
qemu-i386 crash on signal handler return


From: Tavis Ormandy
Subject: qemu-i386 crash on signal handler return
Date: Sun, 2 Oct 2022 03:37:34 -0000 (UTC)
User-agent: slrn/pre1.0.4-5 (Linux)

Hello, I'm trying to use qemu-i386 on aarch64 to run an old binary and
running into a crash.

I've minimized it down to %esp getting corrupted after return from a
signal handler, but this seems so trivial that I must be doing
something wrong?

Here is a minimal reproducer:

https://lock.cmpxchg8b.com/files/repro.s

To compile it on an x86_64 machine:

$ as --32 repro.s -o repro.o
$ ld -melf_i386 repro.o -o repro

# It runs totally fine on i386/x86_64:

$ strace ./repro
[ Process PID=1848 runs in 32 bit mode. ]
sigaction(SIGALRM, {sa_handler=0x8049001, sa_mask=[],
sa_flags=SA_INTERRUPT|SA_NODEFER|SA_RESETHAND}, NULL) = 0
alarm(1)                                = 0
pause()                                 = ? ERESTARTNOHAND (To be restarted if no handler)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
sigreturn({mask=[]})                    = -1 EINTR (Interrupted system call)
exit(0)                                 = ?
+++ exited with 0 +++

Now trying the same binary on aarch64:
$ qemu-i386 -version
qemu-i386 version 5.2.0 (Debian 1:5.2+dfsg-11+deb11u2)
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers
# qemu-i386 -d strace ./test
# qemu-i386 -d strace ./repro
29309 sigaction(14,134520832,0,0,0,0) = 0
29309 alarm(1) = 0
29309 pause(1,134520832,0,0,0,0) = -1 errno=4 (Interrupted system call)
--- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL, si_pid=0, si_uid=0} ---
29309 sigreturn(1,134520832,0,0,0,0) = -1 errno=513 (Successful exit from sigreturn)
--- SIGSEGV {si_signo=SIGSEGV, si_code=1, si_addr=0x4080025c} ---
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault

Does anyone have any hints about what I might be doing wrong?

Thanks, Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@sdf.org
_\_V _( ) _( )  @taviso
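The following is an added C example, not Tavis's repro.s and not QEMU code. It performs the same syscall sequence that the strace output above shows (sigaction on SIGALRM with SA_NODEFER|SA_RESETHAND, then alarm, then pause) and afterwards checks whether the stack pointer survived the signal-handler return, which is the symptom described in the post. The helper names (stack_pointer, check_signal_return, on_alarm) are this example's own; SA_INTERRUPT is left out because it is only a historical flag on Linux. The check reads the stack pointer indirectly, by taking the address of a local in a noinline function called from the same call depth before and after the signal.

```c
/* Added example: a small harness that detects a corrupted stack pointer after
 * a signal handler returns. Build with: cc -O2 -o sigret_check sigret_check.c
 * and run natively or under a user-mode emulator. Not part of the original post. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t handler_ran;

/* SIGALRM handler: only records that it ran; the interesting part is the return. */
static void on_alarm(int signo)
{
    (void)signo;
    handler_ran = 1;
}

/* Returns the address of a local inside a function that is never inlined.
 * Called twice from the same caller at the same call depth, it yields the
 * same value as long as the caller's stack pointer has not changed. */
__attribute__((noinline)) static uintptr_t stack_pointer(void)
{
    volatile char probe = 0;
    return (uintptr_t)&probe;
}

/* Reproduces the sequence from the strace output: sigaction, alarm, pause.
 * Returns 1 when the handler ran and the stack pointer observed after pause()
 * equals the one observed before alarm(); 0 on any failure or mismatch.
 * The handler is reinstalled on every call because SA_RESETHAND removes it. */
int check_signal_return(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);                 /* sa_mask=[] as in the trace */
    sa.sa_flags = SA_NODEFER | SA_RESETHAND;  /* flags from the trace, minus the no-op SA_INTERRUPT */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return 0;

    handler_ran = 0;
    uintptr_t before = stack_pointer();
    alarm(1);
    pause();                                  /* returns -1/EINTR once the handler has run */
    uintptr_t after = stack_pointer();

    if (!handler_ran)
        return 0;
    return before == after;
}

int main(void)
{
    int ok = check_signal_return();
    printf("stack pointer %s after signal return\n", ok ? "preserved" : "CORRUPTED");
    return ok ? 0 : 1;
}
```

On a working kernel or emulator the program prints "stack pointer preserved after signal return"; an emulator with the defect described above would either print CORRUPTED or, as in the post, fault before reaching the second check.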