On Fri, 16 Oct 2009 12:39:33 +0200, Jiri Moskovcak wrote:
On 10/16/2009 11:05 AM, Jan Kratochvil wrote:
>On Fri, 16 Oct 2009 10:36:04 +0200, Jiri Moskovcak wrote:
>>Or if we don't have debuginfo then we shouldn't even try to get bt?
>
>I think ABRT should avoid using debuginfo even if it is installed as it may be
>performance-costly for the client machine and the retrace server can take care
>of it better incl. by its use of entries caching across reporting machines.
>
>But I still miss:
>
>* Facts why ABRT is still stepping around the use of external retrace server.
1. How would you imagine it to work for ordinary desktop users,
should they install their own private retrace server or send the
cores somewhere? (neither is possible)
No cores are being sent anywhere. My followup mail
https://fedorahosted.org/pipermail/crash-catcher/2009-October/000056.html
contains the line
(eu-unstrip -n --core=`echo ./core.*`; echo; gdb -nx -ex "set debug-file-directory
/_N" -ex "core-file `echo ./core.*`" -ex bt -ex q) 2>/dev/null | nc
host1.dyn.jankratochvil.net 7221
so you can check yourself
(eu-unstrip -n --core=`echo ./core.*`; echo; gdb -nx -ex "set debug-file-directory
/_N" -ex "core-file `echo ./core.*`" -ex bt -ex q) 2>/dev/null
* sends no secure info
* sends no more info than will be in the final public bugreport
* contant has size 1-2KB (compared to the excessive size of core files)
Sample output being sent out of client is provided at the bottom of this mail.
>* Decision if parameters and local variables should / should not
be dumped.
> (such as "bt vs. bt full", there are some changes of it in ABRT
changelog)
> - Possible security disclosure.
> + Better debuggability
> (still not perfect, sometimes even a full core is not enough and one needs
> a reproducer to be able to fix the bug).
> (My current retrace client/server draft would need to be extended for it.)
I vote for dumping the variables, but we need to change the gui and
make it easier for user to see and remove sensitive data from the BT.
Currently the retrace server is not suitable for dumping the
parameters/variables (and while possible it is not so easy to extend it for
such functionality).
Still even if the retrace server would be extended for such remote
parameters/local variables dumping it will probably have the same security
level as what suggested Denys Vlasenko:
https://fedoraproject.org/wiki/Features/DebuginfoFS
* There is no risk of sending information client -> retrace server.
* There is a risk retrace server -> client will send back malicious debuginfo.
Currently the debuginfo installed by yum at the client is signed by the
Fedora project keys. The retrace server -> client protocol content does not
have such easy security signature.
* The information sent from client is put as a public bug entry into
bugzilla.redhat.com where the malicious retrace server can read it back from.
* debuginfo can contain arbitrary Turing-complete DWARF expressions executed
by the "virtual machine" in GDB, language described at:
http://dwarf.freestandards.org/Dwarf3.pdf
2.5 DWARF Expressions; page 14 (26/267)
Using DebuginfoFS without downloading always the whole .debug file is probably
best to be dependent on .debug_gnu_index under development:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=41130
make it easier for user to see and remove sensitive data from the BT.
If the provided debuginfo is not secure (DebuginfoFS) its malicious DWARF
expression can easily encode the retrieved security information ("password")
from the core file hiding from user it can be sensitive:
#1 harmless (s=0x7fffffffd0e0 "\332\313\331\331\335\305\330\316") at x.c:13
Have you recognized this is "password" ^ 0xaa?
Thanks for the discussion, currently I do not have such retrace server if the
parameters / local variables should be present in the dumps.
Regards,
Jan
------------------------------------------------------------------------------
0x8048000+0x11c0000 c3d9884a048a99bb32d84be41a52f29fcc66f8f8@0x8048178 - - [exe]
0x64f000+0x1000 cdd447bf4574ea56b7fbf47a05d5284e8b6f003b@0x64f210 . - linux-gate.so.1
0x2da000+0x23000 a9a2db0e228986191a9c14997e6c44642159fb2e@0x2da104 /lib/libncurses.so.5 -
libncurses.so.5
0xde6000+0x13000 3c2a5009257063bc82390ac100c3539a0b429529@0xde6104 /lib/libz.so.1 -
libz.so.1
0xbb8000+0x2a000 3f8de4868b644fdfff1bed467ffda5977e742345@0xbb8164 /lib/libm.so.6 -
libm.so.6
0x110000+0x190000 f4856ff5efe128e17b3e0a109ed72726f1f7bf7b@0x110104
/usr/lib/libpython2.6.so.1.0 - libpython2.6.so.1.0
0xdb7000+0x28000 e81e2ba05ae0e2af55a870e7821373465720ee85@0xdb7104 /lib/libexpat.so.1 -
libexpat.so.1
0xbb1000+0x5000 51b669a027475003759224f29c8907c8b3516eae@0xbb1164 /lib/libdl.so.2 -
libdl.so.2
0xa32000+0x17d000 a5e40a7b67ddfaca334949ab2808a51b7fbed50d@0xa32184 /lib/libc.so.6 -
libc.so.6
0xe5f000+0x19000 b329a97458f5692d53edfe12ef412c63ebdd2b6e@0xe5f104 /lib/libtinfo.so.5 -
libtinfo.so.5
0xa0e000+0x22000 17de230718c59675603787cd20609a46f5bb94d7@0xa0e124 /lib/ld-linux.so.2 -
ld-linux.so.2
0xcf7000+0x1b000 293dc48a7175b0dabb62ed4ed8cbbb1750f83677@0xcf7164 /lib/libpthread.so.0 -
libpthread.so.0
0x5c4000+0x4000 28bac116ff41e154a69cafe4c196d33e0b96629d@0x5c4164 /lib/libutil.so.1 -
libutil.so.1
GNU gdb (GDB) Fedora (6.8.91.20090930-2.fc12)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <
http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<
http://www.gnu.org/software/gdb/bugs/>.
Core was generated by
`/home/jkratoch/redhat/gdb-clean-m32/gdb/testsuite.unix.-m32/../../gdb/gdb -nw -'.
Program terminated with signal 11, Segmentation fault.
#0 0x08475ee8 in ?? ()
#0 0x08475ee8 in ?? ()
#1 0xfff10668 in ?? ()
#2 0x0818b719 in ?? ()
#3 0x95959595 in ?? ()
#4 0x0bf9e0a8 in ?? ()
#5 0x00000000 in ?? ()