Re: Crash in application's startup code around Asan red zone

[Jeffrey Walton]

Thanks Evgeniy,

Before I run under GDB, I perform:

    set env LD_PRELOAD /usr/lib/x86_64-linux-gnu/libasan.so.5

> What's the backtrace of the crash? 

Here is the backtrace:

(gdb) r
...
Program received signal SIGSEGV, Segmentation fault.
0x000055555578cb83 in internal_malloc (n=n@entry=0x20, file=file@entry=0x0, 
    line=line@entry=0x0, flags=<optimized out>) at malloc.c:820
820    malloc.c: No such file or directory.
(gdb) bt full
#0  0x000055555578cb83 in internal_malloc (n=n@entry=0x20, 
    file=file@entry=0x0, line=line@entry=0x0, flags=<optimized out>)
    at malloc.c:820
        p = <optimized out>
        nunits = <optimized out>
        m = <optimized out>
        z = <optimized out>
        nbytes = <optimized out>
        mg = <optimized out>
#1  0x000055555578e5fe in internal_calloc (flags=0x0, line=0x0, file=0x0, 
    s=0x20, n=0x1) at malloc.c:1322
        total = 0x20
        result = <optimized out>
        total = <optimized out>
        result = <optimized out>
#2  calloc (n=n@entry=0x1, s=s@entry=0x20) at malloc.c:1472
No locals.
#3  0x00007ffff7439c05 in _dlerror_run (
    operate=operate@entry=0x7ffff7439490 <dlsym_doit>, 
    args=args@entry=0x7fffffffdef0) at dlerror.c:148
        result = <optimized out>
#4  0x00007ffff7439525 in __dlsym (handle=<optimized out>, 
    name=0x7ffff76f28c7 "mmap") at dlsym.c:70
--Type <RET> for more, q to quit, c to continue without paging--
        args = {handle = 0xffffffffffffffff, name = 0x7ffff76f28c7 "mmap", 
          who = 0x7ffff76d2c19, sym = 0x0}
        result = <optimized out>
#5  0x00007ffff76d2c19 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#6  0x00007ffff768db28 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#7  0x00007ffff76b1887 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#8  0x00007ffff7fe0ce6 in _dl_init (main_map=0x7ffff7ffe190, argc=0x1, 
    argv=0x7fffffffe028, env=0x7fffffffe038) at dl-init.c:104
        addrs = <optimized out>
        cnt = <optimized out>
        preinit_array = <optimized out>
        preinit_array_size = <optimized out>
        i = <optimized out>
#9  0x00007ffff7fd013a in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
        audit_list = 0x0
        _dl_rtld_libname2 = {name = 0x0, next = 0x0, dont_free = 0x0}
        library_path = 0x0
        version_info = 0x0
        load_time = 0xbb757
        _dl_rtld_libname = { ... }

> Perhaps ASan did not initialize in time? Try a breakpoint on __asan_init. 
 It looks like __asan_init is being called:

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
...
Breakpoint 2, 0x00007ffff76b1a60 in __asan_init ()
   from /usr/lib/x86_64-linux-gnu/libasan.so.5
(gdb) n
Single stepping until exit from function __asan_init,
which has no line number information.
0x00007ffff76b1730 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
(gdb) n
Cannot find bounds of current function
(gdb) n
Cannot find bounds of current function
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x000055555578cb83 in internal_malloc (n=n@entry=0x20, file=file@entry=0x0, 
    line=line@entry=0x0, flags=<optimized out>) at malloc.c:820
820    in malloc.c

I can't find malloc.c in the Bash sources. Cf., 
https://git.savannah.gnu.org/cgit/bash.git/tree/. I don't know where it is 
coming from.

Jeff

On Friday, January 15, 2021 at 2:57:53 PM UTC-5 Evgeniy Stepanov wrote:

> 0x7fff8000(0xffffffffbc0) looks fine - it's a shadow address for ~near top 
> of the main thread stack. Perhaps ASan did not initialize in time? What's 
> the backtrace of the crash? Try a breakpoint on __asan_init. Try running 
> with ASAN_OPTIONS=verbosity=2,debug=1, it should print the memory layout.
>
>
> On Fri, Jan 15, 2021 at 11:48 AM Jeffrey Walton <nolo...@gmail.com> wrote:
>
>> Hi Everyone,
>>
>> I'm testing an Asan instrumented build of Bash. Bash and all dependencies 
>> have been instrumented. I'm working on Ubuntu 20.04 x86_64 fully patched. 
>> It has gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0.
>>
>> All of the executables and shared objects were built with  
>> CFLAGS/CXXFLAGS of -fsanitize=address and -fno-omit-frame-pointer. LDFLAGS 
>> includes -fno-lto. (I tried both with and without LTO).
>>
>> Bash is crashing in startup code. It looks like Asan is trying to setup a 
>> red zone:
>>
>>    shr    $0x3,%r15
>>    ===> movl   $0xf1f1f1f1,0x7fff8000(%r15)
>>         movl   $0xf3f3f304,0x7fff8004(%r15)
>>
>> r15 is 0xffffffffbc0. The effective address of 0x7fff8000(0xffffffffbc0) 
>> does seem to be a bit sideways.
>>
>> Does anyone know where to go from here?
>>
>> -----
>>
>> (gdb) r
>> ...
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x000055555578cb83 in internal_malloc (n=n@entry=0x20, 
>> file=file@entry=0x0, 
>>     line=line@entry=0x0, flags=<optimized out>) at malloc.c:820
>> 820    in malloc.c
>> (gdb) disass
>> Dump of assembler code for function internal_malloc:
>>    0x000055555578cb20 <+0>:    push   %rbp
>>    0x000055555578cb21 <+1>:    mov    %rsp,%rbp
>>    0x000055555578cb24 <+4>:    push   %r15
>>    0x000055555578cb26 <+6>:    lea    -0x90(%rbp),%rcx
>>    0x000055555578cb2d <+13>:    push   %r14
>>    0x000055555578cb2f <+15>:    mov    %rsi,%r14
>>    0x000055555578cb32 <+18>:    push   %r13
>>    0x000055555578cb34 <+20>:    mov    %rdi,%r13
>>    0x000055555578cb37 <+23>:    push   %r12
>>    0x000055555578cb39 <+25>:    push   %rbx
>>    0x000055555578cb3a <+26>:    sub    $0xa8,%rsp
>>    0x000055555578cb41 <+33>:    mov    0x6d2e8(%rip),%rax        # 
>> 0x5555557f9e30
>>    0x000055555578cb48 <+40>:    mov    %edx,-0xa0(%rbp)
>>    0x000055555578cb4e <+46>:    mov    (%rax),%edx
>>    0x000055555578cb50 <+48>:    mov    %rcx,-0x98(%rbp)
>>    0x000055555578cb57 <+55>:    test   %edx,%edx
>>    0x000055555578cb59 <+57>:    jne    0x55555578d7cf 
>> <internal_malloc+3247>
>>    0x000055555578cb5f <+63>:    lea    0x4856a(%rip),%rax        # 
>> 0x5555557d50d0
>>    0x000055555578cb66 <+70>:    mov    %rax,0x8(%rcx)
>>    0x000055555578cb6a <+74>:    lea    -0x51(%rip),%rax        # 
>> 0x55555578cb20 --Type <RET> for more, q to quit, c to continue without 
>> paging--
>> <internal_malloc>
>>    0x000055555578cb71 <+81>:    movq   $0x41b58ab3,(%rcx)
>>    0x000055555578cb78 <+88>:    mov    %rax,0x10(%rcx)
>>    0x000055555578cb7c <+92>:    mov    %rcx,%r15
>>    0x000055555578cb7f <+95>:    shr    $0x3,%r15
>> => 0x000055555578cb83 <+99>:    movl   $0xf1f1f1f1,0x7fff8000(%r15)
>>    0x000055555578cb8e <+110>:    movl   $0xf3f3f304,0x7fff8004(%r15)
>>    0x000055555578cb99 <+121>:    mov    0xc6261(%rip),%ebx        # 
>> 0x555555852e00 <pagesz>
>>    0x000055555578cb9f <+127>:    lea    0x60(%rcx),%r8
>>    0x000055555578cba3 <+131>:    mov    %fs:0x28,%rax
>>    0x000055555578cbac <+140>:    mov    %rax,-0x38(%rbp)
>>    0x000055555578cbb0 <+144>:    xor    %eax,%eax
>>    0x000055555578cbb2 <+146>:    test   %ebx,%ebx
>>    0x000055555578cbb4 <+148>:    je     0x55555578d3c0 
>> <internal_malloc+2208>
>>    0x000055555578cbba <+154>:    lea    0x23(%r13),%rsi
>>    0x000055555578cbbe <+158>:    sar    %ebx
>>    0x000055555578cbc0 <+160>:    and    $0xfffffffffffffff0,%rsi
>>    0x000055555578cbc4 <+164>:    movslq %ebx,%rbx
>>    0x000055555578cbc7 <+167>:    cmp    %rbx,%rsi
>>    0x000055555578cbca <+170>:    jg     0x55555578d100 
>> <internal_malloc+1504>
>>    0x000055555578cbd0 <+176>:    mov    $0x10,%eax
>>    0x000055555578cbd5 <+181>:    mov    $0x1,%ebx
>>    ...
>>
>> (gdb) info registers
>> rax            0x55555578cb20      0x55555578cb20
>> rbx            0x0                 0x0
>> rcx            0x7fffffffde00      0x7fffffffde00
>> rdx            0x0                 0x0
>> rsi            0x0                 0x0
>> rdi            0x20                0x20
>> rbp            0x7fffffffde90      0x7fffffffde90
>> rsp            0x7fffffffddc0      0x7fffffffddc0
>> r8             0x0                 0x0
>> r9             0x1                 0x1
>> r10            0x7ffff7438b0f      0x7ffff7438b0f
>> r11            0x55555578e5e0      0x55555578e5e0
>> r12            0x20                0x20
>> r13            0x20                0x20
>> r14            0x0                 0x0
>> r15            0xffffffffbc0       0xffffffffbc0
>> rip            0x55555578cb83      0x55555578cb83 <internal_malloc+99>
>> eflags         0x10206             [ PF IF RF ]
>> cs             0x33                0x33
>> ss             0x2b                0x2b
>> ds             0x0                 0x0
>> es             0x0                 0x0
>> fs             0x0                 0x0
>>
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "address-sanitizer" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to address-saniti...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/address-sanitizer/0752f970-ec19-4aab-8ca1-c4c6b3c1e1a2n%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/address-sanitizer/0752f970-ec19-4aab-8ca1-c4c6b3c1e1a2n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"address-sanitizer" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to address-sanitizer+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/address-sanitizer/774185d0-920a-4a24-8b94-9cb88d4d3206n%40googlegroups.com.