Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33

2022-01-14 Thread Wolfgang Walter

Am 2022-01-13 23:07, schrieb Aurelien Jarno:

On 2022-01-13 14:20, Wolfgang Walter wrote:

Am 2022-01-12 16:46, schrieb Aurelien Jarno:
> On 2022-01-12 16:14, Wolfgang Walter wrote:
> > Package: libc6
> > Version: 2.33-2
> > Severity: important
> >
> > After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7
> > or VIA
> > Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
> > fails). Machines with VIA Nehemiah work fine.
>
> Could you please provide more details? At least the content of dmesg
> when it happens or ideally a core dump or a backtrace.

Not easy. These machines just boot into an initramfs (which is a very minimal Debian sid) from a USB stick and nothing survives a reboot. /bin/sh points to bash.

The system does not use systemd but sysv.

The login prompt is:

(none) login:


I cannot log into the machine; login also seems to be broken, it always says "login incorrect".

If I try to reboot by entering ctrl-alt-del the reboot fails with:

INIT: Switching to runlevel: 6
INIT: No inittab.d directory found
INIT: Sending processes configured via /etc/inittab the TERM signal
[  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
[  305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
Give root password for maintenance
(or press Control-D to continue):


Thanks. This code corresponds to memset_sse2:

  14e607:   81 c3 69 95 04 00       add    $0x49569,%ebx
  14e60d:   03 1c 8b                add    (%ebx,%ecx,4),%ebx
  14e610:   01 ca                   add    %ecx,%edx
  14e612:   ff e3                   jmp    *%ebx
  14e614:   29 d9                   sub    %ebx,%ecx
  14e616:   8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
  14e61d:   8d 76 00                lea    0x0(%esi),%esi
  14e620:   0f 18 8a c0 03 00 00    prefetcht0 0x3c0(%edx)
  14e627:   0f 18 8a 80 03 00 00    prefetcht0 0x380(%edx)
  14e62e:   81 eb 80 00 00 00       sub    $0x80,%ebx
=>14e634:   66 0f 7f 02             movdqa %xmm0,(%edx)
  14e638:   66 0f 7f 42 10          movdqa %xmm0,0x10(%edx)
  14e63d:   66 0f 7f 42 20          movdqa %xmm0,0x20(%edx)
  14e642:   66 0f 7f 42 30          movdqa %xmm0,0x30(%edx)
  14e647:   66 0f 7f 42 40          movdqa %xmm0,0x40(%edx)

But I cannot login (Login incorrect). If I enter control-d instead, I get "sulogin: cannot read /dev/tty1: Operation not permitted".

The very same usb stick boots just fine with non VIA 7 / VIA Eden
processors.


I modified it a bit and set --autologin for one getty. This did not work, I get a lot of things like

[   ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 error 6 in libc-2.33.so[b7d84000+158000]

or

[ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]


Now I tried getty -n -l /bin/dash. This worked.

If I try to start bash, bash crashes with a segmentation fault. I have no debugger and no debugging symbols in this image at the moment, only strace.


If I strace -f bash I get:

The last thing done is reading the first line of passwd, closing the file. Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x12d9000}

When I do a strace -f bash 2> /tmp/blub the last system call is uname(), then again a SEGV_MAPERR

When bash segfaults I get no log that it crashed in libc6.

ls, rm, mount etc seem to work.

But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f"

Also ip link ls crashes, again in libc6, again at +158000 and with Code "0f 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42 70 71 c2 80 00 00 00 81 fb 80 00 00 00"

or ip addr ls

or less, perl, ssh, sshd, rsyslogd

The Code is not always the same, but <66> 0f 7f 42 seems to be, and the crash is in libc-2.33.so[x+158000]



The above crashes are in memset_sse2 or bzero_sse2, I do not have enough details to confirm, but that's not that important.


Thanks a lot for those details, they definitely help to understand
things a bit better, although things are not fully clear yet.

The memset_sse2 and bzero_sse2 are called only on an SSE2-capable CPU,
which is the case for the VIA C7, and that matches the fact that the crash is
a segmentation fault and not an illegal instruction. The addresses
seem to be correctly aligned as required by SSE2 instructions.

I do not (yet?) understand why upgrading from 2.32 to 2.33 causes such
an issue, as the code of those functions 

Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33

2022-01-13 Thread Aurelien Jarno
On 2022-01-13 14:20, Wolfgang Walter wrote:
> Am 2022-01-12 16:46, schrieb Aurelien Jarno:
> > On 2022-01-12 16:14, Wolfgang Walter wrote:
> > > Package: libc6
> > > Version: 2.33-2
> > > Severity: important
> > > 
> > > After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7
> > > or VIA
> > > Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
> > > fails). Machines with VIA Nehemiah work fine.
> > 
> > Could you please provide more details? At least the content of dmesg
> > when it happens or ideally a core dump or a backtrace.
> 
> Not easy. These machines just boot into an initramfs (which is a very minimal
> Debian sid) from a USB stick and nothing survives a reboot. /bin/sh points
> to bash.
> 
> The system does not use systemd but sysv.
> 
> The login prompt is:
> 
> (none) login:
> 
> 
> I cannot log into the machine; login also seems to be broken, it always says
> "login incorrect".
> 
> If I try to reboot by entering ctrl-alt-del the reboot fails with:
> 
> INIT: Switching to runlevel: 6
> INIT: No inittab.d directory found
> INIT: Sending processes configured via /etc/inittab the TERM signal
> [  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78
> error 6 in libc-2.33.so[b7d8e000+158000]
> [  305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00
> 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00
> 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
> Give root password for maintenance
> (or press Control-D to continue):

Thanks. This code corresponds to memset_sse2:

  14e607:   81 c3 69 95 04 00       add    $0x49569,%ebx
  14e60d:   03 1c 8b                add    (%ebx,%ecx,4),%ebx
  14e610:   01 ca                   add    %ecx,%edx
  14e612:   ff e3                   jmp    *%ebx
  14e614:   29 d9                   sub    %ebx,%ecx
  14e616:   8d b4 26 00 00 00 00    lea    0x0(%esi,%eiz,1),%esi
  14e61d:   8d 76 00                lea    0x0(%esi),%esi
  14e620:   0f 18 8a c0 03 00 00    prefetcht0 0x3c0(%edx)
  14e627:   0f 18 8a 80 03 00 00    prefetcht0 0x380(%edx)
  14e62e:   81 eb 80 00 00 00       sub    $0x80,%ebx
=>14e634:   66 0f 7f 02             movdqa %xmm0,(%edx)
  14e638:   66 0f 7f 42 10          movdqa %xmm0,0x10(%edx)
  14e63d:   66 0f 7f 42 20          movdqa %xmm0,0x20(%edx)
  14e642:   66 0f 7f 42 30          movdqa %xmm0,0x30(%edx)
  14e647:   66 0f 7f 42 40          movdqa %xmm0,0x40(%edx)
 
> But I cannot login (Login incorrect). If I enter control-d instead, I get
> "sulogin: cannot read /dev/tty1: Operation not permitted".
> 
> The very same usb stick boots just fine with non VIA 7 / VIA Eden
> processors.
> 
> 
> I modified it a bit and set --autologin for one getty. This did not work, I
> get a lot of things like
> 
> [   ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp
> bfd36978 error 6 in libc-2.33.so[b7d84000+158000]
> 
> or
> 
> [ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8
> error 6 in libc-2.33.so[b7cd2000+158000]
> 
> 
> Now I tried  getty -n -l /bin/dash. This worked.
> 
> If I try to start bash, bash crashes with a segmentation fault. I have no
> debugger and no debugging symbols in this image at the moment, only strace
> 
> If I strace -f bash I get:
> 
> The last thing done is reading the first line of passwd, closing the file.
> Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR,
> si_addr=0x12d9000}
> 
> When I do a strace -f bash 2> /tmp/blub the last system call is uname(),
> then again a SEGV_MAPERR
> 
> When bash segfaults I get no log that it crashed in libc6.
> 
> ls, rm, mount  etc seem to work.
> 
> But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff e3
> 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00
> 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42
> 30 66 0f"
> 
> Also ip link ls crashes, again in libc6, again at +158000 and with Code "0f
> 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f
> 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42
> 70 71 c2 80 00 00 00 81 fb 80 00 00 00"
> 
> or ip addr ls
> 
> or less, perl, ssh, sshd, rsyslogd
> 
> The Code is not always the same, but <66> 0f 7f 42 seems to be and the crash
> in libc-2.33.so[x+158000]
> 

The above crashes are in memset_sse2 or bzero_sse2, I do not have enough
details to confirm, but that's not that important.


Thanks a lot for those details, they definitely help to understand
things a bit better, although things are not fully clear yet.

The memset_sse2 and bzero_sse2 are called only on an SSE2-capable CPU,
which is the case for the VIA C7, and that matches the fact that the crash is
a segmentation fault and not an illegal instruction. The addresses
seem to be correctly aligned as required by SSE2 instructions.

I do 
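The kernel lines quoted in this thread carry enough to check the reasoning above without a core dump. The following script is an added example, not something from the bug report or from glibc: it parses such "segfault at" lines, subtracts the mapping base the kernel printed so that crashes in different processes (with different ASLR layouts) become comparable, decodes the x86 page-fault error code ("error 6" is a user-mode write to a page that is not present, the same condition strace reported as SEGV_MAPERR), and checks the alignment of the faulting address. The 4 KiB page size is an assumption for i386; the sample lines are the three quoted in the report.

```python
"""Triage of x86 kernel 'segfault at ...' lines (added example, not from the bug
thread or glibc): strip the randomised mapping base so crashes in different
processes become comparable, decode the page-fault error code and check the
alignment of the faulting address."""
import re

# Format printed by the x86 kernel: comm[pid]: segfault at ADDR ip IP sp SP
# error ERR in OBJ[BASE+SIZE]; BASE/SIZE describe the VMA that contains IP.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

PAGE_SIZE = 4096  # assumption: i386 with 4 KiB pages, as on the VIA boxes


def decode_error_code(err):
    """Bits of the x86 page-fault error code as Linux prints it in 'error N'."""
    return {
        "protection_violation": bool(err & 0x1),  # False: page not present
        "write": bool(err & 0x2),                 # False: read
        "user_mode": bool(err & 0x4),
        "reserved_bit": bool(err & 0x8),
        "instruction_fetch": bool(err & 0x10),
    }


def parse_segfault_line(line):
    """Return a dict describing one kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip, base, size = (int(m.group(k), 16) for k in ("addr", "ip", "base", "size"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "obj": m.group("obj"),
        "fault_addr": addr,
        "ip": ip,
        "ip_in_mapping": base <= ip < base + size,
        # Offset of ip inside the r-x mapping: the same for every process that
        # crashes at the same instruction, whatever ASLR chose for the base.
        "ip_offset": ip - base,
        "error": decode_error_code(int(m.group("err"))),
        "addr_aligned_16": addr % 16 == 0,           # what movdqa needs
        "addr_page_aligned": addr % PAGE_SIZE == 0,  # first byte of a new page
    }


def summarize(rec):
    """One-line human-readable verdict for a parsed record."""
    e = rec["error"]
    kind = "protection violation" if e["protection_violation"] else "not-present page"
    access = "write" if e["write"] else "read"
    mode = "user" if e["user_mode"] else "kernel"
    if rec["addr_page_aligned"]:
        align = "page-aligned"
    elif rec["addr_aligned_16"]:
        align = "16-byte aligned"
    else:
        align = "unaligned"
    return (f"{rec['comm']}: {mode}-mode {access} to {kind} at 0x{rec['fault_addr']:x} "
            f"({align}) from {rec['obj']}+0x{rec['ip_offset']:x}")


def offset_spread(lines):
    """Per object: lowest and highest faulting ip offset and the programs involved.
    A small spread across unrelated programs points at one routine in the library."""
    per_obj = {}
    for line in lines:
        rec = parse_segfault_line(line)
        if rec is None or not rec["ip_in_mapping"]:
            continue
        entry = per_obj.setdefault(
            rec["obj"], {"min": rec["ip_offset"], "max": rec["ip_offset"], "comms": []})
        entry["min"] = min(entry["min"], rec["ip_offset"])
        entry["max"] = max(entry["max"], rec["ip_offset"])
        entry["comms"].append(rec["comm"])
    return per_obj


# The three kernel lines quoted in the bug report (dmesg prefixes as quoted there).
SAMPLE_LINES = [
    "[  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 "
    "error 6 in libc-2.33.so[b7d8e000+158000]",
    "[   ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp bfd36978 "
    "error 6 in libc-2.33.so[b7d84000+158000]",
    "[ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8 "
    "error 6 in libc-2.33.so[b7cd2000+158000]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(parse_segfault_line(line)))
    for obj, s in offset_spread(SAMPLE_LINES).items():
        print(f"{obj}: offsets 0x{s['min']:x}..0x{s['max']:x} "
              f"(spread {s['max'] - s['min']} bytes) in {', '.join(s['comms'])}")
```

Run on the three lines from the report it shows that rc, login and sh all crash within 0x22 bytes of each other inside libc-2.33.so, and that every faulting address is page-aligned: a 16-byte store that ran off the end of a mapping, not a misaligned access. The offset is relative to the start of the r-x mapping the kernel printed; to line it up with objdump output of the library, add that mapping's file offset (third column of /proc/PID/maps). Aurelien's disassembly shows 14e634 where the script prints 0x131634, a difference of 0x1d000 that is consistent with the executable segment not being the first one in the file; the low 12 bits agree.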

Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33

2022-01-13 Thread Wolfgang Walter

Am 2022-01-12 16:46, schrieb Aurelien Jarno:

On 2022-01-12 16:14, Wolfgang Walter wrote:

Package: libc6
Version: 2.33-2
Severity: important

After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or VIA Eden show segfaults in libc (i.e. hostname fails to work, or rebooting fails). Machines with VIA Nehemiah work fine.


Could you please provide more details? At least the content of dmesg
when it happens or ideally a core dump or a backtrace.


Not easy. These machines just boot into an initramfs (which is a very minimal Debian sid) from a USB stick and nothing survives a reboot. /bin/sh points to bash.


The system does not use systemd but sysv.

The login prompt is:

(none) login:


I cannot log into the machine; login also seems to be broken, it always says "login incorrect".


If I try to reboot by entering ctrl-alt-del the reboot fails with:

INIT: Switching to runlevel: 6
INIT: No inittab.d directory found
INIT: Sending processes configured via /etc/inittab the TERM signal
[  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]
[  305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f

Give root password for maintenance
(or press Control-D to continue):



But I cannot login (Login incorrect). If I enter control-d instead, I 
get "sulogin: cannot read /dev/tty1: Operation not permitted".


The very same usb stick boots just fine with non VIA 7 / VIA Eden 
processors.



I modified it a bit and set --autologin for one getty. This did not work, I get a lot of things like


[   ..][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp 
bfd36978 error 6 in libc-2.33.so[b7d84000+158000]


or

[ ][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp 
bff99ff8 error 6 in libc-2.33.so[b7cd2000+158000]



Now I tried getty -n -l /bin/dash. This worked.

If I try to start bash, bash crashes with a segmentation fault. I have 
no debugger and no debugging symbols in this image at the moment, only 
strace


If I strace -f bash I get:

The last thing done is reading the first line of passwd, closing the 
file. Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, 
si_addr=0x12d9000}


When I do a strace -f bash 2> /tmp/blub the last system call is uname(), then again a SEGV_MAPERR


When bash segfaults I get no log that it crashed in libc6.

ls, rm, mount etc seem to work.

But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff 
e3 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 
03 00 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 
66 0f 7f 42 30 66 0f"


Also ip link ls crashes, again in libc6, again at +158000 and with Code 
"0f 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 
0f 7f 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 
66 0f 7f 42 70 71 c2 80 00 00 00 81 fb 80 00 00 00"


or ip addr ls

or less, perl, ssh, sshd, rsyslogd

The Code is not always the same, but <66> 0f 7f 42 seems to be, and the crash is in libc-2.33.so[x+158000]




Thanks,
Aurelien


Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts



Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33

2022-01-12 Thread Aurelien Jarno
On 2022-01-12 16:14, Wolfgang Walter wrote:
> Package: libc6
> Version: 2.33-2
> Severity: important
> 
> After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or VIA
> Eden show segfaults in libc (i.e. hostname fails to work, or rebooting
> fails). Machines with VIA Nehemiah work fine.

Could you please provide more details? At least the content of dmesg
when it happens or ideally a core dump or a backtrace.

Thanks,
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33

2022-01-12 Thread Wolfgang Walter

Package: libc6
Version: 2.33-2
Severity: important

After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or 
VIA Eden show segfaults in libc (i.e. hostname fails to work, or 
rebooting fails). Machines with VIA Nehemiah work fine.


I tested again starting with an older version of sid, upgrading all packages but libc6 (pinned to 2.32) (some other packages could not be updated because they already depend on 2.33). This works fine.



Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts