Bug#1083095: marked as done (libc6: SIGSEGV in _dl_open on ARM64 (aarch64) at libc6 2.36-9+deb12u8 called by bash-static 5.2.15-2+b7)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 01 Nov 2024 22:17:08 +0000
with message-id <E1t6zx6-006Ctc-8C@fasolo.debian.org>
and subject line Bug#1083095: fixed in glibc 2.36-9+deb12u9
has caused the Debian Bug report #1083095,
regarding libc6: SIGSEGV in _dl_open on ARM64 (aarch64) at libc6 2.36-9+deb12u8 called by bash-static 5.2.15-2+b7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1083095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083095
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: libc6: SIGSEGV in _dl_open on ARM64 (aarch64) at libc6 2.36-9+deb12u8 called by bash-static 5.2.15-2+b7
• From: Jingyuan Liang <jingyuanliang@google.com>
• Date: Tue, 01 Oct 2024 13:25:07 +0000
• Message-id: <172778910784.481422.17302186321965028928.reportbug@jingyuanliang.c.googlers.com>

Package: libc6
Version: 2.38-7+gl0
Severity: normal
X-Debbugs-Cc: jingyuanliang@google.com

Dear Maintainer,

The issue happened in a containerized context - the system information extracted below doesn't apply.

If you speak Docker, the build below is a reproduction of the issue; otherwise, just skip this.

```
FROM debian:bookworm-slim AS bash

RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests bash-static

FROM gcr.io/distroless/base-debian12@sha256:6ae5fe659f28c6afe9cc2903aebc78a5c6ad3aaa3d9d0369760ac6aaea2529c8

COPY --from=bash /bin/bash-static /bin/bash

ENTRYPOINT ["/bin/bash"]
```

We're building containers by pulling certain packages / binaries from Debian without the full package manager. For this particular container, we've taken libc6 and bash-static plus a few more, but not all (and far from all) packages that would be seen on a regular system, and we execute bash-static inside the container. Recently, we found bash-static fails execution in recently built containers immediately at startup, on ARM (aarch64) only (works on amd64, didn't test other architectures), with SIGSEGV at startup. The ARM chip is an Ampere Altra. Upon investigation, we found it started failing since libc6 was bumped from 2.36-9+deb12u7 to 2.36-9+deb12u8, with bash-static not changed at 5.2.15-2+b7. Tracing the crash, it shows:

```
(gdb) bt
#0  0x00000000004e400c in kill ()
#1  0x0000000000452ab0 in kill_shell (sig=sig@entry=11) at .././sig.c:643
#2  0x0000000000452c34 in termsig_handler (sig=11) at .././sig.c:624
#3  0x0000000000452e60 in termsig_handler (sig=<optimized out>) at .././sig.c:581
#4  termsig_sighandler (sig=<optimized out>) at .././sig.c:558
#5  <signal handler called>
#6  0x0000000000000000 in ?? ()
#7  0x0000ffffb0c9a718 in _dl_open (file=0xffffb0b90650 "libnss_nis.so.2", mode=-2147483646, caller_dlopen=0xffffb0df2748 <module_load+152>, nsid=-2, argc=1, argv=0xffffd9762ef8, env=0xffffd9762f08)
    at ./elf/dl-open.c:830
#8  0x0000ffffb0e0eca0 in do_dlopen (ptr=ptr@entry=0xffffd97624e8) at ./elf/dl-libc.c:95
#9  0x0000ffffb0e0e8bc in __GI__dl_catch_exception (exception=exception@entry=0xffffd9762470, operate=0xffffb0e0ec54 <do_dlopen>, args=0xffffd97624e8) at ./elf/dl-error-skeleton.c:208
#10 0x0000ffffb0e0e980 in __GI__dl_catch_error (objname=0xffffd97624b8, errstring=0xffffd97624c0, mallocedp=0xffffd97624b7, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227
#11 0x0000ffffb0e0ebf8 in dlerror_run (operate=operate@entry=0xffffb0e0ec54 <do_dlopen>, args=args@entry=0xffffd97624e8) at ./elf/dl-libc.c:45
#12 0x0000ffffb0e0edf4 in __libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at ./elf/dl-libc.c:162
#13 0x0000ffffb0df2748 in module_load (module=0xffffb0b91fd0) at ./nss/nss_module.c:191
#14 0x0000ffffb0df2c58 in __nss_module_load (module=0xffffb0b91fd0) at ./nss/nss_module.c:310
#15 __nss_module_get_function (module=0xffffb0b91fd0, name=0xffffb0e96780 "setpwent") at ./nss/nss_module.c:336
#16 0x0000ffffb0e92834 in init_nss_interface () at nss_compat/compat-pwd.c:95
#17 init_nss_interface () at nss_compat/compat-pwd.c:91
#18 0x0000ffffb0e940b0 in _nss_compat_getpwuid_r (uid=0, pwd=0x62aeb8 <resbuf>, buffer=0x1c1845b0 "8\035a", buflen=1024, errnop=0x1c1837c0) at nss_compat/compat-pwd.c:1063
#19 0x000000000050aca4 in getpwuid_r ()
#20 0x000000000050a4e8 in getpwuid ()
#21 0x0000000000402590 in get_current_user_info () at .././shell.c:1902
#22 0x0000000000402adc in get_current_user_info () at .././shell.c:1937
#23 shell_initialize () at .././shell.c:1965
#24 0x0000000000400e8c in main (argc=1, argv=0xffffd9762ef8, env=<optimized out>) at .././shell.c:580
(gdb) frame 7
#7  0x0000ffffb0c9a718 in _dl_open (file=0xffffb0b90650 "libnss_nis.so.2", mode=-2147483646, caller_dlopen=0xffffb0df2748 <module_load+152>, nsid=-2, argc=1, argv=0xffffd9762ef8, env=0xffffd9762f08)
    at ./elf/dl-open.c:830
830	in ./elf/dl-open.c
(gdb) p (void*)_dl_load_lock
$1 = (void *) 0x0
(gdb) p _rtld_global
$2 = {_dl_ns = {{_ns_loaded = 0x0, _ns_nloaded = 0, _ns_main_searchlist = 0x0, _ns_global_scope_alloc = 0, _ns_global_scope_pending_adds = 0, libc_map = 0x0, _ns_unique_sym_table = {lock = {mutex = {__data = {
              __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 1, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 16 times>, "\001", '\000' <repeats 30 times>,
            __align = 0}}, entries = 0x0, size = 0, n_elements = 0, free = 0x0}, _ns_debug = {base = {r_version = 0, r_map = 0x0, r_brk = 0, r_state = RT_CONSISTENT, r_ldbase = 0}, r_next = 0x0}}, {
      _ns_loaded = 0x0, _ns_nloaded = 0, _ns_main_searchlist = 0x0, _ns_global_scope_alloc = 0, _ns_global_scope_pending_adds = 0, libc_map = 0x0, _ns_unique_sym_table = {lock = {mutex = {__data = {__lock = 0,
              __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 47 times>, __align = 0}}, entries = 0x0, size = 0, n_elements = 0,
        free = 0x0}, _ns_debug = {base = {r_version = 0, r_map = 0x0, r_brk = 0, r_state = RT_CONSISTENT, r_ldbase = 0}, r_next = 0x0}} <repeats 15 times>}, _dl_nns = 1, _dl_load_lock = {mutex = {__data = {
        __lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 1, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 16 times>, "\001", '\000' <repeats 30 times>, __align = 0}},
  _dl_load_write_lock = {mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 1, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
      __size = '\000' <repeats 16 times>, "\001", '\000' <repeats 30 times>, __align = 0}}, _dl_load_tls_lock = {mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 1, __spins = 0,
        __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 16 times>, "\001", '\000' <repeats 30 times>, __align = 0}}, _dl_load_adds = 0, _dl_initfirst = 0x0, _dl_profile_map = 0x0,
  _dl_num_relocations = 0, _dl_num_cache_relocations = 0, _dl_all_dirs = 0x0, _dl_rtld_map = {l_addr = 0, l_name = 0x0, l_ld = 0x0, l_next = 0x0, l_prev = 0x0, l_real = 0x0, l_ns = 0, l_libname = 0x0, l_info = {
      0x0 <repeats 86 times>}, l_phdr = 0x0, l_entry = 0, l_phnum = 0, l_ldnum = 0, l_searchlist = {r_list = 0x0, r_nlist = 0}, l_symbolic_searchlist = {r_list = 0x0, r_nlist = 0}, l_loader = 0x0,
    l_versions = 0x0, l_nversions = 0, l_nbuckets = 0, l_gnu_bitmask_idxbits = 0, l_gnu_shift = 0, l_gnu_bitmask = 0x0, {l_gnu_buckets = 0x0, l_chain = 0x0}, {l_gnu_chain_zero = 0x0, l_buckets = 0x0},
    l_direct_opencount = 0, l_type = lt_executable, l_dt_relr_ref = 0, l_relocated = 0, l_init_called = 0, l_global = 0, l_reserved = 0, l_main_map = 0, l_visited = 0, l_map_used = 0, l_map_done = 0,
    l_phdr_allocated = 0, l_soname_added = 0, l_faked = 0, l_need_tls_init = 0, l_auditing = 0, l_audit_any_plt = 0, l_removed = 0, l_contiguous = 0, l_free_initfini = 0, l_ld_readonly = 0,
    l_find_object_processed = 0, l_nodelete_active = false, l_nodelete_pending = false, l_1_needed = 0, l_rpath_dirs = {dirs = 0x0, malloced = 0}, l_reloc_result = 0x0, l_versyms = 0x0, l_origin = 0x0,
    l_map_start = 0, l_map_end = 0, l_text_end = 0, l_scope_mem = {0x0, 0x0, 0x0, 0x0}, l_scope_max = 0, l_scope = 0x0, l_local_scope = {0x0, 0x0}, l_file_id = {dev = 0, ino = 0}, l_runpath_dirs = {dirs = 0x0,
      malloced = 0}, l_initfini = 0x0, l_init_called_next = 0x0, l_reldeps = 0x0, l_reldepsmax = 0, l_used = 0, l_feature_1 = 0, l_flags_1 = 0, l_flags = 0, l_idx = 0, l_mach = {plt = 0, tlsdesc_table = 0x0,
      bti_fail = false}, l_lookup_cache = {sym = 0x0, type_class = 0, value = 0x0, ret = 0x0}, l_tls_initimage = 0x0, l_tls_initimage_size = 0, l_tls_blocksize = 0, l_tls_align = 0, l_tls_firstbyte_offset = 0,
    l_tls_offset = 0, l_tls_modid = 0, l_tls_dtor_count = 0, l_relro_addr = 0, l_relro_size = 0, l_serial = 0}, _dl_rtld_auditstate = {{cookie = 0, bindflags = 0} <repeats 16 times>}, _dl_stack_flags = 6,
  _dl_tls_dtv_gaps = false, _dl_tls_max_dtv_idx = 0, _dl_tls_dtv_slotinfo_list = 0x0, _dl_tls_static_nelem = 0, _dl_tls_static_used = 0, _dl_tls_static_optional = 0, _dl_initial_dtv = 0x0,
  _dl_tls_generation = 0, _dl_scope_free_list = 0x0, _dl_stack_used = {next = 0x0, prev = 0x0}, _dl_stack_user = {next = 0x0, prev = 0x0}, _dl_stack_cache = {next = 0x0, prev = 0x0}, _dl_stack_cache_actsize = 0,
  _dl_in_flight_stack = 0, _dl_stack_cache_lock = 0}
(gdb) info locals
args = {file = 0x400280 <_init> "\037 \003\325\375{\277\251\375\003", mode = -646569360, caller_dlopen = 0xffffb0d5a228 <_IO_str_init_static_internal+68>, map = 0xffffb0b90644, nsid = 0,
  original_global_scope_pending_adds = 3648397984, libc_already_loaded = 255, worker_continue = 255, argc = -1328203540, argv = 0xf, env = 0xf}
exception = {objname = 0x1c183740 "\260[b", errstring = 0x0, message_buffer = 0xffffd9762870 ""}
errcode = <optimized out>
__PRETTY_FUNCTION__ = "_dl_open"
(gdb)
```

I'm not familiar with glibc code so I don't know how to interpret this, but I noticed that 2.36-9+deb12u8 introduced several ARM changes. I wonder if they could be related?

Thanks.

-- System Information:
Debian Release: rodete
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.9.10-1rodete5-amd64 (SMP w/128 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc-s1  14-20240201-3

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.7-2

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.86
pn  glibc-doc              <none>
ii  libc-l10n              2.38-7+gl0
pn  libnss-nis             <none>
pn  libnss-nisplus         <none>
ii  locales                2.38-7+gl0

-- debconf information excluded

--- End Message ---

--- Begin Message ---

• To: 1083095-close@bugs.debian.org
• Subject: Bug#1083095: fixed in glibc 2.36-9+deb12u9
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Fri, 01 Nov 2024 22:17:08 +0000
• Message-id: <E1t6zx6-006Ctc-8C@fasolo.debian.org>
• Reply-to: Aurelien Jarno <aurel32@debian.org>

Source: glibc
Source-Version: 2.36-9+deb12u9
Done: Aurelien Jarno <aurel32@debian.org>

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1083095@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Nov 2024 13:42:20 +0100
Source: glibc
Architecture: source
Version: 2.36-9+deb12u9
Distribution: bookworm
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1083095
Changes:
 glibc (2.36-9+deb12u9) bookworm; urgency=medium
 .
   * debian/testsuite-xfail-debian.mk: mark tst-support_descriptors as XFAIL,
     due to sbuild bug #1070003.
   * debian/patches/localedata/git-locale-hr_HR-euro.diff: change Croatian
     locale to use Euro as currency.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - resolv: do not ignore short error responses (as generated by e.g.
       Unbound) to avoid timeouts.
     - resolv: fix timeouts when single-request mode is enabled in resolv.conf.
     - resolv: fix reloading resolv.conf when a nameserver has been
       automatically switched to single-request mode.
     - mremap(): fix support for the MREMAP_DONTUNMAP option.
     - fortification: fix name space violation in fortify wrappers.
     - vfscanf(): fix matches longer than INT_MAX.
     - ungetc(): fix uninitialized read when putting into unused streams.
     - ungetc(): fix backup buffer leak on program exit.
   * patches/arm64/local-revert-aarch64-check-kernel-version-for-sve-ifuncs.diff:
     revert upstream commit as it changes the GLIBC_PRIVATE ABI, causing
     crashes with static binaries using dlopened NSS functions.  Closes:
     #1083095.
Checksums-Sha1:
 602587334f4a56a0c5b5b5d4bb88fbd335a1de9a 9761 glibc_2.36-9+deb12u9.dsc
 931480db5505601a0a9d6388cfaa4cba0d5cf838 892656 glibc_2.36-9+deb12u9.debian.tar.xz
 ebcadf22c13bb20e68f8f37eca9a7b136b59cccc 11367 glibc_2.36-9+deb12u9_source.buildinfo
Checksums-Sha256:
 0775314ade7742f0bbb9daeb712239e8d1b0baa080e4fa06a96345fa69ac28a2 9761 glibc_2.36-9+deb12u9.dsc
 e56d10d96ac452db8feb7af7a97ed3b5c0118930a949d73b9dcd5975847983f1 892656 glibc_2.36-9+deb12u9.debian.tar.xz
 386040e4d7eac08079acd4a45d926fa00868a98902f1e1a5560268add2978549 11367 glibc_2.36-9+deb12u9_source.buildinfo
Files:
 a27200d1e6d203a74ec47fa6e3c876be 9761 libs required glibc_2.36-9+deb12u9.dsc
 413e706bdb845da9579634cd9156c8e6 892656 libs required glibc_2.36-9+deb12u9.debian.tar.xz
 6717c5596907cf5d288aa1b818268b59 11367 libs required glibc_2.36-9+deb12u9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAmckzXQACgkQE4jA+Jno
M2vYtBAAmqJX4aIKQTz98wkmcX9OWWnMpRp9uqozgQD13eAV//MGUkZ4SsV9w0e7
NrbkNWsehp4Mvq2anstpjtF4XvWbXY4FSTlltFu5QV5x9TBSl+f1ujoj+NvKSsSw
rv2Mo6du13koXPJqedPXs5SQ8hsFvnUjWITFnkl0tZXZcc3pCxDh15P6dUKJna/7
cGm4tl2nKvwtBpj1LP8Mo1E8r2OFwg2x89OZ5GuxKVIhzCiaMayPaS5BsgZwtRxG
k0L/biX859ZOZjECPiJUjXUxionByZTPgG2hBHq0yzYxn8cUebYns98Q7JDwz0lY
s8gWoyBWUT2ZuYQzkk0DI73C1bUu9fLQdm/mzyMbDwrGvycmbqXTD7gYQC92aJE8
ymDC2z/W8bY6LzM6M1k74LgUABRU7QKPnTHBWp5wbFUayG+9yRcJaNRvFsLd+bj8
9KNGT3Ef+z/SZXEwfbDqIN0qlmiJ28BbnSGPj2xgAErljEgKGpBiwA38urrCvr7A
SEZXCmubU16RbcKsXkA4xf8iENuLJ7hQqzr/GlkJSCegucnR7Rsr2IJw/BjIdpbe
eohOZlncGQRDO+9kcN1ETVTv3bnAciGtN8Ww19WLGdwlrwSBvWX5FDtTxT8ODq1S
hOG5eO+QWWLqLCOf+kgQHTtW94Yr8SkoyvbsP+wxqm32tqgH21o=
=jJx6
-----END PGP SIGNATURE-----

Attachment: pgpyYLVJmA27g.pgp
Description: PGP signature

--- End Message ---