Re: qemu-i386 crash on signal handler return

2022-10-02 Thread Tavis Ormandy
On 2022-10-02, Peter Maydell wrote:
> On Sun, 2 Oct 2022 at 04:41, Tavis Ormandy  wrote:
>> Hello, I'm trying to use qemu-i386 on aarch64 to run an old binary and
>> running into a crash.
>
> 5.2 is a couple of years old now -- does the same bug still repro on
> 7.1 or head-of-git ?
>

Oops, you're right - I'm not usually a Debian user and thought I was
using backports, and apparently I messed that up. Fixing that and the
minimized testcase works.

Unfortunately my binary still doesn't work, but fails in a different
way! I'll try to minimize that one instead.

Tavis.

-- 
 _o)$ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger tav...@sdf.org
_\_V _( ) _( )  @taviso




Re: qemu-i386 crash on signal handler return

2022-10-02 Thread Peter Maydell
On Sun, 2 Oct 2022 at 04:41, Tavis Ormandy  wrote:
> Hello, I'm trying to use qemu-i386 on aarch64 to run an old binary and
> running into a crash.
>
> I've minimized it down to %esp getting corrupted after return from a
> signal handler, but this seems so trivial that I must be doing
> something wrong?
>
> Here is a minimal reproducer:
>
> https://lock.cmpxchg8b.com/files/repro.s
>
> To compile it on an x86_64 machine:
>
> $ as --32 repro.s -o repro.o
> $ ld -melf_i386 repro.o -o repro
>
> # It runs totally fine on i386/x86_64:
>
> $ strace ./repro
> [ Process PID=1848 runs in 32 bit mode. ]
> sigaction(SIGALRM, {sa_handler=0x8049001, sa_mask=[],
> sa_flags=SA_INTERRUPT|SA_NODEFER|SA_RESETHAND}, NULL) = 0
> alarm(1)= 0
> pause() = ? ERESTARTNOHAND (To be restarted if no handler)
> --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
> sigreturn({mask=[]})= -1 EINTR (Interrupted system call)
> exit(0) = ?
> +++ exited with 0 +++
>
> Now trying the same binary on aarch64:
> $ qemu-i386 -version
> qemu-i386 version 5.2.0 (Debian 1:5.2+dfsg-11+deb11u2)

5.2 is a couple of years old now -- does the same bug still repro on
7.1 or head-of-git ?

thanks
-- PMM



qemu-i386 crash on signal handler return

2022-10-01 Thread Tavis Ormandy
Hello, I'm trying to use qemu-i386 on aarch64 to run an old binary and
running into a crash.

I've minimized it down to %esp getting corrupted after return from a
signal handler, but this seems so trivial that I must be doing
something wrong?

Here is a minimal reproducer:

https://lock.cmpxchg8b.com/files/repro.s

To compile it on an x86_64 machine:

$ as --32 repro.s -o repro.o
$ ld -melf_i386 repro.o -o repro

# It runs totally fine on i386/x86_64:

$ strace ./repro
[ Process PID=1848 runs in 32 bit mode. ]
sigaction(SIGALRM, {sa_handler=0x8049001, sa_mask=[],
sa_flags=SA_INTERRUPT|SA_NODEFER|SA_RESETHAND}, NULL) = 0
alarm(1)= 0
pause() = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
sigreturn({mask=[]})= -1 EINTR (Interrupted system call)
exit(0) = ?
+++ exited with 0 +++

Now trying the same binary on aarch64:
$ qemu-i386 -version
qemu-i386 version 5.2.0 (Debian 1:5.2+dfsg-11+deb11u2)
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
# qemu-i386 -d strace ./test
# qemu-i386 -d strace ./repro
29309 sigaction(14,134520832,0,0,0,0) = 0
29309 alarm(1) = 0
29309 pause(1,134520832,0,0,0,0) = -1 errno=4 (Interrupted system call)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL, si_pid=0, si_uid=0} ---
29309 sigreturn(1,134520832,0,0,0,0) = -1 errno=513 (Successful exit from sigreturn)
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0x4080025c} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

Does anyone have any hints about what I might be doing wrong?

Thanks, Tavis.

-- 
 _o)$ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger tav...@sdf.org
_\_V _( ) _( )  @taviso
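The assembly reproducer the original post links to is not reproduced here, so the following is an added C example, written for this page and not part of the thread or of QEMU, that checks the same property the report is about: whether the stack pointer and a stack-resident marker survive a SIGALRM delivered during pause() and the subsequent sigreturn. The function name stack_intact_after_signal, the read_sp helper and the 0xC0FFEE42 marker are constructed for this example; the timer is a 50 ms one-shot setitimer instead of the reproducer's alarm(1), and the sigaction flags mirror the SA_NODEFER|SA_RESETHAND seen in the strace output above.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Set by the handler so the caller can tell that pause() really was
 * interrupted by SIGALRM rather than by something else. */
static volatile sig_atomic_t handler_ran = 0;

static void on_alarm(int sig)
{
    (void)sig;
    handler_ran = 1;
}

/* Read the live stack pointer. The volatile asm keeps the compiler from
 * folding the before/after comparison away; other targets fall back to
 * the frame address, which is a weaker proxy. */
static uintptr_t read_sp(void)
{
    uintptr_t sp;
#if defined(__i386__)
    __asm__ volatile ("mov %%esp, %0" : "=r"(sp));
#elif defined(__x86_64__)
    __asm__ volatile ("mov %%rsp, %0" : "=r"(sp));
#elif defined(__aarch64__)
    __asm__ volatile ("mov %0, sp" : "=r"(sp));
#else
    sp = (uintptr_t)__builtin_frame_address(0);
#endif
    return sp;
}

/* Returns 1 when the stack pointer and a stack-resident marker survive a
 * SIGALRM delivered during pause(), 0 otherwise. A corrupted %esp after
 * sigreturn shows up either as a mismatch here or, as in the thread's
 * qemu-i386 strace, as a SIGSEGV right after sigreturn. */
int stack_intact_after_signal(void)
{
    struct sigaction sa;
    struct itimerval timer;
    volatile uintptr_t marker = 0xC0FFEE42u;   /* constructed stack marker */
    uintptr_t sp_before, sp_after;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER | SA_RESETHAND;   /* flags seen in the reproducer's strace */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return 0;

    /* One-shot timer, 50 ms, in place of the reproducer's alarm(1). */
    memset(&timer, 0, sizeof timer);
    timer.it_value.tv_usec = 50000;
    if (setitimer(ITIMER_REAL, &timer, NULL) != 0)
        return 0;

    handler_ran = 0;
    sp_before = read_sp();
    pause();                 /* returns -1/EINTR once the handler has run */
    sp_after = read_sp();

    return handler_ran && sp_before == sp_after && marker == 0xC0FFEE42u;
}

int main(void)
{
    int ok = stack_intact_after_signal();
    printf("stack %s after signal handler return\n", ok ? "intact" : "CORRUPTED");
    return ok ? 0 : 1;
}
```

To exercise the same path the report describes, build a static 32-bit binary on x86_64 (for example `gcc -m32 -O2 -static -o sigcheck sigcheck.c`) and run it natively and under `qemu-i386 -d strace ./sigcheck`; a static link avoids needing an i386 sysroot for the emulated run. On a working kernel or emulator the function returns 1; an emulator that mishandles sigreturn would either return 0 here or, more likely, fault at the return as the thread's strace shows.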