public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug dynamic-link/31199] New: _dl_debug_state size can be to small to fit a breakpoint, without OOB access.
@ 2023-12-30 21:20 bieganski.m at wp dot pl
2023-12-30 22:35 ` [Bug dynamic-link/31199] " schwab@linux-m68k.org
2023-12-31 11:41 ` fw at deneb dot enyo.de
0 siblings, 2 replies; 3+ messages in thread
From: bieganski.m at wp dot pl @ 2023-12-30 21:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31199
Bug ID: 31199
Summary: _dl_debug_state size can be to small to fit a
breakpoint, without OOB access.
Product: glibc
Version: 2.40
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: bieganski.m at wp dot pl
Target Milestone: ---
I observed the issue when running 'ltrace' on a RISC-V Linux. The CPU
implements rv64gc instruction set, where 'c' letter stands for 'compressed'
instructions (2 bytes long, instead of usual 4 bytes).
For some traced binaries, the `ltrace <binary>` invocation was being killed due
to SIGILL signal, as tracee was executing some invalid instruction.
We found out that the following sequence happens:
The ltrace for RISC-V [1] (not very well tested I think) is implemented in a
way that it always tries to insert 4-byte breakpoint, as it is not aware if the
CPU supports the compressed ISA (due to RISC-V modularity). The opcode for
`ebreak` instruction is 0x100073.
After it determines the address of _dl_debug_state (0x3ff7fdfe2a), it inserts a
breakpoint:
```
ptrace(PTRACE_PEEKTEXT, 2667987, 0x3ff7fdfe2a, 0x0001f517872a8082) = 0
ptrace(PTRACE_POKETEXT, 2667987, 0x3ff7fdfe2a, 0x0001f51700100073) = 0
```
Then it continues execution. The problem is, that the _dl_debug_state's content
is a single compressed 'ret' instruction, 0x8082, as in the objdump's output
below:
```
0000000000001e2a <_dl_debug_state@@GLIBC_PRIVATE>:
1e2a: 8082 ret
1e2c: 872a mv a4,a0
1e2e: 0001f517 auipc a0,0x1f
```
It's not shown there because my ld.so is stripped, but **just after 'ret'
another function starts** (In my compilation it is _dl_debug_update, from the
same compilation unit). First two bytes of that another function are
overwritten by breakpoint set on _dl_debug_state, and the SIGILL is emitted on
entry to the other function.
I see two possible solutions for the issue:
1) 'ltrace' (and other debuggers) will implement arch detection (either
compilation-time or runtime), and always use the smallest possible breakpoint
size.
2) '_dl_debug_update' will contain at least a single 'nop' (plus a 'ret'). it
covers RISC-V architecture, and all the architectures with ret size at least of
breakpoint size
My questions are as follows:
* Can someone confirm that the issue is real? Was it discussed before?
* What does the glibc team thinks of implementing 2) (increasing
'_dl_debug_update' size)?
Thank you!
[1]
https://gitlab.com/cespedes/ltrace/-/merge_requests/4/diffs#8ff83520fcec4ad41e7f667f16cc44678206252b_0_29
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug dynamic-link/31199] _dl_debug_state size can be to small to fit a breakpoint, without OOB access.
2023-12-30 21:20 [Bug dynamic-link/31199] New: _dl_debug_state size can be to small to fit a breakpoint, without OOB access bieganski.m at wp dot pl
@ 2023-12-30 22:35 ` schwab@linux-m68k.org
2023-12-31 11:41 ` fw at deneb dot enyo.de
1 sibling, 0 replies; 3+ messages in thread
From: schwab@linux-m68k.org @ 2023-12-30 22:35 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31199
--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
gdb looks whether the replaced insn is a compressed one and then uses c.ebreak
instead of ebreak.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Bug dynamic-link/31199] _dl_debug_state size can be to small to fit a breakpoint, without OOB access.
2023-12-30 21:20 [Bug dynamic-link/31199] New: _dl_debug_state size can be to small to fit a breakpoint, without OOB access bieganski.m at wp dot pl
2023-12-30 22:35 ` [Bug dynamic-link/31199] " schwab@linux-m68k.org
@ 2023-12-31 11:41 ` fw at deneb dot enyo.de
1 sibling, 0 replies; 3+ messages in thread
From: fw at deneb dot enyo.de @ 2023-12-31 11:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=31199
Florian Weimer <fw at deneb dot enyo.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
CC| |fw at deneb dot enyo.de
Resolution|--- |MOVED
--- Comment #2 from Florian Weimer <fw at deneb dot enyo.de> ---
Please report this to the ltrace port:
https://gitlab.com/cespedes/ltrace/-/issues
As Andreas said, the ISA supports the c.ebreak encoding for this purpose.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-12-31 11:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-12-30 21:20 [Bug dynamic-link/31199] New: _dl_debug_state size can be to small to fit a breakpoint, without OOB access bieganski.m at wp dot pl
2023-12-30 22:35 ` [Bug dynamic-link/31199] " schwab@linux-m68k.org
2023-12-31 11:41 ` fw at deneb dot enyo.de
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).