Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips

To: Rin Okuyama <rokuyama.rk%gmail.com@localhost>
Subject: Re: toolchain/55043: pkgsrc/security/sudo reliably crashes on mips
From: Jason Thorpe <thorpej%me.com@localhost>
Date: Mon, 2 Mar 2020 22:45:00 -0800

(Re-sending to wider audience.)

> On Mar 2, 2020, at 10:00 PM, Rin Okuyama <rokuyama.rk%gmail.com@localhost> wrote:
> 
> Seems like GNU_RELRO v.s. 8KB-page problem observed on mips64:
> 
> https://mail-index.netbsd.org/port-evbmips/2016/09/11/msg000291.html
> 
> sudo still crashes also on mips64.

Maybe not?  This is mipsel o32.

cobalt:thorpej 6$ cc -o hello hello.c
cobalt:thorpej 7$ ./hello                                                      
Hello, World!
cobalt:thorpej 8$ cc -Wl,-z,relro -o hello-relro hello.c
cobalt:thorpej 9$ ./hello-relro                                                
Hello, World!
cobalt:thorpej 10$ sysctl hw.pagesize
hw.pagesize = 8192
cobalt:thorpej 11$ 

In my case, 0x7dea4db0 is reported as the faulting PC (in libsudo_util.so), and:

(gdb) disas __do_global_ctors_aux
Dump of assembler code for function __do_global_ctors_aux:
  0x7dea4d78 <+0>:       lui     gp,0x2
  0x7dea4d7c <+4>:       addiu   gp,gp,-15336
  0x7dea4d80 <+8>:       addu    gp,gp,t9
  0x7dea4d84 <+12>:      lw      v0,-32740(gp)
  0x7dea4d88 <+16>:      addiu   sp,sp,-40
  0x7dea4d8c <+20>:      lbu     v1,-27615(v0)
  0x7dea4d90 <+24>:      sw      gp,16(sp)
  0x7dea4d94 <+28>:      sw      ra,36(sp)
  0x7dea4d98 <+32>:      sw      s1,32(sp)
  0x7dea4d9c <+36>:      sw      s0,28(sp)
  0x7dea4da0 <+40>:      bnez    v1,0x7dea4e1c <__do_global_ctors_aux+164>
  0x7dea4da4 <+44>:      li      a0,1
  0x7dea4da8 <+48>:      lw      v1,-32460(gp)
  0x7dea4dac <+52>:      nop
=> 0x7dea4db0 <+56>:      beqz    v1,0x7dea4dd4 <__do_global_ctors_aux+92>
  0x7dea4db4 <+60>:      sb      a0,-27615(v0)
  0x7dea4db8 <+64>:      lw      a1,-32740(gp)
  0x7dea4dbc <+68>:      lw      t9,-32460(gp)
  0x7dea4dc0 <+72>:      lw      a0,-32736(gp)
  0x7dea4dc4 <+76>:      jalr    t9

As far as I can tell, this is:

       if (register_frame_info)
               register_frame_info(__EH_FRAME_LIST__, &dwarf_eh_object);

...in crtbegin (note the "sb" in the delay slot of the "beqz" is the "__initialized = 1;" just above in the function...)

(gdb) print/x $v1
$3 = 0x7de6d5ec
(gdb) 

...which the debugger, at least, does believe is __register_frame_info() function (register_frame_info is a weak ref to it):

(gdb) disas 0x7de6d5ec
Dump of assembler code for function __register_frame_info:
  0x7de6d5ec <+0>:       lui     gp,0x2
  0x7de6d5f0 <+4>:       addiu   gp,gp,-20972
  0x7de6d5f4 <+8>:       addu    gp,gp,t9
  0x7de6d5f8 <+12>:      lw      t9,-32596(gp)
  0x7de6d5fc <+16>:      move    a3,zero
  0x7de6d600 <+20>:      jr      t9
  0x7de6d604 <+24>:      move    a2,zero
End of assembler dump.

-- thorpej

Prev by Date: [PATCH 3/3] Add tests for missing libc catalog entries
Next by Date: Re: [PATCH 3/3] Add tests for missing libc catalog entries
Previous by Thread: [PATCH 1/3] Sync errno messages between catalog and errno.h
Next by Thread: [PATCH v2 0/8] PR standards/44921: Add errno consts for robust mutexes + related cleanup
Indexes:

Home | Main Index | Thread Index | Old Index