NetBSD-Bugs archive


Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips



The following reply was made to PR toolchain/55043; it has been noted by GNATS.

From: Jason Thorpe <thorpej%me.com@localhost>
To: Rin Okuyama <rokuyama.rk%gmail.com@localhost>
Cc: gnats-bugs%netbsd.org@localhost
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
Date: Mon, 2 Mar 2020 22:45:00 -0800

 > On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk%gmail.com@localhost> wrote:
 > 
 > Seems like GNU_RELRO vs. 8KB-page problem observed on mips64:
 > 
 > https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
 > 
 > sudo still crashes also on mips64.
 
 Maybe not?  This is mipsel o32.
 
 cobalt:thorpej 6$ cc -o hello hello.c
 cobalt:thorpej 7$ ./hello
 Hello, World!
 cobalt:thorpej 8$ cc -Wl,-z,relro -o hello-relro hello.c
 cobalt:thorpej 9$ ./hello-relro
 Hello, World!
 cobalt:thorpej 10$ sysctl hw.pagesize
 hw.pagesize = 8192
 cobalt:thorpej 11$
 
 In my case, 0x7dea4db0 is reported as the faulting PC (in libsudo_util.so), and:
 
 (gdb) disas __do_global_ctors_aux
 Dump of assembler code for function __do_global_ctors_aux:
    0x7dea4d78 <+0>:       lui     gp,0x2
    0x7dea4d7c <+4>:       addiu   gp,gp,-15336
    0x7dea4d80 <+8>:       addu    gp,gp,t9
    0x7dea4d84 <+12>:      lw      v0,-32740(gp)
    0x7dea4d88 <+16>:      addiu   sp,sp,-40
    0x7dea4d8c <+20>:      lbu     v1,-27615(v0)
    0x7dea4d90 <+24>:      sw      gp,16(sp)
    0x7dea4d94 <+28>:      sw      ra,36(sp)
    0x7dea4d98 <+32>:      sw      s1,32(sp)
    0x7dea4d9c <+36>:      sw      s0,28(sp)
    0x7dea4da0 <+40>:      bnez    v1,0x7dea4e1c <__do_global_ctors_aux+164>
    0x7dea4da4 <+44>:      li      a0,1
    0x7dea4da8 <+48>:      lw      v1,-32460(gp)
    0x7dea4dac <+52>:      nop
 => 0x7dea4db0 <+56>:      beqz    v1,0x7dea4dd4 <__do_global_ctors_aux+92>
    0x7dea4db4 <+60>:      sb      a0,-27615(v0)
    0x7dea4db8 <+64>:      lw      a1,-32740(gp)
    0x7dea4dbc <+68>:      lw      t9,-32460(gp)
    0x7dea4dc0 <+72>:      lw      a0,-32736(gp)
    0x7dea4dc4 <+76>:      jalr    t9
 
 As far as I can tell, this is:
 
         if (register_frame_info)
                 register_frame_info(__EH_FRAME_LIST__, &dwarf_eh_object);
 
 ...in crtbegin (note the "sb" in the delay slot of the "beqz" is the "__initialized = 1;" just above in the function...)
 
 (gdb) print/x $v1
 $3 = 0x7de6d5ec
 (gdb)
 
 ...which the debugger, at least, does believe is the __register_frame_info() function (register_frame_info is a weak ref to it):
 
 (gdb) disas 0x7de6d5ec
 Dump of assembler code for function __register_frame_info:
    0x7de6d5ec <+0>:       lui     gp,0x2
    0x7de6d5f0 <+4>:       addiu   gp,gp,-20972
    0x7de6d5f4 <+8>:       addu    gp,gp,t9
    0x7de6d5f8 <+12>:      lw      t9,-32596(gp)
    0x7de6d5fc <+16>:      move    a3,zero
    0x7de6d600 <+20>:      jr      t9
    0x7de6d604 <+24>:      move    a2,zero
 End of assembler dump.
 
 -- thorpej
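The thread above turns on whether a binary's PT_GNU_RELRO range, laid out by a linker that assumed 4 KiB pages, collides with writable data once a loader applies it on a system whose hw.pagesize is 8192. The script below is an added diagnostic, not code from this thread, from NetBSD or from sudo: it parses the program headers of an ELF32 or ELF64 image and counts how many bytes of writable PT_LOAD memory outside RELRO proper would also become read-only if the loader protected the RELRO range rounded out to a given page size. The rounding direction (start down, end up) is an assumption, and the built-in sample image, its addresses and sizes are constructed for the demonstration.

```python
import struct
import sys

# ELF constants (ELF spec and the GNU PT_GNU_RELRO extension)
PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552
PF_W = 0x2
PF_R = 0x4
EM_MIPS = 8


def parse_program_headers(data):
    """Return the program headers of an ELF32/ELF64 image as a list of dicts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        fmt = "IIQQQQQQ"
        order = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        fmt = "IIIIIIII"
        order = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from(endian + fmt, data, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(order, fields)))
    return phdrs


def relro_spill(phdrs, page_size):
    """Writable PT_LOAD bytes outside PT_GNU_RELRO that would turn read-only
    if the loader protected the RELRO range rounded out to page_size.
    Assumption: start is rounded down and end rounded up to a page boundary.
    Returns None when the image carries no PT_GNU_RELRO header."""
    relro = next((p for p in phdrs if p["type"] == PT_GNU_RELRO), None)
    if relro is None:
        return None
    r_start = relro["vaddr"]
    r_end = r_start + relro["memsz"]
    prot_start = r_start & ~(page_size - 1)
    prot_end = (r_end + page_size - 1) & ~(page_size - 1)
    spill = 0
    for p in phdrs:
        if p["type"] != PT_LOAD or not (p["flags"] & PF_W):
            continue
        lo = max(p["vaddr"], prot_start)
        hi = min(p["vaddr"] + p["memsz"], prot_end)
        if lo >= hi:
            continue
        covered = hi - lo
        # RELRO proper is meant to be read-only; only count the bytes beyond it.
        rlo, rhi = max(lo, r_start), min(hi, r_end)
        if rlo < rhi:
            covered -= rhi - rlo
        spill += covered
    return spill


def build_sample_elf32(relro_memsz):
    """Constructed ELF32 little-endian MIPS image: one RW PT_LOAD covering
    0x10000..0x13000 and a PT_GNU_RELRO of relro_memsz bytes starting at 0x10000."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
    e_phoff, e_ehsize, e_phentsize, e_phnum = 52, 52, 32, 2
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, EM_MIPS, 1, 0, e_phoff, 0, 0,
                              e_ehsize, e_phentsize, e_phnum, 0, 0, 0)
    load = struct.pack("<IIIIIIII", PT_LOAD, 0x1000, 0x10000, 0x10000,
                       0x3000, 0x3000, PF_R | PF_W, 0x1000)
    relro = struct.pack("<IIIIIIII", PT_GNU_RELRO, 0x1000, 0x10000, 0x10000,
                        relro_memsz, relro_memsz, PF_R, 1)
    return hdr + load + relro


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:      # e.g. a shared object to inspect
            data = f.read()
    else:
        data = build_sample_elf32(0x1000)   # RELRO end aligned to 4 KiB only
    phdrs = parse_program_headers(data)
    for page in (4096, 8192):
        print(f"page size {page}: {relro_spill(phdrs, page)} writable bytes spill into RELRO")


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports 0 bytes at a 4 KiB page size and 4096 bytes at 8 KiB for the constructed image, which is the shape of problem the quoted port-evbmips thread describes; pointed at a real object it reads that file's headers instead. A non-zero figure is a reason to look at what the linker placed right after RELRO, not proof of the crash by itself.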
 

