QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-s390x

Bug #1883984 reported by Nelson H F Beebe
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Undecided
Unassigned
qemu (Ubuntu)
Undecided
Unassigned
Focal
Medium
Unassigned

Bug Description

[Impact]

 * An instruction was described wrong so that on usage the program would
   crash.

[Test Case]

 * Run s390x in emulation and there use this program:
   For simplicity and speed you can use KVM guest as usual on s390x, that
   after prep&install&compile of the test you run in qemu-tcg like:

   $ sudo qemu-system-s390x -machine s390-ccw-virtio,accel=tcg -cpu max,zpci=on -serial mon:stdio -display none -m 4096 -nic user,model=virtio,hostfwd=tcp::2222-:22 -drive file=/var/lib/uvtool/libvirt/images/focal-sqxbr.qcow,if=none,id=drive-virtio-disk0,format=qcow2,cache=none -device virtio-blk-ccw,devno=fe.0.0001,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1,scsi=off
   Obviously is you have no s390x access you need to use emulation right
   away.

 * Build and run failing program
   $ sudo apt install clang
   $ cat > bug-sqrtl-one-line.c << EOF
int main(void) { volatile long double x, r; x = 4.0L; __asm__
__volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}
EOF
   $ cc bug-sqrtl-one-line.c
   $ ./a.out
   Segmentation fault (core dumped)

   qemu is dead by now as long as the bug is present

[Regression Potential]

 * The change only modifies 128 bit square root on s390x so regressions
   should be limited to exactly that - which formerly before this fix was
   a broken instruction.

[Other Info]

 * n/a

---

In porting software to guest Ubuntu 18.04 and 20.04 VMs for S/390x, I discovered
that some of my own numerical programs, and also a GNU configure script for at
least one package with CC=clang, would cause an instant crash of the VM, sometimes
also destroying recently opened files, and producing long strings of NUL characters
in /var/log/syslog in the S/390 guest O/S.

Further detective work narrowed the cause of the crash down to a single IBM S/390
instruction: sqxbr (128-bit IEEE 754 square root). Here is a one-line program
that when compiled and run on a VM hosted on QEMUcc emulator version 4.2.0
(Debian 1:4.2-3ubuntu6.1) [hosted on Ubuntu 20.04 on a Dell Precision 7920
workstation with an Intel Xeon Platinum 8253 CPU], and also on QEMU emulator
version 5.0.0, reproducibly produces a VM crash under qemu-system-s390x.

% cat bug-sqrtl-one-line.c
int main(void) { volatile long double x, r; x = 4.0L; __asm__ __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}

% cc bug-sqrtl-one-line.c && ./a.out
Segmentation fault (core dumped)

The problem code may be the function float128_sqrt() defined in qemu-5.0.0/fpu/softfloat.c
starting at line 7619. I have NOT attempted to run the qemu-system-s390x executable
under a debugger. However, I observe that S/390 is the only CPU family that I know of,
except possibly for a Fujitsu SPARC-64, that has a 128-bit square root in hardware.
Thus, this instruction bug may not have been seen before.

Related branches

CVE References

Revision history for this message
Bruno Haible (bruno-clisp) wrote :

Another way to reproduce this bug is with qemu-s390x and a cross-compiled binary:

$ s390x-linux-gnu-gcc-5 -static -o bug-sqrtl-one-line.s390x bug-sqrtl-one-line.c
$ qemu-s390x bug-sqrtl-one-line.s390x
Segmentation fault (core dumped)

Find attached the binary.

Revision history for this message
Richard Henderson (rth) wrote :

With --enable-debug,

qemu-s390x: /home/rth/qemu/qemu/include/tcg/tcg.h:687: temp_idx: Assertion `n >= 0 && n < tcg_ctx->nb_temps' failed.

which turns out to be related to a null-pointer temporary.

Changed in qemu:
status: New → Confirmed
Revision history for this message
Bruno Haible (bruno-clisp) wrote :

I confirm that the patch https://lists.gnu.org/archive/html/qemu-s390x/2020-06/msg00213.html fixes the issue, both for qemu-s390x and qemu-system-s390x.

Thanks Richard!

Richard Henderson (rth)
Changed in qemu:
status: Confirmed → Fix Committed
Changed in qemu (Ubuntu):
status: New → In Progress
assignee: nobody → Christian Ehrhardt  (paelzer)
Changed in qemu (Ubuntu Focal):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:5.0-5ubuntu4

---------------
qemu (1:5.0-5ubuntu4) groovy; urgency=medium

  * xen: provide compat links to what libxen-dev reports where to find
    the binaries (LP: #1890005)
  * d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
    SQXBR (LP: #1883984)
  * d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP: #1890154)

 -- Christian Ehrhardt <email address hidden> Mon, 03 Aug 2020 07:15:28 +0200

Changed in qemu (Ubuntu):
status: In Progress → Fix Released
description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Changed in qemu (Ubuntu):
assignee: Christian Ehrhardt  (paelzer) → nobody
Thomas Huth (th-huth)
Changed in qemu:
status: Fix Committed → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Nelson, or anyone else affected,

Accepted qemu into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in qemu (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (qemu/1:4.2-3ubuntu6.5)

All autopkgtests for the newly accepted qemu (1:4.2-3ubuntu6.5) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-image/1.9+20.04ubuntu1 (amd64)
systemd/245.4-4ubuntu3.2 (amd64, armhf, s390x, ppc64el)
livecd-rootfs/2.664.4 (amd64, arm64, s390x, ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#qemu

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

old version
sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.4
...test as listed in the test instructions ...

ubuntu@focal-sqxbr:~$ ./a.out
Segmentation fault
(qemu is dead at this point)

$ sudo apt install qemu-system-s390x=1:4.2-3ubuntu6.5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  qemu-system-s390x
1 upgraded, 0 newly installed, 0 to remove and 315 not upgraded.
Need to get 2334 kB of archives.
After this operation, 4096 B of additional disk space will be used.
Get:1 http://ports.ubuntu.com focal-proposed/main s390x qemu-system-s390x s390x 1:4.2-3ubuntu6.5 [2334 kB]
Fetched 2334 kB in 1s (3927 kB/s)
(Reading database ... 203254 files and directories currently installed.)
Preparing to unpack .../qemu-system-s390x_1%3a4.2-3ubuntu6.5_s390x.deb ...
Unpacking qemu-system-s390x (1:4.2-3ubuntu6.5) over (1:4.2-3ubuntu6.4) ...
Setting up qemu-system-s390x (1:4.2-3ubuntu6.5) ...
Processing triggers for man-db (2.9.3-2) ...
ubuntu@s1lp05:~$

ubuntu@focal-sqxbr:~$ ./a.out
(no crash)

Setting verified

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for qemu has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:4.2-3ubuntu6.5

---------------
qemu (1:4.2-3ubuntu6.5) focal; urgency=medium

  * further stabilize qemu by importing patches of qemu v4.2.1
    Fixes (LP: #1891203) and (LP: #1891877)
    - d/p/stable/lp-1891877-*
    - as part of the stabilization this also fixes an
      riscv emulation issue due to the CVE-2020-13754 fixes via
      d/p/ubuntu/hw-riscv-Allow-64-bit-access-to-SiFive-CLINT.patch
  * fix s390x SQXBR emulation (LP: #1883984)
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
  * fix -no-reboot for s390x protvirt guests (LP: #1890154)
    - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*

 -- Christian Ehrhardt <email address hidden> Wed, 19 Aug 2020 13:40:49 +0200

Changed in qemu (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers