From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 461F73858C52; Sat, 30 Dec 2023 21:20:34 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 461F73858C52 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1703971234; bh=wmrsSLkb1pD5O6TncG2W3b54qIF5BgkjsG9USEDDeoI=; h=From:To:Subject:Date:From; b=BRluUYhk9LU4xKWzBP3pxkgty9k30QlPxrRmxXckdV49y+3SEgjbmXTxi3RZOyIf1 OiRz0shOfwU9FuBTHHNbd/9MxNr9hKswvuFLAnvL+xW65N/f3YklNc0B+/C9I7sBGM X6H/1RCpaNDQ05Vk4EGCZqTqkZKwnMGBtMIB0Ezs= From: "bieganski.m at wp dot pl" To: glibc-bugs@sourceware.org Subject: [Bug dynamic-link/31199] New: _dl_debug_state size can be to small to fit a breakpoint, without OOB access. Date: Sat, 30 Dec 2023 21:20:33 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: dynamic-link X-Bugzilla-Version: 2.40 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: bieganski.m at wp dot pl X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://sourceware.org/bugzilla/show_bug.cgi?id=3D31199 Bug ID: 31199 Summary: _dl_debug_state size can be to small to fit a breakpoint, without OOB access. Product: glibc Version: 2.40 Status: UNCONFIRMED Severity: normal Priority: P2 Component: dynamic-link Assignee: unassigned at sourceware dot org Reporter: bieganski.m at wp dot pl Target Milestone: --- I observed the issue when running 'ltrace' on a RISC-V Linux. The CPU implements rv64gc instruction set, where 'c' letter stands for 'compressed' instructions (2 bytes long, instead of usual 4 bytes). For some traced binaries, the `ltrace ` invocation was being killed= due to SIGILL signal, as tracee was executing some invalid instruction. We found out that the following sequence happens: The ltrace for RISC-V [1] (not very well tested I think) is implemented in a way that it always tries to insert 4-byte breakpoint, as it is not aware if= the CPU supports the compressed ISA (due to RISC-V modularity). The opcode for `ebreak` instruction is 0x100073. After it determines the address of _dl_debug_state (0x3ff7fdfe2a), it inser= ts a breakpoint: ``` ptrace(PTRACE_PEEKTEXT, 2667987, 0x3ff7fdfe2a, 0x0001f517872a8082) =3D 0 ptrace(PTRACE_POKETEXT, 2667987, 0x3ff7fdfe2a, 0x0001f51700100073) =3D 0 ``` Then it continues execution. The problem is, that the _dl_debug_state's con= tent is a single compressed 'ret' instruction, 0x8082, as in the objdump's output below: ``` 0000000000001e2a <_dl_debug_state@@GLIBC_PRIVATE>: 1e2a: 8082 ret 1e2c: 872a mv a4,a0 1e2e: 0001f517 auipc a0,0x1f ``` It's not shown there because my ld.so is stripped, but **just after 'ret' another function starts** (In my compilation it is _dl_debug_update, from t= he same compilation unit). First two bytes of that another function are overwritten by breakpoint set on _dl_debug_state, and the SIGILL is emitted= on entry to the other function. I see two possible solutions for the issue: 1) 'ltrace' (and other debuggers) will implement arch detection (either compilation-time or runtime), and always use the smallest possible breakpoi= nt size. 2) '_dl_debug_update' will contain at least a single 'nop' (plus a 'ret'). = it covers RISC-V architecture, and all the architectures with ret size at leas= t of breakpoint size My questions are as follows: * Can someone confirm that the issue is real? Was it discussed before? * What does the glibc team thinks of implementing 2) (increasing '_dl_debug_update' size)? Thank you! [1] https://gitlab.com/cespedes/ltrace/-/merge_requests/4/diffs#8ff83520fcec4ad= 41e7f667f16cc44678206252b_0_29 --=20 You are receiving this mail because: You are on the CC list for the bug.=