Hi, yesterday I hit the following problem when running an ARM Linux executable on qemu-2.10 (qemu-arm-static through binfmt_misc):
1879 mmap2(NULL,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|0x20000,-1,0) = 0x00000000 1879 write(2,0xf6fd39d0,79) stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed.

The issue comes up when the executable creates and joins lots of threads in a loop (it's a unit test). Eventually, glibc's allocate_stack (allocatestack.c) hits mmap(NULL, ...) == NULL. Judging from the POSIX and Linux manuals, mmap(NULL, ...) never returns NULL: either it fails with MAP_FAILED, or it succeeds and returns a non-NULL address. AFAIK target_mmap() and mmap_find_vma() don't check the start address after h2g(). In the host strace below, the last 8 MiB mapping before the assertion lands at 0x7f524d47a000, which appears to be the base of the large PROT_NONE reservation made earlier, i.e. presumably guest address 0 after h2g(). More detailed straces below.

Cheers
Max

Guest strace: qemu-arm-static --strace [truncated and filtered]: ... 1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x00ffef88,parent_tidptr=0x00fff4b8,tls=0x00fff910,child_tidptr=0x00fff4b8) = 2483 1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x00ffef88,parent_tidptr=0x00fff4b8,tls=0x00fff910,child_tidptr=0x00fff4b8) = 2484 1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x017fef88,parent_tidptr=0x017ff4b8,tls=0x017ff910,child_tidptr=0x017ff4b8) = 2485 1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x01ffef88,parent_tidptr=0x01fff4b8,tls=0x01fff910,child_tidptr=0x01fff4b8) = 2486 1879 
clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x027fef88,parent_tidptr=0x027ff4b8,tls=0x027ff910,child_tidptr=0x027ff4b8)1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136) = 2487 1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x02ffef88,parent_tidptr=0x02fff4b8,tls=0x02fff910,child_tidptr=0x02fff4b8) = 2488 1879 mmap2(NULL,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)|MAP_ANONYMOUS|0x20000,-1,0) = 0x00000000 1879 write(2,0xf6fd39d0,79)stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed. 1879 mmap2(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0xf61ca000 Host strace: strace -f qemu-arm-static [truncated and filtered, different run than above]: mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5344532000 clone(child_stack=0x7f5344d31db0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f5344d329d0, tls=0x7f5344d32700, child_tidptr=0x7f5344d329d0) = 2492 [pid 2491] mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f53444b1000 [pid 2491] mmap(NULL, 225280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f534447a000 [pid 2491] mmap(NULL, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f524d47a000 [pid 2491] mmap(0x7f534d46a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f534d46a000 [pid 2491] openat(AT_FDCWD, "/proc/sys/vm/mmap_min_addr", O_RDONLY) = 3 ... 
[pid 2491] clone(child_stack=0x7f524cd1bdb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f524cd1c9d0, tls=0x7f524cd1c700, child_tidptr=0x7f524cd1c9d0) = 3092 [pid 2491] mmap(0x7f524e47a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...> [pid 2491] <... mmap resumed> ) = 0x7f524e47a000 [pid 2491] clone(child_stack=0x7f524cd9ddb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f524cd9e9d0, tls=0x7f524cd9e700, child_tidptr=0x7f524cd9e9d0) = 3093 [pid 2491] mmap(0x7f524dc7a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...> [pid 2491] <... mmap resumed> ) = 0x7f524dc7a000 [pid 2491] clone(strace: Process 3094 attached [pid 2491] mmap(0x7f525b47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0 <unfinished ...> [pid 2491] <... mmap resumed> ) = 0x7f525b47a000 [pid 2491] mmap(0x7f525bc7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0 <unfinished ...> [pid 2491] <... 
mmap resumed> ) = 0x7f525bc7a000 [pid 2491] mmap(0x7f525c47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525c47a000 [pid 2491] mmap(0x7f525cc7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525cc7a000 [pid 2491] mmap(0x7f525d47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525d47a000 [pid 2491] mmap(0x7f525ac7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525ac7a000 [pid 2491] mmap(0x7f525a47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525a47a000 [pid 2491] mmap(0x7f5259c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5259c7a000 [pid 2491] mmap(0x7f525947a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525947a000 [pid 2491] mmap(0x7f5258c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5258c7a000 [pid 2491] mmap(0x7f525847a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525847a000 [pid 2491] mmap(0x7f5257c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5257c7a000 [pid 2491] mmap(0x7f525747a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525747a000 [pid 2491] mmap(0x7f5256c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5256c7a000 [pid 2491] mmap(0x7f525647a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525647a000 [pid 2491] mmap(0x7f5255c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5255c7a000 [pid 2491] mmap(0x7f525547a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525547a000 [pid 2491] mmap(0x7f5254c7a000, 8388608, PROT_NONE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5254c7a000 [pid 2491] mmap(0x7f525447a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525447a000 [pid 2491] mmap(0x7f5253c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5253c7a000 [pid 2491] mmap(0x7f525347a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525347a000 [pid 2491] mmap(0x7f5252c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5252c7a000 [pid 2491] mmap(0x7f525247a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525247a000 [pid 2491] mmap(0x7f5251c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5251c7a000 [pid 2491] mmap(0x7f525147a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525147a000 [pid 2491] mmap(0x7f5250c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5250c7a000 [pid 2491] mmap(0x7f525047a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525047a000 [pid 2491] clone(strace: Process 3095 attached [pid 2491] clone(strace: Process 3096 attached [pid 2491] clone(strace: Process 3097 attached [pid 2491] clone(strace: Process 3098 attached [pid 2491] clone(strace: Process 3099 attached [pid 2491] clone(strace: Process 3100 attached [pid 2491] mmap(0x7f524d47a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...> [pid 2491] <... mmap resumed> ) = 0x7f524d47a000 [pid 2491] write(2, "stx_test: allocatestack.c:514: a"..., 79stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed. 
-- ---------------------------------------------------------------------- Cadami UG (haftungsbeschränkt) Waagstraße 10, 85386 Eching (near Munich), Germany Office: c/o Wayra, Kaufingerstraße 15, 80331 Munich, Germany Contact: +49-176-63360306, riemensber...@cadami.net, www.cadami.net Geschäftsführer: Andreas Dotzler, Michael Heindlmaier, Thomas Kühn, Maximilian Riemensberger Sitz der Gesellschaft: Eching, HRB 219979 Amtsgericht München USt-IdNr.: DE301293803 ----------------------------------------------------------------------