write to it, so it is a safe change.

I can't drop this patch now, since it is too risky change
at this stage in wheezy release. This rather obscure
case were difficult enough to debug, and I don't want
to introduce another obscure issue in some other component
while wheezy is frozen.

By the way, the same issue can be reproduced much, much
more easily:

$ env -i /bin/busybox ash -c awk
Segmentation fault

That was the missing part: no environment variables are
set, including $PATH.

Thanks,

/mjt

Reply to:

Follow-Ups:
- Processed: Re: Bug#679377: Segmentation fault when initramfs is booting
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#679377: Segmentation fault when initramfs is booting
  - From: "Stefan Lippers-Hollmann" <s.L-H@gmx.de>

References:
- Bug#679377: Segmentation fault when initramfs is booting
  - From: Michael Tokarev <mjt@tls.msk.ru>
- Bug#679377: Segmentation fault when initramfs is booting
  - From: Jordi Pujol <jordipujolp@gmail.com>

Prev by Date: Bug#680668: Updating chinese-t-desktop in tasksel for Wheezy.
Next by Date: Processed: Re: Bug#679377: Segmentation fault when initramfs is booting
Previous by thread: Bug#679377: Segmentation fault when initramfs is booting
Next by thread: Processed: Re: Bug#679377: Segmentation fault when initramfs is booting
Index(es):
- Date
- Thread