CTSRD-CHERI / cheribsd

FreeBSD adapted for CHERI-RISC-V and Arm Morello.
http://cheribsd.org

__elf_phdr_match_addr crash due to sentries #487

Open nwf opened 4 years ago

nwf commented 4 years ago
Trapframe Register Dump:
$0: 0                  at: 0x1                v0: 0xe                v1: 0xe00000000
a0: 0xe                a1: 0x1                a2: 0                  a3: 0x1
a4: 0x18               a5: 0                  a6: 0                  a7: 0x100000000
t0: 0                  t1: 0                  t2: 0                  t3: 0
s0: 0x152e0            s1: 0xffd7             s2: 0x21b0             s3: 0
s4: 0                  s5: 0                  s6: 0                  s7: 0
t8: 0x101010101010101  t9: 0x3e               k0: 0                  k1: 0
gp: 0                  sp: 0x3                s8: 0                  ra: 0
status: 0x408084b3 mullo: 0x137e0; mulhi: 0x6a2; badvaddr: 0x4063a110
cause: 0x48; pc: 0x4063a138
BadInstr: 0x4a622010 cincoffset c2, c4, 16
CHERI cause: ExcCode: 0x03 RegNum: $c04 (seal violation)
$ddc: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c01: v:1 s:0 p:00000014 b:0000000000120040 l:0000000000000310 o:0 t:-1
$c02: v:1 s:0 p:00078117 b:00000000403fa000 l:00000000002a3000 o:240110 t:-1
$c03: v:1 s:0 p:0007817d b:0000007ffffcfe30 l:0000000000000060 o:0 t:-1
$c04: v:1 s:1 p:00078117 b:0000000000120000 l:000000000006c000 o:34e50 t:fffffffffffffffe
$c05: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:2 t:-1
$c06: v:1 s:0 p:0007817d b:0000007ffffcec10 l:0000000000000010 o:0 t:-1
$c07: v:1 s:0 p:0007817d b:0000007ffffcdf10 l:0000000000000010 o:0 t:-1
$c08: v:1 s:0 p:0007817d b:0000007ffffce2b0 l:0000000000000010 o:0 t:-1
$c09: v:1 s:0 p:0007817d b:0000000040e00000 l:0000000000100000 o:4000 t:-1
$c10: v:1 s:0 p:0007817d b:0000007ffffce1a0 l:0000000000000010 o:0 t:-1
$c11: v:1 s:0 p:0007817d b:0000007ffbff0000 l:0000000003fe0000 o:3fdfdf0 t:-1
$c12: v:1 s:1 p:00078117 b:00000000403fa000 l:00000000002a3000 o:240110 t:fffffffffffffffe
$c13: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c14: v:1 s:0 p:0007817d b:0000007ffffcdea0 l:0000000000000010 o:0 t:-1
$c15: v:1 s:0 p:0007817d b:0000007ffffcde90 l:0000000000000010 o:0 t:-1
$c16: v:1 s:0 p:0007817d b:0000007ffffce200 l:0000000000000010 o:0 t:-1
$c17: v:1 s:1 p:00078117 b:00000000403fa000 l:00000000002a3000 o:1a8ba8 t:fffffffffffffffe
$c18: v:1 s:0 p:00078115 b:000000004042bf96 l:000000000000003d o:0 t:-1
$c19: v:1 s:0 p:0006817d b:0000000040b9b000 l:0000000000000050 o:0 t:-1
$c20: v:1 s:0 p:0006817d b:0000000040b9b000 l:0000000000000050 o:0 t:-1
$c21: v:1 s:0 p:00078117 b:00000000403fa000 l:00000000002a3000 o:28d9c0 t:-1
$c22: v:1 s:0 p:0007817d b:000000004067ab00 l:0000000000000010 o:0 t:-1
$c23: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c24: v:1 s:0 p:0007817d b:0000007ffbff0000 l:0000000003fe0000 o:3fdfdf0 t:-1
$c25: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c26: v:1 s:0 p:00078115 b:0000000040687980 l:0000000000015380 o:40 t:-1
$c27: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c28: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c29: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c30: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$c31: v:0 s:0 p:00000000 b:0000000000000000 l:ffffffffffffffff o:0 t:-1
$pcc: v:1 s:0 p:00078117 b:00000000403fa000 l:00000000002a3000 o:240138 t:-1

May 20 20:15:54 qemu-cheri128-daemon kernel: USER_CHERI_EXCEPTION: pid 687 tid 100051 (func-malloc-1), uid 0: CP2 fault (type 0x32)
May 20 20:15:55 qemu-cheri128-daemon kernel: Process arguments: /mnt/snmalloc-128-build/func-malloc-1
Program received signal SIGPROT, CHERI protection violation
Capability sealed faultwarning: GDB can't find the start of the function at 0x4063a138.

    GDB is unable to find the start of the function at 0x4063a138
and thus can't determine the size of that function's stack frame.
This means that GDB may be unable to access that stack frame, or
the frames below it.
    This problem is most likely caused by an invalid program counter or
stack pointer.
    However, if you think GDB should simply search farther back
from 0x4063a138 for code which looks like the beginning of a
function, you can increase the range of the search using the `set
heuristic-fence-post' command.

 caused by register c4: 0x154e50 <snmalloc::OnDestruct<&snmalloc::ThreadAllocCommon::inner_release>::~OnDestruct()> [rxR,0x120000-0x18c000] (sealed).
0x000000004063a138 in ?? ()
Reading symbols from /usr/libcheri/libexecinfo.so.1...
Reading symbols from /usr/libcheri/libc++.so.1...
Reading symbols from /usr/libcheri/libcxxrt.so.1...
Reading symbols from /usr/libcheri/libm.so.5...
Reading symbols from /usr/libcheri/libthr.so.3...
Reading symbols from /usr/libcheri/libc.so.7...
Reading symbols from /usr/libcheri/libelf.so.2...
Reading symbols from /usr/libcheri/libgcc_s.so.1...

Thread 1 (LWP 100051 of process 687):
#0  0x000000004063a138 in __elf_phdr_match_addr (phdr_info=0x7ffffcfe30 [rwRW,0x7ffffcfe30-0x7ffffcfe90], addr=0x154e50 <snmalloc::OnDestruct<&snmalloc::ThreadAllocCommon::inner_release>::~OnDestruct()> [rxR,0x120000-0x18c000] (sealed)) at /cheri/source/mainline/cheribsd/lib/libc/gen/elf_utils.c:50
#1  0x00000000405a2ba8 in walk_cb_call (dtor=0x40b9b000 [rwRW,0x40b9b000-0x40b9b050]) at /cheri/source/mainline/cheribsd/lib/libc/stdlib/cxa_thread_atexit_impl.c:109
#2  cxa_thread_walk (cb=<optimized out>) at /cheri/source/mainline/cheribsd/lib/libc/stdlib/cxa_thread_atexit_impl.c:128
#3  __cxa_thread_call_dtors () at /cheri/source/mainline/cheribsd/lib/libc/stdlib/cxa_thread_atexit_impl.c:144
#4  0x00000000405a288c in exit (status=0) at /cheri/source/mainline/cheribsd/lib/libc/stdlib/exit.c:73
#5  0x000000000014d338 in _start (auxv=<optimized out>, cleanup=<optimized out>, obj=<optimized out>) at /cheri/source/mainline/cheribsd/lib/csu/mips64c128/crt1.c:183
#6  0x000000000014d1f0 in ?? ()
Backtrace stopped: frame did not save the PC
(gdb) p phdr_info
$1 = (struct dl_phdr_info *) 0x7ffffcfe30 [rwRW,0x7ffffcfe30-0x7ffffcfe90]
(gdb) p *phdr_info
$2 = {dlpi_addr = 103845937183995105521252321698381824, dlpi_name = 0x7ffffeff30 [rwRW,0x7ffffeff30-0x7ffffeff56] "/mnt/snmalloc-128-build/func-malloc-1",
  dlpi_phdr = 0x120040 [rR,0x120040-0x120350], dlpi_phnum = 14, dlpi_adds = 9, dlpi_subs = 0, dlpi_tls_modid = 1,
  dlpi_tls_data = 0x179da0 [rwRW,0x0-0x10280000]}
(gdb) p i
$3 = 0
(gdb) p phdr_info->dlpi_phdr[0]
$5 = {p_type = 6, p_flags = 4, p_offset = 64, p_vaddr = 64, p_paddr = 64, p_filesz = 784, p_memsz = 784, p_align = 8}

The offending cincoffset is probably from https://github.com/CTSRD-CHERI/cheribsd/blob/3b5015c9cc95666e3d09fb5fc619db705814e82c/lib/libc/gen/elf_utils.c#L68 despite the debuginfo?

jrtc27 commented 4 years ago

Yeah that's unfortunate. We could add vaddr_t casts here to get the behaviour we want, though really we want a tag-clearing CIncOffset here; slowly coming to believe tag-clearing is the right behaviour...
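To make the "vaddr_t casts" route concrete, here is an added example of the same segment-membership check written so that the pointer under test (in the report, the sealed sentry passed as `addr`) is only ever read as an integer address and never used as an operand of pointer arithmetic. This is illustration code, not CheriBSD's `__elf_phdr_match_addr` and not a proposed patch; the `seg_hdr`/`obj_info` structs are cut-down stand-ins whose field names mirror the `dl_phdr_info` fields visible in the GDB dump, the sample objects are constructed from addresses in the trapframe, and `__builtin_cheri_address_get` is assumed to be the CHERI Clang builtin for reading a capability's address (on a non-CHERI host the fallback cast is the identity).

```c
/*
 * Added example, not CheriBSD's __elf_phdr_match_addr: "does this address
 * fall in a PT_LOAD segment?" with every comparison done on integers.
 * On CHERI, `addr + n` on a sealed capability is the cincoffset that
 * raised the seal violation in the report; reading the address field
 * instead never touches the seal or the tag.
 */
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for Elf_Phdr / struct dl_phdr_info (constructed). */
#define PT_LOAD 1
#define PT_PHDR 6

struct seg_hdr {
	uint32_t p_type;
	uint64_t p_vaddr;   /* link-time address of the segment */
	uint64_t p_memsz;   /* size in memory */
};

struct obj_info {
	uintptr_t             dlpi_addr;  /* load base; a capability on CHERI */
	const struct seg_hdr *dlpi_phdr;
	uint16_t              dlpi_phnum;
};

/*
 * Integer address of a pointer. On a CHERI purecap build this reads the
 * capability's address field (assumed CHERI Clang builtin) without
 * touching its tag or seal; elsewhere it is the plain vaddr_t-style cast.
 */
static uint64_t
ptr_address(const void *p)
{
#ifdef __CHERI_PURE_CAPABILITY__
	return (uint64_t)__builtin_cheri_address_get(p);
#else
	return (uint64_t)(uintptr_t)p;
#endif
}

/* 1 if addr lies in a PT_LOAD segment of info, else 0. All arithmetic is
 * on integers, so a sealed or untagged addr cannot trap here. */
int
phdr_match_addr(const struct obj_info *info, const void *addr)
{
	uint64_t a = ptr_address(addr);
	uint64_t base = ptr_address((const void *)info->dlpi_addr);

	for (uint16_t i = 0; i < info->dlpi_phnum; i++) {
		const struct seg_hdr *ph = &info->dlpi_phdr[i];
		if (ph->p_type != PT_LOAD)
			continue;                 /* PT_PHDR etc. are not mapped ranges */
		uint64_t lo = base + ph->p_vaddr;
		uint64_t hi = lo + ph->p_memsz;   /* exclusive end */
		if (a >= lo && a < hi)
			return 1;
	}
	return 0;
}

/* Constructed sample shaped like the report: a main executable loaded at
 * 0x120000 with a PT_PHDR (0x40, 784 bytes) and one PT_LOAD of 0x6c000. */
static const struct seg_hdr exe_phdrs[] = {
	{ PT_PHDR, 0x40, 0x310 },
	{ PT_LOAD, 0x0,  0x6c000 },
};
const struct obj_info exe_info = { 0x120000, exe_phdrs, 2 };

/* Same object but with only the PT_PHDR visible: non-LOAD headers are skipped. */
const struct obj_info phdr_only_info = { 0x120000, exe_phdrs, 1 };

/* Wrap an integer address in a pointer for the demo; on CHERI this yields
 * an untagged capability, which ptr_address() still reads correctly. */
static const void *
as_ptr(uint64_t a)
{
	return (const void *)(uintptr_t)a;
}

int
main(void)
{
	/* 0x154e50 is the sentry's address from the trapframe ($c04, offset 0x34e50). */
	printf("0x154e50 in exe: %d\n", phdr_match_addr(&exe_info, as_ptr(0x154e50)));
	printf("0x18c000 in exe: %d\n", phdr_match_addr(&exe_info, as_ptr(0x18c000)));
	printf("0x120100 in PT_PHDR-only object: %d\n",
	    phdr_match_addr(&phdr_only_info, as_ptr(0x120100)));
	return 0;
}
```

This shows only the integer-cast route; the tag-clearing `CIncOffset` jrtc27 mentions is an ISA-level change and would leave the original pointer arithmetic in place while making it produce an untagged result instead of trapping.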