[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 1883984] Re: QEMU S/390x sqxbr (128-bit IEEE 754 square root) crash

From: Launchpad Bug Tracker
Subject: [Bug 1883984] Re: QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-s390x
Date: Wed, 16 Sep 2020 02:18:43 -0000

This bug was fixed in the package qemu - 1:4.2-3ubuntu6.5

qemu (1:4.2-3ubuntu6.5) focal; urgency=medium

  * further stabilize qemu by importing patches of qemu v4.2.1
    Fixes (LP: #1891203) and (LP: #1891877)
    - d/p/stable/lp-1891877-*
    - as part of the stabilization this also fixes an
      riscv emulation issue due to the CVE-2020-13754 fixes via
  * fix s390x SQXBR emulation (LP: #1883984)
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
  * fix -no-reboot for s390x protvirt guests (LP: #1890154)
    - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 19 Aug
2020 13:40:49 +0200

** Changed in: qemu (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13754

You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.

  QEMU S/390x sqxbr (128-bit IEEE 754 square root) crashes qemu-system-

Status in QEMU:
  Fix Released
Status in qemu package in Ubuntu:
  Fix Released
Status in qemu source package in Focal:
  Fix Released

Bug description:

   * An instruction was described wrong so that on usage the program would 

  [Test Case]

   * Run s390x in emulation and there use this program:
     For simplicity and speed you can use KVM guest as usual on s390x, that 
     after prep&install&compile of the test you run in qemu-tcg like:

     $ sudo qemu-system-s390x -machine s390-ccw-virtio,accel=tcg -cpu 
max,zpci=on -serial mon:stdio -display none -m 4096 -nic 
user,model=virtio,hostfwd=tcp::2222-:22 -drive 
     Obviously is you have no s390x access you need to use emulation right 

   * Build and run failing program
     $ sudo apt install clang
     $ cat > bug-sqrtl-one-line.c << EOF
  int main(void) { volatile long double x, r; x = 4.0L; __asm__ 
  __volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}
     $ cc bug-sqrtl-one-line.c
     $ ./a.out
     Segmentation fault (core dumped)

     qemu is dead by now as long as the bug is present

  [Regression Potential]

   * The change only modifies 128 bit square root on s390x so regressions
     should be limited to exactly that - which formerly before this fix was 
     a broken instruction.

  [Other Info]
   * n/a


  In porting software to guest Ubuntu 18.04 and 20.04 VMs for S/390x, I 
  that some of my own numerical programs, and also a GNU configure script for at
  least one package with CC=clang, would cause an instant crash of the VM, 
  also destroying recently opened files, and producing long strings of NUL 
  in /var/log/syslog in the S/390 guest O/S.

  Further detective work narrowed the cause of the crash down to a single IBM 
  instruction: sqxbr (128-bit IEEE 754 square root).  Here is a one-line program
  that when compiled and run on a VM hosted on QEMUcc emulator version 4.2.0
  (Debian 1:4.2-3ubuntu6.1) [hosted on Ubuntu 20.04 on a Dell Precision 7920
  workstation with an Intel Xeon Platinum 8253 CPU],  and also on QEMU emulator
  version 5.0.0, reproducibly produces a VM crash under qemu-system-s390x.

  % cat bug-sqrtl-one-line.c
  int main(void) { volatile long double x, r; x = 4.0L; __asm__ 
__volatile__("sqxbr %0, %1" : "=f" (r) : "f" (x)); return (0);}

  % cc bug-sqrtl-one-line.c && ./a.out
  Segmentation fault (core dumped)

  The problem code may be the function float128_sqrt() defined in 
  starting at line 7619.  I have NOT attempted to run the qemu-system-s390x 
  under a debugger.  However, I observe that S/390 is the only CPU family that 
I know of,
  except possibly for a Fujitsu SPARC-64, that has a 128-bit square root in 
  Thus, this instruction bug may not have been seen before.

To manage notifications about this bug go to:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]