Bug#965091: glibc: setgroups: Bad address [2.31/x32, regression from 2.30]

[Thorsten Glaser <t.glaser@tarent.de>]

> So something clearly changed…

Compiler output, most probably. I cannot reproduce it. I tried:

	struct xid_command
	{
	  int syscall_no;
	  long int id[3];
	  volatile int cntr;
	  volatile int error; /* -1: no call yet, 0: success seen, >0: error seen.  */
	};

	extern void a_barrier(int *);

	# define REGISTERS_CLOBBERED_BY_SYSCALL "cc", "r11", "cx"

	/* NB: This also works when X is an array.  For an array X,  type of
	   (X) - (X) is ptrdiff_t, which is signed, since size of ptrdiff_t
	   == size of pointer, cast is a NOP.   */
	#define TYPEFY1(X) __typeof__ ((X) - (X))
	/* Explicit cast the argument.  */
	#define ARGIFY(X) ((TYPEFY1 (X)) (X))
	/* Create a variable 'name' based on type of variable 'X' to avoid
	   explicit types.  */
	#define TYPEFY(X, name) __typeof__ (ARGIFY (X)) name


	#undef INTERNAL_SYSCALL_NCS
	#define INTERNAL_SYSCALL_NCS(number, err, nr, args...)                  \
		internal_syscall##nr (number, err, args)

	#undef internal_syscall3
	#define internal_syscall3(number, err, arg1, arg2, arg3)                \
	({                                                                      \
	    unsigned long int resultvar;                                        \
	    TYPEFY (arg3, __arg3) = ARGIFY (arg3);                              \
	    TYPEFY (arg2, __arg2) = ARGIFY (arg2);                              \
	    TYPEFY (arg1, __arg1) = ARGIFY (arg1);                              \
	    register TYPEFY (arg3, _a3) asm ("rdx") = __arg3;                   \
	    register TYPEFY (arg2, _a2) asm ("rsi") = __arg2;                   \
	    register TYPEFY (arg1, _a1) asm ("rdi") = __arg1;                   \
	    asm volatile (                                                      \
	    "syscall\n\t"                                                       \
	    : "=a" (resultvar)                                                  \
	    : "0" (number), "r" (_a1), "r" (_a2), "r" (_a3)                     \
	    : "memory", REGISTERS_CLOBBERED_BY_SYSCALL);                        \
	    (long int) resultvar;                                               \
	})

	int
	foo(struct xid_command *cmdp)
	{
	  int result;
	  asm volatile ("xor rsi,rsi\n\txor rdi,rdi" : : : "rsi", "rdi");
	  result = INTERNAL_SYSCALL_NCS (cmdp->syscall_no, err, 3,
					 cmdp->id[0], cmdp->id[1], cmdp->id[2]);
	  a_barrier(&result);
	  return result;
	}


Save as x.c then:

x86_64-linux-gnux32-gcc-10 -c -std=gnu11 -fgnu89-inline  -pipe -O2 -g -Wall -Wwrite-strings -Wundef -Werror -fmerge-all-constants -frounding-math -fstack-protector-strong -Wstrict-prototypes -Wold-style-definition -fmath-errno   -fpie   -ftls-model=initial-exec -D_LIBC_REENTRANT -DPIC -S -masm=intel x.c -Wno-error

This doesn’t yield any “movsxd” in the output, like in glibc, though:

     b32:       67 48 63 73 08          movsxd rsi,DWORD PTR [ebx+0x8]
     b37:       67 48 63 7b 04          movsxd rdi,DWORD PTR [ebx+0x4]
     b3c:       67 48 63 53 0c          movsxd rdx,DWORD PTR [ebx+0xc]
     b41:       67 8b 03                mov    eax,DWORD PTR [ebx]
     b44:       0f 05                   syscall

(disassembly of pthread_create.o from libpthread.a 2.31)

I’m unsure whether this is a glibc or gcc issue… without a reproducer
I’m stuck.

I’ll have to downgrade to 2.30 for now, to keep the system ssh-in-able…

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg