Bug 31877 - elf/tst-shstk-legacy-1g test failure on znver4
Status: SUSPENDED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: unspecified
Importance: P2 normal
Assignee: Not yet assigned to anyone
Reported: 2024-06-10 19:42 UTC by Sam James
Modified: 2024-06-18 13:12 UTC

Description Sam James 2024-06-10 19:42:33 UTC
I can reproduce this but it was also reported downstream in Gentoo at https://bugs.gentoo.org/927973.

```
# cat elf/tst-shstk-legacy-1g.test-result
FAIL: elf/tst-shstk-legacy-1g
original exit status 1
```

```
# cat elf/tst-shstk-legacy-1g.out # blank
```

```
# lscpu
Architecture:             x86_64
CPU op-mode(s):         32-bit, 64-bit
Address sizes:          48 bits physical, 48 bits virtual
Byte Order:             Little Endian
CPU(s):                   16
On-line CPU(s) list:    0-15
Vendor ID:                AuthenticAMD
BIOS Vendor ID:         Advanced Micro Devices, Inc.
Model name:             AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics
BIOS Model name:      AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics  None CPU @ 4.0GHz
BIOS CPU family:      107
CPU family:           25
Model:                116
Thread(s) per core:   2
Core(s) per socket:   8
Socket(s):            1
Stepping:             1
Frequency boost:      enabled
CPU(s) scaling MHz:   34%
CPU max MHz:          5263.0000
CPU min MHz:          400.0000
BogoMIPS:             7985.11
Flags:                fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good amd_lbr_v2 nopl xtopology nonstop_tsc cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba perfmon_v2 ibrs ibpb stibp ibrs_enhanced vmmcall fsgsbase bmi1 avx2 smep bmi2 erms invpcid cqm rdt_a avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local user_shstk avx512_bf16 clzero irperf xsaveerptr rdpru wbnoinvd cppc arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold v_vmsave_vmload vgif x2avic v_spec_ctrl vnmi avx512vbmi umip pku ospke avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg avx512_vpopcntdq rdpid overflow_recov succor smca flush_l1d amd_lbr_pmc_freeze
Virtualization features:
Virtualization:         AMD-V
Caches (sum of all):
L1d:                    256 KiB (8 instances)
L1i:                    256 KiB (8 instances)
L2:                     8 MiB (8 instances)
L3:                     16 MiB (1 instance)
NUMA:
NUMA node(s):           1
NUMA node0 CPU(s):      0-15
Vulnerabilities:
Gather data sampling:   Not affected
Itlb multihit:          Not affected
L1tf:                   Not affected
Mds:                    Not affected
Meltdown:               Not affected
Mmio stale data:        Not affected
Reg file data sampling: Not affected
Retbleed:               Not affected
Spec rstack overflow:   Vulnerable: Safe RET, no microcode
Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB conditional; STIBP always-on; RSB filling; PBRSB-eIBRS Not affected; BHI Not affected
Srbds:                  Not affected
Tsx async abort:        Not affected
```

dmesg has these for the other tests as expected:
```
[ 4023.300729] ld-linux-x86-64[3977174] control protection ip:7feae26b8833 sp:7ffed9928168 ssp:7feae23fffd0 error:1(near ret) in tst-shstk-legacy-1b[7feae26b8000+2000]
[ 4023.301270] tst-shstk-legac[3977179] control protection ip:7f3bcaea7443 sp:7ffd5a033148 ssp:7f3bcadfffd8 error:1(near ret) in tst-shstk-legacy-1b-static[7f3bcaea6000+9e000]
[ 4023.304565] ld-linux-x86-64[3977194] control protection ip:7f821de9182b sp:7ffca75f7768 ssp:7f821dbfffe8 error:1(near ret) in tst-shstk-legacy-1e[7f821de91000+2000]
[ 4023.304937] tst-shstk-legac[3977199] control protection ip:7fa4fb2e143b sp:7ffc7c405928 ssp:7fa4fb1ffff0 error:1(near ret) in tst-shstk-legacy-1e-static[7fa4fb2e0000+9e000]
```
Comment 1 Sam James 2024-06-10 19:44:04 UTC
Ubuntu seem to have hit this too at https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2059603 (Simon, was it on znver3/znver4, or Intel HW?)

```
# zgrep -Ei "(ibt|shstk|cet)=" /proc/config.gz
CONFIG_CC_HAS_IBT=y
CONFIG_X86_CET=y
CONFIG_X86_KERNEL_IBT=y
```

```
# uname -a
Linux goop 6.9.3 #1 SMP PREEMPT_DYNAMIC Thu Jun  6 10:29:40 BST 2024 x86_64 AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics AuthenticAMD GNU/Linux
```
Comment 2 H.J. Lu 2024-06-10 20:49:56 UTC
On Intel Tiger Lake, I got

```
[hjl@gnu-tgl-3 build-x86_64-linux]$ GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK elf/tst-shstk-legacy-1g
Segmentation fault (core dumped)
[hjl@gnu-tgl-3 build-x86_64-linux]$ echo $?
139
[hjl@gnu-tgl-3 build-x86_64-linux]$
```

What did you get?
Comment 3 Sam James 2024-06-10 20:51:25 UTC
```
# GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK elf/tst-shstk-legacy-1g ; echo $?
Expected signal 'Segmentation fault' from child, got none
1
```
Comment 4 H.J. Lu 2024-06-10 21:13:19 UTC
(In reply to Sam James from comment #3)
> ```
> # GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK elf/tst-shstk-legacy-1g ; echo $?
> Expected signal 'Segmentation fault' from child, got none
> 1
> ```

This sounds like a kernel or CPU bug:

```
(gdb) b legacy
Function "legacy" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (legacy) pending.
(gdb) r
Starting program: /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-shstk-legacy-1g 
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.

Breakpoint 1, legacy () at ../sysdeps/x86_64/tst-shstk-legacy-1-extra.S:25
25		movq	(%rsp), %rax
(gdb) disass
Dump of assembler code for function legacy:
=> 0x000055555554e0f9 <+0>:	mov    (%rsp),%rax
   0x000055555554e0fd <+4>:	add    $0x8,%rsp
   0x000055555554e101 <+8>:	jmp    *%rax   <<< Shadow stack isn't popped.
End of assembler dump.
(gdb) bt
#0  legacy () at ../sysdeps/x86_64/tst-shstk-legacy-1-extra.S:25
#1  0x00007ffff7fcb2de in call_init (l=<optimized out>, argc=1, 
    argv=0x7fffffffdd68, env=0x7fffffffdd78) at dl-init.c:74
#2  call_init (l=<optimized out>, argc=1, argv=0x7fffffffdd68, 
    env=0x7fffffffdd78) at dl-init.c:26
#3  0x00007ffff7fcb3cc in _dl_init (main_map=0x7ffff7ffe2e0, argc=1, 
    argv=0x7fffffffdd68, env=0x7fffffffdd78) at dl-init.c:121
#4  0x00007ffff7fe32a0 in _dl_start_user ()
   from /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/ld.so
#5  0x0000000000000001 in ?? ()
#6  0x00007fffffffe0cb in ?? ()
#7  0x0000000000000000 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fcb2ee in call_init (l=<optimized out>, argc=<optimized out>, 
    argv=<optimized out>, env=<optimized out>) at dl-init.c:76
76	}  <<< Shadow stack mismatch.
(gdb)
```

```
[hjl@gnu-tgl-3 libgcc]$ ps xa | grep legacy
 822317 pts/0    Sl+    0:00 gdb elf/tst-shstk-legacy-1g
 822327 pts/0    t      0:00 /export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-shstk-legacy-1g
 822373 pts/2    S+     0:00 grep --color=auto legacy
[hjl@gnu-tgl-3 libgcc]$ grep features /proc/822327/status
x86_Thread_features:	shstk 
x86_Thread_features_locked:	shstk wrss 
[hjl@gnu-tgl-3 libgcc]$
```

Please check if SHSTK is enabled.
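
The two checks used in this thread, the `x86_Thread_features` lines in `/proc/<pid>/status` and the kernel's `control protection` log lines, written as shell helpers. This is an added example, not part of the bug report or of glibc; the function names are hypothetical and the sample data in `demo()` is constructed.

```shell
#!/bin/sh
# Added example; the sample data in demo() is constructed, not captured.

# shstk_state FILE: FILE is a copy of /proc/<pid>/status. Prints
#   no-field  no x86_Thread_features line in the file
#   off       line present, shstk not listed
#   on        shstk enabled, not locked
#   locked    shstk enabled and locked
shstk_state() {
    awk '
        $1 == "x86_Thread_features:" {
            seen = 1
            for (i = 2; i <= NF; i++) if ($i == "shstk") on = 1
        }
        $1 == "x86_Thread_features_locked:" {
            for (i = 2; i <= NF; i++) if ($i == "shstk") locked = 1
        }
        END {
            if (!seen) print "no-field"
            else if (!on) print "off"
            else if (locked) print "locked"
            else print "on"
        }' "$1"
}

# cp_faults LOG: objects named after " in " on "control protection" lines.
cp_faults() {
    sed -n 's/.* control protection .* in \([^[]*\)\[.*/\1/p' "$1" | sort -u
}

# missing_faults LOG NAME...: NAMEs with no control-protection line in LOG,
# i.e. tests expected to trip the shadow stack that left no kernel record.
missing_faults() {
    log=$1; shift
    for name in "$@"; do
        cp_faults "$log" | grep -qxF "$name" || echo "$name"
    done
}

demo() {
    d=$(mktemp -d)
    printf 'x86_Thread_features:\tshstk \nx86_Thread_features_locked:\tshstk wrss \n' > "$d/status"
    printf '%s\n' '[ 1.0] ld-linux-x86-64[100] control protection ip:7f0000001833 sp:7ffe00000168 ssp:7f00003fffd0 error:1(near ret) in tst-shstk-legacy-1b[7f0000001000+2000]' > "$d/log"
    shstk_state "$d/status"
    missing_faults "$d/log" tst-shstk-legacy-1b tst-shstk-legacy-1g
    rm -rf "$d"
}
demo
```

On a live system, pass `/proc/<pid>/status` of the stopped test process to `shstk_state` and a saved `dmesg` capture to `missing_faults`.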
Comment 5 Simon Chopin 2024-06-18 13:12:04 UTC
This is on my personal laptop, CPU i7-1185G7 (Tiger Lake)