Bug 1368188

Summary: [abrt] systemtap-devel: get_privilege_credentials(): stap killed by SIGSEGV
Product: [Fedora] Fedora Reporter: Philip Withnall <philip>
Component: systemtapAssignee: Frank Ch. Eigler <fche>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: brolley, dsmith, fche, jistone, lberk, mjw, scox, wcohen
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/c3f40cd778bb90db15a83ce6f514a8eb1ffa1876
Whiteboard: abrt_hash:f2b03595aec057ffb4e2f3b2139bdcb1ca885c27;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-18 20:36:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: backtrace
none
File: cgroup
none
File: core_backtrace
none
File: dso_list
none
File: environ
none
File: exploitable
none
File: limits
none
File: maps
none
File: mountinfo
none
File: namespaces
none
File: open_fds
none
File: proc_pid_status
none
File: var_log_messages none

Description Philip Withnall 2016-08-18 15:23:11 UTC 
Description of problem:
stap --unprivileged --ldd -o "some-file.log" -c "hitori" --rlimit-as=0 dunfell-record.stp

dunfell-record.stp is here: https://gitlab.com/pwithnall/dunfell/blob/master/record/dunfell-record.stp

Version-Release number of selected component:
systemtap-devel-3.0-3.fc24

Additional info:
reporter:       libreport-2.7.2
backtrace_rating: 4
cmdline:        stap --unprivileged --ldd -o dunfell-hitori-f3QnCY.log -c hitori --rlimit-as=0 /opt/gnome3/build/share/libdunfell-0/dunfell-record.stp
crash_function: get_privilege_credentials
executable:     /usr/bin/stap
global_pid:     16968
kernel:         4.6.4-301.fc24.x86_64
pkg_fingerprint: 73BD E983 81B4 6521
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            1000

Truncated backtrace:
Thread no. 1 (2 frames)
 #0 get_privilege_credentials at privilege.cxx:58
 #1 systemtap_session::check_options at session.cxx:1657
Comment 1 Philip Withnall 2016-08-18 15:23:20 UTC 
Created attachment 1191909 [details]
File: backtrace
Comment 2 Philip Withnall 2016-08-18 15:23:21 UTC 
Created attachment 1191910 [details]
File: cgroup
Comment 3 Philip Withnall 2016-08-18 15:23:23 UTC 
Created attachment 1191911 [details]
File: core_backtrace
Comment 4 Philip Withnall 2016-08-18 15:23:24 UTC 
Created attachment 1191912 [details]
File: dso_list
Comment 5 Philip Withnall 2016-08-18 15:23:26 UTC 
Created attachment 1191913 [details]
File: environ
Comment 6 Philip Withnall 2016-08-18 15:23:27 UTC 
Created attachment 1191914 [details]
File: exploitable
Comment 7 Philip Withnall 2016-08-18 15:23:29 UTC 
Created attachment 1191915 [details]
File: limits
Comment 8 Philip Withnall 2016-08-18 15:23:31 UTC 
Created attachment 1191916 [details]
File: maps
Comment 9 Philip Withnall 2016-08-18 15:23:32 UTC 
Created attachment 1191917 [details]
File: mountinfo
Comment 10 Philip Withnall 2016-08-18 15:23:33 UTC 
Created attachment 1191918 [details]
File: namespaces
Comment 11 Philip Withnall 2016-08-18 15:23:35 UTC 
Created attachment 1191919 [details]
File: open_fds
Comment 12 Philip Withnall 2016-08-18 15:23:36 UTC 
Created attachment 1191920 [details]
File: proc_pid_status
Comment 13 Philip Withnall 2016-08-18 15:23:38 UTC 
Created attachment 1191921 [details]
File: var_log_messages
Comment 14 Philip Withnall 2016-08-18 15:25:21 UTC 
Also reproducible using:
stap --unprivileged --ldd -o "some-file.log" -c "echo 'hi'" --rlimit-as=0 dunfell-record.stp

If I remove the --rlimit-as=0, I get:

> Using a compile server.
> std::bad_alloc
> Passes: via server failed.  Try again with another '-v' option.
> For users with the privilege level stapusr, the module created by compiling your script must be signed by a trusted systemtap compile-server.  [man stap-server]
> --use-server was automatically selected in order to request compilation by a compile-server.
Comment 15 Frank Ch. Eigler 2016-08-18 15:33:03 UTC 
The --rlimit-as=XXX value is for imposing emergency resource limits on the stap-related programs.  An outright crash for a minuscule limit such as =0 is not unexpected.
Comment 16 David Smith 2016-08-18 15:50:27 UTC 
(In reply to Philip Withnall from comment #14)
> Also reproducible using:
> stap --unprivileged --ldd -o "some-file.log" -c "echo 'hi'" --rlimit-as=0
> dunfell-record.stp
> 
> If I remove the --rlimit-as=0, I get:
> 
> > Using a compile server.
> > std::bad_alloc
> > Passes: via server failed.  Try again with another '-v' option.
> > For users with the privilege level stapusr, the module created by compiling your script must be signed by a trusted systemtap compile-server.  [man stap-server]
> > --use-server was automatically selected in order to request compilation by a compile-server.

What are you really trying to do here? Because you used '--unprivileged', you are running as 'stapusr', the lowest level of privilege. Those users can only run scripts "blessed" by a user with higher privilege and only probe their own processes.

Is that what you intended?

Perhaps you should join #systemtap on freenode or send an email to systemtap and we can start a conversation about how to go about what you are trying to accomplish.
Comment 17 Frank Ch. Eigler 2016-08-18 15:58:59 UTC 
(In reply to Philip Withnall from comment #14)
> Also reproducible using:
> stap --unprivileged --ldd -o "some-file.log" -c "echo 'hi'" --rlimit-as=0
> dunfell-record.stp
> 
> If I remove the --rlimit-as=0, I get:
> 
> > Using a compile server.
> > std::bad_alloc
> [...]

Ah, sorry, I missed this part.  The compile server probably has default rlimits that, if too small, could result in that std::bad_alloc.  Your stp script is not quite idiomatic (as small as possible), but also well within the range what defaults should be able to handle.  Will reopen this bug to track analysis of why that might have happened.
Comment 18 Philip Withnall 2016-08-18 16:04:15 UTC 
(In reply to Frank Ch. Eigler from comment #15)
> The --rlimit-as=XXX value is for imposing emergency resource limits on the
> stap-related programs.  An outright crash for a minuscule limit such as =0
> is not unexpected.

Ah, I misread `man stap` then, and assumed that --rlimit-as=0 imposed no limit, rather than a limit of zero.

However, running with --rlimit-as= (and no argument to it) gives another crash.
Comment 19 David Smith 2016-08-18 16:07:39 UTC 
(In reply to Philip Withnall from comment #18)
> (In reply to Frank Ch. Eigler from comment #15)
> > The --rlimit-as=XXX value is for imposing emergency resource limits on the
> > stap-related programs.  An outright crash for a minuscule limit such as =0
> > is not unexpected.
> 
> Ah, I misread `man stap` then, and assumed that --rlimit-as=0 imposed no
> limit, rather than a limit of zero.
> 
> However, running with --rlimit-as= (and no argument to it) gives another
> crash.

I don't think you did misread the man page:

       --rlimit-as=NUM
              Specify the maximum size of the process's  virtual  memory  (ad‐
              dress  space),  in bytes. If nothing is specified, no limits are
              imposed.

Perhaps we should also treat '--rlimit-as=0' as '--rlimit-as=' (i.e. no limits imposed).
Comment 20 David Smith 2016-08-18 20:36:32 UTC 
Commit cc72c6a updates the handling of the '--rlimit-*' options by requiring a value and giving a better error if the numeric conversion of the value fails. The man page was updated to remove that misleading "If nothing is specified, no limits are imposed." sentence.

In addition, Philip joined #systemtap on freenode and we figured out that his server '--rlimit-as' value in /var/lib/stap-server/.systemtap/rc wasn't big enough. After doubling it, everything works correctly.

So, I'm closing this one.