Closed Bug 1836925 Opened 1 year ago Closed 5 months ago

Unconditional use of adcxq causes SIGILL with nss-3.90

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sam, Assigned: nkulatova)

References

Details

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0

Steps to reproduce:

Originally reported downstream in Gentoo at https://bugs.gentoo.org/907932.

Build nss-3.90 on a CPU without Intel ADX (https://en.wikipedia.org/wiki/Intel_ADX?useskin=vector), so missing 'adcx'.

Actual results:

Firefox and Thunderbird crash with SIGILL with nss-3.90:

Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f734e6883dc in ?? () from /usr/lib64/libc.so.6
[Current thread is 1 (Thread 0x7f733b2be6c0 (LWP 377211))]
(gdb) bt
#0  0x00007f734e6883dc in  () at /usr/lib64/libc.so.6
#1  0x00007f734e63ac42 in raise () at /usr/lib64/libc.so.6
#2  0x00007f7349f6ed24 in  () at /usr/lib64/thunderbird/libxul.so
#3  0x00007f734abebeac in  () at /usr/lib64/thunderbird/libxul.so
#4  0x00007f734e63ace0 in <signal handler called> () at /usr/lib64/libc.so.6
#5  0x00007f73396aee9d in fadd (f2=0x7f733b2bc870, f1=0x7f733b2bc850, out=0x7f733b2bc8d0) at verified/curve25519-inline.h:40
#6  fadd0 (f2=0x7f733b2bc870, f1=0x7f733b2bc850, out=0x7f733b2bc8d0) at verified/Hacl_Curve25519_64.c:44
#7  point_add_and_double (q=q@entry=0x7f733b2bc780, p01_tmp1=p01_tmp1@entry=0x7f733b2bc850, tmp2=tmp2@entry=0x7f733b2bc7d0) at verified/Hacl_Curve25519_64.c:136
#8  0x00007f73396af513 in montgomery_ladder
    (init=0x7f733b2bc780, key=0x7f731e6c7a70 "\275Π\217\033;\346\323l2\323'\223\345\025\346\333\3663\306\363\\\016J\033HIv\353\005C\017", '\345' <repeats 167 times>, <incomplete sequence \345>..., out=0x7f733b2bc780) at verified/Hacl_Curve25519_64.c:216
#9  Hacl_Curve25519_64_scalarmult
    (out=out@entry=0x7f731e6c7a50 '\345' <repeats 32 times>, "\275Π\217\033;\346\323l2\323'\223\345\025\346\333\3663\306\363\\\016J\033HIv\353\005C\017", '\345' <repeats 135 times>, <incomplete sequence \345>..., priv=0x7f731e6c7a70 "\275Π\217\033;\346\323l2\323'\223\345\025\346\333\3663\306\363\\\016J\033HIv\353\005C\017", '\345' <repeats 167 times>, <incomplete sequence \345>..., pub=<optimized out>)
    at verified/Hacl_Curve25519_64.c:371
#10 0x00007f73396afc19 in Hacl_Curve25519_64_ecdh
    (out=0x7f731e6c7a50 '\345' <repeats 32 times>, "\275Π\217\033;\346\323l2\323'\223\345\025\346\333\3663\306\363\\\016J\033HIv\353\005C\017", '\345' <repeats 135 times>, <incomplete sequence \345>..., priv=<optimized out>, pub=<optimized out>) at verified/Hacl_Curve25519_64.c:391
#11 0x00007f73396adfd9 in ec_Curve25519_mul (mypublic=<optimized out>, secret=<optimized out>, basepoint=<optimized out>) at ecl/curve25519_64.c:18
#12 0x00007f733969c3c6 in ec_Curve25519_pt_mul (X=X@entry=0x7f731e6c7918, k=k@entry=0x7f731e6c7930, P=P@entry=0x0) at ecl/ecp_25519.c:121
#13 0x00007f733966a7d9 in ec_NewKey
    (ecParams=ecParams@entry=0x7f731e6ce020, privKey=privKey@entry=0x7f733b2bcb20, privKeyBytes=privKeyBytes@entry=0x7f731ef5d780 "\275Π\217\033;\346\323l2\323'\223\345\025\346\333\3663\306\363\\\016J\033HIv\353\005C\017", privKeyLen=privKeyLen@entry=32) at ec.c:289
#14 0x00007f733966a943 in EC_NewKey (ecParams=0x7f731e6ce020, privKey=privKey@entry=0x7f733b2bcb20) at ec.c:411
#15 0x00007f733988e170 in NSC_GenerateKeyPair
    (hSession=1, pMechanism=0x7f733b2bce80, pPublicKeyTemplate=<optimized out>, ulPublicKeyAttributeCount=<optimized out>, pPrivateKeyTemplate=0x7f733b2bcfa0, ulPrivateKeyAttributeCount=<optimized out>, phPublicKey=0x7f733b2bce78, phPrivateKey=0x7f733b2bce70) at pkcs11c.c:5611
#16 0x00007f7342e18526 in PK11_GenerateKeyPairWithOpFlags
    (slot=slot@entry=0x7f733a8e5400, type=type@entry=4160, param=param@entry=0x7f733b2bd3d0, pubKey=pubKey@entry=0x7f733b2bd3c8, attrFlags=attrFlags@entry=138, opFlags=opFlags@entry=524288, opFlagsMask=526336, wincx=0x7f7321d9fe08) at pk11akey.c:1537
#17 0x00007f7342e1027b in SECKEY_CreateECPrivateKey (param=param@entry=0x7f733b2bd3d0, pubk=pubk@entry=0x7f733b2bd3c8, cx=0x7f7321d9fe08) at seckey.c:218
#18 0x00007f7342f69f25 in ssl_CreateECDHEphemeralKeyPair (ss=ss@entry=0x7f731de15000, ecGroup=0x7f7342f99920 <ssl_named_groups>, keyPair=keyPair@entry=0x7f733b2bd420) at ssl3ecc.c:448
#19 0x00007f7342f6a010 in ssl3_SendECDHClientKeyExchange (ss=ss@entry=0x7f731de15000, svrPubKey=svrPubKey@entry=0x7f731e6d1020) at ssl3ecc.c:192
#20 0x00007f7342f62b2b in ssl3_SendClientKeyExchange (ss=0x7f731de15000) at ssl3con.c:6478
#21 ssl3_SendClientSecondRound (ss=ss@entry=0x7f731de15000) at ssl3con.c:8231
#22 0x00007f7342f652d8 in ssl3_HandleServerHelloDone (ss=0x7f731de15000) at ssl3con.c:8155
#23 ssl3_HandlePostHelloHandshakeMessage (length=0, b=0x7f731e5cd004 'N' <repeats 200 times>..., ss=0x7f731de15000) at ssl3con.c:12715
#24 ssl3_HandleHandshakeMessage (ss=ss@entry=0x7f731de15000, b=b@entry=0x7f731e5cd004 'N' <repeats 200 times>..., length=0, endOfRecord=1) at ssl3con.c:12623
#25 0x00007f7342f67da5 in ssl3_HandleHandshake (origBuf=0x7f731de152c0, ss=0x7f731de15000) at ssl3con.c:12800
#26 ssl3_HandleNonApplicationData (ss=ss@entry=0x7f731de15000, rType=<optimized out>, epoch=<optimized out>, seqNum=<optimized out>, databuf=databuf@entry=0x7f731de152c0) at ssl3con.c:13335
#27 0x00007f7342f6883b in ssl3_HandleRecord (ss=ss@entry=0x7f731de15000, cText=cText@entry=0x7f733b2bd7d0) at ssl3con.c:13680
#28 0x00007f7342f6eabf in ssl3_GatherCompleteHandshake (flags=<optimized out>, ss=<optimized out>) at ssl3gthr.c:561
#29 ssl3_GatherCompleteHandshake (ss=ss@entry=0x7f731de15000, flags=flags@entry=0) at ssl3gthr.c:449
#30 0x00007f7342f75d79 in SSL_ForceHandshake (fd=<optimized out>) at sslsecur.c:417
#31 0x00007f7349d954f1 in  () at /usr/lib64/thunderbird/libxul.so
#32 0x00007f7346bcb69d in  () at /usr/lib64/thunderbird/libxul.so
#33 0x00007f7346c02a9c in  () at /usr/lib64/thunderbird/libxul.so
#34 0x00007f7346c081b0 in  () at /usr/lib64/thunderbird/libxul.so
#35 0x00007f7346a0030d in  () at /usr/lib64/thunderbird/libxul.so
#36 0x00007f7346a03fbd in  () at /usr/lib64/thunderbird/libxul.so
#37 0x00007f7346a0b2ee in  () at /usr/lib64/thunderbird/libxul.so
#38 0x00007f7346a0cbad in  () at /usr/lib64/thunderbird/libxul.so
--Type <RET> for more, q to quit, c to continue without paging--
#39 0x00007f73468bd4f7 in  () at /usr/lib64/thunderbird/libxul.so
#40 0x00007f73468c1faa in  () at /usr/lib64/thunderbird/libxul.so
#41 0x00007f7346db2318 in  () at /usr/lib64/thunderbird/libxul.so
#42 0x00007f7346d74eb7 in  () at /usr/lib64/thunderbird/libxul.so
#43 0x00007f73468ba981 in  () at /usr/lib64/thunderbird/libxul.so
#44 0x00007f734e2c3abf in _pt_root (arg=0x7f734e330700) at /usr/src/debug/dev-libs/nspr-4.35-r1/nspr-4.35/nspr/pr/src/pthreads/ptthread.c:201
#45 0x00007f734e6866fc in  () at /usr/lib64/libc.so.6
#46 0x00007f734e706cac in  () at /usr/lib64/libc.so.6
(gdb)
(gdb) frame 5
#5  0x00007f73396aee9d in fadd (f2=0x7f733b2bc870, f1=0x7f733b2bc850, out=0x7f733b2bc8d0) at verified/curve25519-inline.h:40
40          __asm__ volatile(

Expected results:

No crash, i.e. don't use advx on CPUs which don't support it.

Summary: Unconditional use of adcx causes SIGILL with nss-3.90 → Unconditional use of adcxq causes SIGILL with nss-3.90

Hello,

Thank you for the report.
In order to address the issue, could I ask you to apply the following patch on the following file:
/nss_dir/nss/lib/freebl/Makefile, where nss_dir is the location of your nss directory.

<         SUPPORTS_VALE_CURVE25519 = 1
---
>         ifeq ($(CPU_ARCH),x86_64)
>             SUPPORTS_VALE_CURVE25519 = 1
>         endif

The patch is applying a restriction on the include of curve25519-inline.h file, that's the offender in the current case.

Flags: needinfo?(sam)
Assignee: nobody → nkulatova

Thanks. I asked some of the affected folks to try https://github.com/nss-dev/nss/commit/c07c4e073d95a25343cbf56b4a830a71e432869e and they can still hit it. This makes sense given x86_64 is not enough to guarantee adcxq, I think it's only in >= Broadwell.

Flags: needinfo?(sam)

(Just to give an explicit example of such a < Broadwell x86_64 CPU: Intel R Core TM i5 3360M is one hitting this.)

Ok, thanks for the information.
We have implemented the patch (https://phabricator.services.mozilla.com/D180068) serving to totally disable the optimisation.

Could you check that it works?

Flags: needinfo?(sam)
Attachment #9337634 - Attachment description: WIP: Bug 1836925 - Removing the support of Curve25519 → Bug 1836925 - Removing the support of Curve25519
Attached file backtrace
I'm surprised by this, but I'm told it doesn't help:
```

I'm surprised by this, but it doesn't help:

Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f3f52ea93dc in ?? () from /usr/lib64/libc.so.6
[Current thread is 1 (Thread 0x7f3f3fabe6c0 (LWP 516908))]
(gdb) bt
#0  0x00007f3f52ea93dc in  () at /usr/lib64/libc.so.6
#1  0x00007f3f52e5bc42 in raise () at /usr/lib64/libc.so.6
#2  0x00007f3f4e791d24 in  () at /usr/lib64/thunderbird/libxul.so
#3  0x00007f3f4f40eeac in  () at /usr/lib64/thunderbird/libxul.so
#4  0x00007f3f52e5bce0 in <signal handler called> () at /usr/lib64/libc.so.6
#5  0x00007f3f3deaee9d in fadd (f2=0x7f3f3fabc870, f1=0x7f3f3fabc850, out=0x7f3f3fabc8d0) at verified/curve25519-inline.h:40
#6  fadd0 (f2=0x7f3f3fabc870, f1=0x7f3f3fabc850, out=0x7f3f3fabc8d0) at verified/Hacl_Curve25519_64.c:44
#7  point_add_and_double (q=q@entry=0x7f3f3fabc780, p01_tmp1=p01_tmp1@entry=0x7f3f3fabc850, tmp2=tmp2@entry=0x7f3f3fabc7d0) at verified/Hacl_Curve25519_64.c:136
#8  0x00007f3f3deaf513 in montgomery_ladder
    (init=0x7f3f3fabc780, key=0x7f3f22f21a70 "\212\242\r\v,\237\022\273K\263\020LkB\364N\223\270=\357\371\252Pb\016g\245H\275\250r\312", '\345' <repeats 167 times>, <incomplete sequence \345>..., out=0x7f3f3fabc780)
    at verified/Hacl_Curve25519_64.c:216
#9  Hacl_Curve25519_64_scalarmult
    (out=out@entry=0x7f3f22f21a50 '\345' <repeats 31 times>, "劢\r\v,\237\022\273K\263\020LkB\364N\223\270=\357\371\252Pb\016g\245H\275\250r\312", '\345' <repeats 135 times>, <incomplete sequence \345>..., priv=0x7f3f22f21a70 "\212\242\r\v,\237\022\273K\263\020LkB\364N\223\270=\357\371\252Pb\016g\245H\275\250r\312", '\345' <repeats 167 times>, <incomplete sequence \345>..., pub=<optimized out>)
    at verified/Hacl_Curve25519_64.c:371
#10 0x00007f3f3deafc19 in Hacl_Curve25519_64_ecdh
    (out=0x7f3f22f21a50 '\345' <repeats 31 times>, "劢\r\v,\237\022\273K\263\020LkB\364N\223\270=\357\371\252Pb\016g\245H\275\250r\312", '\345' <repeats 135 times>, <incomplete sequence \345>..., priv=<optimized out>, pub=<optimized out>) at verified/Hacl_Curve25519_64.c:391
#11 0x00007f3f3deadfd9 in ec_Curve25519_mul (mypublic=<optimized out>, secret=<optimized out>, basepoint=<optimized out>) at ecl/curve25519_64.c:18
#12 0x00007f3f3de9c3c6 in ec_Curve25519_pt_mul (X=X@entry=0x7f3f22f21918, k=k@entry=0x7f3f22f21930, P=P@entry=0x0) at ecl/ecp_25519.c:121
#13 0x00007f3f3de6a7d9 in ec_NewKey
    (ecParams=ecParams@entry=0x7f3f22f22820, privKey=privKey@entry=0x7f3f3fabcb20, privKeyBytes=privKeyBytes@entry=0x7f3f266da2c0 "\212\242\r\v,\237\022\273K\263\020LkB\364N\223\270=\357\371\252Pb\016g\245H\275\250", <incomplete sequence \312>, privKeyLen=privKeyLen@entry=32) at ec.c:289
#14 0x00007f3f3de6a943 in EC_NewKey (ecParams=0x7f3f22f22820, privKey=privKey@entry=0x7f3f3fabcb20) at ec.c:411
#15 0x00007f3f3e08e170 in NSC_GenerateKeyPair
    (hSession=1, pMechanism=0x7f3f3fabce80, pPublicKeyTemplate=<optimized out>, ulPublicKeyAttributeCount=<optimized out>, pPrivateKeyTemplate=0x7f3f3fabcfa0, ulPrivateKeyAttributeCount=<optimized out>, phPublicKey=0x7f3f3fabce78, phPrivateKey=0x7f3f3fabce70) at pkcs11c.c:5611
#16 0x00007f3f4763b526 in PK11_GenerateKeyPairWithOpFlags
    (slot=slot@entry=0x7f3f3f0de000, type=type@entry=4160, param=param@entry=0x7f3f3fabd3d0, pubKey=pubKey@entry=0x7f3f3fabd3c8, attrFlags=attrFlags@entry=138, opFlags=opFlags@entry=524288, opFlagsMask=526336, wincx=0x7f3f230ee208) at pk11akey.c:1537
#17 0x00007f3f4763327b in SECKEY_CreateECPrivateKey (param=param@entry=0x7f3f3fabd3d0, pubk=pubk@entry=0x7f3f3fabd3c8, cx=0x7f3f230ee208) at seckey.c:218
#18 0x00007f3f4778cf25 in ssl_CreateECDHEphemeralKeyPair (ss=ss@entry=0x7f3f20d0d000, ecGroup=0x7f3f477bc920 <ssl_named_groups>, keyPair=keyPair@entry=0x7f3f3fabd420) at ssl3ecc.c:448
#19 0x00007f3f4778d010 in ssl3_SendECDHClientKeyExchange (ss=ss@entry=0x7f3f20d0d000, svrPubKey=svrPubKey@entry=0x7f3f22f18020) at ssl3ecc.c:192
#20 0x00007f3f47785b2b in ssl3_SendClientKeyExchange (ss=0x7f3f20d0d000) at ssl3con.c:6478
#21 ssl3_SendClientSecondRound (ss=ss@entry=0x7f3f20d0d000) at ssl3con.c:8231
#22 0x00007f3f477882d8 in ssl3_HandleServerHelloDone (ss=0x7f3f20d0d000) at ssl3con.c:8155
#23 ssl3_HandlePostHelloHandshakeMessage (length=0, b=0x7f3f1c9f9004 'N' <repeats 200 times>..., ss=0x7f3f20d0d000) at ssl3con.c:12715
#24 ssl3_HandleHandshakeMessage (ss=ss@entry=0x7f3f20d0d000, b=b@entry=0x7f3f1c9f9004 'N' <repeats 200 times>..., length=0, endOfRecord=1) at ssl3con.c:12623
#25 0x00007f3f4778ada5 in ssl3_HandleHandshake (origBuf=0x7f3f20d0d2c0, ss=0x7f3f20d0d000) at ssl3con.c:12800
#26 ssl3_HandleNonApplicationData (ss=ss@entry=0x7f3f20d0d000, rType=<optimized out>, epoch=<optimized out>, seqNum=<optimized out>, databuf=databuf@entry=0x7f3f20d0d2c0) at ssl3con.c:13335
#27 0x00007f3f4778b83b in ssl3_HandleRecord (ss=ss@entry=0x7f3f20d0d000, cText=cText@entry=0x7f3f3fabd7d0) at ssl3con.c:13680
#28 0x00007f3f47791abf in ssl3_GatherCompleteHandshake (flags=<optimized out>, ss=<optimized out>) at ssl3gthr.c:561
#29 ssl3_GatherCompleteHandshake (ss=ss@entry=0x7f3f20d0d000, flags=flags@entry=0) at ssl3gthr.c:449
#30 0x00007f3f47798d79 in SSL_ForceHandshake (fd=<optimized out>) at sslsecur.c:417
#31 0x00007f3f4e5b84f1 in  () at /usr/lib64/thunderbird/libxul.so
#32 0x00007f3f4b3ee69d in  () at /usr/lib64/thunderbird/libxul.so
#33 0x00007f3f4b425a9c in  () at /usr/lib64/thunderbird/libxul.so
#34 0x00007f3f4b42b1b0 in  () at /usr/lib64/thunderbird/libxul.so
#35 0x00007f3f4b22330d in  () at /usr/lib64/thunderbird/libxul.so
#36 0x00007f3f4b226fbd in  () at /usr/lib64/thunderbird/libxul.so
#37 0x00007f3f4b22e2ee in  () at /usr/lib64/thunderbird/libxul.so
#38 0x00007f3f4b22fbad in  () at /usr/lib64/thunderbird/libxul.so
--Type <RET> for more, q to quit, c to continue without paging--c
#39 0x00007f3f4b0e04f7 in  () at /usr/lib64/thunderbird/libxul.so
#40 0x00007f3f4b0e4faa in  () at /usr/lib64/thunderbird/libxul.so
#41 0x00007f3f4b5d5318 in  () at /usr/lib64/thunderbird/libxul.so
#42 0x00007f3f4b597eb7 in  () at /usr/lib64/thunderbird/libxul.so
#43 0x00007f3f4b0dd981 in  () at /usr/lib64/thunderbird/libxul.so
#44 0x00007f3f52aeaabf in _pt_root (arg=0x7f3f52b30820) at /usr/src/debug/dev-libs/nspr-4.35-r1/nspr-4.35/nspr/pr/src/pthreads/ptthread.c:201
#45 0x00007f3f52ea76fc in  () at /usr/lib64/libc.so.6
#46 0x00007f3f52f27cac in  () at /usr/lib64/libc.so.6
(gdb)

and

(gdb) frame 5
#5  0x00007f3f3deaee9d in fadd (f2=0x7f3f3fabc870, f1=0x7f3f3fabc850, out=0x7f3f3fabc8d0) at verified/curve25519-inline.h:40
40          __asm__ volatile(
(gdb) list
35
36      // Computes the field addition of two field elements
37      static inline void
38      fadd(uint64_t *out, uint64_t *f1, uint64_t *f2)
39      {
40          __asm__ volatile(
41              // Compute the raw addition of f1 + f2
42              "  movq 0(%0), %%r8;"
43              "  addq 0(%2), %%r8;"
44              "  movq 8(%0), %%r9;"
(gdb)
Attached file build log
Flags: needinfo?(sam)

Ah, I see the problem.

Your patch defines it to 0, but it doesn't undefine it, so..

ifdef SUPPORTS_VALE_CURVE25519
    VERIFIED_SRCS += Hacl_Curve25519_64.c
    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
endif

... this still gets triggered.

ACK. Should be better now.

Flags: needinfo?(sam)

Thanks, that works.

Flags: needinfo?(sam)

For the record, since I discovered the issue independently (search functionality in bugzilla is somehow to hard for me). Same issue as with ADX applies to BMI2 so before enabling it again please review carefully each instruction that is used and add proper runtime detection.

Duplicate of this bug: 1839975

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)

Anna, can you check priority and severity please? : ) Thanks !

Flags: needinfo?(bbeurdouche) → needinfo?(nkulatova)
Severity: -- → S4
Priority: -- → P2

This bug is solved, I am closing.

Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Flags: needinfo?(nkulatova)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: