rhel-9.6
rhel-security-crypto-diamonds
ppc64le
What were you trying to do that didn't work?
Correct the tests on https://jira.mariadb.org/browse/MDEV-33603.
What is the impact of this issue to you?
Floating point values held in registers before MariaDB initiated an SSL connection in the same thread (CONNECT or Spider connection) could be corrupted afterwards, resulting in data loss or unpredictable behaviour.
Please provide the package NVR for which the bug is seen:
openssl-3.2.2-6.el9_5.1
How reproducible is this bug?:
Always.
Steps to reproduce
1. use a MariaDB 11.4+ build of MariaDB (which uses SSL by default)
2. do a basic cmake build with the default CMAKE_BUILD_TYPE=RelWithDebInfo
3. cut down connect.mysql_index.test to just the "SELECT * FROM t2 WHERE id <= 3" SELECT query, as in the diff below:
diff --git a/storage/connect/mysql-test/connect/t/mysql_index.test b/storage/connect/mysql-test/connect/t/mysql_index.test
index a70ea3fd6f9..86ead152837 100644
--- a/storage/connect/mysql-test/connect/t/mysql_index.test
+++ b/storage/connect/mysql-test/connect/t/mysql_index.test
@@ -31,7 +31,7 @@ CREATE TABLE t1 (
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
INSERT INTO t1 VALUES(1,'Un'),(3,'Trois'),(5,'Cinq');
INSERT INTO t1 VALUES(2,'Two'),(4,'Four'),(6,'Six'), (7,'seven');
-SELECT * FROM t1;
+ANALYZE TABLE t1;
--echo #
--echo # Make local MYSQL table with indexed id column
@@ -41,20 +41,16 @@ CREATE TABLE t2 (
msg char(100) DEFAULT NULL,
PRIMARY KEY (id)
) ENGINE=CONNECT DEFAULT CHARSET=latin1 TABLE_TYPE=MYSQL TABNAME=t1;
+ANALYZE TABLE t2;
--echo #
--echo # Testing SELECT, etc.
--echo #
-SELECT * FROM t2;
-SELECT * FROM t2 WHERE id = 3;
-SELECT * FROM t2 WHERE id IN (2,4);
-SELECT * FROM t2 WHERE id IN (2,4) AND msg = 'Two';
-SELECT * FROM t2 WHERE id > 4;
---sorted_result
-SELECT * FROM t2 WHERE id >= 3;
-SELECT * FROM t2 WHERE id < 3;
-SELECT * FROM t2 WHERE id < 2 OR id > 4;
-explain SELECT * FROM t2 WHERE id <= 3;
+set optimizer_trace='enabled=on';
+SELECT * FROM t2 WHERE id <= 3;
+--vertical_results
+select * from information_schema.optimizer_trace limit 1;
+--horizontal_results
SELECT * FROM t2 WHERE id <= 3;
SELECT * FROM t2 WHERE id BETWEEN 3 AND 5;
SELECT * FROM t2 WHERE id > 2 AND id < 6;
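Review bot: `set optimizer_trace='enabled=on';` on the new side is never switched off within the hunk, so every later statement in the test keeps tracing and the session leaves the variable changed; if the end of the file (outside this hunk) does not already reset it, add `set optimizer_trace=default;` after the `--horizontal_results` line. The `select * from information_schema.optimizer_trace limit 1;` dumps the whole trace row, whose cost figures are floating point and differ between builds and platforms, so the recorded result would be fragile as a permanent test; selecting only the field of interest with JSON_EXTRACT would keep the expected output stable. Dumping the full row is presumably intentional for a reproducer, since the corrupted read_time is exactly what the trace is meant to surface.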
4. invoke {{ mysql-test/mtr --manual-gdb='b check_quick_select;r;display $f1;display $f29;b ssl_do; c' connect.mysql_index}}
5. launch gdb sessions in new terminals as instructed (only first is used)
Expected results
read_time, a double argument of get_key_scans_params, keeps its value across the SSL_connect call.
Actual results
...
#15 get_key_scans_params (param=param@entry=0x3fff79e244f8, tree=tree@entry=0x3fff68a3b328, index_read_must_be_used=index_read_must_be_used@entry=false, for_range_access=for_range_access@entry=true,
read_time=read_time@entry=0.113371474, limit=0, limit@entry=18446744073709551615, using_table_scan=using_table_scan@entry=true) at /source/sql/opt_range.cc:7861
(gdb) b SSL_connect
Breakpoint 5 at 0x3fff81a267b8
(gdb) c
284 while ((ret= func(ssl)) < 1)
1: $f1 = 0.113371474
2: $f29 = 0.113371474
(gdb) p func
$2 = (ssl_handshake_func_t) 0x3fff81a267a0 <SSL_connect>
(gdb) s
Thread 6 "mariadbd" hit Breakpoint 5, 0x00003fff81a267b8 in SSL_connect () from /lib64/libssl.so.3
1: $f1 = 0.113371474
2: $f29 = 0.113371474
(gdb) s
Single stepping until exit from function SSL_connect,
which has no line number information.
ssl_handshake_loop (func=0x3fff81a267a0 <SSL_connect>, ssl=0x3fff689e9600, vio=0x3fff68a5da78) at /source/vio/viossl.c:286
286 if (handle_ssl_io_error(vio,ret))
1: $f1 = 1.3980758192240678e+104
2: $f29 = 0
(gdb) bt
#0 ssl_handshake_loop (func=0x3fff81a267a0 <SSL_connect>, ssl=0x3fff689e9600, vio=0x3fff68a5da78) at /source/vio/viossl.c:286
#1 ssl_do (vio=0x3fff68a5da78, timeout=0, func=0x3fff81a267a0 <SSL_connect>, errptr=0x3fff79e224f0, errptr@entry=0x3fff79e22540, ptr=<optimized out>, ptr=<optimized out>) at /source/vio/viossl.c:328
#2 0x0000000128d64d50 in sslconnect (ptr=<optimized out>, vio=<optimized out>, timeout=<optimized out>, errptr=errptr@entry=0x3fff79e22540) at /source/vio/viossl.c:390
#3 0x0000000128b00444 in send_client_reply_packet (mpvio=mpvio@entry=0x3fff79e228e0, data=0x0, data_len=<optimized out>) at /source/sql-common/client.c:2183
#4 0x0000000128b00a60 in client_mpvio_write_packet (mpv=0x3fff79e228e0, pkt=<optimized out>, pkt_len=<optimized out>) at /source/sql-common/client.c:2378
#5 0x0000000128afca7c in native_password_auth_client (vio=0x3fff79e228e0, mysql=0x3fff689863c8) at /source/sql-common/client.c:4225
#6 0x0000000128b01020 in run_plugin_auth (mysql=mysql@entry=0x3fff689863c8, data=data@entry=0x3fff68a03ac3 "k8pP}G(3d~p8bg_(EdGv", data_len=data_len@entry=21,
data_plugin=data_plugin@entry=0x3fff68a03ad8 "mysql_native_password", db=db@entry=0x3fff5ffff1a8 "test") at /source/sql-common/client.c:2511
#7 0x0000000128b036c0 in server_mysql_real_connect (mysql=0x3fff689863c8, host=<optimized out>, user=<optimized out>, passwd=<optimized out>, db=0x3fff5ffff1a8 "test", port=<optimized out>,
unix_socket=<optimized out>, client_flag=2147614720) at /source/sql-common/client.c:3174
#8 0x00003fff7b3007ac in MYSQLC::Open (this=this@entry=0x3fff5ffff4e0, g=g@entry=0x3fff6894b200, host=0x3fff5ffff198 "localhost", db=0x3fff5ffff1a8 "test", user=0x3fff5ffff1c0 "root", pwd=0x0,
pt=<optimized out>, csname=0x3fff5ffff190 "latin1") at /source/storage/connect/myconn.cpp:535
#9 0x00003fff7b333474 in TDBMYSQL::OpenDB (g=0x3fff6894b200, this=0x3fff5ffff3a8) at /source/storage/connect/tabmysql.cpp:897
#10 TDBMYSQL::OpenDB (this=0x3fff5ffff3a8, g=0x3fff6894b200) at /source/storage/connect/tabmysql.cpp:876
#11 0x00003fff7b2bace0 in CntOpenTable (g=g@entry=0x3fff6894b200, tdbp=0x3fff5ffff3a8, mode=<optimized out>, c1=c1@entry=0x3fff5ffff548 "id", c2=c2@entry=0x0, del=del@entry=false)
at /source/storage/connect/connect.cc:355
#12 0x00003fff7b2a9a48 in ha_connect::OpenTable (this=this@entry=0x3fff68949238, g=g@entry=0x3fff6894b200, del=<optimized out>) at /source/storage/connect/ha_connect.cc:2092
#13 0x00003fff7b2aa4a0 in ha_connect::rnd_init (this=this@entry=0x3fff68949238, scan=scan@entry=false) at /source/storage/connect/ha_connect.cc:4156
#14 0x00003fff7b2aa7e0 in ha_connect::index_init (this=this@entry=0x3fff68949238, idx=idx@entry=0, sorted=sorted@entry=false) at /source/storage/connect/ha_connect.cc:3830
#15 0x00003fff7b2aa98c in ha_connect::records_in_range (this=0x3fff68949238, inx=<optimized out>, min_key=0x0, max_key=<optimized out>, pages=<optimized out>) at /source/storage/connect/ha_connect.cc:5340
#16 0x00000001289cd614 in handler::multi_range_read_info_const (this=0x3fff68949238, keyno=keyno@entry=0, seq=seq@entry=0x3fff79e23bf0, seq_init_param=0x100000, seq_init_param@entry=0x3fff79e23c68,
n_ranges_arg=<optimized out>, bufsz=0x3fff79e23a50, bufsz@entry=0x3fff79e239ec, flags=0x3fff79e23ac0, flags@entry=0x3fff79e239e8, top_limit=0, top_limit@entry=18446744073709551615,
cost=cost@entry=0x3fff79e23c18) at /source/sql/multi_range_read.cc:247
#17 0x00000001289d055c in DsMrr_impl::dsmrr_info_const (this=this@entry=0x3fff689497f8, keyno=<optimized out>, keyno@entry=0, seq=<optimized out>, seq@entry=0x3fff79e23bf0, seq_init_param=<optimized out>,
seq_init_param@entry=0x3fff79e23c68, n_ranges=<optimized out>, n_ranges@entry=0, bufsz=bufsz@entry=0x3fff79e23bac, flags=flags@entry=0x3fff79e23ba8, limit=<optimized out>, limit@entry=18446744073709551615,
cost=0x3fff79e23c18, cost@entry=0x3fff79e23c68) at /source/sql/multi_range_read.cc:1787
#18 0x00003fff7b2a6f94 in ha_connect::multi_range_read_info_const (this=0x3fff68949238, keyno=<optimized out>, seq=0x3fff79e23bf0, seq_init_param=0x3fff79e23c68, n_ranges=<optimized out>, bufsz=0x3fff79e23bac,
flags=0x3fff79e23ba8, limit=18446744073709551615, cost=0x3fff79e23c18) at /source/storage/connect/ha_connect.cc:7427
#19 0x00000001286fbf38 in check_quick_select (is_ror_scan=<synthetic pointer>, cost=0x0, bufsize=0x0, mrr_flags=0x0, update_tbl_stats=<optimized out>, tree=0x3fff68a3b3b0, index_only=false,
limit=<optimized out>, idx=0, param=0x3fff79e244f8) at /source/sql/opt_range.cc:12131
#20 get_key_scans_params (param=param@entry=0x3fff79e244f8, tree=tree@entry=0x3fff68a3b328, index_read_must_be_used=index_read_must_be_used@entry=false, for_range_access=for_range_access@entry=true,
read_time=0, read_time@entry=0.113371474, limit=0, limit@entry=18446744073709551615, using_table_scan=using_table_scan@entry=true) at /source/sql/opt_range.cc:7861
#21 0x00000001286fe634 in SQL_SELECT::test_quick_select (this=this@entry=0x3fff68016ed0, thd=thd@entry=0x3fff68000c58, keys_to_use=..., prev_tables=prev_tables@entry=0, limit=limit@entry=18446744073709551615,
force_quick_range=force_quick_range@entry=false, ordered_output=ordered_output@entry=false, remove_false_parts_of_where=remove_false_parts_of_where@entry=true, only_single_index_range_scan=60,
only_single_index_range_scan@entry=false, note_unusable_keys=Item_func::BITMAP_NONE, note_unusable_keys@entry=Item_func::BITMAP_EXCEPT_ANY_EQUALITY) at /source/sql/opt_range.cc:3001
#22 0x00000001288a83b4 in get_quick_record_count (quick_count=<synthetic pointer>, limit=18446744073709551615, keys=0x3fff68015a70, table=0x3fff68948e08, select=0x3fff68016ed0, thd=0x3fff68000c58)
at /source/sql/sql_select.cc:5441
#23 make_join_statistics (join=join@entry=0x3fff68014d78, tables_list=..., keyuse_array=0x129bb6900 <my_long_options+3200>, keyuse_array@entry=0x3fff680150d0) at /source/sql/sql_select.cc:6219
#24 0x00000001288adccc in JOIN::optimize_inner (this=this@entry=0x3fff68014d78) at /source/sql/sql_select.cc:2725
#25 0x00000001288ae338 in JOIN::optimize (this=<optimized out>, this@entry=0x3fff68014d78) at /source/sql/sql_select.cc:2019
#26 0x00000001288ae4c8 in mysql_select (thd=thd@entry=0x3fff68000c58, tables=0x3fff68013940, fields=..., conds=0x3fff68014210, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0,
select_options=<optimized out>, result=result@entry=0x3fff68014d50, unit=unit@entry=0x3fff68004f38, select_lex=select_lex@entry=0x3fff68013308) at /source/sql/sql_select.cc:5366
#27 0x00000001288aec84 in handle_select (thd=thd@entry=0x3fff68000c58, lex=lex@entry=0x3fff68004e58, result=result@entry=0x3fff68014d50, setup_tables_done_option=70366494092496,
setup_tables_done_option@entry=0) at /source/sql/sql_select.cc:642
#28 0x0000000128812490 in execute_sqlcom_select (thd=thd@entry=0x3fff68000c58, all_tables=0x3fff68013940) at /source/sql/sql_parse.cc:6185
#29 0x0000000128823010 in mysql_execute_command (thd=thd@entry=0x3fff68000c58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /source/sql/sql_parse.cc:3971
#30 0x000000012882490c in mysql_parse (thd=0x3fff68000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /source/sql/sql_parse.cc:7900
#31 0x0000000128826bb8 in dispatch_command (command=command@entry=COM_QUERY, thd=<optimized out>, thd@entry=0x3fff68000c58, packet=packet@entry=0x3fff68008769 "SELECT * FROM t2 WHERE id <= 3",
packet_length=packet_length@entry=30, blocking=blocking@entry=true) at /source/sql/sql_parse.cc:1905
#32 0x0000000128828f84 in do_command (thd=thd@entry=0x3fff68000c58, blocking=blocking@entry=true) at /source/sql/sql_parse.cc:1418
#33 0x0000000128981928 in do_handle_one_connection (connect=<optimized out>, put_in_cache=put_in_cache@entry=true) at /source/sql/sql_connect.cc:1497
#34 0x0000000128981e98 in handle_one_connection (arg=<optimized out>, arg@entry=0x1561e40b8) at /source/sql/sql_connect.cc:1409
#35 0x0000000128e1b7a8 in pfs_spawn_thread (arg=0x15613d0e8) at /source/storage/perfschema/pfs.cc:2201
#36 0x00003fff80edae24 in start_thread () from /lib64/libc.so.6
#37 0x00003fff80f884c0 in clone () from /lib64/libc.so.6
The f1 register held the first floating point argument, read_time, of get_key_scans_params. The early part of this function copied it to the f29 register. On entry to SSL_connect the registers still held the correct value, 0.113371474, and on return they did not, despite the ABI requiring the callee to save and restore these registers.
(gdb) disassemble/s get_key_scans_params
Dump of assembler code for function get_key_scans_params(PARAM*, SEL_TREE*, bool, bool, double, ha_rows, bool):
/source/sql/opt_range.cc:
7810 {
   0x00000001286fb600 <+0>:     addis   r2,r12,332
   0x00000001286fb604 <+4>:     addi    r2,r2,-19712
...
   0x00000001286fb694 <+148>:   fmr     f29,f1