https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87875

            Bug ID: 87875
           Summary: Address sanitizer doesn't work with nested functions
                    with enabled stack-use-after-return check
           Product: gcc
           Version: 8.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: belous.vs at yandex dot ru
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 44953
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=44953&action=edit
sources

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.2.0-9'
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr
--with-gcc-major-version-only --program-suffix=-8
--program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 8.2.0 (Debian 8.2.0-9)

Commands:
cc -o libxxx.so lib.c -Wall -Wextra -Werror -fsanitize=address -ggdb3 -fPIC -shared
cc -o bin bin.c -Wall -Wextra -Werror -fsanitize=address -ggdb3 -L. -lxxx
LSAN_OPTIONS='detect_leaks=0' \
ASAN_OPTIONS='verbosity=1,detect_stack_use_after_return=true' LD_LIBRARY_PATH=. ./bin

Result:
...
==9581==AddressSanitizer Init done
==9581==T0: FakeStack created: 0x7ffff3e37000 -- 0x7ffff4940000 stack_size_log: 20; mmapped 11300K, noreserve=0
...
7ffff3e37000-7ffff6cc0000 rw-p 00000000 00:00 0
...
call cb: 0x7ffff3f40024
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9581==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff3f40024 (pc 0x7ffff3f40024 bp 0x7fffffffe800 sp 0x7fffffffe688 T0)
==9581==The signal is caused by a READ memory access.
==9581==Hint: PC is at a non-executable region. Maybe a wild jump?
    #0 0x7ffff3f40023  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==9581==ABORTING


It looks like the problem appears because the nested function is created on the fake
stack, which is not executable. Maybe one needs to always use PROT_EXEC when
creating fake stacks?

I've found a workaround: adding 'READ_IMPLIES_EXEC' to the process
'personality', but it affects all 'mmap' calls, so this is not very good.

Sources are in the attachment. With "detect_stack_use_after_return=false" all is
ok.
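As an added illustration that is not part of the report or its attachment, the following C snippet checks whether a code pointer lies in a mapping with the 'x' permission bit by parsing /proc/self/maps text, which is how the "PC is at a non-executable region" diagnosis above can be confirmed before a callback is invoked. The sample maps excerpt is constructed from the rw-p fake-stack line and the callback address quoted in the report; the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Scan /proc/self/maps-style text and report the mapping containing `addr`:
   1 = mapped and executable, 0 = mapped but without PROT_EXEC,
   -1 = no mapping covers the address. */
static int addr_is_executable(const char *maps, uintptr_t addr) {
    const char *line = maps;
    while (*line) {
        unsigned long lo, hi;
        char perms[5];
        /* Each maps line: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            addr >= lo && addr < hi)
            return perms[2] == 'x' ? 1 : 0;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return -1;
}

/* Same check against the live process map (Linux only; -1 elsewhere). */
static int check_live_callback(const void *cb) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return addr_is_executable(buf, (uintptr_t)cb);
}

/* Constructed excerpt modelled on the report: the ASan fake stack is
   mapped rw-p, i.e. readable and writable but not executable. */
static const char kSampleMaps[] =
    "555555554000-555555556000 r-xp 00000000 08:01 12345 /tmp/bin\n"
    "7ffff3e37000-7ffff6cc0000 rw-p 00000000 00:00 0\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    /* The callback address from the report falls inside the rw-p region. */
    printf("fake-stack callback executable: %d\n",
           addr_is_executable(kSampleMaps, 0x7ffff3f40024UL));
    /* Sanity check on the running process: main must be in an x mapping. */
    printf("main executable: %d\n", check_live_callback((const void *)main));
    return 0;
}
```

Run under ASan with detect_stack_use_after_return=true, the live check on a trampoline pointer returns 0, matching the wild-jump hint in the report.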
