Opened 10 months ago

Last modified 2 months ago

#24454 needs_information defect

sandbox failure on arm64

Reported by: weasel
Owned by: nickm
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.3.2.5-alpha
Severity: Normal
Keywords: 033-must, crash, sandbox, 033-triage-20180320, 033-included-20180320, 034-deferred-20180602, 035-removed-20180711
Cc:
Actual Points:
Parent ID:
Points:
Reviewer: ahf
Sponsor:

Description

With #24424 fixed, Tor builds but it still does not run:

$ ./src/or/tor Sandbox 1
Nov 28 08:35:29.521 [notice] Tor 0.3.2.5-alpha (git-d499a5a708f7298b) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0g, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.3.2.
Nov 28 08:35:29.521 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Nov 28 08:35:29.521 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Nov 28 08:35:29.521 [notice] Configuration file "/usr/local/etc/tor/torrc" not present, using reasonable defaults.
Nov 28 08:35:29.525 [notice] Scheduler type KIST has been enabled.
Nov 28 08:35:29.525 [notice] Opening Socks listener on 127.0.0.1:9050
Nov 28 08:35:30.000 [notice] Bootstrapped 0%: Starting

============================================================ T= 1511858130
(Sandbox) Caught a bad syscall attempt (syscall unlinkat)
./src/or/tor(+0x1aa4ac)[0xaaaaccfd54ac]
linux-vdso.so.1(__kernel_rt_sigreturn+0x0)[0xffff8806e6c0]
/lib/aarch64-linux-gnu/libc.so.6(unlink+0x14)[0xffff87a4953c]

under strace:

$ strace -f ./src/or/tor DisableDebuggerAttachment 0 Sandbox 1
[...]
getpid()                                = 25468
getpid()                                = 25468
write(1, "Nov 28 08:36:05.000 [notice] Boo"..., 55Nov 28 08:36:05.000 [notice] Bootstrapped 0%: Starting
) = 55
unlinkat(AT_FDCWD, "/home/weasel/.tor/key-pinning-entries", 0) = -1 ENETDOWN (Network is down)
--- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0xffffa45d253c, si_syscall=__NR_unlinkat, si_arch=AUDIT_ARCH_AARCH64} ---
write(1, "\n==============================="..., 64
============================================================ T=) = 64
write(1, " 1511858165", 11 1511858165)             = 11
write(1, "\n", 1
)                       = 1
write(1, "(Sandbox) Caught a bad syscall a"..., 48(Sandbox) Caught a bad syscall attempt (syscall ) = 48
[..]

Change History (26)

comment:1 Changed 10 months ago by weasel

With this, it finally bootstraps.

--- /home/weasel/sandbox.c      2017-11-28 08:24:23.807897308 +0000                  
+++ src/common/sandbox.c        2017-11-28 08:40:18.205657824 +0000
@@ -258,7 +258,12 @@
     SCMP_SYS(recvmsg),
     SCMP_SYS(recvfrom),
     SCMP_SYS(sendto),
-    SCMP_SYS(unlink)
+    SCMP_SYS(unlink),
+    SCMP_SYS(unlinkat),
+    SCMP_SYS(newfstatat),
+    SCMP_SYS(openat),
+    SCMP_SYS(ppoll),
+    SCMP_SYS(renameat)
 };
 
 /* These macros help avoid the error where the number of filters we add on a
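
Review bot: openat and renameat are added as bare SCMP_SYS() entries in the same list as unlink and sendto, with no argument rules, so the filter would accept them for any directory fd, path and flags. unlinkat, newfstatat and ppoll can stay in this list (unlink is already allowed here in the same way), but openat and renameat should move to rules that check their path arguments, as the existing restrictions on the non-at variants presumably do, instead of being allowed outright.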

Note that I don't think this patch should be applied as is. (It allows openat unrestricted for instance.)

comment:2 Changed 10 months ago by catalyst

Milestone: Tor: 0.3.2.x-final

comment:3 Changed 10 months ago by nickm

Owner: set to nickm
Status: new → accepted

comment:4 Changed 9 months ago by nickm

Milestone: Tor: 0.3.2.x-final → Tor: 0.3.3.x-final

comment:5 Changed 7 months ago by nickm

Keywords: 033-maybe-must added

Mark some tickets as possibly belonging in 033-must.

comment:6 Changed 7 months ago by nickm

Keywords: 033-must added; 033-maybe-must removed

move 033-maybe-must into 033-must

comment:7 Changed 7 months ago by bundesgebaermutter

Will this also work on 32-bit ARM?

comment:8 Changed 6 months ago by nickm

Keywords: crash sandbox added

comment:9 Changed 6 months ago by nickm

So, we can allow unlinkat and newfstatat and ppoll without additional trouble. And I *hope* that the #24315 change will resolve the openat issue.

I have a branch bug24454_029, incorporating my patch for #25313, that allows these syscalls.

The renameat() issue is trickier, and might require that we reproduce some of the logic behind the openat() changes in #24315. Tell me, do you know what options the renameat() code in libc is using? Is it always passing AT_FDCWD like the openat() code uses, or is it doing something more complicated?

comment:10 Changed 6 months ago by nickm

Keywords: 033-triage-20180320 added

Marking all tickets reached by current round of 033 triage.

comment:11 Changed 6 months ago by nickm

Keywords: 033-included-20180320 added

Mark 033-must tickets as triaged-in for 0.3.3

comment:12 Changed 6 months ago by nickm

Status: accepted → needs_review

My branch bug24454_029 now has fixes for both parts of this issue, but I won't be sure it's actually fixed until we try building and running it on arm64.

comment:13 Changed 6 months ago by nickm

(If this doesn't fix it for you, weasel, could you post the exact orconfig.h file that configure generates on this platform, and the exact version of glibc that it uses?)

comment:14 Changed 6 months ago by dgoulet

Reviewer: ahf

Reviewer assignment for week 02/04/2018

comment:16 Changed 6 months ago by ahf

Got an arm64 machine up and running:

For the patches to compile and build, I had to cherry-pick 15b41fa6ae6a1356d5453242ccb7d7d301dd5e67 from #24424.

When the patches are applied, Tor no longer crashes with the sandbox error above, but things are a bit fishy:

$ ./src/or/tor Sandbox 1
Apr 05 20:52:43.368 [notice] Tor 0.2.9.15-dev (git-30bad392315558e7) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0h and Zlib 1.2.8.
Apr 05 20:52:43.368 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Apr 05 20:52:43.368 [notice] Configuration file "/usr/local/etc/tor/torrc" not present, using reasonable defaults.
Apr 05 20:52:43.386 [notice] Opening Socks listener on 127.0.0.1:9050
Apr 05 20:52:43.000 [notice] Bootstrapped 0%: Starting
Apr 05 20:52:45.000 [warn] Error replacing "/home/ahf/.tor/cached-microdescs": Function not implemented
Apr 05 20:52:45.000 [warn] Error rebuilding microdescriptor cache: Function not implemented
Apr 05 20:52:45.000 [warn] Error replacing "/home/ahf/.tor/cached-microdescs": Function not implemented
Apr 05 20:52:45.000 [warn] Error rebuilding microdescriptor cache: Function not implemented
Apr 05 20:52:45.000 [notice] Bootstrapped 5%: Connecting to directory server
Apr 05 20:52:45.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Apr 05 20:52:45.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Apr 05 20:52:45.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Apr 05 20:52:45.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
Apr 05 20:52:47.000 [warn] Error replacing "/home/ahf/.tor/unverified-microdesc-consensus": Function not implemented
Apr 05 20:52:47.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
Apr 05 20:52:47.000 [warn] Error replacing "/home/ahf/.tor/state": Function not implemented
Apr 05 20:52:47.000 [warn] Unable to write state to file "/home/ahf/.tor/state"; will try again later
Apr 05 20:52:47.000 [notice] Bootstrapped 40%: Loading authority key certs
Apr 05 20:52:47.000 [warn] Error replacing "/home/ahf/.tor/cached-certs": Function not implemented
Apr 05 20:52:47.000 [warn] Error writing certificates to disk.
Apr 05 20:52:48.000 [warn] Failed to unlink /home/ahf/.tor/unverified-microdesc-consensus: No such file or directory
Apr 05 20:52:48.000 [warn] Error replacing "/home/ahf/.tor/cached-microdesc-consensus": Function not implemented
Apr 05 20:52:48.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Apr 05 20:52:48.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Apr 05 20:52:48.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Apr 05 20:52:49.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Apr 05 20:52:49.000 [notice] Bootstrapped 100%: Done
^CApr 05 20:52:52.000 [notice] Interrupt: exiting cleanly.
Apr 05 20:52:52.000 [warn] Error replacing "/home/ahf/.tor/state": Function not implemented
Apr 05 20:52:52.000 [warn] Unable to write state to file "/home/ahf/.tor/state"; will try again later

comment:17 Changed 6 months ago by ahf

Running Tor in strace reveals:

syscall_0xffffd845(0xffffad185396, 0xffffad1853c8, 0x2f680000000000, 0x8080800000000000, 0x682f000000000000, 0x80afe8) = -1 (errno 38)
write(1, 0xfffff33fd978, 117Apr 05 21:06:33.000 [warn] Error replacing "/home/ahf/.tor/unverified-microdesc-consensus": Function not implemented

comment:18 Changed 6 months ago by ahf

Status: needs_review → needs_information

comment:19 Changed 6 months ago by nickm

Ooh, ENOSYS. That means that the syscall actually doesn't exist. Huh! If we're not using syscall wrong, that means that the rename() syscall doesn't actually exist in this kernel, and renameat() is being used because it's the only choice.

comment:20 Changed 6 months ago by ahf

The kernel version is:

Linux rpi3 4.15.0-2-arm64 #1 SMP Debian 4.15.11-1 (2018-03-20) aarch64 GNU/Linux

comment:21 Changed 6 months ago by ahf

The glibc implementation of the rename() wrapper is:

/* Rename the file OLD to NEW.  */
int
rename (const char *old, const char *new)
{
#if defined (__NR_rename)
  return INLINE_SYSCALL_CALL (rename, old, new);
#elif defined (__NR_renameat)
  return INLINE_SYSCALL_CALL (renameat, AT_FDCWD, old, AT_FDCWD, new);
#else
  return INLINE_SYSCALL_CALL (renameat2, AT_FDCWD, old, AT_FDCWD, new, 0);
#endif
}
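
The selection logic of the glibc wrapper quoted in comment:21, as an added example that is not part of the ticket and is not Tor or glibc code: it picks the rename-family syscall with the same preprocessor test, issues it through syscall(2), and checks whether the kernel answers ENOSYS. The function names are made up for this example; the branch that gets compiled depends on the build architecture's headers, and it names the syscall a seccomp allow-list has to cover for rename() to work there.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>       /* AT_FDCWD */
#include <stdio.h>
#include <sys/syscall.h> /* SYS_* numbers for the build architecture */
#include <unistd.h>

/* Name of the syscall a plain rename() turns into on this architecture. */
const char *rename_syscall_name(void) {
#if defined(SYS_rename)
  return "rename";
#elif defined(SYS_renameat)
  return "renameat";
#else
  return "renameat2";
#endif
}

/* Same selection, issued directly; returns 0, or -1 with errno set. */
int raw_rename(const char *oldp, const char *newp) {
#if defined(SYS_rename)
  return (int)syscall(SYS_rename, oldp, newp);
#elif defined(SYS_renameat)
  return (int)syscall(SYS_renameat, AT_FDCWD, oldp, AT_FDCWD, newp);
#else
  return (int)syscall(SYS_renameat2, AT_FDCWD, oldp, AT_FDCWD, newp, 0);
#endif
}

/* 1 if the selected syscall is implemented, 0 if the answer is ENOSYS.
 * NULL paths make an implemented syscall fail early with EFAULT instead. */
int rename_syscall_exists(void) {
  errno = 0;
  (void)raw_rename(NULL, NULL);
  return errno != ENOSYS;
}

int main(void) {
  printf("rename() maps to %s, implemented: %d\n",
         rename_syscall_name(), rename_syscall_exists());
  return 0;
}
```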

comment:22 Changed 6 months ago by nickm

Hmm. I am thinking about deferring this to 0.3.4, since it is apparently not _our_ regression, and since it's probably going to take a bunch of fiddly cross-platform testing.

Any objections?

comment:23 Changed 6 months ago by ahf

OK with me.

comment:24 Changed 6 months ago by asn

Milestone: Tor: 0.3.3.x-final → Tor: 0.3.4.x-final

Triaging this out of 033 due to above discussion. Please revert if not right.

comment:25 Changed 4 months ago by nickm

Keywords: 034-deferred-20180602 added
Milestone: Tor: 0.3.4.x-final → Tor: 0.3.5.x-final

Deferring non-must tickets to 0.3.5

comment:26 Changed 2 months ago by nickm

Keywords: 035-removed-20180711 added
Milestone: Tor: 0.3.5.x-final → Tor: unspecified

These tickets are being triaged out of 0.3.5. The ones marked "035-roadmap-proposed" may return.
