Bug#1040981: klibc-utils: segfault executing armhf binaries under qemu-user
Dixi quod…
>My guess here is that it’s, as usual, the fault of qemu-user,
Strong evidence for that: doesn’t look like it even executes
one bit of klibc code:
$ qemu-arm-static -d cpu ./fstype --help
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault (core dumped)
And:
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/qemu-arm-static...
Downloading separate debug info for /usr/bin/qemu-arm-static...
Reading symbols from /home/tglase/.cache/debuginfod_client/5a14d0155c981c94a528d6468ded2c203f1e1908/debuginfo...
(gdb) r
Starting program: /usr/bin/qemu-arm-static ./fstype --help
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff7ff8700 (LWP 27273)]
Thread 1 "qemu-arm-static" received signal SIGSEGV, Segmentation fault.
0x00000000004c5cb6 in cpu_lduw_code (env=env@entry=0xcbed30, ptr=3670264) at ./include/qemu/bswap.h:329
Download failed: Invalid argument. Continuing without source file ./b/user-static/./include/qemu/bswap.h.
329 ./include/qemu/bswap.h: No such file or directory.
(gdb) bt
#0 0x00000000004c5cb6 in cpu_lduw_code (env=env@entry=0xcbed30, ptr=3670264) at ./include/qemu/bswap.h:329
#1 0x000000000045c9ac in translator_lduw_swap (do_swap=false, pc=<optimized out>, env=0xcbed30)
at ./include/exec/translator.h:178
#2 arm_lduw_code (sctlr_b=false, addr=<optimized out>, env=0xcbed30) at ../../target/arm/arm_ldst.h:44
#3 thumb_tr_translate_insn (dcbase=0x7fffffffdd50, cpu=<optimized out>) at ../../target/arm/translate.c:9054
#4 0x00000000004bc1e9 in translator_loop (ops=0xa7f180 <thumb_translator_ops>, db=db@entry=0x7fffffffdd50,
cpu=cpu@entry=0xcb6a60, tb=tb@entry=0x7fffe8000040 <code_gen_buffer+22>, max_insns=max_insns@entry=512)
at ../../accel/tcg/translator.c:103
#5 0x0000000000463eb3 in gen_intermediate_code (cpu=cpu@entry=0xcb6a60,
tb=tb@entry=0x7fffe8000040 <code_gen_buffer+22>, max_insns=max_insns@entry=512)
at ../../target/arm/translate.c:9283
#6 0x0000000000512d75 in tb_gen_code (cpu=cpu@entry=0xcb6a60, pc=3670264, cs_base=0, flags=1196288,
cflags=-16777216, cflags@entry=0) at ../../accel/tcg/translate-all.c:1744
#7 0x00000000004b4734 in tb_find (cf_mask=0, tb_exit=0, last_tb=0x0, cpu=0xcb6a60)
at ../../accel/tcg/cpu-exec.c:414
#8 cpu_exec (cpu=cpu@entry=0xcb6a60) at ../../accel/tcg/cpu-exec.c:770
#9 0x0000000000422608 in cpu_loop (env=env@entry=0xcbed30) at ../../linux-user/arm/cpu_loop.c:237
#10 0x0000000000402949 in main (argc=<optimized out>, argv=0x7fffffffe230, envp=<optimized out>)
at ../../linux-user/main.c:882
(gdb) info r
rax 0x40d94000 1087979520
rbx 0x7fffffffdd50 140737488346448
rcx 0xd9a728 14264104
rdx 0xc64d60 12995936
rsi 0x3800f8 3670264
rdi 0xcbed30 13364528
rbp 0x0 0x0
rsp 0x7fffffffdc48 0x7fffffffdc48
r8 0xc64d60 12995936
r9 0xc656e8 12998376
r10 0x0 0
r11 0x0 0
r12 0xcbed30 13364528
r13 0x0 0
r14 0x0 0
r15 0x7fffffffdd50 140737488346448
rip 0x4c5cb6 0x4c5cb6 <cpu_lduw_code+22>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) disas
Dump of assembler code for function cpu_lduw_code:
0x00000000004c5ca0 <+0>: mov QWORD PTR fs:0xffffffffffffff58,0x1
0x00000000004c5cad <+13>: mov esi,esi
0x00000000004c5caf <+15>: mov rax,QWORD PTR [rip+0x79efa2] # 0xc64c58 <guest_base>
=> 0x00000000004c5cb6 <+22>: movzx eax,WORD PTR [rax+rsi*1]
0x00000000004c5cba <+26>: mov QWORD PTR fs:0xffffffffffffff58,0x0
0x00000000004c5cc7 <+39>: ret
End of assembler dump.
The content of rax (guest_base) looks legit:
$ cat /proc/27269/maps
00400000-00401000 r--p 00000000 fd:00 2624234 /usr/bin/qemu-arm-static
00401000-0071e000 r-xp 00001000 fd:00 2624234 /usr/bin/qemu-arm-static
0071e000-00a53000 r--p 0031e000 fd:00 2624234 /usr/bin/qemu-arm-static
00a53000-00be8000 r--p 00652000 fd:00 2624234 /usr/bin/qemu-arm-static
00be8000-00c62000 rw-p 007e7000 fd:00 2624234 /usr/bin/qemu-arm-static
00c62000-00db7000 rw-p 00000000 00:00 0 [heap]
40d94000-40da4000 ---p 00000000 00:00 0
40da4000-40da5000 r--p 00000000 fd:00 2234167 /home/tglase/fstype
40da5000-40da6000 rw-p 00000000 fd:00 2234167 /home/tglase/fstype
40da6000-80d94000 ---p 00000000 00:00 0
80d94000-80d95000 ---p 00000000 00:00 0
80d95000-81595000 rw-p 00000000 00:00 0
81595000-140d84000 ---p 00000000 00:00 0
140d84000-140d85000 r--p 00000000 00:00 0
7fffe8000000-7fffeffff000 rwxp 00000000 00:00 0
7fffeffff000-7ffff0000000 ---p 00000000 00:00 0
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff7777000-7ffff77f8000 rw-p 00000000 00:00 0
7ffff77f8000-7ffff77f9000 ---p 00000000 00:00 0
7ffff77f9000-7ffff7ff9000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffd000 r--p 00000000 00:00 0 [vvar]
7ffff7ffd000-7ffff7fff000 r-xp 00000000 00:00 0 [vdso]
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
rax+rsi is 0x411140F8 though, which isn’t currently mapped readable,
so the ptr argument (rsi) doesn’t lie in usable memory or so.
Does this help?:
(gdb) frame 4
#4 0x00000000004bc1e9 in translator_loop (ops=0xa7f180 <thumb_translator_ops>, db=db@entry=0x7fffffffdd50,
cpu=cpu@entry=0xcb6a60, tb=tb@entry=0x7fffe8000040 <code_gen_buffer+22>, max_insns=max_insns@entry=512)
at ../../accel/tcg/translator.c:103
Download failed: Invalid argument. Continuing without source file ./b/user-static/../../accel/tcg/translator.c.
103 ../../accel/tcg/translator.c: No such file or directory.
(gdb) print *cpu
$2 = {parent_obj = {parent_obj = {class = 0xcab090, free = 0x615410 <g_free>, properties = 0xcab800, ref = 2,
parent = 0xcaf8f0}, id = 0x0, canonical_path = 0xd52700 "/machine/unattached/device[0]", realized = true,
pending_deleted_event = false, opts = 0x0, hotplugged = 0, allow_unplug_during_migration = false,
parent_bus = 0x0, gpios = {lh_first = 0x0}, clocks = {lh_first = 0x0}, child_bus = {lh_first = 0x0},
num_child_bus = 0, instance_id_alias = -1, alias_required_for_version = 0, reset = {count = 0,
hold_phase_pending = false, exit_phase_in_progress = false}}, nr_cores = 1, nr_threads = 1, thread = 0x0,
thread_id = 0, running = true, has_waiter = false, halt_cond = 0x0, thread_kicked = false, created = false,
stop = false, stopped = false, start_powered_off = false, unplug = false, crash_occurred = false,
exit_request = false, in_exclusive_context = false, cflags_next_tb = 4294967295, interrupt_request = 0,
singlestep_enabled = 0, icount_budget = 0, icount_extra = 0, random_seed = 0, jmp_env = {{__jmpbuf = {
13331040, -3916268391523349795, 13331040, 7528192, 14027408, 2, -3916268390873232675,
3916268883799247581}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}},
work_mutex = {lock = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0,
__elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>,
__align = 0}, initialized = true}, work_list = {sqh_first = 0x0, sqh_last = 0xcb6c30}, cpu_ases = 0x0,
num_ases = 0, as = 0x0, memory = 0x0, env_ptr = 0xcbed30, icount_decr_ptr = 0xcbed28, tb_jmp_cache = {
0x0 <repeats 4096 times>}, gdb_regs = 0xd4fe30, gdb_num_regs = 192, gdb_num_g_regs = 26, node = {
tqe_next = 0x0, tqe_circ = {tql_next = 0x0, tql_prev = 0xbe8010 <cpus>}}, breakpoints = {tqh_first = 0x0,
tqh_circ = {tql_next = 0x0, tql_prev = 0xcbec90}}, watchpoints = {tqh_first = 0x0, tqh_circ = {
tql_next = 0x0, tql_prev = 0xcbeca0}}, watchpoint_hit = 0x0, opaque = 0xd74700, mem_io_pc = 0,
kvm_fd = 0, kvm_state = 0x0, kvm_run = 0x0, trace_dstate_delayed = {0}, trace_dstate = {0}, plugin_mask = {
0}, cpu_index = 0, cluster_index = -1, halted = 0, can_do_io = 1, exception_index = -1, vcpu_dirty = false,
throttle_thread_scheduled = false, ignore_memory_transaction_failures = false, hax_vcpu = 0x0, hvf_fd = 0,
iommu_notifiers = 0x0}
(gdb) print *db
$3 = {tb = 0x7fffe8000040 <code_gen_buffer+22>, pc_first = 3670264, pc_next = 3670264, is_jmp = DISAS_NEXT,
num_insns = 1, max_insns = 512, singlestep_enabled = false}
(gdb) frame 9
#9 0x0000000000422608 in cpu_loop (env=env@entry=0xcbed30) at ../../linux-user/arm/cpu_loop.c:237
Download failed: Invalid argument. Continuing without source file ./b/user-static/../../linux-user/arm/cpu_loop.c.
237 ../../linux-user/arm/cpu_loop.c: No such file or directory.
(gdb) print *env
$4 = {regs = {0, 1082133305, 1082133314, 0, 0, 0, 0, 0, 0, 0, 71688, 0, 0, 1082132928, 0, 3670264}, xregs = {
0 <repeats 32 times>}, pc = 0, pstate = 0, aarch64 = 0, hflags = 1179648, uncached_cpsr = 16, spsr = 0,
banked_spsr = {0, 0, 0, 0, 0, 0, 0, 0}, banked_r13 = {0, 0, 0, 0, 0, 0, 0, 0}, banked_r14 = {0, 0, 0, 0, 0,
0, 0, 0}, usr_regs = {0, 0, 0, 0, 0}, fiq_regs = {0, 0, 0, 0, 0}, CF = 0, VF = 0, NF = 48, ZF = 1073741824,
QF = 0, GE = 0, thumb = 1, condexec_bits = 0, btype = 0, daif = 0, elr_el = {0, 0, 0, 0}, sp_el = {0, 0, 0,
0}, cp15 = {c0_cpuid = 1093648625, {{_unused_csselr0 = 0, csselr_ns = 0, _unused_csselr1 = 0,
csselr_s = 0}, csselr_el = {0, 0, 0, 0}}, {{_unused_sctlr = 0, sctlr_ns = 12910712, hsctlr = 0,
sctlr_s = 0}, sctlr_el = {0, 12910712, 0, 0}}, cpacr_el1 = 15728640, cptr_el = {0, 0, 0, 0},
c1_xscaleauxcr = 0, sder = 0, nsacr = 0, {{_unused_ttbr0_0 = 0, ttbr0_ns = 0, _unused_ttbr0_1 = 0,
ttbr0_s = 0}, ttbr0_el = {0, 0, 0, 0}}, {{_unused_ttbr1_0 = 0, ttbr1_ns = 0, _unused_ttbr1_1 = 0,
ttbr1_s = 0}, ttbr1_el = {0, 0, 0, 0}}, vttbr_el2 = 0, tcr_el = {{raw_tcr = 0, mask = 0,
base_mask = 0}, {raw_tcr = 0, mask = 0, base_mask = 4294950912}, {raw_tcr = 0, mask = 0,
base_mask = 0}, {raw_tcr = 0, mask = 0, base_mask = 0}}, vtcr_el2 = {raw_tcr = 0, mask = 0,
base_mask = 0}, c2_data = 0, c2_insn = 0, {{dacr_ns = 0, dacr_s = 0}, {dacr32_el2 = 0}},
pmsav5_data_ap = 0, pmsav5_insn_ap = 0, hcr_el2 = 0, scr_el3 = 0, {{ifsr_ns = 0, ifsr_s = 0}, {
ifsr32_el2 = 0}}, {{_unused_dfsr = 0, dfsr_ns = 0, hsr = 0, dfsr_s = 0}, esr_el = {0, 0, 0, 0}},
c6_region = {0, 0, 0, 0, 0, 0, 0, 0}, {{_unused_far0 = 0, dfar_ns = 0, ifar_ns = 0, dfar_s = 0, ifar_s = 0,
_unused_far3 = 0}, far_el = {0, 0, 0, 0}}, hpfar_el2 = 0, hstr_el2 = 0, {{_unused_par_0 = 0,
par_ns = 0, _unused_par_1 = 0, par_s = 0}, par_el = {0, 0, 0, 0}}, c9_insn = 0, c9_data = 0,
c9_pmcr = 1090527296, c9_pmcnten = 0, c9_pmovsr = 0, c9_pmuserenr = 0, c9_pmselr = 0, c9_pminten = 0, {{
_unused_mair_0 = 0, mair0_ns = 0, mair1_ns = 0, _unused_mair_1 = 0, mair0_s = 0, mair1_s = 0},
mair_el = {0, 0, 0, 0}}, {{_unused_vbar = 0, vbar_ns = 0, hvbar = 0, vbar_s = 0}, vbar_el = {0, 0, 0,
0}}, mvbar = 0, {fcseidr_ns = 0, fcseidr_s = 0}, {{_unused_contextidr_0 = 0, contextidr_ns = 0,
_unused_contextidr_1 = 0, contextidr_s = 0}, contextidr_el = {0, 0, 0, 0}}, {{tpidrurw_ns = 0,
tpidrprw_ns = 0, htpidr = 0, _tpidr_el3 = 0}, tpidr_el = {0, 0, 0, 0}}, tpidrurw_s = 0, tpidrprw_s = 0,
tpidruro_s = 0, {tpidruro_ns = 0, tpidrro_el = {0}}, c14_cntfrq = 62500000, c14_cntkctl = 0,
cnthctl_el2 = 0, cntvoff_el2 = 0, c14_timer = {{cval = 0, ctl = 0}, {cval = 0, ctl = 0}, {cval = 0,
ctl = 0}, {cval = 0, ctl = 0}, {cval = 0, ctl = 0}}, c15_cpar = 0, c15_ticonfig = 0, c15_i_max = 0,
c15_i_min = 0, c15_threadid = 0, c15_config_base_address = 0, c15_diagnostic = 0, c15_power_diagnostic = 0,
c15_power_control = 0, dbgbvr = {0 <repeats 16 times>}, dbgbcr = {0 <repeats 16 times>}, dbgwvr = {
0 <repeats 16 times>}, dbgwcr = {0 <repeats 16 times>}, mdscr_el1 = 0, oslsr_el1 = 10, mdcr_el2 = 0,
mdcr_el3 = 0, c15_ccnt = 0, c15_ccnt_delta = 0, c14_pmevcntr = {0 <repeats 31 times>},
c14_pmevcntr_delta = {0 <repeats 31 times>}, c14_pmevtyper = {0 <repeats 31 times>}, pmccfiltr_el0 = 0,
--Type <RET> for more, q to quit, c to continue without paging--
vpidr_el2 = 0, vmpidr_el2 = 0, tfsr_el = {0, 0, 0, 0}, gcr_el1 = 0, rgsr_el1 = 0}, v7m = {other_sp = 0,
other_ss_msp = 0, other_ss_psp = 0, vecbase = {0, 0}, basepri = {0, 0}, control = {0, 0}, ccr = {0, 0},
cfsr = {0, 0}, hfsr = 0, dfsr = 0, sfsr = 0, mmfar = {0, 0}, bfar = 0, sfar = 0, mpu_ctrl = {0, 0},
exception = 0, primask = {0, 0}, faultmask = {0, 0}, aircr = 0, secure = 0, csselr = {0, 0}, scr = {0, 0},
msplim = {0, 0}, psplim = {0, 0}, fpcar = {0, 0}, fpccr = {0, 0}, fpdscr = {0, 0}, cpacr = {0, 0},
nsacr = 0, ltpsize = 0}, exception = {syndrome = 0, fsr = 0, vaddress = 0, target_el = 0}, serror = {
pending = 0 '\000', has_esr = 0 '\000', esr = 0}, ext_dabt_raised = 0 '\000', irq_line_state = 0,
teecr = 0, teehbr = 0, vfp = {zregs = {{d = {0, 0}} <repeats 32 times>}, qc = {0, 0, 0, 0}, vec_len = 0,
vec_stride = 0, xregs = {1090793712, 0, 0, 0, 0, 67, 320934161, 286327330, 1073741824, 0, 0, 0, 0, 0, 0,
0}, scratch = {0, 0, 0, 0, 0, 0, 0, 0}, fp_status = {float_rounding_mode = float_round_nearest_even,
float_exception_flags = 0 '\000', floatx80_rounding_precision = 0 '\000',
tininess_before_rounding = true, flush_to_zero = false, flush_inputs_to_zero = false,
default_nan_mode = false, snan_bit_is_one = false, use_first_nan = false, no_signaling_nans = false},
fp_status_f16 = {float_rounding_mode = float_round_nearest_even, float_exception_flags = 0 '\000',
floatx80_rounding_precision = 0 '\000', tininess_before_rounding = true, flush_to_zero = false,
flush_inputs_to_zero = false, default_nan_mode = false, snan_bit_is_one = false, use_first_nan = false,
no_signaling_nans = false}, standard_fp_status = {float_rounding_mode = float_round_nearest_even,
float_exception_flags = 0 '\000', floatx80_rounding_precision = 0 '\000',
tininess_before_rounding = true, flush_to_zero = true, flush_inputs_to_zero = true,
default_nan_mode = true, snan_bit_is_one = false, use_first_nan = false, no_signaling_nans = false},
standard_fp_status_f16 = {float_rounding_mode = float_round_nearest_even, float_exception_flags = 0 '\000',
floatx80_rounding_precision = 0 '\000', tininess_before_rounding = true, flush_to_zero = false,
flush_inputs_to_zero = false, default_nan_mode = true, snan_bit_is_one = false, use_first_nan = false,
no_signaling_nans = false}, zcr_el = {0, 0, 0, 0}}, exclusive_addr = 0, exclusive_val = 0,
exclusive_high = 0, iwmmxt = {regs = {0 <repeats 16 times>}, val = 0, cregs = {0 <repeats 16 times>}},
eabi = 0, cpu_breakpoint = {0x0 <repeats 16 times>}, cpu_watchpoint = {0x0 <repeats 16 times>},
end_reset_fields = {<No data fields>}, features = 30989547897, pmsav7 = {drbar = 0x0, drsr = 0x0,
dracr = 0x0, rnr = {0, 0}}, pmsav8 = {rbar = {0x0, 0x0}, rlar = {0x0, 0x0}, mair0 = {0, 0}, mair1 = {0,
0}}, sau = {rbar = 0x0, rlar = 0x0, rnr = 0, ctrl = 0}, nvic = 0x0, boot_info = 0x0, gicv3state = 0x0}
At this point you’d have to know about the internals of qemu…
Other approach: check how it goes there. Perhaps something about the
ELF headers of klibc*.so and/or fstype…
bye,
//mirabilos
--
<igli> exceptions: a truly awful implementation of quite a nice idea.
<igli> just about the worst way you could do something like that, afaic.
<igli> it's like anti-design. <mirabilos> that too… may I quote you on that?
<igli> sure, tho i doubt anyone will listen ;)
Reply to: