From owner-freebsd-hackers@freebsd.org  Wed Jun 12 04:54:10 2019
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5B20E15CED0D
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Wed, 12 Jun 2019 04:54:10 +0000 (UTC)
 (envelope-from marklmi@yahoo.com)
Received: from sonic301-20.consmr.mail.gq1.yahoo.com
 (sonic301-20.consmr.mail.gq1.yahoo.com [98.137.64.146])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CFC598D232
 for <freebsd-hackers@freebsd.org>; Wed, 12 Jun 2019 04:54:08 +0000 (UTC)
 (envelope-from marklmi@yahoo.com)
X-YMail-OSG: H5DNLScVM1l5heb0xBT7HURupzJeie6g6OLNXYQIbXu..WCbtPOPqXWKgUFrH5x
 zsyraFkKd_R8XSEj3HIuMY2gF8cd6U4Qzf57pqTkzkFKZXb403y_JTUBN6L7.YIO7Z7j2WUBTtqs
 JxWAbMrnOaWnPfqli1NiGMXeqwkREzn1BK6GCS9sK_EzWzQLZtm7dYtlD6OcVCCJqwzJDIOMOZj2
 o3svJKjNNEbYCn3joEv1l.GqRtVbfCXoy5DoXqUbzljWss3pNYStuOUUS73sMAheCSQ6TgMW_Bx1
 lapP4bmeHNBqKdfyBEJuYKj5y6tGyE.7m3s1aRARO6x3WIRRCMoD1uQwChOwsTkkRTdjetMAhMzs
 5ckZOpMyf8aMHEwqCFogC1m9ECYSBCoruSwPU8W4ru3Z3MbSE1T0FpR7HD51jEO0CVkF7acKF04g
 g_E1BDlweN4S2A.IbaNsHOwMDnM7CMyQaXqbgC5PArn4ax9dosmeJg3x36pE0OKW.liT.4DObvUn
 5xblIatTL2C7CgTRgjhGUqC9n9bvARPUiypzdhmtwlooRNbBANHBCNV.QihNMSlDxDbhqgwkJCTQ
 jJH9d03_ztHA5Ak7ppiE4OEbXnXyzKOEGnnJLrSMYA7MlStiJ0aPX5YdLdDxRuTS0BoxHtlUrs.5
 1Xvwr.ShY6HeuVMgV4Oouncavpkk_..xNj9QkB.v3t3wnv7vYXcplfqpwBnzTxXd8o_udJlDJEO6
 390QH0IDI_1onyHCoPNWgA2MmUUhjF7hnVZkWThljqOiw4xyd6kHgTcLqz_O__fwuoaBGQ2ZAMyJ
 hyuIyk9H0HMzwO4Gg79p.HxLgyM916tGdDSxThq92qXfaJcD8Dd.Gd1NaJ8zevOUrZZ34T0f0OBO
 RjI4RJeuVwUN6n6rohJLCMY8bN.suVyIzgOjbE19wacQtMtT9Zxx2vxqX1EFFtc12r5wMOAeLcXy
 U1FtqLSuBQ8tsljjbSxPuctv6CpznSF3qvB9h_EV6dARVCENlH8rqqGYhiGwXRilywTfYQ48vuy7
 WJuWR7iSzrTboU6WQxTlQW_cGA65YgpcC_KVae5fr.2ClssRmQoKicmyhZlNQ0q0jkcEJg_R.WTG
 Fncne7.2InJR_.HPZTEuakOQwkESW.Aj.LG7jBu7KjvulBsTOMFTv_2.kyhqcGYnL3ef7YYqp0mV
 DDjdRkeXeTq8cN_q0WgMiHczdPP44GVEfA7_5V5UIu35Cq1cGCrgn7uKkM3I-
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic301.consmr.mail.gq1.yahoo.com with HTTP; Wed, 12 Jun 2019 04:54:00 +0000
Received: from c-67-170-167-181.hsd1.or.comcast.net (EHLO [192.168.1.115])
 ([67.170.167.181])
 by smtp416.mail.gq1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID
 dce79d6d04f209e2c5bbde054d31f817; 
 Wed, 12 Jun 2019 04:53:56 +0000 (UTC)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: kern_execve using vm_page_zero_invalid but not
 vm_page_set_validclean to load /sbin/init ?
From: Mark Millard <marklmi@yahoo.com>
In-Reply-To: <86F7C4C4-2BB6-40F0-B5D3-C80ECB4A97CF@yahoo.com>
Date: Tue, 11 Jun 2019 21:53:55 -0700
Cc: Alfredo Dal Ava Junior <alfredo.junior@eldorado.org.br>,
 Justin Hibbits <jrh29@alumni.cwru.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1093D97-C7B5-4370-9C75-507D1EB98D03@yahoo.com>
References: <1464D960-A1D6-404A-BB10-E615E2D14C1D@yahoo.com>
 <CAG6CVpV5FBHgOTgxEgRmP+46Vm7mxoPCPECDJiq3k=D4qZ8PCA@mail.gmail.com>
 <4003198F-C11B-4587-910B-2001DC09F538@yahoo.com>
 <47E002B7-D4A1-4C4B-BFFD-D926263D895E@yahoo.com>
 <48148449-93B0-446C-AA28-F211FFAE1A8B@yahoo.com>
 <86F7C4C4-2BB6-40F0-B5D3-C80ECB4A97CF@yahoo.com>
To: FreeBSD Toolchain <freebsd-toolchain@freebsd.org>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>,
 freeBSD PowerPC ML <freebsd-ppc@freebsd.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-Rspamd-Queue-Id: CFC598D232
X-Spamd-Bar: ++++
X-Spamd-Result: default: False [4.34 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 R_SPF_ALLOW(-0.20)[+ptr:yahoo.com]; MV_CASE(0.50)[];
 FREEMAIL_FROM(0.00)[yahoo.com]; RCPT_COUNT_FIVE(0.00)[5];
 RCVD_COUNT_THREE(0.00)[3]; TO_DN_ALL(0.00)[];
 DKIM_TRACE(0.00)[yahoo.com:+];
 MX_GOOD(-0.01)[cached: mta6.am0.yahoodns.net];
 DMARC_POLICY_ALLOW(-0.50)[yahoo.com,reject];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+];
 SUBJECT_ENDS_QUESTION(1.00)[];
 FREEMAIL_ENVFROM(0.00)[yahoo.com];
 ASN(0.00)[asn:36647, ipnet:98.137.64.0/21, country:US];
 MID_RHS_MATCH_FROM(0.00)[];
 DWL_DNSWL_NONE(0.00)[yahoo.com.dwl.dnswl.org : 127.0.5.0];
 ARC_NA(0.00)[]; R_DKIM_ALLOW(-0.20)[yahoo.com:s=s2048];
 FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.96)[0.958,0];
 MIME_GOOD(-0.10)[text/plain];
 IP_SCORE(1.49)[ip: (5.79), ipnet: 98.137.64.0/21(0.95), asn: 36647(0.76),
 country: US(-0.06)]; NEURAL_SPAM_MEDIUM(0.50)[0.503,0];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_SPAM_LONG(0.90)[0.904,0];
 RCVD_IN_DNSWL_NONE(0.00)[146.64.137.98.list.dnswl.org : 127.0.5.0];
 RCVD_TLS_LAST(0.00)[]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 04:54:10 -0000

[The garbage after .got up to the page boundary is
.comment section strings. The context here is
targeting 32-bit powerpc via system-clang-8 and
devel/powerpc64-binutils for buildworld and
buildkernel . ]

On 2019-Jun-11, at 19:55, Mark Millard <marklmi at yahoo.com> wrote:

> [I have confirmed .sbss not being zero'd out and environ
> thereby starting out non-zero (garbage): a
> debug.minidump=3D0 style dump.]
>=20
>> On 2019-Jun-10, at 16:19, Mark Millard <marklmi@yahoo.com> wrote:
>>=20
>> . . . (omitted) . . .
>=20
> I used debug.minidump=3D0 in /boot/loader.conf for
> cusing a dump for the crash and a libkvm modified
> enough for my working boot environment to allow me
> to examine the the memory-image bytes of such a dump,
> with libkvm used via /usr/local/bin/kgdb . (No support
> of automatically translating user-space addresses
> or other such.)
>=20
> For the clang based debug buildworld and debug buildkernel
> context with /sbin/init having:
>=20
>  [16] .got              PROGBITS        01956ccc 146ccc 000010 04 WAX  =
0   0  4
>  [17] .sbss             NOBITS          01956cdc 146cdc 0000b0 00  WA  =
0   0  4
>  [18] .bss              NOBITS          01956dc0 146cdc 02ee28 00  WA  =
0   0 64
>=20
> I confirmed that .sbss in /sbin/init's address space
> is not zeroed (so environ is not assigned by handle_argv ).
> I also confirmed that _start was given a good env value
> (in %r5) based on where the value was stored on the
> stack. It is just that the value was not used.
>=20
> The detailed obvious-failure point (crash) can change based
> on the garbage in the .sbss and, for the build that I used
> this time, that happened in __je_arean_malloc_hard instead
> of before _init_tls called _libc_allocate_tls . (I traced
> the call chain in the dump.)
>=20
>=20
> =46rom what I've seen in the dump there seem to be special
> uses of some values (that also have normal uses, of
> course):
>=20
> 0xfa5005af: as yet invalid page content.
> 0x1c000020: as yet unassigned user-space-stack memory for /sbin/init.
>=20
> These are the same locations that I previously reported as
> showing up in the DSI read trap reports for /sbin/init failing.
> The specific build here failed with a different value.
>=20
> For reference relative to libkvm:
>=20
> # svnlite diff /usr/src/lib/libkvm/
> Index: /usr/src/lib/libkvm/kvm_powerpc.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- /usr/src/lib/libkvm/kvm_powerpc.c	(revision 347549)
> +++ /usr/src/lib/libkvm/kvm_powerpc.c	(working copy)
> @@ -211,6 +211,53 @@
> 	if (be32toh(vm->ph->p_paddr) =3D=3D 0xffffffff)
> 		return ((int)powerpc_va2off(kd, va, ofs));
>=20
> +	// HACK in something for what I observe in
> +	// a debug.minidump=3D0 vmcore.* for 32-bit powerpc
> +	//
> +	if (  be32toh(vm->ph->p_vaddr)  =3D=3D 0xffffffff
> +	   && be32toh(vm->ph->p_paddr)  =3D=3D 0
> +	   && be16toh(vm->eh->e_phnum)  =3D=3D 1
> +	   ) {
> +		// Presumes p_memsz is either unsigned
> +		// 32-bit or is 64-bit, same for va .
> +
> +		if (be32toh(vm->ph->p_memsz) <=3D va)
> +			return 0; // Like powerpc_va2off
> +
> +		// If ofs was (signed) 32-bit there
> +		// would be a problem for sufficiently
> +		// large postive memsz's and va's
> +		// near the end --because of p_offset
> +		// and dmphdrsz causing overflow/wrapping
> +		// for some large va values.
> +		// Presumes 64-bit ofs for such cases.
> +		// Also presumes dmphdrsz+p_offset
> +		// is non-negative so that small
> +		// non-negative va values have no
> +		// problems with ofs going negative.
> +
> +		*ofs =3D    vm->dmphdrsz
> +			+ be32toh(vm->ph->p_offset)
> +			+ va;
> +
> +		// The normal return value overflows/wraps
> +		// for p_memsz =3D=3D 0x80000000u when va =3D=3D 0 .
> +		// Avoid this by depending on calling code's
> +		// loop for sufficiently large cases.
> +		// This code presumes p_memsz/2 <=3D MAX_INT .
> +		// 32-bit powerpc FreeBSD does not allow
> +		// using more than 2 GiBytes of RAM but
> +		// does allow using 2 GiBytes on 64-bit
> +		// hardware.
> +		//
> +		if (  (int)be32toh(vm->ph->p_memsz) < 0
> +		   && va < be32toh(vm->ph->p_memsz)/2
> +		   )
> +			return be32toh(vm->ph->p_memsz)/2;
> +
> +		return be32toh(vm->ph->p_memsz) - va;
> +	}
> +
> 	_kvm_err(kd, kd->program, "Raw corefile not supported");
> 	return (0);
> }
> Index: /usr/src/lib/libkvm/kvm_private.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- /usr/src/lib/libkvm/kvm_private.c	(revision 347549)
> +++ /usr/src/lib/libkvm/kvm_private.c	(working copy)
> @@ -131,7 +131,9 @@
> {
>=20
> 	return (kd->nlehdr.e_ident[EI_CLASS] =3D=3D class &&
> -	    kd->nlehdr.e_type =3D=3D ET_EXEC &&
> +	    (  kd->nlehdr.e_type =3D=3D ET_EXEC ||
> +	       kd->nlehdr.e_type =3D=3D ET_DYN
> +	    ) &&
> 	    kd->nlehdr.e_machine =3D=3D machine);
> }
>=20
>=20
>=20

The following is was is in the .sbss/.bss up to the page
boundry (after the .got bytes):

(kgdb) x/s 0x2a66cdc
0x2a66cdc:	"$FreeBSD: head/lib/csu/powerpc/crt1.c 326219 2017-11-26 =
02:00:33Z pfg $"

(kgdb) x/s 0x2a66d24
0x2a66d24:	"$FreeBSD: head/lib/csu/common/crtbrand.c 340701 =
2018-11-20 20:59:49Z emaste $"

(kgdb) x/s 0x2a66d72
0x2a66d72:	"$FreeBSD: head/lib/csu/common/ignore_init.c 340702 =
2018-11-20 21:04:20Z emaste $"

(kgdb) x/s 0x2a66dc3
0x2a66dc3:	"FreeBSD clang version 8.0.0 (tags/RELEASE_800/final =
356365) (based on LLVM 8.0.0)"

(kgdb) x/s 0x2a66e15
0x2a66e15:	"$FreeBSD: head/lib/csu/powerpc/crti.S 217399 2011-01-14 =
11:34:58Z kib $"

(kgdb) x/s 0x2a66e5d
0x2a66e5d:	"$FreeBSD: head/sbin/mount/getmntopts.c 326025 =
2017-11-20 19:49:47Z pfg $"

(kgdb) x/s 0x2a66ea6
0x2a66ea6:	"$FreeBSD: head/lib/libutil/login_tty.c 334106 =
2018-05-23 17:02:12Z jhb $"

(kgdb) x/s 0x2a66eef
0x2a66eef:	"$FreeBSD: head/lib/libutil/login_class.c 296723 =
2016-03-12 14:54:34Z kib $"

(kgdb) x/s 0x2a66f83
0x2a66f83:	"$FreeBSD: head/lib/libutil/_secure_path.c 139012 =
2004-12-18 12:31:12Z ru $"

(kgdb) x/s 0x2a66fce
0x2a66fce:	"$FreeBSD: head/lib/libcrypt/crypt.c 326219 2017-11

(I truncated that last to avoid the 0xfa5005af's on the next page
in RAM.)

Compare ( from readelf /sbin/init ):

String dump of section '.comment':
  [     0]  $FreeBSD: head/lib/csu/powerpc/crt1.c 326219 2017-11-26 =
02:00:33Z pfg $
  [    48]  $FreeBSD: head/lib/csu/common/crtbrand.c 340701 2018-11-20 =
20:59:49Z emaste $
  [    96]  $FreeBSD: head/lib/csu/common/ignore_init.c 340702 =
2018-11-20 21:04:20Z emaste $
  [    e7]  FreeBSD clang version 8.0.0 (tags/RELEASE_800/final 356365) =
(based on LLVM 8.0.0)
  [   139]  $FreeBSD: head/lib/csu/powerpc/crti.S 217399 2011-01-14 =
11:34:58Z kib $
  [   181]  $FreeBSD: head/sbin/mount/getmntopts.c 326025 2017-11-20 =
19:49:47Z pfg $
  [   1ca]  $FreeBSD: head/lib/libutil/login_tty.c 334106 2018-05-23 =
17:02:12Z jhb $
  [   213]  $FreeBSD: head/lib/libutil/login_class.c 296723 2016-03-12 =
14:54:34Z kib $
  [   25e]  $FreeBSD: head/lib/libutil/login_cap.c 317265 2017-04-21 =
19:27:33Z pfg $
  [   2a7]  $FreeBSD: head/lib/libutil/_secure_path.c 139012 2004-12-18 =
12:31:12Z ru $
  [   2f2]  $FreeBSD: head/lib/libcrypt/crypt.c 326219 2017-11-26 =
02:00:33Z pfg $
. . .

Note:

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg =
Align
  LOAD           0x000000 0x01800000 0x01800000 0x140ad4 0x140ad4 R E =
0x10000
  LOAD           0x140ae0 0x01950ae0 0x01950ae0 0x061fc 0x35108 RWE =
0x10000
  NOTE           0x0000d4 0x018000d4 0x018000d4 0x00048 0x00048 R   0x4
  TLS            0x140ae0 0x01950ae0 0x01950ae0 0x00b10 0x00b1d R   0x10
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x10

 Section to Segment mapping:
  Segment Sections...
   00     .note.tag .init .text .fini .rodata .eh_frame=20
   01     .tdata .tbss .init_array .fini_array .ctors .dtors .jcr =
.data.rel.ro .data .got .sbss .bss=20
   02     .note.tag=20
   03     .tdata .tbss=20
   04    =20
There are 24 section headers, starting at offset 0x16cec8:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg =
Lk Inf Al
. . .
  [16] .got              PROGBITS        01956ccc 146ccc 000010 04 WAX  =
0   0  4
  [17] .sbss             NOBITS          01956cdc 146cdc 0000b0 00  WA  =
0   0  4
  [18] .bss              NOBITS          01956dc0 146cdc 02ee28 00  WA  =
0   0 64
  [19] .comment          PROGBITS        00000000 146cdc 0073d4 01  MS  =
0   0  1

It looks like material after the .got is being copied,
spanning the in-file-empty .sbss and .bss sections and
implicitly initializing (the first part of) those
sections.

=3D=3D=3D
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)