On 2022-01-13 14:20, Wolfgang Walter wrote:
> On 2022-01-12 16:46, Aurelien Jarno wrote:
> > On 2022-01-12 16:14, Wolfgang Walter wrote:
> > > Package: libc6
> > > Version: 2.33-2
> > > Severity: important
> > >
> > > After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or VIA
> > > Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
> > > fails). Machines with VIA Nehemiah work fine.
> >
> > Could you please provide more details? At least the content of dmesg
> > when it happens or ideally a core dump or a backtrace.
>
> Not easy. These machines just boot into an initramfs (which is a very minimal
> debian sid) from a usb-stick and nothing survives a reboot. /bin/sh points
> to bash.
>
> The system does not use systemd but sysv.
>
> The login prompt is:
>
> (none) login:
>
> I cannot log into the machine, login seems also to be broken, it always says
> "login incorrect".
>
> If I try to reboot by entering ctrl-alt-del the reboot fails with:
>
> INIT: Switching to runlevel: 6
> INIT: No inittab.d directory found
> INIT: Sending processes configured via /etc/inittab the TERM signal
> [ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
> [ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
> Give root password for maintenance
> (or press Control-D to continue):

Thanks. This code corresponds to memset_sse2:

  14e607: 81 c3 69 95 04 00       add    $0x49569,%ebx
  14e60d: 03 1c 8b                add    (%ebx,%ecx,4),%ebx
  14e610: 01 ca                   add    %ecx,%edx
  14e612: ff e3                   jmp    *%ebx
  14e614: 29 d9                   sub    %ebx,%ecx
  14e616: 8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
  14e61d: 8d 76 00                lea    0x0(%esi),%esi
  14e620: 0f 18 8a c0 03 00 00    prefetcht0 0x3c0(%edx)
  14e627: 0f 18 8a 80 03 00 00    prefetcht0 0x380(%edx)
  14e62e: 81 eb 80 00 00 00       sub    $0x80,%ebx
=>14e634: 66 0f 7f 02             movdqa %xmm0,(%edx)
  14e638: 66 0f 7f 42 10          movdqa %xmm0,0x10(%edx)
  14e63d: 66 0f 7f 42 20          movdqa %xmm0,0x20(%edx)
  14e642: 66 0f 7f 42 30          movdqa %xmm0,0x30(%edx)
  14e647: 66 0f 7f 42 40          movdqa %xmm0,0x40(%edx)

> But I cannot login (Login incorrect). If I enter control-d instead, I get
> "sulogin: cannot read /dev/tty1: Operation not permitted".
>
> The very same usb stick boots just fine with non VIA 7 / VIA Eden
> processors.
>
> I modified it a bit and set --autologin for one getty. This did not work, I
> get a lot of things like
>
> [ ......][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]
>
> or
>
> [ ........][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]
>
> Now I tried getty -n -l /bin/dash. This worked.
>
> If I try to start bash, bash crashes with a segmentation fault. I have no
> debugger and no debugging symbols in this image at the moment, only strace
>
> If I strace -f bash I get:
>
> The last thing done is reading the first line of passwd, closing the file.
> Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR,
> si_addr=0x12d9000}
>
> When I do a strace -f bash 2> /tmp/blub the last system call is uname(),
> then again a SEGV_MAPERR
>
> When bash segfaults I get no log that it crashed in libc6.
>
> ls, rm, mount etc seem to work.
>
> But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff e3
> 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00
> 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42
> 30 66 0f"
>
> Also ip link ls crashes, again in libc6, again at +158000 and with Code "0f
> 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f
> 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42
> 70 71 c2 80 00 00 00 81 fb 80 00 00 00"
>
> or ip addr ls
>
> or less, perl, ssh, sshd, rsyslogd
>
> The Code is not always the same, but <66> 0f 7f 42 seems to be and the crash
> in libc-2.33.so[xxxxx+158000]
>

The above crashes are in memset_sse2 or bzero_sse2, I do not have enough
details to confirm, but that's not that important.

Thanks a lot for those details, they definitely help to understand things a
bit better, although things are not fully clear yet.

The memset_sse2 and bzero_sse2 are called only on an SSE2 capable CPU, which
is the case of the VIA C7, and that matches the fact the crash is a
segmentation fault and not an illegal instruction. The addresses seem to be
correctly aligned as required by SSE2 instructions.

I do not (yet?) understand why upgrading from 2.32 to 2.33 causes such an
issue, as the code of those functions hasn't changed for years.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
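
The triage steps used in the mail above, as an added example that is not part of the original message or of any glibc or Debian tooling: a Python parser for the kernel "segfault at" and "Code:" lines that decodes the x86 page-fault error code, checks the alignment of the faulting address, and computes the instruction offset inside the mapped libc region. The function and field names are hypothetical; the two log lines are copied from the report with the mail line wraps rejoined.

```python
import re

# Log lines copied from the report quoted above (mail line wraps rejoined).
SEGFAULT = ("[ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 "
            "sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]")
CODE = ("[ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 "
        "26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb "
        "80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f")

SEG_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# Low bits of the x86 page-fault error code: (bit, meaning if set, meaning if clear).
ERR_BITS = ((0, "protection violation", "page not present"),
            (1, "write", "read"),
            (2, "user mode", "kernel mode"))

def parse_segfault(line):
    """Decode one kernel 'segfault at' line; return None if it is not one."""
    m = SEG_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    info = {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
            "access": [on if err >> bit & 1 else off for bit, on, off in ERR_BITS],
            "addr_16_aligned": addr % 16 == 0,    # movdqa needs a 16-byte aligned operand
            "addr_page_aligned": addr % 4096 == 0}
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        info["object"] = m["obj"]
        # Offset inside the mapped region only; add that region's file offset
        # (from /proc/<pid>/maps or readelf -l) to get an objdump address.
        info["offset_in_mapping"] = ip - base if base <= ip < base + size else None
    return info

def faulting_bytes(code_line, count=4):
    """Return `count` bytes starting at the <xx> marker, i.e. at the faulting ip."""
    tokens = code_line.split("Code:", 1)[1].split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in tokens[start:start + count])

if __name__ == "__main__":
    print(parse_segfault(SEGFAULT))
    print(faulting_bytes(CODE).hex(" "))
```

The bytes returned by faulting_bytes() for the first report are the encoding of the movdqa %xmm0,(%edx) instruction marked with => in the disassembly above.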