
Elf Segment Assumptions cause segfaults #50975

Closed
tomrittervg opened this issue May 22, 2018 · 2 comments

@tomrittervg

I'm not sure exactly where, but somewhere in rust there seems to be an assumption about the ELF format, and when I break it (which I'm trying to do to make elfhack work on lld: https://bugzilla.mozilla.org/show_bug.cgi?id=1423822 ) I get segfaults.

I'm compiling with clang, using lld as the linker. Here's a simple reproducer that occurs because I offset the second segment 0xF0 bytes from the first PHDR segment.

root@bca724986ba7:~/myworkspace/build/rust # cat main.rs
fn main() {}

root@bca724986ba7:~/myworkspace/build/rust # cat padding.ld
SECTIONS
{
  . = SEGMENT_START("text-segment", 0) + SIZEOF_HEADERS + 0xF0;
}

root@bca724986ba7:~/myworkspace/build/rust # cat ./cargo-linker
#!/bin/sh

eval ${MOZ_CARGO_WRAP_LD} ${MOZ_CARGO_WRAP_LDFLAGS} '"$@"'

# Minimal reproducer

root@bca724986ba7:~/myworkspace/build/rust # MOZ_CARGO_WRAP_LD=clang MOZ_CARGO_WRAP_LDFLAGS="-lpthread -fuse-ld=lld -flto=thin -Wl,-T,./padding.ld -Wl,-z,noexecstack -Wl,-z,text -Wl,-z,relro -Wl,--build-id" /builds/worker/myworkspace/build/src/rustc/bin/rustc -C linker=./cargo-linker main.rs

root@bca724986ba7:~/myworkspace/build/rust # ./main
Segmentation fault (core dumped)
139

# Remove the padding script:

root@bca724986ba7:~/myworkspace/build/rust # MOZ_CARGO_WRAP_LD=clang MOZ_CARGO_WRAP_LDFLAGS="-lpthread -fuse-ld=lld -flto=thin  -Wl,-z,noexecstack -Wl,-z,text -Wl,-z,relro -Wl,--build-id" /builds/worker/myworkspace/build/src/rustc/bin/rustc -C linker=./cargo-linker main.rs

root@bca724986ba7:~/myworkspace/build/rust # ./main
(no error)

I have a second reproducer that's considerably more difficult to reproduce; it involves patching clang to not output the PHDR segment.

@glandium
Contributor

glandium commented May 22, 2018

This is not a rust bug at all. What I get with your testcase is a binary with:

  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x06c510 0x06c510 R E 0x1000
  LOAD           0x06c510 0x000000000006c510 0x000000000006c510 0x003dc8 0x005004 RW  0x1000

but once loaded the process has:

555555554000-5555555c0000 r-xp 00000000 fd:01 1081097                    /tmp/main
5555555c0000-5555555c4000 r--p 0006c000 fd:01 1081097                    /tmp/main
5555555c4000-5555555c5000 rw-p 00070000 fd:01 1081097                    /tmp/main

And the crash happens at 0x5555555c05c0, which is the address of the jemalloc lock per the symbol table, which is in the second LOAD, but what's actually loaded makes it an error.

So this is actually a ld.so bug because it's not really mapping as it's supposed to, but there's also a lld bug because there's an overlap between the 2 LOADs that would need to be writable and executable at the same time.
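
As an added example, not code from this issue thread, from rustc or from lld, the following Python script parses ELF64 program headers and reports LOAD segments whose page-rounded address ranges overlap while requesting different permissions, which is the overlap glandium describes above. The ELF image is constructed inside the script from the two LOAD lines in the comment (no real binary is read), and every helper name (`build_elf64`, `find_page_conflicts`, `check`) is my own. A second, constructed variant shows the same file offsets with the RW segment's vaddr bumped by one page, the usual way a linker keeps the two LOADs from sharing a page.

```python
"""
Added example (not from the issue, rustc or lld): inspect ELF64 program
headers and flag LOAD segments that share a page while asking for different
permissions. The loader can only give a page one protection, so such a
layout cannot be mapped as the file describes it.
"""
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4
PAGE = 0x1000

# ELF64 header and program header layouts (little-endian).
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # 56 bytes


def build_elf64(phdrs):
    """Construct a minimal ELF64 image holding only the given program headers.

    Each entry is (p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz,
    p_align); p_paddr is set equal to p_vaddr. No section data is emitted,
    since the check only inspects program headers.
    """
    ehsize = struct.calcsize(EHDR_FMT)
    phentsize = struct.calcsize(PHDR_FMT)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, len(phdrs), 64, 0, 0)
    body = b"".join(
        struct.pack(PHDR_FMT, ptype, flags, off, va, va, fsz, msz, align)
        for ptype, flags, off, va, fsz, msz, align in phdrs)
    return ehdr + body


def parse_load_segments(data):
    """Return the PT_LOAD program headers of a little-endian ELF64 image."""
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    segs = []
    for i in range(phnum):
        (ptype, flags, off, vaddr, _paddr, filesz, memsz,
         align) = struct.unpack_from(PHDR_FMT, data, phoff + i * phentsize)
        if ptype == PT_LOAD:
            segs.append({"offset": off, "vaddr": vaddr, "filesz": filesz,
                         "memsz": memsz, "flags": flags, "align": align})
    return segs


def flags_str(flags):
    """Render p_flags the way readelf does, e.g. 'R E' or 'RW '."""
    return (("R" if flags & PF_R else " ") + ("W" if flags & PF_W else " ")
            + ("E" if flags & PF_X else " "))


def page_span(seg, page=PAGE):
    """Page-rounded [start, end) the loader must map for this segment."""
    start = seg["vaddr"] & ~(page - 1)
    end = (seg["vaddr"] + seg["memsz"] + page - 1) & ~(page - 1)
    return start, end


def find_page_conflicts(segs, page=PAGE):
    """Pairs of LOAD segments sharing a page but carrying different p_flags."""
    conflicts = []
    for i, a in enumerate(segs):
        for b in segs[i + 1:]:
            a0, a1 = page_span(a, page)
            b0, b1 = page_span(b, page)
            lo, hi = max(a0, b0), min(a1, b1)
            if lo < hi and a["flags"] != b["flags"]:
                conflicts.append((lo, hi, flags_str(a["flags"]),
                                  flags_str(b["flags"])))
    return conflicts


# Constructed from the two LOAD lines quoted in the comment above.
BROKEN = build_elf64([
    (PT_LOAD, PF_R | PF_X, 0x000000, 0x000000, 0x06c510, 0x06c510, PAGE),
    (PT_LOAD, PF_R | PF_W, 0x06c510, 0x06c510, 0x003dc8, 0x005004, PAGE),
])

# Constructed variant: same file offsets, RW vaddr bumped by one page so the
# LOADs no longer share a page (vaddr stays congruent to offset modulo PAGE).
FIXED = build_elf64([
    (PT_LOAD, PF_R | PF_X, 0x000000, 0x000000, 0x06c510, 0x06c510, PAGE),
    (PT_LOAD, PF_R | PF_W, 0x06c510, 0x06d510, 0x003dc8, 0x005004, PAGE),
])


def check(data):
    return find_page_conflicts(parse_load_segments(data))


if __name__ == "__main__":
    for name, img in (("broken", BROKEN), ("fixed", FIXED)):
        for lo, hi, fa, fb in check(img):
            print(f"{name}: page {lo:#x}-{hi:#x} requested as '{fa}' and '{fb}'")
        print(f"{name}: {len(check(img))} conflict(s)")
```

Run it on the constructed images and the "broken" layout reports the single page at 0x6c000 being requested both as `R E` and `RW `, which is exactly the page the kernel ends up mapping `r--p` in the `/proc/<pid>/maps` excerpt above; the "fixed" layout reports nothing. To check a real file, replace `BROKEN` with `open(path, "rb").read()`.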

@Mark-Simulacrum
Member

Closing as not a bug per the previous comment. Please let us know if you disagree.
