Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-08-10 Thread Sven Eckelmann
On Monday, 24 July 2017 16:34:34 CEST Ben Hutchings wrote:
[...]
> > Downgrading the kernel from linux-image-4.11.0-2-amd64 (4.11.11-1+b1) to
> > linux-image-4.11.0-1-amd64 (4.11.6-1) fixed this.  I wonder if the stack
> > clash fix has broken ASan.
> 
> The address space change that went into 4.11.11-1 and might have
> triggered this is "binfmt_elf: use ELF_ET_DYN_BASE only for PIE"
> (CVE-2017-1000370, CVE-2017-1000371).  This moved PIEs to lower addresses on
> x86 (starting at 0x40 on i386 and 0x1 on amd64) while
> keeping the dynamic linker in the mmap area.

It seems like the behavior will be reverted [1] in the kernel and no change in 
GCC is necessary at the moment.

Kind regards,
Sven

[1] https://lkml.kernel.org/r/20170807201542.GA21271@beast





Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-24 Thread Ben Hutchings
On Sun, 23 Jul 2017 23:06:15 -0500 Jason Crain  wrote:
> On Thu, Jul 20, 2017 at 02:45:11PM +0200, Tim Ruehsen wrote:
> > ==13782==Shadow memory range interleaves with an existing memory mapping. 
> > ASan cannot proceed correctly. ABORTING.
> > ==13782==ASan shadow was supposed to be located in the 
> > [0x7fff7000-0x10007fff7fff] range.
> > ==13782==Process memory map follows:
> > 0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
> > 0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
> > ...
> > 0x7fff70943000-0x7fff70964000   [stack]
> > 0x7fff709a4000-0x7fff709a6000   [vvar]
> > 0x7fff709a6000-0x7fff709a8000   [vdso]
> > ==13782==End of process memory map.
> 
> I noticed these same error messages after rebooting today.  Not when
> building a package, but when testing other software, like this:
> 
> LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.3 /bin/ls
> 
> Downgrading the kernel from linux-image-4.11.0-2-amd64 (4.11.11-1+b1) to
> linux-image-4.11.0-1-amd64 (4.11.6-1) fixed this.  I wonder if the stack
> clash fix has broken ASan.

The address space change that went into 4.11.11-1 and might have
triggered this is "binfmt_elf: use ELF_ET_DYN_BASE only for PIE"
(CVE-2017-1000370, CVE-2017-1000371).  This moved PIEs to lower addresses on
x86 (starting at 0x40 on i386 and 0x1 on amd64) while
keeping the dynamic linker in the mmap area.

Ben.

-- 
Ben Hutchings
All extremists should be taken out and shot.
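
To make concrete why a PIE loaded near the bottom of the address space collides with libasan, here is an added example (not code from this thread, nor from GCC or libasan) that classifies process-map lines against the default x86_64 ASan shadow layout; the lowered ELF_ET_DYN_BASE value of 0x100000000 and the sample map lines are assumptions modelled on the dumps quoted above.

```python
"""Classify mappings against libasan's default x86_64 shadow layout.
Added example, not code from the bug thread; the constants are the standard
47-bit x86_64 layout (shadow offset 0x7fff8000) and the map lines are
constructed, modelled on the dumps quoted in the thread.
"""
import re

SHADOW_OFFSET = 0x7FFF8000  # MEM_TO_SHADOW(a) = (a >> 3) + SHADOW_OFFSET
LOW_MEM_END, LOW_SHADOW_END = 0x00007FFF7FFF, 0x00008FFF6FFF
SHADOW_GAP_END, HIGH_SHADOW_END = 0x02008FFF6FFF, 0x10007FFF7FFF
REGIONS = ((LOW_MEM_END, "LowMem"), (LOW_SHADOW_END, "LowShadow"),
           (SHADOW_GAP_END, "ShadowGap"), (HIGH_SHADOW_END, "HighShadow"))
# ASan needs this whole range unmapped at startup: LowShadow start minus one
# 4 KiB granule up to HighShadow end, i.e. "[0x00007fff7000-0x10007fff7fff]".
RESERVED = (LOW_MEM_END + 1 - 0x1000, HIGH_SHADOW_END)
MAP_LINE = re.compile(r"^\s*0x([0-9a-f]+)-0x([0-9a-f]+)\s*(.*?)\s*$", re.I)

def mem_to_shadow(addr):
    """Shadow byte address ASan would use for an application address."""
    return (addr >> 3) + SHADOW_OFFSET

def region(addr):
    """Name of the ASan layout region an address falls in."""
    return next((name for end, name in REGIONS if addr <= end), "HighMem")

def parse_map(text):
    """Parse 'start-end name' lines as printed by ASan's process map dump."""
    hits = [MAP_LINE.match(line) for line in text.splitlines()]
    return [(int(m[1], 16), int(m[2], 16), m[3]) for m in hits if m]

def conflicts(text):
    """Mappings overlapping the reserved range (what the ABORTING message reports)."""
    lo, hi = RESERVED
    return [(s, e, n) for s, e, n in parse_map(text) if s <= hi and e > lo]

# Before 4.11.11-1: the PIE sits at about 2/3 of the address space, in HighMem.
OLD_LAYOUT = """\
0x55d0c3c00000-0x55d0c3c01000   /usr/oms/src/libpsl/conftest
0x7fff70943000-0x7fff70964000   [stack]
"""
# With 4.11.11-1: PIE base is the lowered ELF_ET_DYN_BASE (assumed 0x100000000)
# plus the ASLR offset, which lands inside ShadowGap, as in the thread's dump.
NEW_LAYOUT = """\
0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
0x7fff70943000-0x7fff70964000   [stack]
"""

if __name__ == "__main__":
    for s, e, n in conflicts(NEW_LAYOUT):
        print(f"0x{s:012x}-0x{e:012x} {n} lies in ASan {region(s)}")
```

The stack, vdso and the old PIE base all classify as HighMem and never conflict; only the lowered PIE base falls in the ShadowGap, which is exactly the range libasan must reserve before it can run.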




Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-23 Thread Jason Crain
On Thu, Jul 20, 2017 at 02:45:11PM +0200, Tim Ruehsen wrote:
> ==13782==Shadow memory range interleaves with an existing memory mapping. 
> ASan cannot proceed correctly. ABORTING.
> ==13782==ASan shadow was supposed to be located in the 
> [0x7fff7000-0x10007fff7fff] range.
> ==13782==Process memory map follows:
> 0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
> 0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
> ...
> 0x7fff70943000-0x7fff70964000   [stack]
> 0x7fff709a4000-0x7fff709a6000   [vvar]
> 0x7fff709a6000-0x7fff709a8000   [vdso]
> ==13782==End of process memory map.

I noticed these same error messages after rebooting today.  Not when
building a package, but when testing other software, like this:

LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.3 /bin/ls

Downgrading the kernel from linux-image-4.11.0-2-amd64 (4.11.11-1+b1) to
linux-image-4.11.0-1-amd64 (4.11.6-1) fixed this.  I wonder if the stack
clash fix has broken ASan.



Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-20 Thread Tim Rühsen
On 07/20/2017 05:09 PM, Matthias Klose wrote:
> On 20.07.2017 14:45, Tim Ruehsen wrote:
>> Package: gcc-6
>> Version: 6.4.0-1
>> Severity: important
>>
>> Dear Maintainer,
>>
>> building autotools packages with address sanitizer currently breaks with
>> gcc-6 and gcc-7.
>> gcc-5 is not affected.
>>
>> This breaks quality checking and fuzzing with ASAN enabled.
>> Using LD_PRELOAD to load libasan first doesn't change anything.
>>
>> This doesn't help either (in case this is an ASLR problem with the kernel):
>> echo 0 >/proc/sys/kernel/randomize_va_space
>>
>>
>> $ CC=gcc-6 CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking whether build environment is sane... yes
>> checking for a thread-safe mkdir -p... /bin/mkdir -p
>> checking for gawk... gawk
>> checking whether make sets $(MAKE)... yes
>> checking whether make supports nested variables... yes
>> checking for gcc... gcc-6
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables... 
>> checking whether we are cross compiling... configure: error: in 
>> `/usr/oms/src/libpsl':
>> configure: error: cannot run C compiled programs.
>> If you meant to cross compile, use `--host'.
>> See `config.log' for more details
>>
>>
>> From config.log:
>> configure:3459: gcc-6 -o conftest -g -fsanitize=address 
>> -fno-omit-frame-pointer   conftest.c  >&5
>> configure:3463: $? = 0
>> configure:3470: ./conftest
>> ==13782==Shadow memory range interleaves with an existing memory mapping. 
>> ASan cannot proceed correctly. ABORTING.
>> ==13782==ASan shadow was supposed to be located in the 
>> [0x7fff7000-0x10007fff7fff] range.
>> ==13782==Process memory map follows:
>> 0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
>> 0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
>> ...
>> 0x7fff70943000-0x7fff70964000   [stack]
>> 0x7fff709a4000-0x7fff709a6000   [vvar]
>> 0x7fff709a6000-0x7fff709a8000   [vdso]
>> ==13782==End of process memory map.
>> configure:3474: $? = 1
>> configure:3481: error: in `/usr/oms/src/libpsl':
>> configure:3483: error: cannot run C compiled programs.
>> If you meant to cross compile, use `--host'.
>> See `config.log' for more details
> 
> please could you attach the failing conftest?

config.log doesn't even say.
It continues with

==28018==End of process memory map.
configure:3474: $? = 1
configure:3481: error: in `/usr/oms/src/libpsl':
configure:3483: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details

## ---------------- ##
## Cache variables. ##
## ---------------- ##

...

and exit.


Regards, Tim





Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-20 Thread Tim Rühsen
Any program:

#include <stdio.h>

int main(void)
{
    printf("Hello\n");
    return 0;
}

$ gcc-6 -g -fsanitize=address -fno-omit-frame-pointer x.c -o x

$ ./x

==29033==Shadow memory range interleaves with an existing memory
mapping. ASan cannot proceed correctly. ABORTING.
==29033==ASan shadow was supposed to be located in the
[0x7fff7000-0x10007fff7fff] range.
==29033==Process memory map follows:
0x0001-0x00011000   /usr/oms/src/libpsl/x
0x00010020-0x000100201000   /usr/oms/src/libpsl/x
0x000100201000-0x000100202000   /usr/oms/src/libpsl/x
0x75889000-0x75bdb000
0x75bdb000-0x75bf1000   /lib/x86_64-linux-gnu/libgcc_s.so.1
0x75bf1000-0x75df   /lib/x86_64-linux-gnu/libgcc_s.so.1

...


With Best Regards, Tim



On 07/20/2017 05:09 PM, Matthias Klose wrote:
> On 20.07.2017 14:45, Tim Ruehsen wrote:
>> Package: gcc-6
>> Version: 6.4.0-1
>> Severity: important
>>
>> Dear Maintainer,
>>
>> building autotools packages with address sanitizer currently breaks with
>> gcc-6 and gcc-7.
>> gcc-5 is not affected.
>>
>> This breaks quality checking and fuzzing with ASAN enabled.
>> Using LD_PRELOAD to load libasan first doesn't change anything.
>>
>> This doesn't help either (in case this is an ASLR problem with the kernel):
>> echo 0 >/proc/sys/kernel/randomize_va_space
>>
>>
>> $ CC=gcc-6 CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
>> checking for a BSD-compatible install... /usr/bin/install -c
>> checking whether build environment is sane... yes
>> checking for a thread-safe mkdir -p... /bin/mkdir -p
>> checking for gawk... gawk
>> checking whether make sets $(MAKE)... yes
>> checking whether make supports nested variables... yes
>> checking for gcc... gcc-6
>> checking whether the C compiler works... yes
>> checking for C compiler default output file name... a.out
>> checking for suffix of executables... 
>> checking whether we are cross compiling... configure: error: in 
>> `/usr/oms/src/libpsl':
>> configure: error: cannot run C compiled programs.
>> If you meant to cross compile, use `--host'.
>> See `config.log' for more details
>>
>>
>> From config.log:
>> configure:3459: gcc-6 -o conftest -g -fsanitize=address 
>> -fno-omit-frame-pointer   conftest.c  >&5
>> configure:3463: $? = 0
>> configure:3470: ./conftest
>> ==13782==Shadow memory range interleaves with an existing memory mapping. 
>> ASan cannot proceed correctly. ABORTING.
>> ==13782==ASan shadow was supposed to be located in the 
>> [0x7fff7000-0x10007fff7fff] range.
>> ==13782==Process memory map follows:
>> 0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
>> 0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
>> ...
>> 0x7fff70943000-0x7fff70964000   [stack]
>> 0x7fff709a4000-0x7fff709a6000   [vvar]
>> 0x7fff709a6000-0x7fff709a8000   [vdso]
>> ==13782==End of process memory map.
>> configure:3474: $? = 1
>> configure:3481: error: in `/usr/oms/src/libpsl':
>> configure:3483: error: cannot run C compiled programs.
>> If you meant to cross compile, use `--host'.
>> See `config.log' for more details
> 
> please could you attach the failing conftest?





Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-20 Thread Matthias Klose
On 20.07.2017 14:45, Tim Ruehsen wrote:
> Package: gcc-6
> Version: 6.4.0-1
> Severity: important
> 
> Dear Maintainer,
> 
> building autotools packages with address sanitizer currently breaks with
> gcc-6 and gcc-7.
> gcc-5 is not affected.
> 
> This breaks quality checking and fuzzing with ASAN enabled.
> Using LD_PRELOAD to load libasan first doesn't change anything.
> 
> This doesn't help either (in case this is an ASLR problem with the kernel):
> echo 0 >/proc/sys/kernel/randomize_va_space
> 
> 
> $ CC=gcc-6 CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... gawk
> checking whether make sets $(MAKE)... yes
> checking whether make supports nested variables... yes
> checking for gcc... gcc-6
> checking whether the C compiler works... yes
> checking for C compiler default output file name... a.out
> checking for suffix of executables... 
> checking whether we are cross compiling... configure: error: in 
> `/usr/oms/src/libpsl':
> configure: error: cannot run C compiled programs.
> If you meant to cross compile, use `--host'.
> See `config.log' for more details
> 
> 
> From config.log:
> configure:3459: gcc-6 -o conftest -g -fsanitize=address 
> -fno-omit-frame-pointer   conftest.c  >&5
> configure:3463: $? = 0
> configure:3470: ./conftest
> ==13782==Shadow memory range interleaves with an existing memory mapping. 
> ASan cannot proceed correctly. ABORTING.
> ==13782==ASan shadow was supposed to be located in the 
> [0x7fff7000-0x10007fff7fff] range.
> ==13782==Process memory map follows:
> 0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
> 0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
> ...
> 0x7fff70943000-0x7fff70964000   [stack]
> 0x7fff709a4000-0x7fff709a6000   [vvar]
> 0x7fff709a6000-0x7fff709a8000   [vdso]
> ==13782==End of process memory map.
> configure:3474: $? = 1
> configure:3481: error: in `/usr/oms/src/libpsl':
> configure:3483: error: cannot run C compiled programs.
> If you meant to cross compile, use `--host'.
> See `config.log' for more details

please could you attach the failing conftest?



Bug#869090: gcc-6: Address sanitizer: Shadow memory range interleaves

2017-07-20 Thread Tim Ruehsen
Package: gcc-6
Version: 6.4.0-1
Severity: important

Dear Maintainer,

building autotools packages with address sanitizer currently breaks with gcc-6
and gcc-7.
gcc-5 is not affected.

This breaks quality checking and fuzzing with ASAN enabled.
Using LD_PRELOAD to load libasan first doesn't change anything.

This doesn't help either (in case this is an ASLR problem with the kernel):
echo 0 >/proc/sys/kernel/randomize_va_space


$ CC=gcc-6 CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc-6
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... configure: error: in 
`/usr/oms/src/libpsl':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details


From config.log:
configure:3459: gcc-6 -o conftest -g -fsanitize=address -fno-omit-frame-pointer 
  conftest.c  >&5
configure:3463: $? = 0
configure:3470: ./conftest
==13782==Shadow memory range interleaves with an existing memory mapping. ASan 
cannot proceed correctly. ABORTING.
==13782==ASan shadow was supposed to be located in the 
[0x7fff7000-0x10007fff7fff] range.
==13782==Process memory map follows:
0x005450338000-0x005450339000   /usr/oms/src/libpsl/conftest
0x005450539000-0x00545053a000   /usr/oms/src/libpsl/conftest
...
0x7fff70943000-0x7fff70964000   [stack]
0x7fff709a4000-0x7fff709a6000   [vvar]
0x7fff709a6000-0x7fff709a8000   [vdso]
==13782==End of process memory map.
configure:3474: $? = 1
configure:3481: error: in `/usr/oms/src/libpsl':
configure:3483: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details


Regards, Tim


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set 
to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gcc-6 depends on:
ii  binutils  2.28-6
ii  cpp-6 6.4.0-1
ii  gcc-6-base6.4.0-1
ii  libc6 2.24-12
ii  libcc1-0  7.1.0-9
ii  libgcc-6-dev  6.4.0-1
ii  libgcc1   1:7.1.0-9
ii  libgmp10  2:6.1.2+dfsg-1
ii  libisl15  0.18-1
ii  libmpc3   1.0.3-1+b2
ii  libmpfr4  3.1.5-1
ii  libstdc++67.1.0-9
ii  zlib1g1:1.2.8.dfsg-5

Versions of packages gcc-6 recommends:
ii  libc6-dev  2.24-12

Versions of packages gcc-6 suggests:
ii  gcc-6-doc 6.3.0-1
pn  gcc-6-locales 
pn  gcc-6-multilib
pn  libasan3-dbg  
pn  libatomic1-dbg
pn  libcilkrts5-dbg   
pn  libgcc1-dbg   
pn  libgomp1-dbg  
pn  libitm1-dbg   
pn  liblsan0-dbg  
pn  libmpx2-dbg   
pn  libquadmath0-dbg  
pn  libtsan0-dbg  
pn  libubsan0-dbg 

-- no debconf information