Bug 1219395 - libx86 segfault accessing address 0
Summary: libx86 segfault accessing address 0
Status: NEW
Alias: None
Product: openSUSE Backports
Classification: openSUSE
Component: Packages
Version: SLE-15-SP5
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Stefan Seyfried
QA Contact: E-Mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-31 08:49 UTC by Jiri Belka
Modified: 2024-01-31 20:15 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
getappcore output (831.11 KB, application/x-xz-compressed-tar)
2024-01-31 08:49 UTC, Jiri Belka

Description Jiri Belka 2024-01-31 08:49:04 UTC
Created attachment 872339
getappcore output

read-edid-3.0.2-bp155.3.9.x86_64
sles-release-15.5-150500.43.4.x86_64

avocado:~ # get-edid
This is read-edid version 3.0.2. Prepare for some fun.
Attempting to use i2c interface
Looks like no busses have an EDID. Sorry!
Attempting to use the classical VBE interface
Illegal instruction (core dumped)

avocado:~ # coredumpctl list
TIME                          PID UID GID SIG    COREFILE EXE                SIZE
Wed 2024-01-31 08:07:15 CET 31656   0   0 SIGILL present  /usr/bin/get-edid 27.3K
Wed 2024-01-31 08:09:05 CET 31755   0   0 SIGILL present  /usr/bin/get-edid 27.3K

avocado:~ # systool -vc drm | grep -P 'Class Device path = .*drm/card'
  Class Device path = "/sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0-VGA-1"
  Class Device path = "/sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0"
  Class Device path = "/sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0-Virtual-1"

avocado:~ # ls -1 /sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0*/edid
/sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0-VGA-1/edid
/sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0-Virtual-1/edid


But, `edid' files do not provide any data, there is no monitor attached to it.

ls -1 /sys/devices/pci0000:00/0000:00:1c.5/0000:02:00.0/0000:03:00.0/drm/card0/card0*/edid | xargs -L 1 od -A n -t x1 | wc -l
0
Comment 1 Marcus Meissner 2024-01-31 08:52:54 UTC
Michal, you touched it last ... can you take a look?
Comment 2 Jiri Belka 2024-01-31 10:02:31 UTC
I assume this tool is too old to work correctly:

jb155sapqe02:~ # get-edid
This is read-edid version 3.0.2. Prepare for some fun.
Attempting to use i2c interface
Looks like no busses have an EDID. Sorry!
Attempting to use the classical VBE interface
open /dev/mem: Operation not permitted
error initialising realmode interface
do you have full superuser (root) permissions?
I'm sorry nothing was successful. Maybe try some other arguments
if you played with them, or send an email to Matthew Kern <pyrophobicman@gmail.com>.

jb155sapqe02:~ # dmesg | grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.017138] secureboot: Secure boot enabled
[    2.348429] Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: a746b64b6cb71f13385638055f46162bac632acd'
[    2.404620] integrity: Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot CA: ecab0d42c456cf770436b973993862965e87262f'
[    2.410829] Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: a746b64b6cb71f13385638055f46162bac632acd'
Comment 3 Jiri Belka 2024-01-31 10:05:07 UTC
compiled edid-decode from GH:

ls -1 /sys/class/drm/card0/card0*/edid | xargs -I '{}' bash -c 'ls -l {}; cat {} | ./edid-decode - | head ; echo'
-r--r--r-- 1 root root 0 Jan 31 09:50 /sys/class/drm/card0/card0-Virtual-1/edid
EDID version: 1.4
Manufacturer: RHT Model 1234 Serial Number 0
Made in week 42 of 2014
Digital display
8 bits per primary color channel
DisplayPort interface
Maximum image size: 32 cm x 20 cm
Gamma: 2.20
Supported color formats: RGB 4:4:4
Default (sRGB) color space is primary color space
time to drop read-edid? :)
Comment 4 Michal Suchanek 2024-01-31 10:40:05 UTC
Works for me

# get-edid | parse-edid
This is read-edid version 3.0.2. Prepare for some fun.
Attempting to use i2c interface
No EDID on bus 0
No EDID on bus 1
No EDID on bus 2
No EDID on bus 3
No EDID on bus 4
No EDID on bus 5
No EDID on bus 6
No EDID on bus 7
No EDID on bus 8
No EDID on bus 11
No EDID on bus 12
No EDID on bus 13
Problem requesting slave address: Device or resource busy
No EDID on bus 15
Problem requesting slave address: Device or resource busy
No EDID on bus 17
2 potential busses found: 9 10
Will scan through until the first EDID is found.
Pass a bus number as an option to this program to go only for that one.
256-byte EDID successfully retrieved from i2c bus 9
Looks like i2c was successful. Have a good day.
Checksum Correct

Section "Monitor"
	Identifier ""
	ModelName ""
	VendorName "BOE"
	# Monitor Manufactured week 23 of 2019
	# EDID version 1.4
	# Digital Display
	DisplaySize 280 190
	Gamma 2.20
	Option "DPMS" "false"
	Modeline 	"Mode 0" +hsync -vsync 
	Modeline 	"Mode 1" +hsync -vsync 
EndSection
Comment 5 Jiri Belka 2024-01-31 11:07:21 UTC
The crash was from a system without any monitor attached, as written in comment #0.
Comment 6 Michal Suchanek 2024-01-31 11:15:12 UTC
I suppose the problem would be that the system is not locked down, it reads something from /dev/mem, and fails parsing it.
Comment 7 Michal Suchanek 2024-01-31 11:16:16 UTC
Also it needs the i2c-dev module loaded to do anything useful but does not check for it being loaded - patches welcome :)
Comment 8 Michal Suchanek 2024-01-31 11:26:30 UTC
So it tries to run the x86 emulator on something that it assumes will give the VBE data, and it segfaults instead. Hard to debug without having that particular BIOS, and not really something I want to support. If it works for you, great. If not there is an option to disable the classic VBE BIOS reads. Maybe it could be the default to prevent executing random garbage.

#0  0x00007f1dd877116f in LRMI_init () at thunk.c:172
172		*((char *)0) = 0x4f; /* Make sure that we end up jumping back to a
(gdb) bt full
#0  0x00007f1dd877116f in LRMI_init () at thunk.c:172
        i = <optimized out>
        intFuncs = {0x7f1dd8770fd0 <x86emu_do_int> <repeats 256 times>}
        pioFuncs = {inb = 0x7f1dd8770e50 <x_inb>, inw = 0x7f1dd8770e60 <x_inw>, inl = 0x7f1dd8770e70 <x_inl>, outb = 0x7f1dd8770e80 <x_outb>, outw = 0x7f1dd8770e90 <x_outw>, outl = 0x7f1dd8770ea0 <x_outl>}
#1  0x000055ea99e99691 in classicmain (contr=0, qit=<optimized out>) at /usr/src/debug/read-edid-3.0.2-bp155.3.9.x86_64/get-edid/classic.c:131
        controller = 0
        error = <optimized out>
        output = <optimized out>
#2  0x000055ea99e9860b in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/read-edid-3.0.2-bp155.3.9.x86_64/get-edid/get-edid.c:132
        i = <optimized out>
Comment 9 Michal Suchanek 2024-01-31 18:56:17 UTC
Probably the real bug is in libx86 or whatever it's called. If it wants to do

*((char *)0) = 0x4f; 

it needs to ensure that the first page is mapped.
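An added example, not code from this bug report and not read-edid's or libx86's own code: a small C preflight for the two paths get-edid tries, covering the three checks the thread asks for. Comment 7 wants the i2c-dev driver checked before the i2c scan; comment 2's output shows EFI lockdown closing /dev/mem, so the VBE path can be skipped up front; comment 9 says the `*((char *)0) = 0x4f;` write at thunk.c:172 must only run once the first page is actually mapped. What libx86 does beyond that one line is not on this page; an anonymous MAP_FIXED mapping at address 0 is the assumed equivalent, and the /proc and /sys paths are the standard Linux ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of asking for page 0, which the `*((char *)0) = 0x4f;` line in the backtrace needs. */
enum low_page_status {
    LOW_PAGE_MAPPED,  /* page 0 is ours now; the write is safe */
    LOW_PAGE_REFUSED, /* EPERM/EACCES: vm.mmap_min_addr (or an LSM) blocks it without CAP_SYS_RAWIO */
    LOW_PAGE_ERROR    /* any other mmap failure; see errno */
};

/* Is the i2c-dev driver registered? It creates /sys/class/i2c-dev when it is (comment 7). */
int i2c_dev_available(void)
{
    return access("/sys/class/i2c-dev", F_OK) == 0;
}

/* Returns vm.mmap_min_addr, or -1 if the sysctl cannot be read. */
long read_mmap_min_addr(void)
{
    long v = -1;
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f && fscanf(f, "%ld", &v) != 1)
        v = -1;
    if (f)
        fclose(f);
    return v;
}

/* Picks the active mode out of a line shaped like /sys/kernel/security/lockdown,
 * e.g. "[none] integrity confidentiality" -> "none". Returns 0, or -1 if no [..]. */
int parse_lockdown_line(const char *line, char *out, size_t outlen)
{
    const char *lb = strchr(line, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    size_t n;
    if (!lb || !rb || outlen == 0)
        return -1;
    n = (size_t)(rb - lb - 1);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, lb + 1, n);
    out[n] = '\0';
    return 0;
}

/* Reads the kernel lockdown mode; "unknown" if the file is absent or unreadable. */
const char *lockdown_mode(char *out, size_t outlen)
{
    char line[128];
    FILE *f = fopen("/sys/kernel/security/lockdown", "r");
    if (!f || !fgets(line, sizeof line, f) || parse_lockdown_line(line, out, outlen) != 0)
        snprintf(out, outlen, "unknown");
    if (f)
        fclose(f);
    return out;
}

/* Hardened version of the step that crashed: ask the kernel for page 0 (MAP_FIXED, since
 * nothing else lives there in a normal process) and report the outcome instead of
 * dereferencing address 0 unconditionally. On LOW_PAGE_MAPPED the caller must munmap it. */
enum low_page_status try_map_low_page(int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    *err = (p == MAP_FAILED) ? errno : 0;
    if (p == MAP_FAILED)
        return (*err == EPERM || *err == EACCES) ? LOW_PAGE_REFUSED : LOW_PAGE_ERROR;
    if (p != (void *)0) { /* cannot happen with MAP_FIXED, but never write through 0 on trust */
        munmap(p, page);
        *err = EFAULT;
        return LOW_PAGE_ERROR;
    }
    return LOW_PAGE_MAPPED;
}

int main(void)
{
    char mode[32];
    int err = 0;
    enum low_page_status st;
    printf("i2c-dev: %s, vm.mmap_min_addr: %ld, lockdown: %s\n",
           i2c_dev_available() ? "present" : "absent", read_mmap_min_addr(),
           lockdown_mode(mode, sizeof mode));
    st = try_map_low_page(&err);
    if (st == LOW_PAGE_MAPPED) {
        char *volatile low = (char *)0; /* volatile copy: stops the compiler folding a known-null deref */
        *low = 0x4f; /* the write from thunk.c:172, now known to be backed by a mapping */
        printf("page 0 mapped, wrote 0x%02x at address 0\n", *low);
        munmap((void *)0, (size_t)sysconf(_SC_PAGESIZE));
    } else {
        printf("page 0 unavailable (status %d, %s); skip the VBE path\n", st, strerror(err));
    }
    return 0;
}
```

On a host with the usual vm.mmap_min_addr of 65536 and no CAP_SYS_RAWIO, try_map_low_page() returns LOW_PAGE_REFUSED with EPERM: that sysctl exists to keep page 0 unmappable so a kernel NULL-pointer dereference cannot be turned into code execution, so the refusal is the expected result on a hardened system, and the right reaction is the one comment 8 suggests (skip the classic VBE path) rather than the SIGILL/segfault the reporter saw. Run as root on a box that is not locked down, the example actually maps page 0 and performs the write; on the locked-down SLE host from comment 2 the lockdown check alone already says /dev/mem is off limits, so the attempt can be skipped before touching mmap at all.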
Comment 10 Stefan Seyfried 2024-01-31 20:09:59 UTC
Sorry, I have touched libx86 last in 2008 when I was still at SUSE ;-)
I just learned that I am still officially its maintainer.

I'll request it being dropped from Factory if nobody else can take over now.
Comment 11 Stefan Seyfried 2024-01-31 20:15:18 UTC
Droprequest: https://build.opensuse.org/request/show/1143135