https://bugs.kde.org/show_bug.cgi?id=399087

            Bug ID: 399087
           Summary: memcheck escape from user code into memcheck itself
                    via computed goto
           Product: valgrind
           Version: 3.13.0
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: memcheck
          Assignee: jsew...@acm.org
          Reporter: jrei...@bitwagon.com
  Target Milestone: ---

SUMMARY
On armv7hl (32-bit ARM) memcheck did not notice that "add r15, r6, r10"
is a computed goto: r15 is the pc, and writing to the pc causes a jump.  The
result was memcheck began to emulate itself, leading to bizarre results.

STEPS TO REPRODUCE
1. valgrind --smc-check=all ./foo
2. valgrind --trace-flags=10000001 --trace-notbelow=108 ./foo

OBSERVED RESULT
==== SB 107 (evchecks 18103) [tid 1] 0x21ec8 UNKNOWN_FUNCTION
UNKNOWN_OBJECT+0x0
==== SB 108 (evchecks 18104) [tid 1] 0x21f0c UNKNOWN_FUNCTION
UNKNOWN_OBJECT+0x0
==== SB 109 (evchecks 18105) [tid 1] 0x4811f74 UNKNOWN_FUNCTION
UNKNOWN_OBJECT+0x0

Notice the address jump from 0x21f0c, which is in the program being analyzed,
to 0x4811f74, which is in memcheck-arm-linux.

EXPECTED RESULT
"add r15, r6, r10" is recognized as a computed goto.  Emulated control should
remain inside the user program, or else be diagnosed as a "wild jump" error.

ADDITIONAL INFORMATION
The program is a programmer-built version of /bin/date which then was
compressed by upx.  The program is self contained (uses no shared libraries;
the static library uClibc.a was used) and the upx-compressed version also is
self-contained.  It executes correctly (produces the current date on stdout)
when run by the shell.  Under memcheck, all the executed instructions (so far)
are static and unmodified.  The computed jump is the transfer to
dynamically-written instructions.  The --smc-check=all should have caught it.
Even without --smc-check=all, memcheck should defend against user code jumping
into memcheck.

The error occurs quite soon, in block 108.

The upx-compressed output (75KB) and console transcripts will be attached if
the bugreporting system allows.
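The check the report asks for, as an added example that is not part of the bug report and not Valgrind's own code: a minimal decoder for the A32 data-processing encoding space (field layout from the ARM Architecture Reference Manual) that flags any instruction whose destination register is r15, since a translator has to treat such an instruction as a computed branch and end the block there. The word 0xE086F00A is "add r15, r6, r10" assembled by hand; the other sample words are constructed for the example and labelled in the comments.

```python
# Added example (not from the bug report or from Valgrind's sources):
# decode A32 data-processing instructions and flag those that write pc (r15).
# A binary translator that misses such a write keeps translating straight
# through the branch, which is how guest control flow can fall into the tool.

# Mnemonics for the 4-bit data-processing opcode field (bits 24..21).
DP_OPCODES = {
    0x0: "and", 0x1: "eor", 0x2: "sub", 0x3: "rsb",
    0x4: "add", 0x5: "adc", 0x6: "sbc", 0x7: "rsc",
    0x8: "tst", 0x9: "teq", 0xA: "cmp", 0xB: "cmn",
    0xC: "orr", 0xD: "mov", 0xE: "bic", 0xF: "mvn",
}
PC = 15


def bits(word, hi, lo):
    """Extract bits hi..lo (inclusive) of a 32-bit instruction word."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)


def classify(word):
    """Return (mnemonic, rd, writes_pc) for a data-processing instruction,
    or None when the word is not in the data-processing encoding space."""
    if bits(word, 31, 28) == 0xF:          # unconditional space (PLD, BLX imm, ...)
        return None
    if bits(word, 27, 26) != 0b00:         # loads/stores, branches, coprocessor
        return None
    i_bit = bits(word, 25, 25)
    opcode = bits(word, 24, 21)
    s_bit = bits(word, 20, 20)
    # I=0 with bit7=bit4=1 is the multiply / extra load-store space, not ALU.
    if i_bit == 0 and bits(word, 7, 7) == 1 and bits(word, 4, 4) == 1:
        return None
    # Opcodes 10xx without S are "miscellaneous" (BX, MSR, MRS, CLZ, BKPT, ...);
    # BX is a branch too, but it is encoded and handled separately.
    if (opcode >> 2) == 0b10 and s_bit == 0:
        return None
    rd = bits(word, 15, 12)
    # Compare/test opcodes (tst/teq/cmp/cmn) discard the result: rd is not written.
    writes_rd = (opcode >> 2) != 0b10
    return DP_OPCODES[opcode], rd, writes_rd and rd == PC


def pc_writers(words):
    """Indices of words that are computed branches via a write to pc."""
    hits = []
    for i, w in enumerate(words):
        c = classify(w)
        if c is not None and c[2]:
            hits.append(i)
    return hits


# Constructed sample stream: the report's instruction plus hand-assembled words.
SAMPLE = [
    0xE086F00A,  # add r15, r6, r10   (the instruction from the report)
    0xE086000A,  # add r0, r6, r10    (same ALU op, harmless destination)
    0xE1A0F00E,  # mov pc, lr         (classic return idiom, also a pc write)
    0xE12FFF1E,  # bx lr              (miscellaneous space, not ALU)
    0xEA000000,  # b .+8              (branch space, not ALU)
]

if __name__ == "__main__":
    for i, w in enumerate(SAMPLE):
        print(f"{i}: {w:08x} -> {classify(w)}")
    print("computed branches via pc write at:", pc_writers(SAMPLE))
```

Running the block lists each sample word with its decode and reports indices 0 and 2 as pc writes; a translator should end the superblock at either, or raise the "wild jump" diagnosis the report expects, instead of continuing to translate the following bytes.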
