Date:   Fri, 15 Oct 2021 16:41:20 +0700
From:   Louvian Lyndal <>
To:     Ammar Faizi <>
Cc:     Willy Tarreau <>, Paul Walmsley <>,
        Palmer Dabbelt <>,
        Albert Ou <>,
        Linux Kernel Mailing List <>,
        Andy Lutomirski <>,
        Thomas Gleixner <>,
        Ingo Molnar <>,,
        "H. Peter Anvin" <>,
        David Laight <>,
        Peter Cordes <>,
        Bedirhan KURT <>
Subject: Re: [PATCH 2/2] tools/nolibc: x86-64: Fix startup code bug

On Fri, Oct 15, 2021 at 3:57 PM Ammar Faizi wrote:
> Hi,
> This is code to test.
> Compile with:
>   gcc -O3 -ggdb3 -nostdlib -o test test.c
> Technical explanation:
> The System V ABI mandates that %rsp must be 16-byte aligned before
> performing a function call, but the current nolibc.h violates it.
> This %rsp alignment violation makes the callee unable to align its stack
> properly. Note that the callee may have a situation where it requires
> vector aligned move. For example, `movaps` with memory operand w.r.t.
> xmm registers, it requires the src/dst address be 16-byte aligned.
> Since the callee can't align its stack properly, it will segfault when
> executing `movaps`. The following C code is the reproducer and test
> to ensure the bug really exists and this patch fixes it.

With the current nolibc.h, the program segfaults on movaps:
Program received signal SIGSEGV, Segmentation fault.
0x0000555555555032 in dump_argv (argv=0x7fffffffe288, argc=1) at test.c:15
15        const char str[] = "\nDumping argv...\n";
(gdb) x/20i main
   0x555555555000 <main>:    endbr64
   0x555555555004 <main+4>:    push   %r14
   0x555555555006 <main+6>:    push   %r13
   0x555555555008 <main+8>:    mov    %edi,%r13d
   0x55555555500b <main+11>:    push   %r12
   0x55555555500d <main+13>:    push   %rbp
   0x55555555500e <main+14>:    mov    %rdx,%rbp
   0x555555555011 <main+17>:    mov    $0xa,%edx
   0x555555555016 <main+22>:    push   %rbx
   0x555555555017 <main+23>:    mov    %rsi,%rbx
   0x55555555501a <main+26>:    sub    $0x8,%rsp
   0x55555555501e <main+30>:    movdqa 0xffa(%rip),%xmm0        # 0x555555556020
   0x555555555026 <main+38>:    mov    %dx,-0x68(%rsp)
   0x55555555502b <main+43>:    lea    -0x78(%rsp),%r12
   0x555555555030 <main+48>:    xor    %edx,%edx
=> 0x555555555032 <main+50>:    movaps %xmm0,-0x78(%rsp)
   0x555555555037 <main+55>:    nopw   0x0(%rax,%rax,1)
   0x555555555040 <main+64>:    add    $0x1,%rdx
   0x555555555044 <main+68>:    cmpb   $0x0,(%r12,%rdx,1)
   0x555555555049 <main+73>:    jne    0x555555555040 <main+64>
(gdb) p $rsp-0x78
$1 = (void *) 0x7fffffffe1c8

Apparently it's because $rsp-0x78 is not a multiple of 16. After this
patchset, it works fine. gcc version 11.1.0

Tested-by: Louvian Lyndal <>
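
Added example, not part of the original message or of the nolibc patch: a small C model of the %rsp arithmetic behind the gdb session above, showing how a misaligned %rsp at entry to main leads to the misaligned movaps operand. The entry %rsp value is derived from the printed $rsp-0x78 and the prologue in the disassembly; the "fixed" entry value and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stack adjustments made by a function prologue. */
struct prologue {
    unsigned pushes;     /* number of 8-byte `push` instructions */
    uint64_t sub_bytes;  /* immediate of `sub $imm,%rsp` */
};

/* Prologue of main in the disassembly above: 5 pushes, then sub $0x8,%rsp. */
static const struct prologue main_prologue = { 5, 0x8 };
#define MOVAPS_DISP (-0x78)  /* movaps %xmm0,-0x78(%rsp) */

/* SysV x86-64 ABI: on function entry, (%rsp + 8) is a multiple of 16. */
static int entry_abi_ok(uint64_t entry_rsp)
{
    return ((entry_rsp + 8) & 0xf) == 0;
}

static uint64_t rsp_after(uint64_t entry_rsp, struct prologue p)
{
    return entry_rsp - 8ull * p.pushes - p.sub_bytes;
}

/* Address of the movaps memory operand for a given entry %rsp. */
static uint64_t movaps_operand(uint64_t entry_rsp)
{
    return rsp_after(entry_rsp, main_prologue) + (uint64_t)(int64_t)MOVAPS_DISP;
}

/* movaps with a memory operand raises #GP (seen as SIGSEGV) unless
 * the operand address is 16-byte aligned. */
static int movaps_faults(uint64_t entry_rsp)
{
    return (movaps_operand(entry_rsp) & 0xf) != 0;
}

int main(void)
{
    /* Derived from the gdb output: 0x7fffffffe1c8 + 0x78 + 0x8 + 5*8. */
    uint64_t observed = 0x7fffffffe270ull;
    uint64_t fixed = observed - 8;  /* constructed: an ABI-compliant entry %rsp */
    uint64_t e[2] = { observed, fixed };
    for (int i = 0; i < 2; i++)
        printf("entry=%#llx abi_ok=%d operand=%#llx fault=%d\n",
               (unsigned long long)e[i], entry_abi_ok(e[i]),
               (unsigned long long)movaps_operand(e[i]), movaps_faults(e[i]));
    return 0;
}
```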
