NetBSD-Bugs archive


toolchain/50932: compiler changes broke rump

>Number:         50932
>Category:       toolchain
>Synopsis:       compiler changes broke rump
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    toolchain-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 10 12:00:00 +0000 2016
>Originator:     Martin Husemann
>Release:        NetBSD 7.99.26
The NetBSD Foundation, Inc.
System: NetBSD 7.99.26 NetBSD 7.99.26 (NIGHT-OWL) #391: Thu Feb 25 11:24:27 CET 2016 amd64
Architecture: x86_64
Machine: amd64

Recent compiler changes to deal with copy relocations for hidden symbols
broke link sets in rump.

Here is gdb output from a working binary:

   0x7f7ff68769fa <sysctl_init+28>:     callq  0x7f7ff6835e70 <rumpns_sysctl_basenode_init@plt>
   0x7f7ff68769ff <sysctl_init+33>:     lea    0x264ada(%rip),%rbp        # 0x7f7ff6adb4e0
   0x7f7ff6876a06 <sysctl_init+40>:     lea    0x264a9b(%rip),%rbx        # 0x7f7ff6adb4a8
   0x7f7ff6876a0d <sysctl_init+47>:     cmp    %rbp,%rbx
   0x7f7ff6876a10 <sysctl_init+50>:     jae    0x7f7ff6876a1f <sysctl_init+65>
=> 0x7f7ff6876a12 <sysctl_init+52>:     xor    %edi,%edi
   0x7f7ff6876a14 <sysctl_init+54>:     callq  *(%rbx)
   0x7f7ff6876a16 <sysctl_init+56>:     add    $0x8,%rbx
   0x7f7ff6876a1a <sysctl_init+60>:     cmp    %rbp,%rbx
   0x7f7ff6876a1d <sysctl_init+63>:     jb     0x7f7ff6876a12 <sysctl_init+52>
   0x7f7ff6876a1f <sysctl_init+65>:     xor    %edx,%edx
   0x7f7ff6876a21 <sysctl_init+67>:     mov    $0x2,%esi

as you can see it iterates function pointers from 0x7f7ff6adb4e0 to
0x7f7ff6adb4a8 and calls each of them.

Now the same for a broken binary:

   0x7f7ff68755e7 <sysctl_init+9>:      callq  0x7f7ff68336a0 <rumpns_rw_init@plt>
   0x7f7ff68755ec <sysctl_init+14>:     mov    0x25c2cd(%rip),%rax        # 0x7f7ff6ad18c0
   0x7f7ff68755f3 <sysctl_init+21>:     movl   $0x400,0x4(%rax)
   0x7f7ff68755fa <sysctl_init+28>:     callq  0x7f7ff68349b0 <rumpns_sysctl_basenode_init@plt>
   0x7f7ff68755ff <sysctl_init+33>:     mov    0x25bb32(%rip),%rbp        # 0x7f7ff6ad1138
   0x7f7ff6875606 <sysctl_init+40>:     lea    0x26575b(%rip),%rbx        # 0x7f7ff6adad68
   0x7f7ff687560d <sysctl_init+47>:     cmp    %rbp,%rbx
   0x7f7ff6875610 <sysctl_init+50>:     jae    0x7f7ff687561f <sysctl_init+65>
   0x7f7ff6875612 <sysctl_init+52>:     xor    %edi,%edi
   0x7f7ff6875614 <sysctl_init+54>:     callq  *(%rbx)
=> 0x7f7ff6875616 <sysctl_init+56>:     add    $0x8,%rbx
   0x7f7ff687561a <sysctl_init+60>:     cmp    %rbp,%rbx
   0x7f7ff687561d <sysctl_init+63>:     jb     0x7f7ff6875612 <sysctl_init+52>

here it iterates pointers from 0x7f7ff6ad1138 to 0x7f7ff6adad68 and thus
overruns the end of the link set, resulting in a crash when jumping to 
something that is not a function but some arbitrary data.

cd /usr/tests/includes/sys
gdb ./t_socket
run sock_cloexec
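The link-set walk that both disassemblies above implement, re-created as an added example in C. This is not code from the PR or from NetBSD's <sys/cdefs.h>; it assumes GNU ld or lld on ELF, which synthesise __start_<section> and __stop_<section> symbols for orphan sections whose names are valid C identifiers. The set name demo_init, the functions init_a and init_b, the LINK_SET_ADD macro and the helper names are hypothetical. Besides the plain walk (compare start against stop, call each pointer, advance by one pointer), it adds the kind of bounds sanity check that would have refused the overrun the report describes, where the loaded stop value lies far beyond the real end of the set.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not NetBSD code. Every registered function contributes
 * one pointer to a named ELF section; the consumer walks the section from
 * its linker-provided start symbol to its stop symbol and calls each one.
 * Assumes GNU ld/lld on ELF; set name and function names are hypothetical. */

typedef void (*init_fn)(int);

/* Register one function in link set `set` (hypothetical macro modelled on
 * the NetBSD idiom; `used` keeps the otherwise unreferenced static alive). */
#define LINK_SET_ADD(set, sym)                                             \
    static init_fn __link_set_##set##_##sym                                \
        __attribute__((section("link_set_" #set), used)) = sym

/* Section bounds, synthesised by the linker for the orphan section. */
extern init_fn __start_link_set_demo_init[];
extern init_fn __stop_link_set_demo_init[];

/* Constructed sample entries: each sets one bit when it runs. */
static int calls_seen;
static void init_a(int flags) { (void)flags; calls_seen |= 1; }
static void init_b(int flags) { (void)flags; calls_seen |= 2; }
LINK_SET_ADD(demo_init, init_a);
LINK_SET_ADD(demo_init, init_b);

/* Sanity-check a [start, stop) range before walking it. The failure in the
 * PR is a bad `stop`: the broken binary loaded it indirectly and ended up
 * past the real end of the set. A defensive walker can at least reject a
 * range that is inverted, not a whole number of pointers, or implausibly
 * large. Returns the entry count, or -1 if the range is rejected. */
long link_set_entry_count(const void *start, const void *stop, long max_entries)
{
    const char *s = start, *e = stop;
    if (e < s)
        return -1;                             /* inverted range */
    if ((size_t)(e - s) % sizeof(init_fn) != 0)
        return -1;                             /* misaligned end */
    long n = (long)((size_t)(e - s) / sizeof(init_fn));
    if (n > max_entries)
        return -1;                             /* overruns any plausible set */
    return n;
}

/* Walk the set the way the working sysctl_init() does:
 *   if (p >= end) skip; do { (*p)(0); p++; } while (p < end);
 * Returns the number of callbacks invoked, or -1 if the bounds were rejected.
 * The limit of 1024 entries is an arbitrary constructed ceiling. */
long run_demo_init(void)
{
    long n = link_set_entry_count(__start_link_set_demo_init,
                                  __stop_link_set_demo_init, 1024);
    if (n < 0)
        return -1;
    for (init_fn *p = __start_link_set_demo_init;
         p < __stop_link_set_demo_init; p++)
        (*p)(0);
    return n;
}

/* Bitmask of which sample entries ran (1 = init_a, 2 = init_b). */
int demo_calls_seen(void) { return calls_seen; }

int main(void)
{
    long n = run_demo_init();
    printf("ran %ld link-set entries, mask %d\n", n, demo_calls_seen());
    return (n == 2 && demo_calls_seen() == 3) ? 0 : 1;
}
```

Note that the bounds check only catches a stop value that is grossly wrong; a stop value that lands inside unrelated but well-aligned data, as in the broken binary, still passes the alignment test, which is why the real fix belongs in the toolchain rather than in the consumer.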

