Hi, after installing corekeeper I got a coredump of the crashing stunnel. Installing some dbgsym packages I got this backtrace.
It seems the bug could be reassigned to glibc as it crashes in thread unlocking.

It's pretty interesting. It crashes in the "xend" instruction, which is an opcode of the transactional memory feature. From the CPU type it should be supported, but concerning the Intel errata it might be disabled by microcode.

It's not advertised as available in the cpuinfo - should be flag "hle"

root@pax:/var/crash/0# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                8
On-line CPU(s) list:   0-7
Thread(s) per core:    2
Core(s) per socket:    4
Socket(s):             1
NUMA node(s):          1
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 60
Model name:            Intel(R) Xeon(R) CPU E3-1270 v3 @ 3.50GHz
Stepping:              3
CPU MHz:               3699.951
CPU max MHz:           3900.0000
CPU min MHz:           800.0000
BogoMIPS:              6983.94
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              8192K
NUMA node0 CPU(s):     0-7
Flags:                 fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm epb invpcid_single ssbd ibrs ibpb stibp kaiser tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt dtherm ida arat pln pts flush_l1d

I have installed latest microcode:

root@pax:/var/crash/0# dmesg | grep micro
[    0.000000] microcode: microcode updated early to revision 0x25, date = 2018-04-02
[    1.593723] microcode: sig=0x306c3, pf=0x2, revision=0x25

root@pax:/var/crash/0# dpkg -l intel-microcode
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                              Version               Architecture          Description
+++-=================================-=====================-=====================-========================================================================
ii  intel-microcode                   3.20180807a.2~deb9u1  amd64                 Processor microcode firmware for Intel CPUs

root@pax:/var/crash/0# gdb -c 15*core /usr/bin/stunnel4
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/stunnel4...Reading symbols from /usr/lib/debug/.build-id/bb/b0710645254c912da337f32e7a2d40cd849ec3.debug...done.
done.
[New LWP 15247]
[New LWP 15244]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/stunnel4 /etc/stunnel/stunnel-suucp.conf'.
Program terminated with signal SIGILL, Illegal instruction.
#0  0x00007f51f7858c43 in _xend () at pthread_rwlock_unlock.c:38
38      pthread_rwlock_unlock.c: No such file or directory.
[Current thread is 1 (Thread 0x7f51f64ad700 (LWP 15247))]
(gdb) info thread
  Id   Target Id         Frame
* 1    Thread 0x7f51f64ad700 (LWP 15247) 0x00007f51f7858c43 in _xend () at pthread_rwlock_unlock.c:38
  2    Thread 0x7f51f8b13880 (LWP 15244) 0x00007f51f785856f in __GI___pthread_rwlock_wrlock (rwlock=0x5607e3c25070) at pthread_rwlock_wrlock.c:107
(gdb) bt
#0  0x00007f51f7858c43 in _xend () at pthread_rwlock_unlock.c:38
#1  __GI___pthread_rwlock_unlock (rwlock=0x5607e3c68ce0) at pthread_rwlock_unlock.c:38
#2  0x00007f51f8453f09 in CRYPTO_THREAD_unlock (lock=<optimized out>) at ../crypto/threads_pthread.c:79
#3  0x00007f51f8422c9d in rand_bytes (buf=0x7f51f0006ec0 "\031e\342\244\035O2\226\235p", num=0, pseudo=0) at ../crypto/rand/md_rand.c:498
#4  0x00007f51f835b551 in bnrand (pseudorand=0, rnd=0x7f51f0002a10, bits=2047, top=<optimized out>, bottom=<optimized out>) at ../crypto/bn/bn_rand.c:46
#5  0x00007f51f835a533 in probable_prime_dh_safe (ctx=0x7f51f0002840, rem=0x7f51f0001408, padd=0x7f51f00013f0, bits=2047, p=0x7f51f00016d0) at ../crypto/bn/bn_prime.c:548
#6  BN_generate_prime_ex (ret=0x7f51f00016d0, bits=bits@entry=2048, safe=safe@entry=1, add=add@entry=0x7f51f00013f0, rem=0x7f51f0001408, cb=cb@entry=0x0) at ../crypto/bn/bn_prime.c:139
#7  0x00007f51f838597d in dh_builtin_genparams (ret=0x7f51f00010b0, ret=0x7f51f00010b0, cb=0x0, generator=2, prime_len=2048) at ../crypto/dh/dh_gen.c:112
#8  DH_generate_parameters_ex (ret=0x7f51f00010b0, prime_len=2048, generator=2, cb=0x0) at ../crypto/dh/dh_gen.c:28
#9  0x00005607e32be538 in cron_dh_param () at cron.c:172
#10 cron_worker () at cron.c:133
#11 cron_thread (arg=<optimized out>) at cron.c:88
#12 0x00007f51f78534a4 in start_thread (arg=0x7f51f64ad700) at pthread_create.c:456
#13 0x00007f51f7595d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
(gdb) disas 0x00007f51f7858c43
Dump of assembler code for function __GI___pthread_rwlock_unlock:
   0x00007f51f7858c20 <+0>:     mov    0x1c(%rdi),%esi
   0x00007f51f7858c23 <+3>:     mov    0x18(%rdi),%r9d
   0x00007f51f7858c27 <+7>:     xor    %r8d,%r8d
   0x00007f51f7858c2a <+10>:    mov    %rdi,%rdx
   0x00007f51f7858c2d <+13>:    test   %esi,%esi
   0x00007f51f7858c2f <+15>:    setne  %r8b
   0x00007f51f7858c33 <+19>:    shl    $0x7,%r8d
   0x00007f51f7858c37 <+23>:    test   %r9d,%r9d
   0x00007f51f7858c3a <+26>:    jne    0x7f51f7858c50 <__GI___pthread_rwlock_unlock+48>
   0x00007f51f7858c3c <+28>:    mov    0x4(%rdi),%edi
   0x00007f51f7858c3f <+31>:    test   %edi,%edi
   0x00007f51f7858c41 <+33>:    jne    0x7f51f7858c50 <__GI___pthread_rwlock_unlock+48>
=> 0x00007f51f7858c43 <+35>:    xend
   0x00007f51f7858c46 <+38>:    xor    %eax,%eax
   0x00007f51f7858c48 <+40>:    retq
   0x00007f51f7858c49 <+41>:    nopl   0x0(%rax)
   0x00007f51f7858c50 <+48>:    sub    $0x8,%rsp
   0x00007f51f7858c54 <+52>:    mov    $0x1,%edi
   0x00007f51f7858c59 <+57>:    xor    %eax,%eax
   0x00007f51f7858c5b <+59>:    lock cmpxchg %edi,(%rdx)
   0x00007f51f7858c5f <+63>:    je     0x7f51f7858c77 <__GI___pthread_rwlock_unlock+87>
   0x00007f51f7858c61 <+65>:    lea    (%rdx),%rdi
   0x00007f51f7858c64 <+68>:    sub    $0x80,%rsp
   0x00007f51f7858c6b <+75>:    callq  0x7f51f785bf60 <__lll_lock_wait>
   0x00007f51f7858c70 <+80>:    add    $0x80,%rsp
   0x00007f51f7858c77 <+87>:    mov    0x18(%rdx),%eax
   0x00007f51f7858c7a <+90>:    test   %eax,%eax
   0x00007f51f7858c7c <+92>:    jne    0x7f51f7858d00 <__GI___pthread_rwlock_unlock+224>
   0x00007f51f7858c82 <+98>:    mov    0x4(%rdx),%eax
   0x00007f51f7858c85 <+101>:   sub    $0x1,%eax
   0x00007f51f7858c88 <+104>:   test   %eax,%eax
   0x00007f51f7858c8a <+106>:   mov    %eax,0x4(%rdx)
   0x00007f51f7858c8d <+109>:   jne    0x7f51f7858d12 <__GI___pthread_rwlock_unlock+242>
   0x00007f51f7858c93 <+115>:   mov    0x14(%rdx),%esi
   0x00007f51f7858c96 <+118>:   test   %esi,%esi
   0x00007f51f7858c98 <+120>:   jne    0x7f51f7858d40 <__GI___pthread_rwlock_unlock+288>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)

-- 
Florian Lohoff                                                 f...@zz.de
        UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away
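An added example, not part of the original report and not glibc or stunnel code: a C check of whether the TSX feature bits are advertised, both in a flags line like the lscpu output above and in CPUID leaf 7 of the machine it runs on. The function names are hypothetical, and the flags string is an excerpt of the report's own Flags line.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID.(EAX=7,ECX=0):EBX bits; Linux shows them as "hle" and "rtm". */
#define LEAF7_EBX_HLE (1u << 4)
#define LEAF7_EBX_RTM (1u << 11)
/* Whole-token lookup in a space-separated flags line (lscpu, /proc/cpuinfo). */
int has_flag(const char *flags, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = flags; (p = strstr(p, name)) != NULL; p += n) {
        int starts = (p == flags) || (p[-1] == ' ');
        int ends = (p[n] == '\0') || (p[n] == ' ') || (p[n] == '\n');
        if (starts && ends)
            return 1;
    }
    return 0;
}

/* xbegin/xend raise #UD (delivered as SIGILL) unless the RTM bit is set. */
int rtm_advertised(unsigned int leaf7_ebx) { return (leaf7_ebx & LEAF7_EBX_RTM) != 0; }
int hle_advertised(unsigned int leaf7_ebx) { return (leaf7_ebx & LEAF7_EBX_HLE) != 0; }

/* Read leaf 7 EBX from the running CPU; -1 if not x86 or the leaf is missing. */
int read_leaf7_ebx(unsigned int *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d)) {
        *out = b;
        return 0;
    }
#endif
    (void)out;
    return -1;
}

int main(void)
{
    /* Excerpt of the Flags line from the lscpu output in the report. */
    const char *reported = "fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid xsaveopt";
    unsigned int ebx = 0;
    printf("report lists rtm: %d, hle: %d\n", has_flag(reported, "rtm"), has_flag(reported, "hle"));
    if (read_leaf7_ebx(&ebx) == 0)
        printf("this CPU: rtm=%d hle=%d\n", rtm_advertised(ebx), hle_advertised(ebx));
    return 0;
}
```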