[Bug libc/31877] New: elf/tst-shstk-legacy-1g test failure on znver4

[Bug libc/31877] New: elf/tst-shstk-legacy-1g test failure on znver4

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

            Bug ID: 31877
           Summary: elf/tst-shstk-legacy-1g test failure on znver4
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: sam at gentoo dot org
                CC: drepper.fsp at gmail dot com, hjl.tools at gmail dot com
  Target Milestone: ---

I can reproduce this but it was also reported downstream in Gentoo at
https://bugs.gentoo.org/927973.

```
# cat elf/tst-shstk-legacy-1g.test-result
FAIL: elf/tst-shstk-legacy-1g
original exit status 1
```

```
# cat elf/tst-shstk-legacy-1g.out # blank
```

```
# lscpu
Architecture:             x86_64
CPU op-mode(s):         32-bit, 64-bit
Address sizes:          48 bits physical, 48 bits virtual
Byte Order:             Little Endian
CPU(s):                   16
On-line CPU(s) list:    0-15
Vendor ID:                AuthenticAMD
BIOS Vendor ID:         Advanced Micro Devices, Inc.
Model name:             AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics
BIOS Model name:      AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics  None CPU
@ 4.0GHz
BIOS CPU family:      107
CPU family:           25
Model:                116
Thread(s) per core:   2
Core(s) per socket:   8
Socket(s):            1
Stepping:             1
Frequency boost:      enabled
CPU(s) scaling MHz:   34%
CPU max MHz:          5263.0000
CPU min MHz:          400.0000
BogoMIPS:             7985.11
Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb
rdtscp lm constant_tsc r
ep_good amd_lbr_v2 nopl xtopology nonstop_tsc cpuid extd_apicid aperfmperf rapl
pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes
xsave
avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse
3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext per
fctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba perfmon_v2 ibrs ibpb stibp
ibrs_enhanced vmmcall fsgsbase bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a
avx512
f avx512dq rdseed adx smap avx512ifma clflushopt clwb avx512cd sha_ni avx512bw
avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total
cqm_m
bm_local user_shstk avx512_bf16 clzero irperf xsaveerptr rdpru wbnoinvd cppc
arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists
pau
sefilter pfthreshold v_vmsave_vmload vgif x2avic v_spec_ctrl vnmi avx512vbmi
umip pku ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg
avx512_v
popcntdq rdpid overflow_recov succor smca flush_l1d amd_lbr_pmc_freeze
Virtualization features:
Virtualization:         AMD-V
Caches (sum of all):
L1d:                    256 KiB (8 instances)
L1i:                    256 KiB (8 instances)
L2:                     8 MiB (8 instances)
L3:                     16 MiB (1 instance)
NUMA:
NUMA node(s):           1
NUMA node0 CPU(s):      0-15
Vulnerabilities:
Gather data sampling:   Not affected
Itlb multihit:          Not affected
L1tf:                   Not affected
Mds:                    Not affected
Meltdown:               Not affected
Mmio stale data:        Not affected
Reg file data sampling: Not affected
Retbleed:               Not affected
Spec rstack overflow:   Vulnerable: Safe RET, no microcode
Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer
sanitization
Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB
conditional; STIBP always-on; RSB filling; PBRSB-eIBRS Not affected; BHI Not
affected
Srbds:                  Not affected
Tsx async abort:        Not affected
```

dmesg has these for the other tests as expected:
```
[ 4023.300729] ld-linux-x86-64[3977174] control protection ip:7feae26b8833
sp:7ffed9928168 ssp:7feae23fffd0 error:1(near ret) in
tst-shstk-legacy-1b[7feae26b8000+2000]
[ 4023.301270] tst-shstk-legac[3977179] control protection ip:7f3bcaea7443
sp:7ffd5a033148 ssp:7f3bcadfffd8 error:1(near ret) in
tst-shstk-legacy-1b-static[7f3bcaea6000+9e000]
[ 4023.304565] ld-linux-x86-64[3977194] control protection ip:7f821de9182b
sp:7ffca75f7768 ssp:7f821dbfffe8 error:1(near ret) in
tst-shstk-legacy-1e[7f821de91000+2000]
[ 4023.304937] tst-shstk-legac[3977199] control protection ip:7fa4fb2e143b
sp:7ffc7c405928 ssp:7fa4fb1ffff0 error:1(near ret) in
tst-shstk-legacy-1e-static[7fa4fb2e0000+9e000]
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31877] elf/tst-shstk-legacy-1g test failure on znver4

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simon.chopin at canonical dot com

--- Comment #1 from Sam James <sam at gentoo dot org> ---
Ubuntu seem to have hit this too at
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2059603 (Simon, was it on
znver3/znver4, or Intel HW?)

```
# zgrep -Ei "(ibt|shstk|cet)=" /proc/config.gz
CONFIG_CC_HAS_IBT=y
CONFIG_X86_CET=y
CONFIG_X86_KERNEL_IBT=y
```

```
# uname -a
Linux goop 6.9.3 #1 SMP PREEMPT_DYNAMIC Thu Jun  6 10:29:40 BST 2024 x86_64 AMD
Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics AuthenticAMD GNU/Linux
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31877] elf/tst-shstk-legacy-1g test failure on znver4

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |SUSPENDED

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
On Intel Tiger Lake, I got

[hjl@gnu-tgl-3 build-x86_64-linux]$ GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK
elf/tst-shstk-legacy-1g
Segmentation fault (core dumped)
[hjl@gnu-tgl-3 build-x86_64-linux]$ echo $?
139
[hjl@gnu-tgl-3 build-x86_64-linux]$ 

What did you get?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31877] elf/tst-shstk-legacy-1g test failure on znver4

[sam at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

--- Comment #3 from Sam James <sam at gentoo dot org> ---
```
# GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK elf/tst-shstk-legacy-1g ; echo $?
Expected signal 'Segmentation fault' from child, got none
1
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31877] elf/tst-shstk-legacy-1g test failure on znver4

[hjl.tools at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> ---
(In reply to Sam James from comment #3)
> ```
> # GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK elf/tst-shstk-legacy-1g ; echo $?
> Expected signal 'Segmentation fault' from child, got none
> 1
> ```

This sounds like a kernel or CPU bug:

(gdb) b legacy
Function "legacy" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (legacy) pending.
(gdb) r
Starting program:
/export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-shstk-legacy-1g 
warning: Unable to find libthread_db matching inferior's thread library, thread
debugging will not be available.

Breakpoint 1, legacy () at ../sysdeps/x86_64/tst-shstk-legacy-1-extra.S:25
25              movq    (%rsp), %rax
(gdb) disass
Dump of assembler code for function legacy:
=> 0x000055555554e0f9 <+0>:     mov    (%rsp),%rax
   0x000055555554e0fd <+4>:     add    $0x8,%rsp
   0x000055555554e101 <+8>:     jmp    *%rax   <<< Shadow srack isn't popped.
End of assembler dump.
(gdb) bt
#0  legacy () at ../sysdeps/x86_64/tst-shstk-legacy-1-extra.S:25
#1  0x00007ffff7fcb2de in call_init (l=<optimized out>, argc=1, 
    argv=0x7fffffffdd68, env=0x7fffffffdd78) at dl-init.c:74
#2  call_init (l=<optimized out>, argc=1, argv=0x7fffffffdd68, 
    env=0x7fffffffdd78) at dl-init.c:26
#3  0x00007ffff7fcb3cc in _dl_init (main_map=0x7ffff7ffe2e0, argc=1, 
    argv=0x7fffffffdd68, env=0x7fffffffdd78) at dl-init.c:121
#4  0x00007ffff7fe32a0 in _dl_start_user ()
   from
/export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/ld.so
#5  0x0000000000000001 in ?? ()
#6  0x00007fffffffe0cb in ?? ()
#7  0x0000000000000000 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fcb2ee in call_init (l=<optimized out>, argc=<optimized out>, 
    argv=<optimized out>, env=<optimized out>) at dl-init.c:76
76      }  <<< Shadow stack mismatch.
(gdb)

[hjl@gnu-tgl-3 libgcc]$ ps xa | grep legacy
 822317 pts/0    Sl+    0:00 gdb elf/tst-shstk-legacy-1g
 822327 pts/0    t      0:00
/export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-shstk-legacy-1g
 822373 pts/2    S+     0:00 grep --color=auto legacy
[hjl@gnu-tgl-3 libgcc]$ grep features /proc/822327/status
x86_Thread_features:    shstk 
x86_Thread_features_locked:     shstk wrss 
[hjl@gnu-tgl-3 libgcc]$ 

Please check if SHSTK is enabled.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/31877] elf/tst-shstk-legacy-1g test failure on znver4

[simon.chopin at canonical dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=31877

--- Comment #5 from Simon Chopin <simon.chopin at canonical dot com> ---
This is on my personal laptop, CPU i7-1185G7 (Tiger Lake)

-- 
You are receiving this mail because:
You are on the CC list for the bug.