From: Stefan Liebler <stli@linux.ibm.com>
To: David Hildenbrand <david@redhat.com>, qemu-devel@nongnu.org
Cc: Thomas Huth <thuth@redhat.com>, Ilya Leoshkevich <iii@de.ibm.com>,
Andreas Krebbel <Andreas.Krebbel@de.ibm.com>,
Cornelia Huck <cohuck@redhat.com>,
qemu-s390x@nongnu.org, Richard Henderson <rth@twiddle.net>
Subject: Re: [Qemu-devel] [PATCH v1 2/2] s390x/tcg: Store only the necessary amount of doublewords for STFLE
Date: Mon, 3 Jun 2019 16:39:51 +0200 [thread overview]
Message-ID: <3bec7cf0-9be1-ea6f-7dbc-cbf95fd08293@linux.ibm.com> (raw)
In-Reply-To: <dcf1b51b-78c8-7936-092b-439e8a9a3c8b@redhat.com>
On 6/3/19 12:45 PM, David Hildenbrand wrote:
> On 03.06.19 12:38, Stefan Liebler wrote:
>> On 5/31/19 4:56 PM, David Hildenbrand wrote:
>>> The PoP (z14, 7-382) says:
>>> Doublewords to the right of the doubleword in which the
>>> highest-numbered facility bit is assigned for a model
>>> may or may not be stored.
>>>
>>> However, stack protection in certain binaries can't deal with that.
>>> "gzip" example code:
>>>
>>> f1b4: a7 08 00 03 lhi %r0,3
>>> f1b8: b2 b0 f0 a0 stfle 160(%r15)
>>> f1bc: e3 20 f0 b2 00 90 llgc %r2,178(%r15)
>>> f1c2: c0 2b 00 00 00 01 nilf %r2,1
>>> f1c8: b2 4f 00 10 ear %r1,%a0
>>> f1cc: b9 14 00 22 lgfr %r2,%r2
>>> f1d0: eb 11 00 20 00 0d sllg %r1,%r1,32
>>> f1d6: b2 4f 00 11 ear %r1,%a1
>>> f1da: d5 07 f0 b8 10 28 clc 184(8,%r15),40(%r1)
>>> f1e0: a7 74 00 06 jne f1ec <file_read@@Base+0x1bc>
>>> f1e4: eb ef f1 30 00 04 lmg %r14,%r15,304(%r15)
>>> f1ea: 07 fe br %r14
>>> f1ec: c0 e5 ff ff 9d 6e brasl %r14,2cc8 <__stack_chk_fail@plt>
>>>
>>> In QEMU, we currently have:
>>> max_bytes = 24
>>> the code asks for (3 + 1) doublewords == 32 bytes.
>>>
>>> If we write 32 bytes instead of only 24, and return "2 + 1" doublewords
>>> ("one less than the number of doulewords needed to contain all of the
>>> facility bits"), the example code detects a stack corruption.
>>>
>>> In my opinion, the code is wrong. However, it seems to work fine on
>>> real machines. So let's limit storing to the minimum of the requested
>>> and the maximum doublewords.
>> Hi David,
>>
>> Thanks for catching this. I've reported the "gzip" example to Ilya and
>> indeed, r0 is setup too large. He will fix it in gzip.
>>
>> You've mentioned, that this is detected in certain binaries.
>> Can you please share those occurrences.
>
> Hi Stafan,
>
> thanks for your reply.
>
> I didn't track all occurrences, it *could* be that it was only gzip in
> the background making other processes fail.
>
> For example, the systemd "vitual console setup" unit failed, too, which
> was fixed by this change.
At least "objdump -d /usr/lib/systemd/systemd-vconsole-setup" does not
contain the stfle instruction, but "ldd
/usr/lib/systemd/systemd-vconsole-setup" is showing libz.so which could
also contain Ilya's patches with the stfle instruction (I assume there
is the same bug as in gzip). But I have no idea if libz is really called.
>
> I also remember, seeing segfaults in rpmbuild, for example. They only
> "changed" with this fix - I m still chasing different errors. :)
The same applies for rpmbuild.
>
> You mentioned "He will fix it in gzip", so I assume this is a gzip issue
> and not a gcc/glibc/whatever toolchain issue?
>
Yes, this is a gzip bug. r0 was initialized with:
(sizeof(array-on-stack) / 8)
instead of:
(sizeof(array-on-stack) / 8) - 1
Ilya will fix it in gzip and zlib.
@Ilya: Please correct me if I'm wrong.
next prev parent reply other threads:[~2019-06-03 14:52 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-31 14:56 [Qemu-devel] [PATCH v1 0/2] s390x/tcg: STFLE fixes David Hildenbrand
2019-05-31 14:56 ` [Qemu-devel] [PATCH v1 1/2] s390x/tcg: Fix max_byte detection for stfle David Hildenbrand
2019-05-31 15:02 ` Richard Henderson
2019-05-31 14:56 ` [Qemu-devel] [PATCH v1 2/2] s390x/tcg: Store only the necessary amount of doublewords for STFLE David Hildenbrand
2019-05-31 15:05 ` Richard Henderson
2019-05-31 15:08 ` David Hildenbrand
2019-06-03 10:38 ` Stefan Liebler
2019-06-03 10:45 ` David Hildenbrand
2019-06-03 14:39 ` Stefan Liebler [this message]
2019-06-04 8:11 ` David Hildenbrand
2019-06-03 7:02 ` [Qemu-devel] [PATCH v1 0/2] s390x/tcg: STFLE fixes Cornelia Huck
2019-06-03 7:16 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3bec7cf0-9be1-ea6f-7dbc-cbf95fd08293@linux.ibm.com \
--to=stli@linux.ibm.com \
--cc=Andreas.Krebbel@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=iii@de.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=rth@twiddle.net \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).