NetBSD Problem Report #50932
From martin@duskware.de Thu Mar 10 11:59:20 2016
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5D8D77ABE3
for <gnats-bugs@gnats.NetBSD.org>; Thu, 10 Mar 2016 11:59:20 +0000 (UTC)
Message-Id: <20160310115839.A0D4EED0E4F@emmas.aprisoft.de>
Date: Thu, 10 Mar 2016 12:58:39 CET
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: compiler changes broke rump
X-Send-Pr-Version: 3.95
>Number: 50932
>Category: toolchain
>Synopsis: compiler changes broke rump
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: toolchain-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 10 12:00:00 +0000 2016
>Closed-Date: Wed Jun 22 15:18:21 +0000 2016
>Last-Modified: Wed Jun 22 15:18:21 +0000 2016
>Originator: Martin Husemann
>Release: NetBSD 7.99.26
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD night-owl.duskware.de 7.99.26 NetBSD 7.99.26 (NIGHT-OWL) #391: Thu Feb 25 11:24:27 CET 2016 martin@night-owl.duskware.de:/usr/src/sys/arch/amd64/compile/NIGHT-OWL amd64
Architecture: x86_64
Machine: amd64
>Description:
Recent compiler changes to deal with copy relocations for hidden symbols
broke link sets in rump.
Here is gdb output from a working binary:
0x7f7ff68769fa <sysctl_init+28>: callq 0x7f7ff6835e70 <rumpns_sysctl_basenode_init@plt>
0x7f7ff68769ff <sysctl_init+33>: lea 0x264ada(%rip),%rbp # 0x7f7ff6adb4e0
0x7f7ff6876a06 <sysctl_init+40>: lea 0x264a9b(%rip),%rbx # 0x7f7ff6adb4a8
0x7f7ff6876a0d <sysctl_init+47>: cmp %rbp,%rbx
0x7f7ff6876a10 <sysctl_init+50>: jae 0x7f7ff6876a1f <sysctl_init+65>
=> 0x7f7ff6876a12 <sysctl_init+52>: xor %edi,%edi
0x7f7ff6876a14 <sysctl_init+54>: callq *(%rbx)
0x7f7ff6876a16 <sysctl_init+56>: add $0x8,%rbx
0x7f7ff6876a1a <sysctl_init+60>: cmp %rbp,%rbx
0x7f7ff6876a1d <sysctl_init+63>: jb 0x7f7ff6876a12 <sysctl_init+52>
0x7f7ff6876a1f <sysctl_init+65>: xor %edx,%edx
0x7f7ff6876a21 <sysctl_init+67>: mov $0x2,%esi
as you can see it iterates function pointers from 0x7f7ff6adb4e0 to
0x7f7ff6adb4a8 and calls each of them.
Now the same for a broken binary:
0x7f7ff68755e7 <sysctl_init+9>: callq 0x7f7ff68336a0 <rumpns_rw_init@plt>
0x7f7ff68755ec <sysctl_init+14>: mov 0x25c2cd(%rip),%rax # 0x7f7ff6ad18c0
0x7f7ff68755f3 <sysctl_init+21>: movl $0x400,0x4(%rax)
0x7f7ff68755fa <sysctl_init+28>: callq 0x7f7ff68349b0 <rumpns_sysctl_basenode_init@plt>
0x7f7ff68755ff <sysctl_init+33>: mov 0x25bb32(%rip),%rbp # 0x7f7ff6ad1138
0x7f7ff6875606 <sysctl_init+40>: lea 0x26575b(%rip),%rbx # 0x7f7ff6adad68
0x7f7ff687560d <sysctl_init+47>: cmp %rbp,%rbx
0x7f7ff6875610 <sysctl_init+50>: jae 0x7f7ff687561f <sysctl_init+65>
0x7f7ff6875612 <sysctl_init+52>: xor %edi,%edi
0x7f7ff6875614 <sysctl_init+54>: callq *(%rbx)
=> 0x7f7ff6875616 <sysctl_init+56>: add $0x8,%rbx
0x7f7ff687561a <sysctl_init+60>: cmp %rbp,%rbx
0x7f7ff687561d <sysctl_init+63>: jb 0x7f7ff6875612 <sysctl_init+52>
here it iterates pointers from 0x7f7ff6ad1138 to 0x7f7ff6adad68 and thus
overruns the end of the link set, resulting in a crash when jumping to
something that is not a function but some arbitrary data.
>How-To-Repeat:
cd /usr/tests/includes/sys
gdb ./t_socket
run sock_cloexec
>Fix:
n/a
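The link set walk shown in the PR's disassembly, as an added example that is not part of the PR, of rump, or of NetBSD's own headers: a minimal link set in the style of the <sys/cdefs_elf.h> macros, with a bounds sanity check before the loop. The section name link_set_demo_init, the DEMO_LINK_SET_ADD macro and the demo_* functions are constructed for this example; it assumes a GNU ld or lld toolchain that emits __start_/__stop_ symbols for sections whose names are valid C identifiers.

```c
/* Constructed example: a link set like NetBSD's __link_set_* macros,
 * iterated between the linker-provided __start_/__stop_ symbols. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef void (*init_fn)(void);

/* One pointer per entry in section "link_set_demo_init"; the linker
 * concatenates all entries and delimits them with __start_/__stop_. */
#define DEMO_LINK_SET_ADD(fn) \
    static init_fn link_set_entry_##fn \
        __attribute__((section("link_set_demo_init"), used)) = fn

extern init_fn __start_link_set_demo_init[];
extern init_fn __stop_link_set_demo_init[];

static int calls;                       /* records which entries ran */
static void init_a(void) { calls += 1; }
static void init_b(void) { calls += 10; }
DEMO_LINK_SET_ADD(init_a);
DEMO_LINK_SET_ADD(init_b);

/* Returns the entry count, or -1 if the bounds are reversed or not a
 * whole number of pointers. This catches a swapped or misaligned pair
 * but not an end symbol that resolved to an unrelated address, which
 * is the failure the PR describes; that needs the toolchain fix. */
ptrdiff_t demo_link_set_check(const init_fn *start, const init_fn *stop)
{
    uintptr_t s = (uintptr_t)start, e = (uintptr_t)stop;
    if (e < s || (e - s) % sizeof(init_fn) != 0)
        return -1;
    return (ptrdiff_t)((e - s) / sizeof(init_fn));
}

/* Walks the set like __link_set_foreach(); returns the number of
 * functions called, or -1 when the bounds fail the check. */
int demo_run_link_set(void)
{
    ptrdiff_t n = demo_link_set_check(__start_link_set_demo_init,
                                      __stop_link_set_demo_init);
    if (n < 0)
        return -1;
    for (init_fn *p = __start_link_set_demo_init;
         p < __stop_link_set_demo_init; p++)
        (*p)();
    return (int)n;
}

int demo_calls_total(void) { return calls; }

int main(void)
{
    printf("ran %d entries, calls=%d\n", demo_run_link_set(), calls);
    return 0;
}
```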
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Wed, 22 Jun 2016 15:18:21 +0000
State-Changed-Why:
This has been fixed
>Unformatted:
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.