Bug#1003574: segfault in libc-2.33.so during i386 boot of QEMU VM
Am 2022-01-15 11:26, schrieb Aurelien Jarno:
> control: reopen -1
> control: merge 1003610 -1
> control: severity -1 serious
> control: found -1 glibc/2.33-1
> control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=28784
>
> On 2022-01-12 14:08, Christian Kastner wrote:
>> Hi Aurelien,
>>
>> thank you for the quick reply.
>>
>> On 2022-01-12 11:45, Aurelien Jarno wrote:
>>>> # Boot image. -enable-kvm assumes that this is being tested on amd64
>>>> # Optionally use -nographic for terminal output instead of GUI
>>>> $ qemu-system-i386 \
>>>>     -machine q35 \
>>>>     -enable-kvm \
>>>
>>> You might also want to try without -enable-kvm
>>
>> Indeed, this fixed the issue. So sorry for the noise. I was 120% sure
>> that I had tried that.
>
> My turn to be sorry, it appears to be a genuine issue on the GNU libc
> side, and changing the CPU definition in QEMU (either with -cpu or by
> disabling kvm) just hides the bug. I was not able to reproduce the issue
> as you need a non-Intel CPU to get the issue with the command line you
> provided. This bug also affects VIA C7 CPUs.
>
> I have reported the issue upstream and provided a patch, currently
> waiting for review.
>
> Regards,
> Aurelien

I built the libc6 deb-package for i386 with your patch applied. It fixes
the problem for VIA C7 and VIA Eden.

Thanks a lot for your help. I hope upstream will include this fix soon.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33
Am 2022-01-13 23:07, schrieb Aurelien Jarno:
> On 2022-01-13 14:20, Wolfgang Walter wrote:
>> Am 2022-01-12 16:46, schrieb Aurelien Jarno:
>>> On 2022-01-12 16:14, Wolfgang Walter wrote:
>>>> Package: libc6
>>>> Version: 2.33-2
>>>> Severity: important
>>>>
>>>> After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7
>>>> or VIA Eden show segfaults in libc (i.e. hostname fails to work, or
>>>> rebooting fails). Machines with VIA Nehemiah work fine.
>>>
>>> Could you please provide more details? At least the content of dmesg
>>> when it happens or ideally a core dump or a backtrace.
>>
>> Not easy. These machines just boot into an initramfs (which is a very
>> minimal debian sid) from a usb-stick and nothing survives a reboot.
>> /bin/sh points to bash. The system does not use systemd but sysv.
>>
>> The login prompt is:
>>
>> (none) login:
>>
>> I cannot log into the machine, login seems also to be broken, it
>> always says "login incorrect".
>>
>> If I try to reboot by entering ctrl-alt-del the reboot fails with:
>>
>> INIT: Switching to runlevel: 6
>> INIT: No inittab.d directory found
>> INIT: Sending processes configured via /etc/inittab the TERM signal
>> [ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
>> [ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
>> Give root password for maintenance
>> (or press Control-D to continue):
>
> Thanks.
>
> This code corresponds to memset_sse2:
>
>     14e607:  81 c3 69 95 04 00       add        $0x49569,%ebx
>     14e60d:  03 1c 8b                add        (%ebx,%ecx,4),%ebx
>     14e610:  01 ca                   add        %ecx,%edx
>     14e612:  ff e3                   jmp        *%ebx
>     14e614:  29 d9                   sub        %ebx,%ecx
>     14e616:  8d b4 26 00 00 00 00    lea        0x0(%esi,%eiz,1),%esi
>     14e61d:  8d 76 00                lea        0x0(%esi),%esi
>     14e620:  0f 18 8a c0 03 00 00    prefetcht0 0x3c0(%edx)
>     14e627:  0f 18 8a 80 03 00 00    prefetcht0 0x380(%edx)
>     14e62e:  81 eb 80 00 00 00       sub        $0x80,%ebx
>   =>14e634:  66 0f 7f 02             movdqa     %xmm0,(%edx)
>     14e638:  66 0f 7f 42 10          movdqa     %xmm0,0x10(%edx)
>     14e63d:  66 0f 7f 42 20          movdqa     %xmm0,0x20(%edx)
>     14e642:  66 0f 7f 42 30          movdqa     %xmm0,0x30(%edx)
>     14e647:  66 0f 7f 42 40          movdqa     %xmm0,0x40(%edx)
>
>> But I cannot login (Login incorrect). If I enter control-d instead, I
>> get "sulogin: cannot read /dev/tty1: Operation not permitted".
>>
>> The very same usb stick boots just fine with non-VIA C7 / VIA Eden
>> processors.
>>
>> I modified it a bit and set --autologin for one getty. This did not
>> work, I get a lot of things like
>>
>> [ ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]
>>
>> or
>>
>> [ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]
>>
>> Now I tried getty -n -l /bin/dash. This worked.
>>
>> If I try to start bash, bash crashes with a segmentation fault. I have
>> no debugger and no debugging symbols in this image at the moment, only
>> strace.
>>
>> If I strace -f bash I get: The last thing done is reading the first
>> line of passwd, closing the file. Then there is a SIGSEGV
>> {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x12d9000}
>>
>> When I do a strace -f bash 2> /tmp/blub the last system call is
>> uname(), then again a SEGV_MAPERR.
>>
>> When bash segfaults I get no log that it crashed in libc6.
>>
>> ls, rm, mount etc seem to work.
>>
>> But vim crashes in libc6, again at +158000 and with Code
>> "1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f"
>>
>> Also ip link ls crashes, again in libc6, again at +158000 and with Code
>> "0f 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42 70 71 c2 80 00 00 00 81 fb 80 00 00 00"
>>
>> or ip addr ls or less, perl, ssh, sshd, rsyslogd
>>
>> The Code is not always the same, but <66> 0f 7f 42 seems to be, and
>> the crash in libc-2.33.so[x+158000]
>
> The above crashes are in memset_sse2 or bzero_sse2, I do not have
> enough details to confirm, but that's not that important.
>
> Thanks a lot for those details, they definitely help to understand
> things a bit better, although things are not fully clear yet.
>
> The memset_sse2 and bzero_sse2 are called only on a SSE2 capable CPU,
> which is the case of the VIA C7, and that matches the fact the crash is
> a segmentation fault and not an illegal instruction. The addresses seem
> to be correctly aligned as required by S
Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33
Am 2022-01-12 16:46, schrieb Aurelien Jarno:
> On 2022-01-12 16:14, Wolfgang Walter wrote:
>> Package: libc6
>> Version: 2.33-2
>> Severity: important
>>
>> After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or
>> VIA Eden show segfaults in libc (i.e. hostname fails to work, or
>> rebooting fails). Machines with VIA Nehemiah work fine.
>
> Could you please provide more details? At least the content of dmesg
> when it happens or ideally a core dump or a backtrace.

Not easy. These machines just boot into an initramfs (which is a very
minimal debian sid) from a usb-stick and nothing survives a reboot.
/bin/sh points to bash. The system does not use systemd but sysv.

The login prompt is:

(none) login:

I cannot log into the machine, login seems also to be broken, it always
says "login incorrect".

If I try to reboot by entering ctrl-alt-del the reboot fails with:

INIT: Switching to runlevel: 6
INIT: No inittab.d directory found
INIT: Sending processes configured via /etc/inittab the TERM signal
[ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
[ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
Give root password for maintenance
(or press Control-D to continue):

But I cannot login (Login incorrect). If I enter control-d instead, I get
"sulogin: cannot read /dev/tty1: Operation not permitted".

The very same usb stick boots just fine with non-VIA C7 / VIA Eden
processors.

I modified it a bit and set --autologin for one getty. This did not work,
I get a lot of things like

[ ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]

or

[ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]

Now I tried getty -n -l /bin/dash. This worked.

If I try to start bash, bash crashes with a segmentation fault. I have no
debugger and no debugging symbols in this image at the moment, only
strace.

If I strace -f bash I get: The last thing done is reading the first line
of passwd, closing the file. Then there is a SIGSEGV
{si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x12d9000}

When I do a strace -f bash 2> /tmp/blub the last system call is uname(),
then again a SEGV_MAPERR.

When bash segfaults I get no log that it crashed in libc6.

ls, rm, mount etc seem to work.

But vim crashes in libc6, again at +158000 and with Code
"1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f"

Also ip link ls crashes, again in libc6, again at +158000 and with Code
"0f 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42 70 71 c2 80 00 00 00 81 fb 80 00 00 00"

or ip addr ls or less, perl, ssh, sshd, rsyslogd

The Code is not always the same, but <66> 0f 7f 42 seems to be, and the
crash in libc-2.33.so[x+158000]

> Thanks,
> Aurelien

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
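The kernel segfault lines quoted in the messages above carry enough to triage the crash without a debugger: the fault address, the instruction pointer, the start and length of the mapping that contains it, and the x86 page-fault error code. The following is an added worked example, not code from the bug report or from glibc, that decodes those lines: it computes the offset of ip inside the mapping, checks whether the fault address is page-aligned (a store running off the end of a mapped region into the next page), splits the error code into its bits (bit 0: page present, bit 1: write, bit 2: user mode), and cuts the "Code:" dump at the <xx> marker so the bytes of the faulting instruction can be matched against objdump output. The sample lines and the Code dump are copied from the thread with dmesg timestamps dropped. One caveat, stated as a comment in the code too: the kernel prints the start and size of the VMA containing ip, which is the executable mapping and not necessarily the ELF load base, so the offset 0x131634 obtained here sits 0x1d000 below the 0x14e634 address in the objdump listing above; that is consistent with the executable segment starting 0x1d000 into the image, and the p_vaddr of that segment has to be added to turn the kernel's offset into an objdump address.

```python
"""Decode x86 'segfault at ... ip ... sp ... error N in obj[base+size]' lines.

Added worked example for the thread above; it is not code from the bug
report or from glibc. The sample lines are the three kernel messages quoted
in the thread (dmesg timestamps dropped); the "Code:" dump is the one from
the rc[1235] crash.
"""
import re

# Kernel log lines copied from the thread above (timestamps dropped).
SAMPLE_LINES = [
    "rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 "
    "in libc-2.33.so[b7d8e000+158000]",
    "login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 "
    "in libc-2.33.so[b7d84000+158000]",
    "sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 "
    "in libc-2.33.so[b7cd2000+158000]",
]

# "Code:" dump from the first crash above; <xx> marks the byte at ip.
SAMPLE_CODE = (
    "95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 "
    "0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 "
    "66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f"
)

SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

PAGE = 0x1000


def decode_error(err):
    """Split the x86 page-fault error code into the three bits that matter here."""
    return {
        "present": bool(err & 1),  # False: page not mapped; True: protection violation
        "write": bool(err & 2),
        "user": bool(err & 4),
    }


def parse_segfault(line):
    """Parse one kernel segfault line into numbers a reader can act on."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not a segfault line: %r" % line)
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    addr = int(m["addr"], 16)
    return {
        "comm": m["comm"],
        "obj": m["obj"],
        "fault_addr": addr,
        # A page-aligned fault address on a store means the access ran off
        # the end of a mapped region into the next, unmapped page.
        "fault_addr_page_aligned": addr % PAGE == 0,
        # Offset of ip within the mapping the kernel named. The kernel prints
        # the start and length of the VMA containing ip (the executable
        # mapping), not necessarily the ELF load base; to get an objdump
        # address add the p_vaddr of that segment (0x1d000 for the numbers
        # in this thread).
        "ip_offset": ip - base,
        "ip_in_mapping": base <= ip < base + size,
        "error": decode_error(int(m["err"])),
    }


def split_code_dump(code):
    """Split a 'Code:' dump into (bytes before ip, bytes starting at ip)."""
    m = re.fullmatch(r"\s*(.*?)<([0-9a-f]{2})>(.*?)\s*", code)
    if m is None:
        raise ValueError("no <xx> marker in Code dump")
    before, at_ip, after = m.groups()
    to_bytes = lambda s: bytes(int(b, 16) for b in s.split())
    return to_bytes(before), bytes([int(at_ip, 16)]) + to_bytes(after)


def offset_window(lines):
    """Smallest and largest ip offset across several crash lines."""
    offsets = [parse_segfault(l)["ip_offset"] for l in lines]
    return min(offsets), max(offsets)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_segfault(line)
        print("%-6s ip at +0x%x in %s, fault addr 0x%x%s, %s fault" % (
            r["comm"], r["ip_offset"], r["obj"], r["fault_addr"],
            " (page aligned)" if r["fault_addr_page_aligned"] else "",
            "write" if r["error"]["write"] else "read"))
    _, at_ip = split_code_dump(SAMPLE_CODE)
    print("bytes at ip:", at_ip[:4].hex())
    print("ip offsets span 0x%x..0x%x" % offset_window(SAMPLE_LINES))
```

Run stand-alone it reports that all three crashes are user-mode write faults on a not-present, page-aligned address, that ip lies within a 0x22-byte window of the same libc mapping in each case, and that the bytes at ip are 66 0f 7f 02, the movdqa %xmm0,(%edx) store in the listing above. That is the same conclusion the thread reaches by hand, with the error-code decoding made explicit.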
Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33
Package: libc6
Version: 2.33-2
Severity: important

After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or VIA
Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
fails). Machines with VIA Nehemiah work fine.

I tested again starting with an older version of sid, upgrading all
packages but libc6 (pinned to 2.32) (some other packages could not be
updated because they already depend on 2.33). This works fine.

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts