On 2022-01-13 23:07, Aurelien Jarno wrote:
On 2022-01-13 14:20, Wolfgang Walter wrote:
On 2022-01-12 16:46, Aurelien Jarno wrote:
> On 2022-01-12 16:14, Wolfgang Walter wrote:
> > Package: libc6
> > Version: 2.33-2
> > Severity: important
> >
> > After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or VIA
> > Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
> > fails). Machines with VIA Nehemiah work fine.
>
> Could you please provide more details? At least the content of dmesg
> when it happens or ideally a core dump or a backtrace.

Not easy. These machines just boot into an initramfs (which is a very minimal Debian sid) from a USB stick, and nothing survives a reboot. /bin/sh points
to bash.

The system does not use systemd but sysv.

The login prompt is:

(none) login:


I cannot log into the machine; login also seems to be broken, it always says
"Login incorrect".

If I try to reboot by entering ctrl-alt-del the reboot fails with:

INIT: Switching to runlevel: 6
INIT: No inittab.d directory found
INIT: Sending processes configured via /etc/inittab the TERM signal
[ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
[ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
Give root password for maintenance
(or press Control-D to continue):

Thanks. This code corresponds to memset_sse2:

  14e607:       81 c3 69 95 04 00       add    $0x49569,%ebx
  14e60d:       03 1c 8b                add    (%ebx,%ecx,4),%ebx
  14e610:       01 ca                   add    %ecx,%edx
  14e612:       ff e3                   jmp    *%ebx
  14e614:       29 d9                   sub    %ebx,%ecx
  14e616:       8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
  14e61d:       8d 76 00                lea    0x0(%esi),%esi
  14e620:       0f 18 8a c0 03 00 00    prefetcht0 0x3c0(%edx)
  14e627:       0f 18 8a 80 03 00 00    prefetcht0 0x380(%edx)
  14e62e:       81 eb 80 00 00 00       sub    $0x80,%ebx
=>14e634:       66 0f 7f 02             movdqa %xmm0,(%edx)
  14e638:       66 0f 7f 42 10          movdqa %xmm0,0x10(%edx)
  14e63d:       66 0f 7f 42 20          movdqa %xmm0,0x20(%edx)
  14e642:       66 0f 7f 42 30          movdqa %xmm0,0x30(%edx)
  14e647:       66 0f 7f 42 40          movdqa %xmm0,0x40(%edx)

But I cannot login (Login incorrect). If I enter control-d instead, I get
"sulogin: cannot read /dev/tty1: Operation not permitted".

The very same USB stick boots just fine with non-VIA C7 / VIA Eden
processors.


I modified it a bit and set --autologin for one getty. This did not work; I
get a lot of things like

[   ......][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]

or

[ ........][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]


Now I tried getty -n -l /bin/dash. This worked.

If I try to start bash, bash crashes with a segmentation fault. I have no debugger and no debugging symbols in this image at the moment, only strace.

If I strace -f bash I get:

The last thing done is reading the first line of passwd, closing the file.
Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR,
si_addr=0x12d9000}

When I do a strace -f bash 2> /tmp/blub the last system call is uname(),
then again a SEGV_MAPERR.

When bash segfaults I get no log that it crashed in libc6.

ls, rm, mount etc. seem to work.

But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f"

Also ip link ls crashes, again in libc6, again at +158000 and with Code "0f 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42 70 71 c2 80 00 00 00 81 fb 80 00 00 00"

or ip addr ls

or less, perl, ssh, sshd, rsyslogd

The Code is not always the same, but <66> 0f 7f 42 seems to be, and so does the crash
in libc-2.33.so[xxxxx+158000].


The above crashes are in memset_sse2 or bzero_sse2; I do not have enough
details to confirm, but that's not that important.


Thanks a lot for those details, they definitely help to understand
things a bit better, although things are not fully clear yet.

memset_sse2 and bzero_sse2 are called only on an SSE2-capable CPU,
which is the case for the VIA C7, and that matches the fact that the crash is
a segmentation fault and not an illegal instruction. The addresses
seem to be correctly aligned as required by SSE2 instructions.

I do not (yet?) understand why upgrading from 2.32 to 2.33 causes such
an issue, as the code of those functions hasn't changed for years.

Regards,
Aurelien

Thanks a lot for your investigation.

Therefore I tried setting

export GLIBC_TUNABLES=glibc.cpu.hwcaps=-SSE2

And then I indeed can start bash, ip addr ls etc.

Is there a way to switch off SSE2 globally for a system?


Regards
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
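Added example, not part of this thread and not code from glibc or Debian: a small Python helper for reading the kernel "segfault at ... error N in OBJ[base+size]" lines quoted above without a debugger on the box. It computes the offset of ip from the reported mapping base (the number to feed to objdump or addr2line), decodes the x86 page-fault error code (bit 0 present/protection, bit 1 write, bit 2 user mode, bit 3 reserved bit, bit 4 instruction fetch), checks the 16-byte alignment that the movdqa stores in the disassembly above require, notes whether the fault address sits on a page boundary, and pulls the bracketed byte (the byte at ip) out of the Code: dump. The sample log is reconstructed from the messages above with the mail-wrapped lines joined; the 4 KiB page size and all function and field names are my assumptions.

```python
import re

# Constructed sample: the kernel lines quoted in this thread, re-joined onto
# single lines (the mail client wrapped them). Not captured fresh.
SAMPLE_LOG = """\
[  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
[  305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
[   ......][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]
[ ........][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages (x86)

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
CODE_RE = re.compile(r"Code:\s*(?P<bytes>.*)$")


def decode_error(err):
    """Decode the x86 page-fault error code the kernel prints as 'error N'."""
    return {
        "present": bool(err & 1),   # 0: page not present, 1: protection violation
        "write": bool(err & 2),     # 0: read access, 1: write access
        "user": bool(err & 4),      # 1: fault taken in user mode
        "rsvd": bool(err & 8),      # reserved bit set in a page-table entry
        "instr": bool(err & 16),    # instruction fetch
    }


def parse_segfault(line):
    """Parse one 'segfault at' line; return None if the line is something else."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, sp, base, size = (int(m.group(k), 16) for k in ("addr", "ip", "sp", "base", "size"))
    in_obj = base <= ip < base + size
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "obj": m.group("obj"),
        "addr": addr,
        "ip": ip,
        "sp": sp,
        "error": decode_error(int(m.group("err"))),
        "ip_in_obj": in_obj,
        "ip_offset": ip - base if in_obj else None,  # ip relative to the reported mapping base
        "addr_aligned16": addr % 16 == 0,            # movdqa needs a 16-byte aligned operand
        "addr_page_aligned": addr % PAGE_SIZE == 0,  # first byte of a page
    }


def parse_code(line):
    """Split a 'Code:' dump into bytes; the kernel brackets the byte at ip as <xx>."""
    m = CODE_RE.search(line)
    if m is None:
        return None
    raw, marked = [], None
    for i, tok in enumerate(m.group("bytes").split()):
        if tok.startswith("<") and tok.endswith(">"):
            marked = i
            tok = tok[1:-1]
        try:
            raw.append(int(tok, 16))
        except ValueError:
            return None  # e.g. "Code: Unable to access opcode bytes at ..."
    return {"bytes": raw, "ip_index": marked,
            "at_ip": raw[marked:marked + 4] if marked is not None else None}


def is_movdqa_store(b):
    """True if the bytes start with MOVDQA xmm -> m128 (opcode 66 0F 7F /r)."""
    return len(b) >= 3 and b[0] == 0x66 and b[1] == 0x0F and b[2] == 0x7F


def analyse(log):
    """Return one record per segfault line, attaching the Code: dump that follows it."""
    records = []
    for line in log.splitlines():
        rec = parse_segfault(line)
        if rec is not None:
            records.append(rec)
            continue
        if records and "code" not in records[-1]:
            code = parse_code(line)
            if code is not None:
                records[-1]["code"] = code
    return records


def describe(rec):
    """One-line human summary of a parsed record."""
    e = rec["error"]
    parts = [
        f'{rec["comm"]}[{rec["pid"]}]: {"write" if e["write"] else "read"} at {rec["addr"]:#x}',
        "protection violation" if e["present"] else "page not present",
        "user mode" if e["user"] else "kernel mode",
        (f'ip {rec["ip"]:#x} = {rec["obj"]}+{rec["ip_offset"]:#x}' if rec["ip_in_obj"]
         else f'ip {rec["ip"]:#x} outside {rec["obj"]}'),
        "fault addr 16-byte aligned" if rec["addr_aligned16"] else "fault addr misaligned for movdqa",
        "on a page boundary" if rec["addr_page_aligned"] else "",
    ]
    code = rec.get("code")
    if code is not None and code["at_ip"] is not None:
        parts.append("insn at ip: " + " ".join(f"{b:02x}" for b in code["at_ip"])
                     + (" (movdqa store)" if is_movdqa_store(code["at_ip"]) else ""))
    return "; ".join(p for p in parts if p)


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        print(describe(rec))
```

On the three lines from the thread this reports a user-mode write to a page that is not present, an ip inside libc at an offset that differs only in the last byte between processes, a 16-byte aligned fault address, and a fault address on a page boundary in every case. A page-aligned fault address on an aligned store means the store began on the first byte of an unmapped page, i.e. the fill ran off the end of a mapping; which caller asked for that fill is what the thread has not yet determined.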
