Bug 1688725
Summary: | 'import dmidecode' shouldn't access memory | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jaroslav Škarvada <jskarvad> | ||||
Component: | python-dmidecode | Assignee: | lijiang | ||||
Status: | CLOSED ERRATA | QA Contact: | Jeff Bastian <jbastian> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.6 | CC: | csnyder, jbastian, lijiang, olysonek, ruyang, rvr, tkasparek | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | python-dmidecode-3.12.2-4.el7 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2020-03-31 19:59:47 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1711208 | ||||||
Attachments: |
|
Description
Jaroslav Škarvada
2019-03-14 10:24:53 UTC
Created attachment 1543976 [details]
Reproducer
The same problem happens on aarch64, so probably it shouldn't be shipped on non x86(64). It seems on RHEL-7 the spec has just: ExcludeArch: s390x I cannot see any exclude/exclusive keywordss on the RHEL-8, so the RHEL-8 is probably also affected. Maybe the dmidecode package is good for offline parsing, but just the 'import dmidecode' shouldn't access hardcoded memory addresses (see the reproducer). Ideally, the dmidecode module should not print anything to stdout/stderr under any circumstances. If it encounters an error, it should raise an exception instead. Also, IMHO it shouldn't do anything that requires privileges during import. (In reply to Ondřej Lysoněk from comment #6) > Ideally, the dmidecode module should not print anything to stdout/stderr > under any circumstances. If it encounters an error, it should raise an > exception instead. Also, IMHO it shouldn't do anything that requires > privileges during import. +1 it shouldn't access the memory even on x86 during the import, this could lead to the following when running the reprodcuer as non-privileged: ** COLLECTED WARNINGS ** /dev/mem (mmap): Operation not permitted This is known bug 1509938 and, unfortunately, it will not be fixed since upstream has abandoned python-dmidecode. We've been updating tools to use dmidecode directly instead of the python module. See the dependencies attached to bug 1509938. Ideally, dmidecode should be updated to have a machine-readable-output option like XML or JSON so that tools like subscription-manager and abrt do not need complex parsers. Historically, tools like dmidecode had to scrub through the first 1MB of RAM to find the SMBIOS (DMI) tables. Modern kernels export the tables in /sys/firmware/dmi/tables/* and /sys/firmware/dmi/entries/*, and dmidecode has been updated to read from /sys instead of /dev/mem. But since the module python-dmidecode was abandoned, it was never updated to read from /sys, hence we have these bugs. For rhel8, we have disabled build python-dmidecode package other than x86_64 architecture, please refer to the bz#1626424. Can we close this bug? Or also do the same things for rhel7, do you have any suggestions? Thanks. Hi, Jeff Also disable build this package other than x86_64 on rhel7.7, just like on rhel8. If you agree, i can add the devel_ack, can you help me add the qa_ack? Thanks. Hello Lianbo, I'm sorry, I didn't see your question in comment 11. We cannot disable the package in RHEL-7 / RHEL-ALT-7 or we will create repoclosure problems with rhn-client-tools and subscription-manager: ~]# repoquery --repofrompath RHEL-ALT-7.6,/mnt/engarchive2/released/RHEL-ALT-7/7.6/Server/aarch64/os/ --whatrequires python-dmidecode rhn-client-tools-0:2.0.2-24.el7.aarch64 subscription-manager-0:1.21.10-2.el7.aarch64 Instead, maybe we could modify python-dmidecode to just exit early if running on non-x86 architectures? This would prevent it from trying to access /dev/mem and failing. A better repoquery: ### RHEL-7.6 ~]# for A in ppc64 ppc64le s390x x86_64 ; do echo ::$A:: repoquery \ --repofrompath RHEL-7.6,http://download.devel.redhat.com/released/RHEL-7/7.6/Server/$A/os/ \ --repoid RHEL-7.6 \ --archlist ppc64,ppc64le,s390x,x86_64,noarch \ --whatrequires python-dmidecode echo done ::ppc64:: rhn-client-tools-0:2.0.2-24.el7.ppc64 ::ppc64le:: rhn-client-tools-0:2.0.2-24.el7.ppc64le subscription-manager-0:1.21.10-2.el7.ppc64le ::s390x:: ::x86_64:: rhn-client-tools-0:2.0.2-24.el7.x86_64 subscription-manager-0:1.21.10-2.el7.x86_64 ### RHEL-ALT-7.6 ~]# for A in aarch64 ppc64le s390x ; do echo ::$A:: repoquery \ --repofrompath RHEL-ALT-7.6,http://download.devel.redhat.com/released/RHEL-ALT-7/7.6/Server/$A/os \ --repoid RHEL-ALT-7.6 \ --archlist aarch64,ppc64le,s390x,noarch \ --whatrequires python-dmidecode echo done ::aarch64:: rhn-client-tools-0:2.0.2-24.el7.aarch64 subscription-manager-0:1.21.10-2.el7.aarch64 ::ppc64le:: rhn-client-tools-0:2.0.2-24.el7.ppc64le subscription-manager-0:1.21.10-2.el7.ppc64le ::s390x:: (In reply to Jeff Bastian from comment #12) > Hello Lianbo, > > I'm sorry, I didn't see your question in comment 11. > Don't worry. > We cannot disable the package in RHEL-7 / RHEL-ALT-7 or we will create > repoclosure problems with rhn-client-tools and subscription-manager: > OK, it seems that it has a dependency issue. Can we add them to the bug email list and discuss with them here? If they would like to get rid of the dependency, i will disable build this package, just like on rhel8. > ~]# repoquery --repofrompath > RHEL-ALT-7.6,/mnt/engarchive2/released/RHEL-ALT-7/7.6/Server/aarch64/os/ > --whatrequires python-dmidecode > rhn-client-tools-0:2.0.2-24.el7.aarch64 > subscription-manager-0:1.21.10-2.el7.aarch64 > > > Instead, maybe we could modify python-dmidecode to just exit early if > running on non-x86 architectures? This would prevent it from trying to > access /dev/mem and failing. If so, this won't need to consider about the dependency issue, but actually it doesn't get any information(correct result) for all operations. Thanks. Hi, Here is a build packages, please refer to the following link: build task: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=22919907 build packages: http://brew-task-repos.usersys.redhat.com/repos/official/python-dmidecode/3.12.2/4.el7/ Thanks. Verified with python-dmidecode-3.12.2-4.el7 :::::::::::: :: Before :: :::::::::::: [root@ibm-p8-kvm-03-guest-07 ~]# rpm -q python-dmidecode python-dmidecode-3.12.2-3.el7.ppc64le [root@ibm-p8-kvm-03-guest-07 ~]# python -c 'import dmidecode' ** COLLECTED WARNINGS ** /dev/mem (mmap): Operation not permitted No SMBIOS nor DMI entry point found, sorry. ** END OF WARNINGS ** [ 675.564531] Program python tried to access /dev/mem between f0000->100000. [root@ibm-p8-kvm-03-guest-07 ~]# ::::::::::: :: After :: ::::::::::: [root@ibm-p8-kvm-03-guest-07 ~]# rpm -q python-dmidecode python-dmidecode-3.12.2-4.el7.ppc64le [root@ibm-p8-kvm-03-guest-07 ~]# python -c 'import dmidecode' [root@ibm-p8-kvm-03-guest-07 ~]# Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1096 |