segfault during proot

[bukzor]

I'm getting very reproducible segfaults when using proot in termux.

The attached logs are the result of filtering the output of

proot -v 9 sh -c 'while /bin/true; do /bin/true; done' >& proot.log

proot-1.log proot-2.log proot-587.log proot-588.log

[michalbednarski]

On what architecture (dpkg --print-architectue) and kernel (uname -a)?

[bukzor]

bash-4.4$ dpkg --print-architecture
i686
bash-4.4$ uname -a
Linux localhost 3.18.91+ #1 SMP PREEMPT Tue Jan 9 20:32:02 UTC 2018 i686 Android

I'm running the official "Android 8.1 (Google Play)" image via Android Studio on my Linux laptop. I would have chosen an x86_64 image, to match the host, but there's all the GPlay-compatible images are x86. At any rate, the emulation shouldn't be part of the problem. True?

$ dpkg --print-architecture
amd64

$ uname -a
Linux tortle-2016 4.13.0-36-lowlatency #40-Ubuntu SMP PREEMPT Fri Feb 16 21:12:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 17.10
Release:    17.10
Codename:   artful

$ ./emulator/emulator -version 
Android emulator version 27.2.0.0 (build_id 4639322) (CL:b2e3f2a8582187d11681d04c52d314cd1f513ae6)

[michalbednarski]

I'll look into it, as a workaround you might try (on 64-bit emulator use x86_64 instead i686)

setarch i686 --addr-no-randomize proot ...

Generally emulation doesn't cause problems, it's usually matter of used (guest) kernel and processor architecture, arm/aarch64 versions are used more ofter and therefore better tested.

[bukzor]

Workaround confirmed! I'll just work that into my own termux-chroot alias.

Why/how does this improve things?

[michalbednarski]

This disables ASLR for processes inside proot making memory layout always same, as some randomization causes memory region clash after emulated execve call

Clash is happening between two of those but I haven't yet found which:

• proot loader (stub program handling mapping of process memory after execve inside proot)
• main program
• dynamic linker (library actually started before main program in order to load it's libraries, also providing dlsym)
• libraries used by program (libc, etc.)
• heap (region of memory managed with brk syscall)

[themanyone]

This might be a separate issue, but maybe it will spark ideas. Proot 5.1.107-18 arm segfaults on my tablet since flashing to Lineage 14.1 (Android 7.1.2) custom ROM image

Filename: lineage-14.1-20171228_233442-UNOFFICIAL-vk810.zip Device: Android LG Gpad 8.3 VK810 LTE version [altev] (not [v500])

• Proot does work on this device with stock 5.0.2 firmware kernel.
• Other devices without Lineage kernel also work fine.

Termux installs, runs great. Proot anything gives error:

$ proot echo
<jemalloc>: Error in munmap(): Invalid argument
proot info: vpid 1: terminated with signal 11

strace_proot_cat.TXT

Possible cause: Patches of other software with munmap() invalid argument error suggest that the error arises from kernels with a different page size. Memory alignment issues crop up. In this case, iotl() is fetching a block of /dev/random data to what looks like an invalid page boundary. ioctl() and random: http://man7.org/linux/man-pages/man4/random.4.html

None of the setarch options work in this case. Running regular chroot as root works though.

If there is anything else I can do (open a new bug perhaps?) please let me know.

Linux localhost 3.4.0 #1 SMP PREEMPT Thu Dec 28 17:44:24 CST 2017 armv7l Android Termux-packages arch: arm Android version: 7.1.2 Device manufacturer: LGE Device model: LG-VK810

[themanyone]

Curiously, Termux's ltrace crashes too on this weird tablet! The strace report of ltrace looks almost the same as proot crash (strace_proot_cat.TXT above).

$ which ltrace
/data/data/com.termux/files/usr/bin/ltrace
$ ltrace echo
+++ killed by SIGKILL +++
$ strace ltrace echo 2> strace_ltrace_echo.TXT

strace_ltrace_echo.TXT

[michalbednarski]

It looks like even strace has problems on that ROM, so probably there won't be much that could be fixed on my side as strace by default doesn't alter operation of traced program and that was sufficient to introduce breakage and proot in addition to monitoring syscalls it also alters them.

Traces from strace you've provided shows that program hasn't even loaded libc but bailed out on failed library load order randomization. If system really would have broken random device wouldn't boot and as you've shown jemalloc error from prooted process it is clear that proot when running without strace was at least able to start.

You might try export PROOT_NO_SECCOMP=1 But probably just breaking into debugger on syscalls is broken on your ROM. Sorry

[themanyone]

No problem and thanks! Library load order randomization just so happens to have been introduced in Android open source project (AOSP) Android since version 7.0, the codebase which LineageOS is built on. Their /system/xbin/strace is also broken on that build. Wish I had known more about this, but it's great to have some idea of what's going on. Cheers.