| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAP2ubg+p9sxJRKVhRAqYE0RKVU0Xz81YYy+=fysRiScMtAV2LQ@mail.gmail.com>
Date: Fri, 15 Oct 2021 16:41:20 +0700
From: Louvian Lyndal <louvianlyndal@...il.com>
To: Ammar Faizi <ammar.faizi@...dents.amikom.ac.id>
Cc: Willy Tarreau <w@....eu>, Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Andy Lutomirski <luto@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
David Laight <David.Laight@...lab.com>,
Peter Cordes <peter@...des.ca>,
Bedirhan KURT <windowz414@...weeb.org>
Subject: Re: [PATCH 2/2] tools/nolibc: x86-64: Fix startup code bug
On Fri, Oct 15, 2021 at 3:57 PM Ammar Faizi wrote:
>
> Hi,
>
> This is a code to test.
>
> Compile with:
> gcc -O3 -ggdb3 -nostdlib -o test test.c
>
> Technical explanation:
> The System V ABI mandates the %rsp must be 16-byte aligned before
> performing a function call, but the current nolibc.h violates it.
>
> This %rsp alignment violation makes the callee can't align its stack
> properly. Note that the callee may have a situation where it requires
> vector aligned move. For example, `movaps` with memory operand w.r.t.
> xmm registers, it requires the src/dst address be 16-byte aligned.
>
> Since the callee can't align its stack properly, it will segfault when
> executing `movaps`. The following C code is the reproducer and test
> to ensure the bug really exists and this patch fixes it.
Hello,
With the current nolibc.h, the program segfault on movaps:
Program received signal SIGSEGV, Segmentation fault.
0x0000555555555032 in dump_argv (argv=0x7fffffffe288, argc=1) at test.c:15
15 const char str[] = "\nDumping argv...\n";
(gdb) x/20i main
0x555555555000 <main>: endbr64
0x555555555004 <main+4>: push %r14
0x555555555006 <main+6>: push %r13
0x555555555008 <main+8>: mov %edi,%r13d
0x55555555500b <main+11>: push %r12
0x55555555500d <main+13>: push %rbp
0x55555555500e <main+14>: mov %rdx,%rbp
0x555555555011 <main+17>: mov $0xa,%edx
0x555555555016 <main+22>: push %rbx
0x555555555017 <main+23>: mov %rsi,%rbx
0x55555555501a <main+26>: sub $0x8,%rsp
0x55555555501e <main+30>: movdqa 0xffa(%rip),%xmm0 # 0x555555556020
0x555555555026 <main+38>: mov %dx,-0x68(%rsp)
0x55555555502b <main+43>: lea -0x78(%rsp),%r12
0x555555555030 <main+48>: xor %edx,%edx
=> 0x555555555032 <main+50>: movaps %xmm0,-0x78(%rsp)
0x555555555037 <main+55>: nopw 0x0(%rax,%rax,1)
0x555555555040 <main+64>: add $0x1,%rdx
0x555555555044 <main+68>: cmpb $0x0,(%r12,%rdx,1)
0x555555555049 <main+73>: jne 0x555555555040 <main+64>
(gdb) p $rsp-0x78
$1 = (void *) 0x7fffffffe1c8
(gdb)
Apparently it's because $rsp-0x78 is not multiple of 16. After this
patchset, it works fine. gcc version 11.1.0
Tested-by: Louvian Lyndal <louvianlyndal@...il.com>
Powered by blists - more mailing lists