
Misaligned stack leads to dynamic linker crash

Running programs compiled with GHC crashes the glibc dynamic linker.
This happens because GHC does not keep the stack correctly aligned at
the point where a call triggers lazy symbol resolution, so the resolver
runs on a misaligned stack.

Example:

 markus@x4 glibc-build % gdb --args /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
Reading symbols from /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2...done.
(gdb) run
Starting program: /var/tmp/glibc-build/elf/ld-linux-x86-64.so.2 /home/markus/bin/xmonad
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb", undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170, symbol_scope=0x7ffff7649828, version=0x0, 
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
809       struct sym_val current_value = { NULL, NULL };
(gdb) bt
#0  _dl_lookup_symbol_x (undef_name=0x7ffff75cb3c5 "__gmpn_invert_limb", undef_map=0x7ffff76494d0, ref=ref@entry=0x7fffffffa170, symbol_scope=0x7ffff7649828, version=0x0, 
    type_class=type_class@entry=1, flags=1, skip_map=0x0) at dl-lookup.c:809
#1  0x0000555555564413 in _dl_fixup (l=<optimized out>, reloc_arg=<optimized out>) at ../elf/dl-runtime.c:111
#2  0x000055555556ce1f in _dl_runtime_resolve_sse () at ../sysdeps/x86_64/dl-trampoline.h:112
#3  0x00007ffff762093a in __gmpn_divrem_1 () from /usr/lib/libgmp.so.10
#4  0xee6b280000000000 in ?? ()
#5  0x00007ffff6b0b138 in ?? ()
#6  0x00007ffff6b057d0 in ?? ()
#7  0x00000000ffffffe2 in ?? ()
#8  0x00007ffff6b057b8 in ?? ()
#9  0x00007ffff6b051b0 in ?? ()
#10 0x00007ffff6b0b1b0 in ?? ()
#11 0x00000000006b47d8 in ?? ()
#12 0x00000000006142a9 in ?? ()
#13 0x0000000000000000 in ?? ()
(gdb) disass
Dump of assembler code for function _dl_lookup_symbol_x:
...
=> 0x000055555555e93a <+154>:   movaps %xmm0,-0x80(%rbp)


The crash happens because the stack pointer on entry to _dl_lookup_symbol_x is misaligned, as the register dump and the function prologue below show:

rax            0xffffffff       4294967295
rbx            0x7ffff763c360   140737343898464
rcx            0x7ffff75cb3d7   140737343435735
rdx            0x0      0
rsi            0x33f9b936d4fb49a0       3745228210287888800
rdi            0x7ffff75cb3c5   140737343435717
rbp            0x7fffffffa148   0x7fffffffa148
rsp            0x7fffffffa058   0x7fffffffa058
r8             0x0      0
r9             0x1      1
r10            0x7ffff76494d0   140737343952080
r11            0x7ffff7620840   140737343785024
r12            0x0      0
r13            0x0      0
r14            0x7ffff76494d0   140737343952080
r15            0x7fffffffa170   140737488331120
rip            0x55555555e93a   0x55555555e93a <_dl_lookup_symbol_x+154>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

0000000000001470 <_dl_lookup_symbol_x>:
    1470:       55                      push   %rbp
    1471:       48 89 e5                mov    %rsp,%rbp
    1474:       41 57                   push   %r15
    1476:       41 56                   push   %r14
    1478:       41 55                   push   %r13
    147a:       41 54                   push   %r12
    147c:       49 89 d5                mov    %rdx,%r13
    147f:       53                      push   %rbx
    1480:       49 89 f7                mov    %rsi,%r15
    1483:       4d 89 c6                mov    %r8,%r14
    1486:       48 81 ec a8 00 00 00    sub    $0xa8,%rsp
    148d:       0f b6 17                movzbl (%rdi),%edx
    1490:       48 89 bd 68 ff ff ff    mov    %rdi,-0x98(%rbp)
    1497:       48 89 8d 50 ff ff ff    mov    %rcx,-0xb0(%rbp)
    149e:       44 89 8d 5c ff ff ff    mov    %r9d,-0xa4(%rbp)
    14a5:       4c 8b 65 18             mov    0x18(%rbp),%r12
    14a9:       84 d2                   test   %dl,%dl
    14ab:       0f 84 cb 02 00 00       je     177c <_dl_lookup_symbol_x+0x30c>
    14b1:       48 89 f9                mov    %rdi,%rcx
    14b4:       b8 05 15 00 00          mov    $0x1505,%eax
    14b9:       0f 1f 80 00 00 00 00    nopl   0x0(%rax)
    14c0:       48 89 c6                mov    %rax,%rsi
    14c3:       48 83 c1 01             add    $0x1,%rcx
    14c7:       48 c1 e6 05             shl    $0x5,%rsi
    14cb:       48 01 f0                add    %rsi,%rax
    14ce:       48 01 d0                add    %rdx,%rax
    14d1:       0f b6 11                movzbl (%rcx),%edx
    14d4:       84 d2                   test   %dl,%dl
    14d6:       75 e8                   jne    14c0 <_dl_lookup_symbol_x+0x50>
    14d8:       89 c0                   mov    %eax,%eax
    14da:       48 89 85 60 ff ff ff    mov    %rax,-0xa0(%rbp)
    14e1:       66 0f ef c0             pxor   %xmm0,%xmm0
    14e5:       b8 ff ff ff ff          mov    $0xffffffff,%eax
    14ea:       4d 85 f6                test   %r14,%r14
    14ed:       48 89 85 78 ff ff ff    mov    %rax,-0x88(%rbp)
=>  14f4:       0f 29 45 80             movaps %xmm0,-0x80(%rbp)

(0x7fffffffa058 + 0xa8) % 16 == 0 (instead of the correct 8)

Undoing the `sub $0xa8,%rsp` gives the stack pointer after the six pushes in the prologue; with the ABI-mandated entry alignment (rsp ≡ 8 mod 16 after the call pushes its return address) that value would be ≡ 8 mod 16. Here it is ≡ 0, so rbp = 0x7fffffffa148 is only 8-byte aligned and the `movaps %xmm0,-0x80(%rbp)` (address 0x7fffffffa0c8) faults on a non-16-byte-aligned operand.

Please see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68537
for further info.
Trac metadata
Trac field Value
Version 7.10.2
Type Bug
TypeOfFailure OtherFailure
Priority normal
Resolution Unresolved
Component Compiler
Test case
Differential revisions
BlockedBy
Related
Blocking
CC
Operating system
Architecture