Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(RHEL-46020) build systemd-executor statically #17

Merged
merged 3 commits into from
Jul 4, 2024
Merged

(RHEL-46020) build systemd-executor statically #17

merged 3 commits into from
Jul 4, 2024

Conversation

lnykryn
Copy link
Member

@lnykryn lnykryn commented Jul 3, 2024
edited by github-actions bot
Loading

No description provided.

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 3, 2024
edited
Loading

Commit validation

Tracker - RHEL-46020

The following commits need an inspection

commit note
d645b5b - meson: rename libbasic to libbasic_static Missing upstream reference ‼️
6f9e8b0 - meson: build libsystemd-core via an intermediate static library Missing upstream reference ‼️
6a02e82 - meson: add option to build systemd-executor "statically" Missing upstream reference ‼️

Tracker validation

Success

🟢 Tracker RHEL-46020 has set desired product: rhel-10.0.beta
🟢 Tracker RHEL-46020 has set desired component: systemd
🟢 Tracker RHEL-46020 has been approved

Pull Request validation

Failed

🔴 Failed or pending checks - rpm-build:centos-stream-10-s390x[failure],rpm-build:centos-stream-10-ppc64le[failure],rpm-build:centos-stream-10-x86_64[failure],rpm-build:centos-stream-10-aarch64[failure]

Success

🟢 Review - Reviewed by a member
🟢 Approval - Changes were approved

keszybz added 2 commits July 3, 2024 18:26
@keszybz @lnykryn
meson: rename libbasic to libbasic_static
d645b5b 
Our variables for internal libraries are named 'libfoo' for the shared lib
variant, and 'libfoo_static' for the static lib variant. The only exception was
libbasic, because we didn't have a shared variant for it. But let's rename it
for consitency. This makes the build config easier to understand.

see currently unmerged systemd/systemd#33599

RHEL-only workaround

Resolves: RHEL-46020
@keszybz @lnykryn
meson: build libsystemd-core via an intermediate static library
6f9e8b0 
By itself, this is not useful. I'm making this a separate commit to
make debugging easier. It turns out that meson does static libraries
using references, so the "static library" a tiny stub stub that refers
to the object files on disk and this has negligible cost:
$ ls -lhd build/src/core/libsystemd-core-257.{a,so}
-rw-r--r-- 1 zbyszek zbyszek  36K Jul  3 16:54 build/src/core/libsystemd-core-257.a
-rwxr-xr-x 1 zbyszek zbyszek 6.1M Jul  3 16:54 build/src/core/libsystemd-core-257.so

see currently unmerged systemd/systemd#33599

RHEL-only workaround

Resolves: RHEL-46020
@lnykryn lnykryn force-pushed the static_executor branch from 1bb148c to 9615ba0 Compare July 3, 2024 16:30
@lnykryn
Copy link
Member Author

lnykryn commented Jul 3, 2024

We also need
-Dlink-executor-shared=false
in spec file

@github-actions github-actions bot changed the title build systemd-executor statically (RHEL-46020) build systemd-executor statically Jul 3, 2024
@keszybz @lnykryn
meson: add option to build systemd-executor "statically"
6a02e82 
The new link-executor-shared option is similar to the existing
link-udev-shared: when set to false, we link to the static versions of our
internal libraries.

The resulting exuctor binary is fairly large, about as large as libsystemd-core
(14 MB without lto, 8 with lto).

This is intended as a workaround for the fuckup with the pinned executor
binary:
when an upgrade is performed, the package manager will install new version of
the libraries and new version of the code, and some time later reexecute the
managers. This creates a window when the pinned executor binary will fail to
execute. There are two factors which make the issue easier to hit:

- when the distribution uses a finely-grained shared-lib-tag. E.g. Fedora
  uses version-release as the tag, which means that the issue occurs on
  every package upgrade. This is the right thing to do, because the
  ABI of our internal libraries is not stable at all, so replacing the
  library from a different version in place creates a window where our
  programs may crash or misbehave.

- when the distribution doesn't immediately reexec all the managers after
  upgrade. In early versions of systemd, we used to hammer the machine during
  upgrade, doing daemon-reexecs repeatedly. This works, but is ugly and
  wasteful. Doing the reexecs while the upgrade is in progres also creates a
  window where a mix of old and new configs or both is loaded. Users are
  particularly annoyed by those reloads if there is some issue in the
  configuration causing us to emit warnings on every reexec. Doing the
  reexecs once after the new configuration and libraries have been put
  in place is nicer.

The pinning of the executor binary breaks upgrades and in particular
it penalizes the distributions which make use of the features which
were previously added to avoid bugs and inefficiency during upgrades.

When the executor is linked statically, there is a smaller chance that it'll
fail to load libraries. The issue can still occur because other libraries, not
our own, are linked dynamically.

see currently unmerged systemd/systemd#33599

RHEL-only workaround

Resolves: RHEL-46020
@lnykryn lnykryn force-pushed the static_executor branch from 9615ba0 to 6a02e82 Compare July 3, 2024 16:37
msekletar
msekletar approved these changes Jul 3, 2024
View reviewed changes
Copy link
Member

@msekletar msekletar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I've tested it locally and it seems to work, i.e. systemd-executor is not linked against internal shared libraries.

[root@rhel10 ~]# ldd /usr/lib/systemd/systemd-executor
        linux-vdso.so.1 (0x0000ffffac6cc000)
        libpam.so.0 => /lib64/libpam.so.0 (0x0000ffffac660000)
        libseccomp.so.2 => /lib64/libseccomp.so.2 (0x0000ffffac620000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x0000ffffac5d0000)
        libacl.so.1 => /lib64/libacl.so.1 (0x0000ffffac5a0000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x0000ffffac540000)
        libblkid.so.1 => /lib64/libblkid.so.1 (0x0000ffffac4d0000)
        libm.so.6 => /lib64/libm.so.6 (0x0000ffffac420000)
        libmount.so.1 => /lib64/libmount.so.1 (0x0000ffffac390000)
        libcap.so.2 => /lib64/libcap.so.2 (0x0000ffffac360000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x0000ffffabe00000)
        libc.so.6 => /lib64/libc.so.6 (0x0000ffffabc40000)
        /lib/ld-linux-aarch64.so.1 (0x0000ffffac68f000)
        libeconf.so.0 => /lib64/libeconf.so.0 (0x0000ffffac330000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x0000ffffac260000)
        libattr.so.1 => /lib64/libattr.so.1 (0x0000ffffac230000)
        libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x0000ffffac200000)
        libz.so.1 => /lib64/libz.so.1 (0x0000ffffabbe0000)

dtardon
dtardon approved these changes Jul 4, 2024
View reviewed changes
Copy link
Member

@dtardon dtardon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lnykryn lnykryn merged commit f3b375d into redhat-plumbers:main Jul 4, 2024
23 of 27 checks passed
@jamacku jamacku added this to the RHEL-10.0.BETA milestone Jul 16, 2024
jamacku pushed a commit that referenced this pull request Jan 8, 2025
@bluca
creds: fix use-after-free in varlink interface
b342fb5 
All other usages of sd_varlink_call* do not free the json return parameter,
and it is owned by the varlink object instead. Do the same here.

TEST-54-CREDS.sh[1074]: ==1074==ERROR: AddressSanitizer: heap-use-after-free on address 0x50c00000095a at pc 0x55cf8cd18a0f bp 0x7ffd7b9d4f10 sp 0x7ffd7b9d4f08
TEST-54-CREDS.sh[1074]: READ of size 2 at 0x50c00000095a thread T0 ((sd-mkdcreds))
TEST-54-CREDS.sh[1074]:     #0 0x55cf8cd18a0e in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16
TEST-54-CREDS.sh[1074]:     #1 0x55cf8cd4cecb in varlink_clear_current /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:593:22
TEST-54-CREDS.sh[1074]:     #2 0x55cf8cd4975e in varlink_clear /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:614:9
TEST-54-CREDS.sh[1074]:     #3 0x55cf8cd3dc3c in varlink_destroy /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:651:9
TEST-54-CREDS.sh[1074]:     #4 0x55cf8cd3dc3c in sd_varlink_unref /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:657:1
TEST-54-CREDS.sh[1074]:     #5 0x55cf8cb47a82 in sd_varlink_unrefp /usr/src/debug/systemd/src/systemd/sd-varlink.h:279:1
TEST-54-CREDS.sh[1074]:     #6 0x55cf8cb47a82 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1
TEST-54-CREDS.sh[1074]:     #7 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29
TEST-54-CREDS.sh[1074]:     #8 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16
TEST-54-CREDS.sh[1074]:     #9 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29
TEST-54-CREDS.sh[1074]:     #10 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13
TEST-54-CREDS.sh[1074]:     #11 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21
TEST-54-CREDS.sh[1074]:     #12 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13
TEST-54-CREDS.sh[1074]:     #13 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13
TEST-54-CREDS.sh[1074]:     #14 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13
TEST-54-CREDS.sh[1074]:     #15 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #16 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #17 0x55cf8ca41cb4  (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222)
TEST-54-CREDS.sh[1074]: 0x50c00000095a is located 26 bytes inside of 120-byte region [0x50c000000940,0x50c0000009b8)
TEST-54-CREDS.sh[1074]: freed by thread T0 ((sd-mkdcreds)) here:
TEST-54-CREDS.sh[1074]:     #0 0x7f64b48d57ea in free (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd57ea) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e)
TEST-54-CREDS.sh[1074]:     #1 0x55cf8cd188ab in sd_json_variant_unref /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:895:25
TEST-54-CREDS.sh[1074]:     #2 0x55cf8cb47a4c in sd_json_variant_unrefp /usr/src/debug/systemd/src/systemd/sd-json.h:98:1
TEST-54-CREDS.sh[1074]:     #3 0x55cf8cb47a4c in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1660:1
TEST-54-CREDS.sh[1074]:     #4 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29
TEST-54-CREDS.sh[1074]:     #5 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16
TEST-54-CREDS.sh[1074]:     #6 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29
TEST-54-CREDS.sh[1074]:     #7 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13
TEST-54-CREDS.sh[1074]:     #8 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21
TEST-54-CREDS.sh[1074]:     #9 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13
TEST-54-CREDS.sh[1074]:     #10 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13
TEST-54-CREDS.sh[1074]:     #11 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13
TEST-54-CREDS.sh[1074]:     #12 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #13 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #14 0x55cf8ca41cb4  (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222)
TEST-54-CREDS.sh[1074]: previously allocated by thread T0 ((sd-mkdcreds)) here:
TEST-54-CREDS.sh[1074]:     #0 0x7f64b48d5a83 in malloc (/usr/lib/clang/19/lib/x86_64-redhat-linux-gnu/libclang_rt.asan.so+0xd5a83) (BuildId: c59bbd28ceb74038a60373d4a8cd4c258bcf0b4e)
TEST-54-CREDS.sh[1074]:     #1 0x55cf8cd16bb7 in malloc_multiply /usr/src/debug/systemd/src/basic/alloc-util.h:119:16
TEST-54-CREDS.sh[1074]:     #2 0x55cf8cd16bb7 in sd_json_variant_new_object /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:737:13
TEST-54-CREDS.sh[1074]:     #3 0x55cf8cd32e58 in json_parse_internal /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3161:29
TEST-54-CREDS.sh[1074]:     #4 0x55cf8cd37326 in sd_json_parse_with_source /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3408:16
TEST-54-CREDS.sh[1074]:     #5 0x55cf8cd37326 in sd_json_parse /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:3437:16
TEST-54-CREDS.sh[1074]:     #6 0x55cf8cd3f753 in varlink_parse_message /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:962:13
TEST-54-CREDS.sh[1074]:     #7 0x55cf8cd3f753 in sd_varlink_process /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:1466:13
TEST-54-CREDS.sh[1074]:     #8 0x55cf8cd4c0a9 in sd_varlink_call_full /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2160:21
TEST-54-CREDS.sh[1074]:     #9 0x55cf8cd4d617 in sd_varlink_callb_ap /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2237:16
TEST-54-CREDS.sh[1074]:     #10 0x55cf8cd4da3c in sd_varlink_callb /usr/src/debug/systemd/src/libsystemd/sd-varlink/sd-varlink.c:2251:13
TEST-54-CREDS.sh[1074]:     #11 0x55cf8cb47686 in ipc_decrypt_credential /usr/src/debug/systemd/src/shared/creds-util.c:1623:13
TEST-54-CREDS.sh[1074]:     #12 0x55cf8caca99a in maybe_decrypt_and_write_credential /usr/src/debug/systemd/src/core/exec-credential.c:486:29
TEST-54-CREDS.sh[1074]:     #13 0x55cf8cac790b in load_credential /usr/src/debug/systemd/src/core/exec-credential.c:713:16
TEST-54-CREDS.sh[1074]:     #14 0x55cf8cac5403 in acquire_credentials /usr/src/debug/systemd/src/core/exec-credential.c:819:29
TEST-54-CREDS.sh[1074]:     #15 0x55cf8cac5403 in setup_credentials_internal /usr/src/debug/systemd/src/core/exec-credential.c:1023:13
TEST-54-CREDS.sh[1074]:     #16 0x55cf8cac42d4 in exec_setup_credentials /usr/src/debug/systemd/src/core/exec-credential.c:1168:21
TEST-54-CREDS.sh[1074]:     #17 0x55cf8ca59569 in exec_invoke /usr/src/debug/systemd/src/core/exec-invoke.c:4866:13
TEST-54-CREDS.sh[1074]:     #18 0x55cf8ca428d8 in run /usr/src/debug/systemd/src/core/executor.c:244:13
TEST-54-CREDS.sh[1074]:     #19 0x55cf8ca428d8 in main /usr/src/debug/systemd/src/core/executor.c:275:13
TEST-54-CREDS.sh[1074]:     #20 0x7f64b40110c7 in __libc_start_call_main (/lib64/libc.so.6+0x40c7) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #21 0x7f64b401118a in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x418a) (BuildId: 159846287d47eef88f2a478f59803f6e8fc81d05)
TEST-54-CREDS.sh[1074]:     #22 0x55cf8ca41cb4  (/usr/lib/systemd/systemd-executor+0x124cb4) (BuildId: 24f2b1608c3aaee3226cdd14fa2b6e6741156222)
TEST-54-CREDS.sh[1074]: SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/systemd/src/libsystemd/sd-json/sd-json.c:887:16 in sd_json_variant_unref
TEST-54-CREDS.sh[1074]: Shadow bytes around the buggy address:
TEST-54-CREDS.sh[1074]:   0x50c000000680: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
TEST-54-CREDS.sh[1074]:   0x50c000000780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
TEST-54-CREDS.sh[1074]:   0x50c000000800: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
TEST-54-CREDS.sh[1074]: =>0x50c000000900: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
TEST-54-CREDS.sh[1074]:   0x50c000000980: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]:   0x50c000000b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
TEST-54-CREDS.sh[1074]: Shadow byte legend (one shadow byte represents 8 application bytes):
TEST-54-CREDS.sh[1074]:   Addressable:           00
TEST-54-CREDS.sh[1074]:   Partially addressable: 01 02 03 04 05 06 07
TEST-54-CREDS.sh[1074]:   Heap left redzone:       fa
TEST-54-CREDS.sh[1074]:   Freed heap region:       fd
TEST-54-CREDS.sh[1074]:   Stack left redzone:      f1
TEST-54-CREDS.sh[1074]:   Stack mid redzone:       f2
TEST-54-CREDS.sh[1074]:   Stack right redzone:     f3
TEST-54-CREDS.sh[1074]:   Stack after return:      f5
TEST-54-CREDS.sh[1074]:   Stack use after scope:   f8
TEST-54-CREDS.sh[1074]:   Global redzone:          f9
TEST-54-CREDS.sh[1074]:   Global init order:       f6
TEST-54-CREDS.sh[1074]:   Poisoned by user:        f7
TEST-54-CREDS.sh[1074]:   Container overflow:      fc
TEST-54-CREDS.sh[1074]:   Array cookie:            ac
TEST-54-CREDS.sh[1074]:   Intra object redzone:    bb
TEST-54-CREDS.sh[1074]:   ASan internal:           fe
TEST-54-CREDS.sh[1074]:   Left alloca redzone:     ca
TEST-54-CREDS.sh[1074]:   Right alloca redzone:    cb

Follow-up for 2c3cbc5

(cherry picked from commit 842a674d4f7fb69af28e67f447c1250383e50f41)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dtardon dtardon dtardon approved these changes

@msekletar msekletar msekletar approved these changes

Assignees
No one assigned
Labels
pr/needs-ci released
Projects
None yet
Milestone
RHEL-10.0.BETA
Development

Successfully merging this pull request may close these issues.
5 participants
@lnykryn @msekletar @dtardon @jamacku @keszybz