QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-s390x
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
QEMU | Fix Released | Undecided | Unassigned |
qemu (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Medium | Unassigned |
Bug Description
[Impact]
* An instruction was described wrong so that on usage the program would
crash.
[Test Case]
* Run s390x in emulation and there use this program:
For simplicity and speed you can use KVM guest as usual on s390x, that
after prep&install&
$ sudo qemu-system-s390x -machine s390-ccw-
Obviously, if you have no s390x access you need to use emulation right
away.
* Build and run failing program
$ sudo apt install clang
$ cat > bug-sqrtl-
int main(void) { volatile long double x, r; x = 4.0L; __asm__ __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}
EOF
$ cc bug-sqrtl-
$ ./a.out
Segmentation fault (core dumped)
qemu is dead by now as long as the bug is present
[Regression Potential]
* The change only modifies the 128-bit square root on s390x, so regressions
should be limited to exactly that, which before this fix was a broken
instruction.
[Other Info]
* n/a
---
In porting software to guest Ubuntu 18.04 and 20.04 VMs for S/390x, I discovered
that some of my own numerical programs, and also a GNU configure script for at
least one package with CC=clang, would cause an instant crash of the VM, sometimes
also destroying recently opened files, and producing long strings of NUL characters
in /var/log/syslog in the S/390 guest O/S.
Further detective work narrowed the cause of the crash down to a single IBM S/390
instruction: sqxbr (128-bit IEEE 754 square root). Here is a one-line program
that when compiled and run on a VM hosted on QEMU emulator version 4.2.0
(Debian 1:4.2-3ubuntu6.1) [hosted on Ubuntu 20.04 on a Dell Precision 7920
workstation with an Intel Xeon Platinum 8253 CPU], and also on QEMU emulator
version 5.0.0, reproducibly produces a VM crash under qemu-system-s390x.
% cat bug-sqrtl-
int main(void) { volatile long double x, r; x = 4.0L; __asm__ __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}
% cc bug-sqrtl-
Segmentation fault (core dumped)
The problem code may be the function float128_sqrt() defined in qemu-5.
starting at line 7619. I have NOT attempted to run the qemu-system-s390x executable
under a debugger. However, I observe that S/390 is the only CPU family that I know of,
except possibly for a Fujitsu SPARC-64, that has a 128-bit square root in hardware.
Thus, this instruction bug may not have been seen before.
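The operation behind sqxbr is an IEEE 754 binary128 square root, which qemu-system-s390x has to compute in software (the report points at float128_sqrt() in QEMU's softfloat code). The following is an added example, not QEMU's code and not the reporter's: a stand-alone binary128 square root written from the format definition alone, with an exact-arithmetic check that the result is correctly rounded. The function name float128_sqrt mirrors the QEMU function the report names but the implementation here is independent; the double-to-binary128 widening helper and the test inputs are constructed for this example. It lets one confirm, without an s390x machine, what the emulated instruction must return for the reproducer's input 4.0L (exactly 2.0L) and for the NaN, infinity, signed-zero and negative-input cases that a faithful emulation must also get right.

```python
"""Software IEEE 754 binary128 square root (the operation s390x SQXBR performs).
Added example written from the binary128 format; independent of QEMU's code."""
import math
import struct
from fractions import Fraction

EXP_BITS, FRAC_BITS = 15, 112
BIAS = (1 << (EXP_BITS - 1)) - 1        # 16383
EXP_MAX = (1 << EXP_BITS) - 1           # 0x7fff marks infinity / NaN
FRAC_MASK = (1 << FRAC_BITS) - 1
QUIET_BIT = 1 << (FRAC_BITS - 1)
DEFAULT_NAN = (EXP_MAX << FRAC_BITS) | QUIET_BIT


def unpack128(bits):
    return bits >> 127, (bits >> FRAC_BITS) & EXP_MAX, bits & FRAC_MASK


def pack128(sign, exp, frac):
    return (sign << 127) | (exp << FRAC_BITS) | (frac & FRAC_MASK)


def is_nan(bits):
    _, exp, frac = unpack128(bits)
    return exp == EXP_MAX and frac != 0


def hex128(bits):
    return f"0x{bits:032x}"


def from_double(x):
    """Widen a Python float (binary64) to binary128 bits, exactly (test helper)."""
    b = struct.unpack(">Q", struct.pack(">d", x))[0]
    sign, exp, frac = b >> 63, (b >> 52) & 0x7FF, b & ((1 << 52) - 1)
    if exp == 0x7FF:                                # inf / NaN
        return pack128(sign, EXP_MAX, frac << 60)
    if exp == 0:
        if frac == 0:
            return pack128(sign, 0, 0)              # signed zero
        shift = 53 - frac.bit_length()              # subnormal double -> normal
        frac = (frac << shift) & ((1 << 52) - 1)
        exp = 1 - shift
    return pack128(sign, exp - 1023 + BIAS, frac << 60)


def _significand(bits):
    """Finite binary128 -> (m, e) with |value| == m * 2**e, m an integer."""
    _, exp, frac = unpack128(bits)
    if exp == 0:
        return frac, 1 - BIAS - FRAC_BITS
    return frac | (1 << FRAC_BITS), exp - BIAS - FRAC_BITS


def to_fraction(bits):
    sign, exp, _ = unpack128(bits)
    assert exp != EXP_MAX, "not finite"
    m, e = _significand(bits)
    v = Fraction(m) * Fraction(2) ** e
    return -v if sign else v


def float128_sqrt(bits):
    """sqrt(x) on binary128 bits, round-to-nearest-even, IEEE 754 special cases."""
    sign, exp, frac = unpack128(bits)
    if exp == EXP_MAX:
        if frac:
            return bits | QUIET_BIT                 # NaN in -> quiet NaN out
        return DEFAULT_NAN if sign else bits        # sqrt(+inf)=+inf, sqrt(-inf)=NaN
    if exp == 0 and frac == 0:
        return bits                                 # sqrt(+-0) = +-0
    if sign:
        return DEFAULT_NAN                          # invalid operation
    m, e = _significand(bits)
    # Shift the radicand so its integer root carries FRAC_BITS+1 significant
    # bits plus at least two guard bits, and so that the exponent is even.
    k = max(0, 2 * (FRAC_BITS + 3) - m.bit_length())
    if (e - k) & 1:
        k += 1
    radicand = m << k
    q = math.isqrt(radicand)
    sticky = radicand != q * q                      # inexact remainder
    extra = q.bit_length() - (FRAC_BITS + 1)        # guard bits to drop (>= 2)
    sig, dropped, half = q >> extra, q & ((1 << extra) - 1), 1 << (extra - 1)
    if dropped > half or (dropped == half and (sticky or sig & 1)):
        sig += 1                                    # nearest, ties to even
    e_res = (e - k) // 2 + extra
    if sig >> (FRAC_BITS + 1):                      # rounding carried out a bit
        sig >>= 1
        e_res += 1
    # The root of any positive finite binary128 is normal: no under/overflow.
    return pack128(0, e_res + FRAC_BITS + BIAS, sig)


def is_correctly_rounded(x_bits, r_bits):
    """Exact check that r is within half an ulp of sqrt(x)."""
    x, r = to_fraction(x_bits), to_fraction(r_bits)
    _, rexp, _ = unpack128(r_bits)
    half_ulp = Fraction(2) ** (rexp - BIAS - FRAC_BITS - 1)
    return (r - half_ulp) ** 2 <= x <= (r + half_ulp) ** 2


if __name__ == "__main__":
    for x in (4.0, 2.0, -1.0):          # 4.0 is the input in the bug's reproducer
        r = float128_sqrt(from_double(x))
        print(f"sqrt({x}) -> {hex128(r)}{'  (NaN)' if is_nan(r) else ''}")
```

On a fixed s390x guest the same values can be cross-checked against the hardware or emulated instruction by printing the 16 bytes of `r` from the reporter's one-liner; a disagreement on any of the special-case inputs would indicate a second, quieter emulation defect even after the crash is gone.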
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 10691 lines (+9839/-7), 133 files modified, including:
debian/changelog (+86/-0)
debian/patches/series (+131/-1)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/patches/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
Diff: 150 lines (+105/-0), 5 files modified:
debian/changelog (+10/-0)
debian/patches/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/rules (+4/-0)
Changed in qemu:
  status: Confirmed → Fix Committed
Changed in qemu (Ubuntu):
  status: New → In Progress
  assignee: nobody → Christian Ehrhardt (paelzer)
Changed in qemu (Ubuntu Focal):
  status: New → Triaged
  importance: Undecided → Medium
  description: updated
Changed in qemu:
  status: Fix Committed → Fix Released
Another way to reproduce this bug is with qemu-s390x and a cross-compiled binary:
$ s390x-linux-gnu-gcc-5 -static -o bug-sqrtl-one-line.s390x bug-sqrtl-one-line.c
$ qemu-s390x bug-sqrtl-
Segmentation fault (core dumped)
Find attached the binary.