proposed-migration for faketime 0.9.10-2.1ubuntu1

Bug #2059078 reported by Steve Langasek
Affects             Status        Importance   Assigned to   Milestone
bash (Ubuntu)       Fix Released  Undecided    Unassigned
faketime (Ubuntu)   New           Undecided    Unassigned
sssd (Ubuntu)       New           Undecided    Unassigned

Bug Description

faketime 0.9.10-2.1ubuntu1 is stuck in -proposed with build failures on armhf.

On armhf, the testsuite confusingly fails with a stack smash error. But this error happens in bash, which isn't even meant to be the process under test.

Minimal reproducer:
# LD_PRELOAD=./src/libfaketime.so.1 bash -c 'exit 0'
*** stack smashing detected ***: terminated
Aborted (core dumped)
#

Confusingly, ltrace shows different results for the newly-built binary than from one built without 64-bit time_t.

# LD_PRELOAD=./src/libfaketime.so.1 ltrace --library '*faketime*' bash -c 'exit 0'
bash->getrandom(0x1f3bf08, 1, 0x9683b0, 0) = 0xc8202
bash->getrandom(0xc8203, 0xf7fad53c, 1023, 0xf7eef801) = 0xc8202
*** stack smashing detected ***: terminated
--- SIGABRT (Aborted) ---
+++ killed by SIGABRT +++
# LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/faketime/libfaketime.so.1 ltrace --library '*faketime*' bash -c 'exit 0'
bash->gettimeofday(0x8b07a0, 0) = 0
bash->getpid() = 819717
bash->gettimeofday(0xffb88714, 0) = 0
bash->getpid() = 819717
bash->gettimeofday(0xffb8871c, 0) = 0
bash->getpid() = 819717
+++ exited (status 0) +++
#

Unsetting -DFAKE_RANDOM in debian/rules does not fix the problem however.

So simply loading the LD_PRELOAD library without executing it seems to be enough to break bash.

Steve Langasek (vorlon)
Changed in faketime (Ubuntu):
assignee: nobody → Steve Langasek (vorlon)
assignee: Steve Langasek (vorlon) → nobody
Steve Langasek (vorlon)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

Unsurprisingly, there are some symbol differences.

# diff -u <(objdump -T /usr/lib/arm-linux-gnueabihf/faketime/libfaketime.so.1 | grep '\.text' | cut -b34- | sort -u) <(objdump -T ./src/libfaketime.so.1 | grep '\.text' | cut -b34- | sort -u)
@@ -1,50 +1,51 @@
 Base __clock_gettime
+Base __clock_gettime64
+Base __clock_nanosleep_time64
+Base __fstat64_time64
 Base __ftime
+Base __futimens64
 Base __fxstat
 Base __fxstat64
 Base __fxstatat
 Base __fxstatat64
 Base __gettimeofday
+Base __lstat64_time64
 Base __lxstat
 Base __lxstat64
+Base __nanosleep64
+Base __ppoll64
+Base __pselect64
+Base __select64
+Base __sem_timedwait64
+Base __stat64_time64
 Base __time
+Base __time64
+Base __timerfd_gettime64
+Base __timerfd_settime64
+Base __timespec_get64
+Base __utimensat64
 Base __xstat
 Base __xstat64
 Base alarm
-Base clock_gettime
-Base clock_nanosleep
 Base epoll_pwait
 Base epoll_wait
-Base fstat
 Base ftime
-Base futimens
 Base getentropy
 Base getpid
 Base getrandom
 Base gettimeofday
 Base lock_for_stat
-Base lstat
-Base nanosleep
 Base needs_forced_monotonic_fix
 Base poll
-Base ppoll
-Base pselect
 Base pthread_cond_destroy
 Base pthread_cond_init
 Base pthread_cond_timedwait
 Base read_config_file
-Base select
-Base sem_timedwait
 Base sleep
-Base stat
-Base time
-Base timerfd_gettime
-Base timerfd_settime
-Base timespec_get
+Base statx
 Base unlock_for_stat
 Base usleep
 Base utime
-Base utimensat
 Base utimes
 GLIBC_2.2) timer_gettime
 GLIBC_2.2) timer_settime
#

One or more of these functions may be broken under TIME_BITS=64. But we don't get far enough to figure that out?

tags: added: time-t
Revision history for this message
Simon Chopin (schopin) wrote :

The failure is because bash, for some reason, still links against gettimeofday rather than __gettimeofday64, and calls that to seed its internal random number generator. I still can't figure out why it's using the old version, though.

ubuntu@noble-armhf:~$ readelf -W -s a.out | grep timeof # a simple test program that just calls gettimeofday()
     9: 00000000 0 FUNC GLOBAL DEFAULT UND __gettimeofday64@GLIBC_2.34 (2)
    98: 00000000 0 FUNC GLOBAL DEFAULT UND __gettimeofday64@GLIBC_2.34
ubuntu@noble-armhf:~$ readelf -W -s /bin/bash | grep timeof
   105: 00000000 0 FUNC GLOBAL DEFAULT UND gettimeofday@GLIBC_2.4 (2)

faketime redefines gettimeofday, except that it uses the timeval definition from glibc which is of course using 64bit time_t. Mayhem ensues.
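
The mismatch described in this comment (and the "merely loading the library breaks bash" observation in the bug description) is a plain struct-size disagreement: bash was linked against gettimeofday@GLIBC_2.4, whose struct timeval is two 32-bit fields (8 bytes), while a preloaded gettimeofday() compiled with _TIME_BITS=64 fills a struct timeval of two 64-bit fields (16 bytes). The program below is an added example, not code from faketime, bash or glibc: it models the two armhf layouts with fixed-width types so it runs on any host, and stands in for the interposer with a function that writes through a void pointer, because at the ELF level only the symbol name "gettimeofday" links the two sides, not the struct layout.

```c
/* Model of the ABI mismatch behind the bash stack smash. Added example;
 * the struct layouts are constructed models of glibc's struct timeval on
 * armhf (32-bit time_t vs _TIME_BITS=64) and not glibc's own definitions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct timeval32 { int32_t tv_sec; int32_t tv_usec; };   /* default armhf ABI: 8 bytes  */
struct timeval64 { int64_t tv_sec; int64_t tv_usec; };   /* _TIME_BITS=64 ABI: 16 bytes */

/* Stand-in for an interposed gettimeofday() built with 64-bit time_t. The
 * argument is void* on purpose: the caller's layout is invisible to it. */
static int fake_gettimeofday_time64(void *tv_out)
{
    struct timeval64 tv = { .tv_sec = 1711872000LL, .tv_usec = 123456LL };
    memcpy(tv_out, &tv, sizeof tv);   /* always writes 16 bytes */
    return 0;
}

/* The same interposer as a 32-bit-time_t build would produce it. */
static int fake_gettimeofday_time32(void *tv_out)
{
    struct timeval32 tv = { .tv_sec = 1711872000, .tv_usec = 123456 };
    memcpy(tv_out, &tv, sizeof tv);   /* writes 8 bytes */
    return 0;
}

#define CANARY 0xA5

/* Emulates a caller (bash) that reserved a 32-bit struct timeval on its
 * stack. The canary-filled bytes after it stand in for the neighbouring
 * stack slots and the stack-protector cookie. Returns how many of those
 * guard bytes the hook overwrote. */
static size_t guard_bytes_clobbered(int (*hook)(void *))
{
    unsigned char frame[sizeof(struct timeval32) + sizeof(struct timeval64)];
    memset(frame, CANARY, sizeof frame);
    hook(frame);                      /* caller believes frame[0..7] is the timeval */
    size_t clobbered = 0;
    for (size_t i = sizeof(struct timeval32); i < sizeof frame; i++)
        if (frame[i] != CANARY) clobbered++;
    return clobbered;
}

/* Bytes by which a 64-bit-time_t interposer overruns a 32-bit caller's
 * struct timeval. */
static size_t timeval_overrun_bytes(void)
{
    return sizeof(struct timeval64) - sizeof(struct timeval32);
}

int main(void)
{
    printf("sizeof timeval: 32-bit ABI = %zu, _TIME_BITS=64 ABI = %zu\n",
           sizeof(struct timeval32), sizeof(struct timeval64));
    printf("guard bytes clobbered by time64 hook: %zu\n",
           guard_bytes_clobbered(fake_gettimeofday_time64));
    printf("guard bytes clobbered by time32 hook: %zu\n",
           guard_bytes_clobbered(fake_gettimeofday_time32));
    return 0;
}
```

Eight bytes of overrun past an 8-byte stack object is exactly what glibc's stack protector reports as "stack smashing detected", and it happens on the very first gettimeofday() call, which is why bash dies before it gets anywhere near the code under test. The practical check before preloading a 64-bit-time_t interposer on a 32-bit architecture is the one used in this comment: `readelf -W -s` on the target and look at whether it imports `gettimeofday@GLIBC_2.4` (8-byte timeval) or `__gettimeofday64@GLIBC_2.34` (16-byte timeval); the interposer must export the symbol that matches.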

Revision history for this message
Simon Chopin (schopin) wrote :

Oh, hang on. The bash build has apparently been uploaded just a day after the t64 gcc, which means gcc was presumably still building when the bash build started:

gcc-13 armhf 13.2.0-13ubuntu1 (from the bash build logs)

A bash rebuild should "fix" this somewhat. Well, at least a little bit.

Revision history for this message
Simon Chopin (schopin) wrote :

What now remains to be done is to heavily patch faketime to, when on armhf:

1/ use the proper symbols from glibc (e.g. __clock_gettime64 instead of __clock_gettime)
2/ expose those symbols instead of the legacy 32-bit ones.

Changed in faketime (Ubuntu):
milestone: none → ubuntu-24.04-beta
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I added an sssd task due to the workaround we had to add to it in https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2058576 (we don't install faketime). Should faketime be fixed, then we can revert that change in sssd.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 5.2.21-2ubuntu4

---------------
bash (5.2.21-2ubuntu4) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- Steve Langasek <email address hidden> Sun, 31 Mar 2024 08:41:03 +0000

Changed in bash (Ubuntu):
status: New → Fix Released