Hello Thorsten Glaser,
Am 24.03.19 um 14:25 schrieb Thorsten Glaser:
> Bernhard Übelacker dixit:
>
>> I see that the syscall number gets modified to become 0x40000062.
>>
>> But the syscall modifies 144 bytes, more than just the size of
>> variable ru1 of 88 bytes.
>>
>> This 144 bytes is the size I could observe within amd64 userland.
>
> The x32 syscalls often have struct mapping, so amd64 userland
> sizes have no bearing on it.
That was only meant to show what the size would be if the interface
used 64-bit integers.
Could there still be a struct mapping behind the syscall instruction?
Wouldn't that already have to happen on the kernel side?
>> Found also this bug at bugzilla.kernel.org [1].
>
> That’s from 2013. But given that it works with the other C libraries
> I’ll see whether I can fix it myself, unless Christian beats me to it.
As this was opened by H.J. Lu, who implemented the Linux x32 ABI
[1][2], I think this sentence from the bug report is still
relevant:
...
X32 uses the same system call interface as x86-64
for them. Some of those field should be long long
since they must be 64-bit integer in x32. But long
is 32-bit in x32.
Attached is also a file that demonstrates a getrusage call from a
program linked against x32 glibc. There, 144 bytes are modified by the
syscall instruction (the 8 bytes before and after the struct stay
untouched in the gdb dump). Note the memory-safety implication: the
kernel writes its own 144-byte layout regardless of what the C library
declares, so a libc whose x32 struct rusage is only 88 bytes (32-bit
long fields) gets 56 bytes written past the end of the caller's
variable -- a stack buffer overflow, not just a misread field.
Kind regards,
Bernhard
[1] https://lkml.org/lkml/2011/8/26/415
[2] https://sites.google.com/site/x32abi/documents/abi.pdf?attredirects=0&d=1
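# Unstable amd64-kernel with x32-userland qemu VM 2019-04-09
# Reproduction environment: update the VM, install build/debug tooling and
# unpack the glibc source so gdb can show syscall-template.S with source lines.
apt update
apt dist-upgrade
apt install dpkg-dev devscripts build-essential gdb mc
# Option before operand: POSIX-portable order (GNU mkdir also accepts it after,
# other implementations do not).
mkdir -p /home/benutzer/source/libc6/orig
# Chain with &&: if the cd fails, do not unpack the source into the current
# directory (usually $HOME) by accident.
cd /home/benutzer/source/libc6/orig && apt source libc6
cd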
########
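# Quoted delimiter: the shell must not expand $, backticks or backslashes
# inside the C source it writes out.
cat <<'EOF' > test.c
/*
gcc -g -O0 -Wall -Wextra test.c -o test

Fills a struct rusage with a marker byte (0xab) and lets the kernel
overwrite it via getrusage(2); a debugger can then see exactly which
bytes the syscall instruction wrote.  The struct size printed is the
one of the libc this binary is linked against -- the kernel writes its
own layout regardless, so a libc declaring struct rusage smaller than
what the kernel fills in (e.g. 88 bytes with 32-bit long fields) would
have its caller's buffer overrun.
*/
#include <sys/time.h>
#include <sys/resource.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
	struct rusage usage;
	int r;

	/* Marker pattern: any byte still 0xab afterwards was not touched
	   by the kernel (the gdb session dumps the buffer before/after). */
	memset(&usage, 0xab, sizeof(usage));
	r = getrusage(RUSAGE_SELF, &usage);
	if (r != 0)
		perror("getrusage");
	/* %zu: sizeof() yields size_t, not int. */
	printf("r=%d sizeof(usage)=%zu\n", r, sizeof(usage));
	return r != 0;
}
EOF
gcc -g -O0 -Wall -Wextra test.c -o test
file test
ldd test
./test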
########
benutzer@debian:~$ cat <<EOF > test.c
> /*
> gcc -g -O0 test.c -o test
> */
>
> #include <sys/time.h>
> #include <sys/resource.h>
> #include <stdio.h>
> #include <string.h>
>
> int main()
> {
> struct rusage usage;
> int r;
> memset(&usage, 0xab, sizeof(usage));
> r = getrusage(RUSAGE_SELF, &usage);
> printf("r=%d sizeof(usage)=%d\n", r, sizeof(usage));
> }
> EOF
benutzer@debian:~$
benutzer@debian:~$ gcc -g -O0 test.c -o test
benutzer@debian:~$ file test
test: ELF 32-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked,
interpreter /libx32/ld-linux-x32.so.2, for GNU/Linux 3.4.0,
BuildID[sha1]=fc9badaccaf302b5c1707a8a3c02d4949a4934dd, with debug_info, not
stripped
benutzer@debian:~$ ldd test
linux-vdso.so.1 (0xff9b0000)
libc.so.6 => /lib/x86_64-linux-gnux32/libc.so.6 (0xf7d70000)
/libx32/ld-linux-x32.so.2 (0xf7f29000)
benutzer@debian:~$ ./test
r=0 sizeof(usage)=144
########
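gdb -q --args ./test
set width 0
set pagination off
# glibc source tree, so the getrusage stub (syscall-template.S) shows source lines
directory /home/benutzer/source/libc6/orig/glibc-2.28/sysdeps
b getrusage
run
bt
display/i $pc
# one instruction: from the 'mov $0x40000062,%eax' at the stub entry to the syscall insn
stepi
# switch to main's frame to take the address of the marker-filled struct
up
print sizeof(usage)
print &usage
# Keep the address in a convenience variable instead of the value-history
# number ($2): the history number shifts as soon as a print is added or
# removed above, silently dumping the wrong memory.
set $ru = (char *)&usage
# 8 guard bytes before, the struct, 8 guard bytes after -- before the syscall ...
x/160xb $ru - 8
# ... execute the syscall instruction itself ...
stepi
# ... and dump again: every byte no longer 0xab was written by the kernel
x/160xb $ru - 8
detach
q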
##########
benutzer@debian:~$ gdb -q --args ./test
Reading symbols from ./test...done.
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/source/libc6/orig/glibc-2.28/sysdeps
Source directories searched:
/home/benutzer/source/libc6/orig/glibc-2.28/sysdeps:$cdir:$cwd
(gdb) b getrusage
Breakpoint 1 at 0x401030
(gdb) run
Starting program: /home/benutzer/test
Breakpoint 1, getrusage () at ../sysdeps/unix/syscall-template.S:78
78 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) bt
#0 getrusage () at ../sysdeps/unix/syscall-template.S:78
#1 0x0040117a in main () at test.c:15
(gdb) display/i $pc
1: x/i $pc
=> 0xf7efc190 <getrusage>: mov $0x40000062,%eax
(gdb) stepi
0xf7efc195 78 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
1: x/i $pc
=> 0xf7efc195 <getrusage+5>: syscall
(gdb) up
#1 0x0040117a in main () at test.c:15
15 r = getrusage(RUSAGE_SELF, &usage);
(gdb) print sizeof(usage)
$1 = 144
(gdb) print &usage
$2 = (struct rusage *) 0xffffd5a0
(gdb) x/160xb (char*)$2 - 8
0xffffd598: 0x7a 0x11 0x40 0x00 0x00 0x00 0x00 0x00
0xffffd5a0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5a8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5b0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5b8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5c0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5c8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5d0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5d8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5e0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5e8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5f0: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd5f8: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd600: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd608: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd610: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd618: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd620: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd628: 0xab 0xab 0xab 0xab 0xab 0xab 0xab 0xab
0xffffd630: 0x10 0xd7 0xff 0xff 0x00 0x00 0x00 0x00
(gdb) stepi
0xf7efc197 78 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
1: x/i $pc
=> 0xf7efc197 <getrusage+7>: cmp $0xfffffffffffff001,%rax
(gdb) x/160xb (char*)$2 - 8
0xffffd598: 0x7a 0x11 0x40 0x00 0x00 0x00 0x00 0x00
0xffffd5a0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5a8: 0xd1 0x07 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5b0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5b8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5c0: 0xe8 0x3a 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5d0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5d8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5e0: 0x93 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5e8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5f0: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd5f8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd600: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd608: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd610: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd618: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd620: 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd628: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd630: 0x10 0xd7 0xff 0xff 0x00 0x00 0x00 0x00
(gdb) detach
Detaching from program: /home/benutzer/test, process 15717
[Inferior 1 (process 15717) detached]
r=0 sizeof(usage)=144
(gdb) q