Description of problem:

$ cat test_asan_lc.c
// Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
//
// REQUIRES: clang
// RUN: %clang -fsanitize=address %s -o %t -lc
// RUN: %t

#include <stdio.h>
int main(int argc, char **argv)
{
    printf("Hello world!\n");
    return 0;
}

$ clang -fsanitize=address test_asan_lc.c -o test_asan_lc.c.tmp -lc
$ gdb test_asan_lc.c.tmp
GNU gdb (GDB) Red Hat Enterprise Linux 8.2-18.el8
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "aarch64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test_asan_lc.c.tmp...(no debugging symbols found)...done.
(gdb) r
Starting program: /root/test_asan_lc.c.tmp

Program received signal SIGSEGV, Segmentation fault.
strcmp () at ../sysdeps/aarch64/strcmp.S:64
64          ldr     data1, [src1], #8
(gdb) bt
#0  strcmp () at ../sysdeps/aarch64/strcmp.S:64
#1  0x0000ffffbe7ca7c4 in check_match (undef_name=undef_name@entry=0x41a8f9 "longjmp", ref=ref@entry=0x40a468, version=version@entry=0xffffbe804148, flags=flags@entry=9, type_class=type_class@entry=4, sym=0x40a468, symidx=<optimized out>, strtab=strtab@entry=0x411da0 "", map=map@entry=0xffffbe801280, versioned_sym=versioned_sym@entry=0xffffffffe358, num_versions=num_versions@entry=0xffffffffe354) at dl-lookup.c:152
#2  0x0000ffffbe7cab40 in do_lookup_x (undef_name=undef_name@entry=0x41a8f9 "longjmp", new_hash=new_hash@entry=2285809788, old_hash=old_hash@entry=0xffffffffe428, ref=0x40a468, result=result@entry=0xffffffffe438, scope=<optimized out>, i=0, version=version@entry=0xffffbe804148, flags=flags@entry=9, skip=<optimized out>, skip@entry=0x0, type_class=type_class@entry=4, undef_map=undef_map@entry=0xffffbe801280) at dl-lookup.c:430
#3  0x0000ffffbe7cb2b0 in _dl_lookup_symbol_x (undef_name=0x41a8f9 "longjmp", undef_map=undef_map@entry=0xffffbe801280, ref=0xffffffffe538, ref@entry=0xa, symbol_scope=symbol_scope@entry=0xffffbe801618, version=0xffffbe804148, type_class=4, flags=flags@entry=9, skip_map=skip_map@entry=0x0) at dl-lookup.c:855
#4  0x0000ffffbe7ccd40 in elf_machine_rela (skip_ifunc=<optimized out>, reloc_addr_arg=0x0, version=<optimized out>, sym=<optimized out>, reloc=0x420dd0, map=0xffffbe801280) at ../sysdeps/aarch64/dl-machine.h:259
#5  elf_dynamic_do_Rela (skip_ifunc=<optimized out>, lazy=0, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, map=0xffffbe801280) at do-rel.h:137
#6  _dl_relocate_object (scope=0xffffbe801618, reloc_mode=<optimized out>, consider_profiling=<optimized out>, consider_profiling@entry=0) at dl-reloc.c:278
#7  0x0000ffffbe7c5368 in dl_main (phdr=<optimized out>, phnum=<optimized out>, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2425
#8  0x0000ffffbe7d759c in _dl_sysdep_start (start_argptr=start_argptr@entry=0xffffffffee50, dl_main=dl_main@entry=0xffffbe7c3768 <dl_main>) at ../elf/dl-sysdep.c:253
#9  0x0000ffffbe7c2abc in _dl_start_final (arg=arg@entry=0xffffffffee50, info=info@entry=0xffffffffe9a0) at rtld.c:487
#10 0x0000ffffbe7c31a4 in _dl_start (arg=0xffffffffee50) at rtld.c:582
#11 0x0000ffffbe7c2430 in _start () from /lib/ld-linux-aarch64.so.1
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) list
59          b.ne    L(mutual_align)
60          /* NUL detection works on the principle that (X - 1) & (~X) & 0x80
61             (=> (X - 1) & ~(X | 0x7f)) is non-zero iff a byte is zero, and
62             can be done in parallel across the entire word.  */
63      L(loop_aligned):
64          ldr     data1, [src1], #8
65          ldr     data2, [src2], #8
66      L(start_realigned):
67          sub     tmp1, data1, zeroones
68          orr     tmp2, data1, #REP8_7f
(gdb)

Version-Release number of selected component (if applicable):
clang-13.0.1-1.module+el8.6.0+14118+d530a951.aarch64
llvm-13.0.1-1.module+el8.6.0+14118+d530a951.aarch64
glibc-2.28-189.el8.aarch64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
(In reply to Miloš Prchlík from comment #0)
> Description of problem:
>
> $ cat test_asan_lc.c
> // Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
> //
> // REQUIRES: clang
> // RUN: %clang -fsanitize=address %s -o %t -lc
> // RUN: %t
>
> #include <stdio.h>
> int main(int argc, char **argv)
> {
>     printf("Hello world!\n");
>     return 0;
> }

Where did you find this test case? It seems to be a binutils bug.
I am not sure how this is a binutils bug, but anyway...

I assume that this problem only happens when address sanitization is used, and only for AArch64, correct?

Is the seg-fault happening because [src1] is not aligned to an 8-byte boundary, or because it is an illegal address? (I am assuming the latter).

My best guess is that there is a bug in the address sanitization library code, possibly AArch64 specific, but without more details it is hard to say.
(In reply to Nick Clifton from comment #2)
> I am not sure how this is a binutils bug, but anyway...

Florian has just pointed out to me that this is PR 28348... Reassigning.
(In reply to Florian Weimer from comment #1)
> (In reply to Miloš Prchlík from comment #0)
> > Description of problem:
> >
> > $ cat test_asan_lc.c
> > // Test asan with lc https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876973
> > //
> > // REQUIRES: clang
> > // RUN: %clang -fsanitize=address %s -o %t -lc
> > // RUN: %t
> >
> > #include <stdio.h>
> > int main(int argc, char **argv)
> > {
> >     printf("Hello world!\n");
> >     return 0;
> > }
>
> Where did you find this test case? It seems to be a binutils bug.

It comes from the upstream LLVM integration test suite, https://github.com/opencollab/llvm-toolchain-integration-test-suite/blob/main/tests/test_asan_lc.c

Let me grab another aarch64 box, and get more details. It was fairly reproducible.
Fixed in binutils-2.30-114.el8
Bumping ITM by one week to gain more time for testing. I got distracted by the fallout of the recent PSI outage.
Verified with binutils-2.30-114.el8.

$ export LSAN_OPTIONS=verbosity=1:log_threads=1
$ ./test_asan_lc.c.tmp
==16987==AddressSanitizer: failed to intercept '__isoc99_printf'
==16987==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==16987==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==16987==AddressSanitizer: failed to intercept 'xdr_destroy'
==16987==AddressSanitizer: failed to intercept 'crypt'
==16987==AddressSanitizer: failed to intercept 'crypt_r'
==16987==AddressSanitizer: failed to intercept '__cxa_throw'
==16987==AddressSanitizer: failed to intercept '__cxa_rethrow_primary_exception'
==16987==AddressSanitizer: libc interceptors initialized
|| `[0x201000000000, 0xffffffffffff]` || HighMem    ||
|| `[0x041200000000, 0x200fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0411ffffffff]` || ShadowGap  ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow  ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem     ||
MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x009240000000 0x0411ffffffff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x1000000000
==16987==Installed the sigaction for signal 11
==16987==Installed the sigaction for signal 7
==16987==Installed the sigaction for signal 8
==16987==T0: stack [0xffffc5d70000,0xffffc6570000) size 0x800000; local=0xffffc65643e0
==16987==AddressSanitizer Init done
Hello world!
==16988==Processing thread 16987.
==16988==Stack at 0xffffc5d70000-0xffffc6570000 (SP = 0xffffc65640d0).
==16988==TLS at 0xffff84dc4bb0-0xffff84dc5a40.
$
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (binutils bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7693