Bug 1732645

Summary: [abrt] reaver: floor_ifunc_selector(): wash killed by SIGSEGV
Product: [Fedora] Fedora
Reporter: Joao Marcos Floriano <joaomfloriano>
Component: wireless-tools
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 30
CC: aoliva, arjun.is, codonell, dcbw, dj, fukidid, fweimer, jskarvad, jwharshaw, law, linville, lkundrak, mfabian, moceap, pfrankli, rth, siddhesh, vascom2
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/d540f6b01986b524285448d61c0d25d83c419d8b
Whiteboard: abrt_hash:d0eb2a1c5dd68ed2aa69a0eda997e9221dfa84e4;VARIANT_ID=workstation;
Fixed In Version: wireless-tools-29-25.fc30 wireless-tools-29-25.fc31
Last Closed: 2020-03-09 20:54:35 UTC

Description Joao Marcos Floriano 2019-07-24 01:08:45 UTC
Version-Release number of selected component:
reaver-1.6.5-3.fc30

Additional info:
reporter:       libreport-2.10.1
backtrace_rating: 3
cmdline:        wash
crash_function: floor_ifunc_selector
executable:     /usr/bin/wash
journald_cursor: s=e8a73499ef2b4d96ae8428dce81a6925;i=3878;b=fecc408a9cb74e1cb240ca1a265d7623;m=114043b688;t=58c034bdac76a;x=798d5a7c0779fb1a
kernel:         5.1.11-300.fc30.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 floor_ifunc_selector at ../sysdeps/x86_64/fpu/multiarch/ifunc-sse4_1.h:29
 #1 __floor_ifunc at ../sysdeps/x86_64/fpu/multiarch/s_floor.c:31
 #2 elf_machine_rela at ../sysdeps/x86_64/dl-machine.h:330
 #3 elf_dynamic_do_Rela at do-rel.h:137
 #4 _dl_relocate_object at dl-reloc.c:254
 #5 dl_main at rtld.c:2193
 #6 _dl_sysdep_start at ../elf/dl-sysdep.c:253
 #7 _dl_start_final at rtld.c:413
 #8 _dl_start at rtld.c:520
 #9 _start

Comment 1 Joao Marcos Floriano 2019-07-24 01:08:49 UTC
Created attachment 1593013
File: backtrace

Comment 2 Joao Marcos Floriano 2019-07-24 01:08:50 UTC
Created attachment 1593014
File: cgroup

Comment 3 Joao Marcos Floriano 2019-07-24 01:08:51 UTC
Created attachment 1593015
File: core_backtrace

Comment 4 Joao Marcos Floriano 2019-07-24 01:08:53 UTC
Created attachment 1593016
File: cpuinfo

Comment 5 Joao Marcos Floriano 2019-07-24 01:08:54 UTC
Created attachment 1593017
File: dso_list

Comment 6 Joao Marcos Floriano 2019-07-24 01:08:55 UTC
Created attachment 1593018
File: environ

Comment 7 Joao Marcos Floriano 2019-07-24 01:08:57 UTC
Created attachment 1593019
File: exploitable

Comment 8 Joao Marcos Floriano 2019-07-24 01:08:58 UTC
Created attachment 1593020
File: limits

Comment 9 Joao Marcos Floriano 2019-07-24 01:09:00 UTC
Created attachment 1593021
File: maps

Comment 10 Joao Marcos Floriano 2019-07-24 01:09:01 UTC
Created attachment 1593022
File: mountinfo

Comment 11 Joao Marcos Floriano 2019-07-24 01:09:02 UTC
Created attachment 1593023
File: open_fds

Comment 12 Joao Marcos Floriano 2019-07-24 01:09:05 UTC
Created attachment 1593024
File: proc_pid_status

Comment 13 Jaroslav Škarvada 2019-09-13 21:03:20 UTC
This is either glibc or gcc, reassigning to glibc for the start, because there were similar IFUNC errors. The problem is the following:

$ valgrind reaver
reaver: Relink `/lib64/libiw.so.29' with `/lib64/libm.so.6' for IFUNC symbol `floor'
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])
...
==20037== Invalid read of size 1
==20037==    at 0x48CFEB2: floor (in /usr/lib64/libm-2.29.so)
==20037==    by 0x400CD59: _dl_relocate_object (in /usr/lib64/ld-2.29.so)
==20037==    by 0x40046A1: dl_main (in /usr/lib64/ld-2.29.so)
==20037==    by 0x4019E2A: _dl_sysdep_start (in /usr/lib64/ld-2.29.so)
==20037==    by 0x40021AB: _dl_start (in /usr/lib64/ld-2.29.so)
==20037==    by 0x4001117: ??? (in /usr/lib64/ld-2.29.so)
==20037==  Address 0x72 is not stack'd, malloc'd or (recently) free'd

$ ldd /lib64/libiw.so.29
	linux-vdso.so.1 (0x00007ffdbd15f000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1f4b211000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1f4b43d000)

But libiw is already linked with the -lm, from the build log of wireless-tools:
...
gcc -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -shared -o libiw.so.29 -Wl,-soname,libiw.so.29  -lm -lc iwlib.so
...

If I remove '-Wl,--as-needed' it works as expected without segfault, but it was added there by the distribution LDFLAGS:
$ rpm --eval %__global_ldflags
-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld

So something is broken here.

Comment 14 Florian Weimer 2019-09-14 01:59:01 UTC
“eu-readelf -s /lib64/libiw.so.29” shows:

…
   29: 0000000000000000      0 NOTYPE  GLOBAL DEFAULT    UNDEF pow
…
   29: 0000000000000000      0 NOTYPE  GLOBAL DEFAULT    UNDEF pow
…
   38: 0000000000000000      0 NOTYPE  GLOBAL DEFAULT    UNDEF floor

The link order in wireless-tools is this:

gcc -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -shared -o libiw.so.29 -Wl,-soname,libiw.so.29  -lm -lc iwlib.so

--as-needed is specified in such a way that the -lm and first -lc do not result in run-time dependencies (but not the implicit -lc). The toolchain behaves in a documented way here. (Despite the name, iwlib.so is a relocatable object here.)

I think this is just one of the things that break with -as-needed and needs to be fixed in wireless-tools, by moving -lm after the objects that need it.  Basically, change “-lm -lc iwlib.so” into “iwlib.so -lm”.
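
Added example, not part of the bug thread or of wireless-tools: a shell lint for the ordering described in comment 14, reporting `-l` options that sit before the first object input while `--as-needed` is active. The function name `early_libs` and the `*.o`/`*.a`/`*.so` input heuristic are assumptions; it reads only the command line, not symbol tables.

```shell
#!/bin/sh
# Added example: lint a link command for the ordering problem in this bug.
# Under --as-needed the linker records DT_NEEDED for a library only if an
# input already seen on the command line references it, so a -l option
# placed before the first object is dropped from the result.

early_libs() {
    # $1: complete link command as a single string
    as_needed=0     # 1 while --as-needed is in effect
    seen_obj=0      # 1 once an object/archive input has been seen
    skip=0          # 1 when the next token is the argument of -o
    flagged=""
    set -f          # split on whitespace only, no globbing
    for tok in $1; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$tok" in
            -o) skip=1 ;;                         # output name, not an input
            -Wl,*--no-as-needed*) as_needed=0 ;;
            -Wl,*--as-needed*)    as_needed=1 ;;
            -l*)
                if [ "$as_needed" -eq 1 ] && [ "$seen_obj" -eq 0 ]; then
                    flagged="$flagged $tok"
                fi ;;
            -*) ;;                                # any other option
            *.o|*.a|*.so) seen_obj=1 ;;           # iwlib.so is an object here
        esac
    done
    set +f
    printf '%s\n' "${flagged# }"
}

# Link line from the wireless-tools build log quoted in this bug.
early_libs 'gcc -Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -shared -o libiw.so.29 -Wl,-soname,libiw.so.29  -lm -lc iwlib.so'

# Constructed line using the order suggested in comment 14.
early_libs 'gcc -Wl,--as-needed -shared -o libiw.so.29 iwlib.so -lm'
```

The `-lc` it reports for the build-log line goes unnoticed in practice only because gcc appends its own implicit `-lc` after the objects, which is why libc still appears in the `ldd` output while libm does not.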

Comment 15 Jens Petersen 2020-02-23 12:06:57 UTC
I am applying Florian's suggestion to wireless-tools-29-25.
Thanks for this - it was preventing xmobar from building too for some time.

Comment 16 Fedora Update System 2020-02-23 12:13:16 UTC
FEDORA-2020-a334dc624d has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a334dc624d

Comment 17 Fedora Update System 2020-02-24 02:07:38 UTC
wireless-tools-29-25.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5d27f4c3f9

Comment 18 Fedora Update System 2020-02-24 02:08:39 UTC
wireless-tools-29-25.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a334dc624d

Comment 19 Fedora Update System 2020-03-09 20:54:35 UTC
wireless-tools-29-25.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2020-03-11 22:45:43 UTC
wireless-tools-29-25.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.