Bug#1003610: libc6 crashes with VIA C7 and VIA Eden processors starting with 2.33
On 2022-01-13 14:20, Wolfgang Walter wrote:
> Am 2022-01-12 16:46, schrieb Aurelien Jarno:
> > On 2022-01-12 16:14, Wolfgang Walter wrote:
> > > Package: libc6
> > > Version: 2.33-2
> > > Severity: important
> > >
> > > After upgrading from libc6 2.32 to 2.33 all machines with a VIA C7 or
> > > VIA Eden show segfaults in libc (i.e. hostname fails to work, or
> > > rebooting fails). Machines with VIA Nehemiah work fine.
> >
> > Could you please provide more details? At least the content of dmesg
> > when it happens or ideally a core dump or a backtrace.
>
> Not easy. These machines just boot into an initramfs (which is a very minimal
> debian sid) from a USB stick and nothing survives a reboot. /bin/sh points
> to bash.
>
> The system does not use systemd but sysv.
>
> The login prompt is:
>
> (none) login:
>
>
> I cannot log into the machine, login also seems to be broken, it always says
> "login incorrect".
>
> If I try to reboot by entering ctrl-alt-del the reboot fails with:
>
> INIT: Switching to runlevel: 6
> INIT: No inittab.d directory found
> INIT: Sending processes configured via /etc/inittab the TERM signal
> [ 305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 sp bfb5ce78
> error 6 in libc-2.33.so[b7d8e000+158000]
> [ 305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00
> 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00
> 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f
> Give root password for maintenance
> (or press Control-D to continue):
Thanks. This code corresponds to memset_sse2:
14e607: 81 c3 69 95 04 00 add $0x49569,%ebx
14e60d: 03 1c 8b add (%ebx,%ecx,4),%ebx
14e610: 01 ca add %ecx,%edx
14e612: ff e3 jmp *%ebx
14e614: 29 d9 sub %ebx,%ecx
14e616: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
14e61d: 8d 76 00 lea 0x0(%esi),%esi
14e620: 0f 18 8a c0 03 00 00 prefetcht0 0x3c0(%edx)
14e627: 0f 18 8a 80 03 00 00 prefetcht0 0x380(%edx)
14e62e: 81 eb 80 00 00 00 sub $0x80,%ebx
=>14e634: 66 0f 7f 02 movdqa %xmm0,(%edx)
14e638: 66 0f 7f 42 10 movdqa %xmm0,0x10(%edx)
14e63d: 66 0f 7f 42 20 movdqa %xmm0,0x20(%edx)
14e642: 66 0f 7f 42 30 movdqa %xmm0,0x30(%edx)
14e647: 66 0f 7f 42 40 movdqa %xmm0,0x40(%edx)
> But I cannot login (Login incorrect). If I enter control-d instead, I get
> "sulogin: cannot read /dev/tty1: Operation not permitted".
>
> The very same usb stick boots just fine with non VIA 7 / VIA Eden
> processors.
>
>
> I modified it a bit and set --autologin for one getty. This did not work, I
> get a lot of things like
>
> [ ......][ T1231] login[1231]: segfault at bfd3d000 ip b7eb5656 sp
> bfd36978 error 6 in libc-2.33.so[b7d84000+158000]
>
> or
>
> [ ........][ T1241] sh[1241]: segfault at 12ac000 ip b7e03638 sp bff99ff8
> error 6 in libc-2.33.so[b7cd2000+158000]
>
>
> Now I tried getty -n -l /bin/dash. This worked.
>
> If I try to start bash, bash crashes with a segmentation fault. I have no
> debugger and no debugging symbols in this image at the moment, only strace
>
> If I strace -f bash I get:
>
> The last thing done is reading the first line of passwd, closing the file.
> Then there is a SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR,
> si_addr=0x12d9000}
>
> When I do a strace -f bash 2> /tmp/blub the last system call is uname(),
> then again a SEGV_MAPERR
>
> When bash segfaults I get no log that it crashed in libc6.
>
> ls, rm, mount etc seem to work.
>
> But vim crashes in libc6, again at +158000 and with Code "1c 8b 01 ca ff e3
> 29 d9 8d b4 26 00 00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00
> 00 81 eb 80 00 00 00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42
> 30 66 0f"
>
> Also ip link ls crashes, again in libc6, again at +158000 and with Code "0f
> 18 8a 80 03 00 00 81 eb 80 00 00 00 00 66 0f 7f 02 66 0f 7f 42 10 66 0f 7f
> 42 20 66 0f 7f 42 30 66 0f 7f 42 40 66 0f 7f 42 50 <66> 0f 7f 02 66 0f 7f 42
> 70 71 c2 80 00 00 00 81 fb 80 00 00 00"
>
> or ip addr ls
>
> or less, perl, ssh, sshd, rsyslogd
>
> The Code is not always the same, but <66> 0f 7f 42 seems to be and the crash
> in libc-2.33.so[xxxxx+158000]
>
The above crashes are in memset_sse2 or bzero_sse2, I do not have enough
details to confirm, but that's not that important.
Thanks a lot for those details, they definitely help to understand
things a bit better, although things are not fully clear yet.
The memset_sse2 and bzero_sse2 are called only on an SSE2-capable CPU,
which is the case for the VIA C7, and that matches the fact that the crash is
a segmentation fault and not an illegal instruction. The addresses
seem to be correctly aligned as required by SSE2 instructions.
I do not (yet?) understand why upgrading from 2.32 to 2.33 causes such
an issue, as the code of those functions hasn't changed for years.
Regards,
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://www.aurel32.net
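As an added example (not part of the bug thread or of glibc), the following Python script parses the two kinds of kernel lines quoted above: the "segfault at ... error N in OBJ[BASE+SIZE]" line and the "Code: ..." byte dump. It decodes the x86 page-fault error code bits (1 = page present, 2 = write, 4 = user mode, 8 = reserved bit, 16 = instruction fetch), computes where ip falls inside the reported mapping, checks whether the fault address is page-aligned, and splits the opcode dump at the `<xx>` marker so the faulting instruction bytes can be read off. The sample lines are the ones from the report, rejoined onto single lines; the regular expression assumes the wording the kernel printed there, and PAGE_SIZE = 4096 assumes the i386 configuration the report describes.

```python
import re

# x86 page-fault error-code bits as printed after "error" (arch/x86 X86_PF_*).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

# Assumed: 4 KiB pages, as on the i386 machines in the report.
PAGE_SIZE = 4096

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(err):
    """Translate the numeric error code into the cause of the fault."""
    return {
        "present": bool(err & PF_PROT),    # False: no page mapped at all
        "write": bool(err & PF_WRITE),     # True: the faulting access was a write
        "user": bool(err & PF_USER),       # True: raised from user mode
        "reserved": bool(err & PF_RSVD),
        "instr_fetch": bool(err & PF_INSTR),
    }


def parse_segfault(line):
    """Parse one 'segfault at' line; returns None if the line is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "addr": addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "error": decode_error(int(m["err"])),
        "object": m["obj"],
        "ip_in_mapping": base <= ip < base + size,
        # Offset of ip inside the mapping the kernel reported. The kernel prints
        # the start of the VMA containing ip, so add that VMA's file offset
        # (from /proc/PID/maps) before looking the address up in the binary.
        "mapping_offset": ip - base,
        # A page-aligned fault address is the first byte of an unmapped page,
        # consistent with an access that ran off the end of a mapped region.
        "addr_page_aligned": addr % PAGE_SIZE == 0,
    }


def parse_code(line):
    """Split the 'Code:' dump into bytes before ip and bytes from ip onwards."""
    m = re.search(r"Code:\s*(.*)$", line)
    if m is None:
        return None
    before, at_and_after = [], []
    seen_marker = False
    for tok in m.group(1).split():
        if tok.startswith("<") and tok.endswith(">"):   # <xx> marks the byte at ip
            seen_marker = True
            tok = tok[1:-1]
        (at_and_after if seen_marker else before).append(int(tok, 16))
    return bytes(before), bytes(at_and_after)


def summarize(segfault_line, code_line):
    """Combine both kernel lines into one human-readable fault description."""
    info = parse_segfault(segfault_line)
    before, at = parse_code(code_line)
    err = info["error"]
    access = "write" if err["write"] else "read"
    mode = "user" if err["user"] else "kernel"
    page = "present (protection fault)" if err["present"] else "not present (unmapped)"
    info["faulting_bytes"] = at
    info["description"] = (
        f"{info['comm']}[{info['pid']}]: {mode}-mode {access} to {info['addr']:#x}, "
        f"page {page}; ip {info['ip']:#x} = {info['object']} mapping base + "
        f"{info['mapping_offset']:#x}; bytes at ip: {at[:4].hex(' ')}"
    )
    return info


# Sample input: the two kernel lines from the report above, rejoined onto one line each.
SAMPLE_SEGFAULT = ("[  305.550677][ T1235] rc[1235]: segfault at 1c81000 ip b7ebf634 "
                   "sp bfb5ce78 error 6 in libc-2.33.so[b7d8e000+158000]")
SAMPLE_CODE = ("[  305.550791][ T1235] Code: 95 04 00 03 1c 8b 01 ca ff e3 29 d9 8d b4 26 00 "
               "00 00 00 8d 76 00 0f 18 8a c0 03 00 00 0f 18 8a 80 03 00 00 81 eb 80 00 00 "
               "00 <66> 0f 7f 02 66 0f 7f 42 10 66 0f 7f 42 20 66 0f 7f 42 30 66 0f 7f")

if __name__ == "__main__":
    print(summarize(SAMPLE_SEGFAULT, SAMPLE_CODE)["description"])
```

Run against the first crash in the report, the script reports a user-mode write to a not-present, page-aligned address, with the bytes at ip beginning 66 0f 7f 02, the movdqa %xmm0,(%edx) store that the disassembly above marks with =>. The mapping offset it prints is relative to the VMA the kernel named, not to the start of the file; for a libc with several loaded segments you need the file offset of that VMA (from a /proc/PID/maps dump taken on the affected machine) before objdump or addr2line on the matching debug symbols will give the function name.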