Bug 2055179

Summary: test_asan_lc.c test case from upstream integration test suite segfaults on aarch64
Product: Red Hat Enterprise Linux 8 Reporter: Miloš Prchlík <mprchlik>
Component: binutilsAssignee: Nick Clifton <nickc>
binutils sub component: system-version QA Contact: Miloš Prchlík <mprchlik>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: fweimer, mprchlik, nickc, ohudlick, sipoyare
Version: 8.6Keywords: Bugfix, Triaged
Target Milestone: rc   
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard:
Fixed In Version: binutils-2.30-114.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-08 10:45:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miloš Prchlík 2022-02-16 12:44:14 UTC 
Description of problem:

 $ cat test_asan_lc.c 
// Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
//
// REQUIRES: clang
// RUN: %clang -fsanitize=address %s -o %t -lc
// RUN: %t

#include <stdio.h>
int main(int argc, char **argv)
{
   printf("Hello world!\n");
   return 0;
}


$ clang -fsanitize=address test_asan_lc.c -o test_asan_lc.c.tmp -lc

$ gdb test_asan_lc.c.tmp
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-18.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "aarch64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test_asan_lc.c.tmp...(no debugging symbols found)...done.
(gdb) r
Starting program: /root/test_asan_lc.c.tmp 

Program received signal SIGSEGV, Segmentation fault.
strcmp () at ../sysdeps/aarch64/strcmp.S:64
64              ldr     data1, [src1], #8
(gdb) bt
#0  strcmp () at ../sysdeps/aarch64/strcmp.S:64
#1  0x0000ffffbe7ca7c4 in check_match (undef_name=undef_name@entry=0x41a8f9 "longjmp", ref=ref@entry=0x40a468, version=version@entry=0xffffbe804148, flags=flags@entry=9, type_class=type_class@entry=4, sym=0x40a468, symidx=<optimized out>, strtab=strtab@entry=0x411da0 "", map=map@entry=0xffffbe801280, 
    versioned_sym=versioned_sym@entry=0xffffffffe358, num_versions=num_versions@entry=0xffffffffe354) at dl-lookup.c:152
#2  0x0000ffffbe7cab40 in do_lookup_x (undef_name=undef_name@entry=0x41a8f9 "longjmp", new_hash=new_hash@entry=2285809788, old_hash=old_hash@entry=0xffffffffe428, ref=0x40a468, result=result@entry=0xffffffffe438, scope=<optimized out>, i=0, version=version@entry=0xffffbe804148, flags=flags@entry=9, 
    skip=<optimized out>, skip@entry=0x0, type_class=type_class@entry=4, undef_map=undef_map@entry=0xffffbe801280) at dl-lookup.c:430
#3  0x0000ffffbe7cb2b0 in _dl_lookup_symbol_x (undef_name=0x41a8f9 "longjmp", undef_map=undef_map@entry=0xffffbe801280, ref=0xffffffffe538, ref@entry=0xa, symbol_scope=symbol_scope@entry=0xffffbe801618, version=0xffffbe804148, type_class=4, flags=flags@entry=9, skip_map=skip_map@entry=0x0) at dl-lookup.c:855
#4  0x0000ffffbe7ccd40 in elf_machine_rela (skip_ifunc=<optimized out>, reloc_addr_arg=0x0, version=<optimized out>, sym=<optimized out>, reloc=0x420dd0, map=0xffffbe801280) at ../sysdeps/aarch64/dl-machine.h:259
#5  elf_dynamic_do_Rela (skip_ifunc=<optimized out>, lazy=0, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, map=0xffffbe801280) at do-rel.h:137
#6  _dl_relocate_object (scope=0xffffbe801618, reloc_mode=<optimized out>, consider_profiling=<optimized out>, consider_profiling@entry=0) at dl-reloc.c:278
#7  0x0000ffffbe7c5368 in dl_main (phdr=<optimized out>, phnum=<optimized out>, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2425
#8  0x0000ffffbe7d759c in _dl_sysdep_start (start_argptr=start_argptr@entry=0xffffffffee50, dl_main=dl_main@entry=0xffffbe7c3768 <dl_main>) at ../elf/dl-sysdep.c:253
#9  0x0000ffffbe7c2abc in _dl_start_final (arg=arg@entry=0xffffffffee50, info=info@entry=0xffffffffe9a0) at rtld.c:487
#10 0x0000ffffbe7c31a4 in _dl_start (arg=0xffffffffee50) at rtld.c:582
#11 0x0000ffffbe7c2430 in _start () from /lib/ld-linux-aarch64.so.1
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) 
(gdb) list
59              b.ne    L(mutual_align)
60              /* NUL detection works on the principle that (X - 1) & (~X) & 0x80
61                 (=> (X - 1) & ~(X | 0x7f)) is non-zero iff a byte is zero, and
62                 can be done in parallel across the entire word.  */
63      L(loop_aligned):
64              ldr     data1, [src1], #8
65              ldr     data2, [src2], #8
66      L(start_realigned):
67              sub     tmp1, data1, zeroones
68              orr     tmp2, data1, #REP8_7f
(gdb) 


Version-Release number of selected component (if applicable):

clang-13.0.1-1.module+el8.6.0+14118+d530a951.aarch64
llvm-13.0.1-1.module+el8.6.0+14118+d530a951.aarch64
glibc-2.28-189.el8.aarch64


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Florian Weimer 2022-03-03 20:16:48 UTC 
(In reply to Miloš Prchlík from comment #0)
> Description of problem:
> 
>  $ cat test_asan_lc.c 
> // Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
> //
> // REQUIRES: clang
> // RUN: %clang -fsanitize=address %s -o %t -lc
> // RUN: %t
> 
> #include <stdio.h>
> int main(int argc, char **argv)
> {
>    printf("Hello world!\n");
>    return 0;
> }

Where did you find this test case? It seems to be a binutils bug.
Comment 2 Nick Clifton 2022-03-04 10:39:00 UTC 
I am not sure how this is a binutils bug, but anyway...

I assume that this problem only happens when address sanitization is used, and only for the AArch64, correct ?

Is the seg-fault happening because [src1] is not aligned to an 8-byte boundary, or because it is an illegal address ?
(I am assuming the latter).

My best guess is that there is a bug in the address sanitization library code, possibly AArch64 specific, but without more details it is hard to say.
Comment 3 Nick Clifton 2022-03-04 10:46:05 UTC 
(In reply to Nick Clifton from comment #2)
> I am not sure how this is a binutils bug, but anyway...

Florian has just pointed out to me that this is PR 28348...  Reassinging.
Comment 4 Miloš Prchlík 2022-03-04 11:10:57 UTC 
(In reply to Florian Weimer from comment #1)
> (In reply to Miloš Prchlík from comment #0)
> > Description of problem:
> > 
> >  $ cat test_asan_lc.c 
> > // Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
> > //
> > // REQUIRES: clang
> > // RUN: %clang -fsanitize=address %s -o %t -lc
> > // RUN: %t
> > 
> > #include <stdio.h>
> > int main(int argc, char **argv)
> > {
> >    printf("Hello world!\n");
> >    return 0;
> > }
> 
> Where did you find this test case? It seems to be a binutils bug.

It comes from upstream LLVM integration test suite, https://github.com/opencollab/llvm-toolchain-integration-test-suite/blob/main/tests/test_asan_lc.c

Let me grab another aarch64 box, and get more details. It was fairly reproducible.
Comment 5 Nick Clifton 2022-03-07 15:57:30 UTC 
Fixed in binutils-2.30-114.el8
Comment 6 Miloš Prchlík 2022-04-11 07:19:47 UTC 
Bumping ITM by one week to gain more time for testing. I got distracted by the fallout of the recent PSI outage.
Comment 9 Miloš Prchlík 2022-04-14 14:00:55 UTC 
Verified with binutils-2.30-114.el8.

$ export LSAN_OPTIONS=verbosity=1:log_threads=1
$ ./test_asan_lc.c.tmp
==16987==AddressSanitizer: failed to intercept '__isoc99_printf'
==16987==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==16987==AddressSanitizer: failed to intercept 'xdr_destroy'
==16987==AddressSanitizer: failed to intercept 'crypt'
==16987==AddressSanitizer: failed to intercept 'crypt_r'
==16987==AddressSanitizer: failed to intercept '__cxa_throw'
==16987==AddressSanitizer: failed to intercept '__cxa_rethrow_primary_exception'
==16987==AddressSanitizer: libc interceptors initialized
|| `[0x201000000000, 0xffffffffffff]` || HighMem    ||
|| `[0x041200000000, 0x200fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0411ffffffff]` || ShadowGap  ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow  ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem     ||
MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x009240000000 0x0411ffffffff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x1000000000
==16987==Installed the sigaction for signal 11
==16987==Installed the sigaction for signal 7
==16987==Installed the sigaction for signal 8
==16987==T0: stack [0xffffc5d70000,0xffffc6570000) size 0x800000; local=0xffffc65643e0
==16987==AddressSanitizer Init done
Hello world!
==16988==Processing thread 16987.
==16988==Stack at 0xffffc5d70000-0xffffc6570000 (SP = 0xffffc65640d0).
==16988==TLS at 0xffff84dc4bb0-0xffff84dc5a40.
$
Comment 14 errata-xmlrpc 2022-11-08 10:45:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (binutils bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7693