New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
None of the sanitizers work in Clang 3.9.1 #769
Comments
Hm, it seems that you forgot to checkout compiler-rt sources (http://releases.llvm.org/3.9.1/compiler-rt-3.9.1.src.tar.xz):
|
Thank you. That helped indeed.
It looks like free() in a shared library (libcurl in this case) causes it:
Any idea what could be wrong this time? |
It's hard to tell without more context. Could you provide a disassembly around failed instruction? |
Sure, here it is:
|
Hm, Glibc free has been called instead of ASan's interceptor. Did you build main executable with |
This is internal free... perhaps it's OK to call it if corresponding malloc also was internal. |
In general it isn't. ASan wraps every malloc/free call, so letting any
other library allocate anything directly from libc will likely break
everything if this pointer is ever passed to ASan allocator.
However this isn't the case. Here /lib64/libnss_dns.so.2 dynamically calls
free() from libc. For some case it didn't pick the interceptor provided by
ASan.
Antony, how do you build/run your program?
…On Tue, Feb 14, 2017 at 3:25 PM, chefmax ***@***.***> wrote:
This is internal free... perhaps it's OK to call it if corresponding
malloc also was internal.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#769 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA3s83h3VE_UiqLEfWT7VIce58S5N6IZks5rcblcgaJpZM4MAPv6>
.
|
I've built the libraries as usual (only added -fno-omit-frame-pointer) and the main binary was built then with -fsanitize=address. |
Well, glibc has mechanisms how to bypass ASan interceptors (it can call malloc/free directly without plt). But I haven't seen problems with that because Glibc tends to call internal free on pointers that were allocated by internal malloc. |
@tony2001 Could you provide disasm around 0x00007ffff00e4db2? |
Here it is:
|
I would say the situation has nothing to do with libc and _int_free(), but
rather with the internals of libnss_dns.so.2
For some reason the call from _nss_dns_gethostbyname4_r() to free() avoids
PLT, which normally shouldn't happen, because they are in different dynamic
libraries.
Antony, any chance you're using prelink?
Can you please attach the output of the program ran with LD_DEBUG=all
(careful, there's a lot of output).
…On Tue, Feb 14, 2017 at 3:52 PM, Antony Dovgal ***@***.***> wrote:
Here it is:
0x00007ffff00e4d50 <+2048>: pop %r14
0x00007ffff00e4d52 <+2050>: pop %r15
0x00007ffff00e4d54 <+2052>: jmpq 0x7ffff00e2c60 <sYSTRIm>
0x00007ffff00e4d59 <+2057>: nopl 0x0(%rax)
0x00007ffff00e4d60 <+2064>: lea (%r12,%rbp,1),%rdi
0x00007ffff00e4d64 <+2068>: mov $0x4,%edx
0x00007ffff00e4d69 <+2073>: mov %rbx,%rsi
0x00007ffff00e4d6c <+2076>: callq 0x7ffff0145650 <madvise>
0x00007ffff00e4d71 <+2081>: jmpq 0x7ffff00e4b16 <_int_free+1478>
0x00007ffff00e4d76 <+2086>: nopw %cs:0x0(%rax,%rax,1)
0x00007ffff00e4d80 <+2096>: lea 0xc4545(%rip),%rsi # 0x7ffff01a92cc
0x00007ffff00e4d87 <+2103>: jmpq 0x7ffff00e4b98 <_int_free+1608>
0x00007ffff00e4d8c <+2108>: mov 0x2fb376(%rip),%edi # 0x7ffff03e0108 <check_action>
0x00007ffff00e4d92 <+2114>: lea 0xc448a(%rip),%rsi # 0x7ffff01a9223
0x00007ffff00e4d99 <+2121>: mov %r15,%rdx
0x00007ffff00e4d9c <+2124>: callq 0x7ffff00e3010 <malloc_printerr>
0x00007ffff00e4da1 <+2129>: jmpq 0x7ffff00e47c7 <_int_free+631>
0x00007ffff00e4da6 <+2134>: lea 0xc7aa3(%rip),%rsi # 0x7ffff01ac850
0x00007ffff00e4dad <+2141>: jmpq 0x7ffff00e4b98 <_int_free+1608>
=> 0x00007ffff00e4db2 <+2146>: mov 0x8(%rcx),%rax
0x00007ffff00e4db6 <+2150>: lea 0xc7b2b(%rip),%rsi # 0x7ffff01ac8e8
0x00007ffff00e4dbd <+2157>: and $0xfffffffffffffff8,%rax
0x00007ffff00e4dc1 <+2161>: lea (%rcx,%rax,1),%rax
0x00007ffff00e4dc5 <+2165>: cmp %rax,%r12
0x00007ffff00e4dc8 <+2168>: jb 0x7ffff00e45d1 <_int_free+129>
0x00007ffff00e4dce <+2174>: jmpq 0x7ffff00e4b98 <_int_free+1608>
0x00007ffff00e4dd3 <+2179>: nopl 0x0(%rax,%rax,1)
0x00007ffff00e4dd8 <+2184>: lea -0x10(%rbp),%rdx
0x00007ffff00e4ddc <+2188>: lea 0x10(%rbx),%rdi
0x00007ffff00e4de0 <+2192>: movzbl %al,%esi
0x00007ffff00e4de3 <+2195>: mov %r8,0x8(%rsp)
0x00007ffff00e4de8 <+2200>: callq 0x7ffff00eff20 <__memset_sse2>
0x00007ffff00e4ded <+2205>: mov 0x8(%rbx),%rdx
0x00007ffff00e4df1 <+2209>: mov 0x8(%rsp),%r8
0x00007ffff00e4df6 <+2214>: jmpq 0x7ffff00e4611 <_int_free+193>
0x00007ffff00e4dfb <+2219>: lea -0x10(%rbp),%rdx
0x00007ffff00e4dff <+2223>: lea 0x10(%rbx),%rdi
0x00007ffff00e4e03 <+2227>: movzbl %al,%esi
0x00007ffff00e4e06 <+2230>: callq 0x7ffff00eff20 <__memset_sse2>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#769 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA3s8yZfZ29gudbwJFh17ZlHtPYrfgO0ks5rcb-6gaJpZM4MAPv6>
.
|
Which symbol are you looking for in the output? free()? Maybe I can cut the output a bit.. |
The symbols from the report plus everything related to loading of the
corresponding shared libraries.
How about attaching it here or pasting to paste.com etc.?
…On Tue, Feb 14, 2017 at 5:47 PM, Antony Dovgal ***@***.***> wrote:
Which symbol are you looking for in the output? free()? Maybe I can cut
the output a bit..
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#769 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA3s82LrVjV7ZGbgSekGiBaBNeyGrdHNks5rcdq-gaJpZM4MAPv6>
.
|
I also ran into this issue a while back, it is specific to SLES 11. Upgrading to SLES 12 solved it for me, as did downgrading glibc. It happened first after upgrading to the glibc with the fix for CVE-2015-7547, around version 2.11.3-17.95.2. To avoid downgrading the system glibc I had a workaround in place which just placed the old versions of libnss_dns.so.2, libnss_files.so.2 and libresolv.so.2 in the LD_LIBRARY_PATH of our installation for our internal ASan tests. I filed a bug with SuSE but since I didn't have a reasonably small reproducer, and a workaround in place, it didn't get fixed. The root cause of this is somewhere in the loading of the NSS libs with DEEPBIND, which will prevent interception of some relevant allocation functions. I hit a related issue much earlier, which I could workaround in ASan. Some related links for that are: Best regards, |
From http://linux.unige.ch/install/suse/opensuse/11.4/i386/ChangeLog:
So this is probly a dup of #611 indeed. |
Indeed, it looks like RTLD_DEEPBIND is the culprit. Anyway, I agree that it's not an ASAN problem, so you can safely close this issue as a dup. |
I get the following errors when trying to use any of the sanitizers:
Clang/LLVM version: 3.9.1
OS: SUSE Linux Enterprise Server 11 SP3 x86-64
Compiler used to build Clang: gcc-6.3.0
How to reproduce:
I saw many similar bug reports, but all of them were related to autotools build and were fixed several years ago. The current build doesn't even mention autotools anymore, yet the problem still persists.
Any idea what I'm doing wrong?
The text was updated successfully, but these errors were encountered: