glibc/s390: Save and restore fprs/vrs while resolving symbols.

Bug #1564918 reported by bugproxy on 2016-04-01
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Undecided
Unassigned
glibc (Ubuntu)
High
Adam Conrad

Bug Description

== Comment: #0 - Stefan Liebler <email address hidden> - 2016-04-01 08:33:44 ==
On s390, no fpr/vrs were saved while resolving a symbol
via _dl_runtime_resolve/_dl_runtime_profile.

According to the abi, the fpr-arguments are defined as call clobbered.
In leaf-functions, gcc 4.9 and newer can use fprs for saving/restoring gprs
instead of saving them to the stack.
If gcc do this in one of the resolver-functions, then the floating point
arguments of a library-function are invalid for the first library-function-call.
Thus, this patch (see below) saves/restores the fprs around the resolving code.

The same could occur for vector registers. Furthermore an ifunc-resolver
could also clobber the vector/floating point argument registers.
Thus this patch provides the further variants _dl_runtime_resolve_vx/
_dl_runtime_profile_vx, which are used if the kernel claims, that
we run on a machine with vector registers.

Furthermore, if _dl_runtime_profile calls _dl_call_pltexit,
the pointers to inregs-/outregs-structs were setup invalid.
Now they point to the correct location in the stack-frame.
Before branching back to the caller, the return values are now
restored instead of containing the return values of the
_dl_call_pltexit() call.
On s390-32, an endless loop occurs if _dl_call_pltexit() should be called.
Now, this code-path branches to this function instead of just after the
preceding basr-instruction.

(Picked from upstream commits 4603c51ef7989d7eb800cdd6f42aab206f891077
and d8a012c5c9e4bfc1b8db2bc6deacb85b44a2e1eb)

Starting with z13, vector registers can also occur as argument registers.
Thus the passed input/output register structs for
la_s390_[32|64]_gnu_plt[enter|exit] functions should reflect those new
registers. This patch extends these structs La_s390_regs and La_s390_retval
and adjusts _dl_runtime_profile() to handle those fields in case of
running on a z13 machine.

(picked from upstream commit 5cdd1989d1d2f135d02e66250f37ba8e767f9772)

These upstream patches are also backported to glibc 2.23 release branch:
S390: Save and restore fprs/vrs while resolving symbols.
https://sourceware.org/git/?p=glibc.git;a=commit;h=d93f04543c68c461bd90294751f5fa532a24680c

S390: Extend structs La_s390_regs / La_s390_retval with vector-registers.
https://sourceware.org/git/?p=glibc.git;a=commit;h=0eb234232eaf925fe4dca3bd60a3e1b4a7ab2882

Please pull both and add it to ubuntu glibc package.

CVE References

bugproxy (bugproxy) on 2016-04-01
tags: added: architecture-s39064 bugnameltc-139912 severity-high targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Gary Gaydos (gmgaydos) on 2016-04-01
affects: ubuntu → glibc (Ubuntu)
Changed in glibc (Ubuntu):
assignee: Skipper Bug Screeners (skipper-screen-team) → Adam Conrad (adconrad)
Changed in glibc (Ubuntu):
importance: Undecided → High

------- Comment From <email address hidden> 2016-04-11 10:51 EDT-------
Canonical, will these updates been taken for glibc?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.23-0ubuntu3

---------------
glibc (2.23-0ubuntu3) xenial; urgency=medium

  * Merge with 2.23 from experimental, bringing in upstream updates:
    - Save/restore fprs/vrs while resolving symbols (LP: #1564918)
    - Fix _nss_dns_getnetbyname_r() stack overflow (CVE-2016-3075)
    - Merge libnss-dns-udeb and libnss-files-udeb into libc6-udeb.
  * Tidy up locale-gen, thanks to Gunnar Hjalmarsson (LP: #1560577):
    - Fix thinko that broke handling of multiple locale arguments.
    - Recognize UTF-8 locales without charset suffix in SUPPORTED.
    - Fix bug that led to the unsupported message not being shown.
  * Show reboot-required notification for all updates (LP: #1546457)

 -- Adam Conrad <email address hidden> Thu, 14 Apr 2016 10:26:16 -0600

Changed in glibc (Ubuntu):
status: New → Fix Released
dann frazier (dannf) on 2016-04-26
Changed in ubuntu-z-systems:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers