digego / extempore

A cyber-physical programming environment

Crash when evaluating this snippet #276

Closed kroll-j closed 8 years ago

kroll-j commented 8 years ago

With commit b5f80a3d5840385cd72e2588f86cf181f7a9be04 on Ubuntu 16.04, evaluating the following snippet crashes:

(bind-func foo
  (lambda ()
    void))
(llvm:get-native-closure foo)

With the following output:

$ extempore 

------------- Extempore -------------- 
Andrew Sorensen (c) 2010-2016
andrew@moso.com.au, @digego

ARCH           : x86_64-unknown-linux-gnu
CPU            : ivybridge
ATTRS          : -sse4a,-avx512bw,+cx16,-tbm,+xsave,-fma4,-avx512vl,-prfchw,-bmi2,-adx,-xsavec,+fsgsbase,+avx,-avx512cd,-avx512pf,-rtm,+popcnt,-fma,-bmi,+aes,+rdrnd,-xsaves,+sse4.1,+sse4.2,-avx2,-avx512er,+sse,-lzcnt,+pclmul,-avx512f,+f16c,+ssse3,+mmx,-pku,+cmov,-xop,-rdseed,-movbe,-hle,+xsaveopt,-sha,+sse2,+sse3,-avx512dq
LLVM           : 3.8.0 MCJIT
Output Device  : default
Input Device   : 
SampleRate     : 44100
Channels Out   : 2
Channels In    : 0
Frames         : 128
Latency        : 0.00870748 sec
---------------------------------------

Starting utility process
Trying to connect to 'localhost' on port 7098
New Client Connection
Successfully connected to remote process

Starting primary process
Trying to connect to 'localhost' on port 7099
New Client Connection
Successfully connected to remote process
Loading xtmbase library... done in 16.384580 seconds
New Client Connection
Compiled:  foo >>> [void]*
*** buffer overflow detected ***: extempore terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f8d8d14b725]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f8d8d1ec89c]
/lib/x86_64-linux-gnu/libc.so.6(+0x1168a0)[0x7f8d8d1ea8a0]
/lib/x86_64-linux-gnu/libc.so.6(+0x115e09)[0x7f8d8d1e9e09]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7f8d8d14f5e0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x139b)[0x7f8d8d1224cb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f8d8d1e9e94]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f8d8d1e9ded]
extempore[0xca3fe5]
extempore(scheme_load_string+0xc9)[0xca45b9]
extempore(_ZN6extemp13SchemeProcess8taskImplEv+0x9a4)[0xcd5a04]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76fa)[0x7f8d8e2496fa]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f8d8d1dab5d]
======= Memory map: ========
[...]
fish: Job 2, “extempore” terminated by signal SIGABRT (Abort)

Backtrace:

(gdb) core-file /tmp/core-SP_task-7550
[New LWP 7572]
[New LWP 7560]
[New LWP 7564]
[New LWP 7571]
[New LWP 7573]
[New LWP 7550]
[New LWP 7551]
[New LWP 7562]
[New LWP 7563]
[New LWP 7561]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `extempore'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f8d8d109418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f8d85f42700 (LWP 7572))]
(gdb) bt
#0  0x00007f8d8d109418 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f8d8d10b01a in __GI_abort () at abort.c:89
#2  0x00007f8d8d14b72a in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f8d8d262c7f "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f8d8d1ec89c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7f8d8d262c10 "buffer overflow detected") at fortify_fail.c:37
#4  0x00007f8d8d1ea8a0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007f8d8d1e9e09 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#6  0x00007f8d8d14f5e0 in __GI__IO_default_xsputn (f=0x7f8d85f41430, data=<optimized out>, n=503) at genops.c:455
#7  0x00007f8d8d1224cb in _IO_vfprintf_internal (s=s@entry=0x7f8d85f41430, format=<optimized out>, 
    format@entry=0x2185740 "function(%s): argument %d must be: %s\nargument values: %s", ap=ap@entry=0x7f8d85f41568) at vfprintf.c:1632
#8  0x00007f8d8d1e9e94 in ___vsprintf_chk (
    s=0x7f8d85f41830 "function(string-append): argument 1 must be: string\nargument values: (#<<CLOSURE 0x7f8d5b536510><CODE (args (if (and (not (null? args)) (symbol? (car args))) (if (equal? (car args) (quote xtlang)) (qu"..., flags=1, slen=512, format=0x2185740 "function(%s): argument %d must be: %s\nargument values: %s", 
    args=args@entry=0x7f8d85f41568) at vsprintf_chk.c:82
#9  0x00007f8d8d1e9ded in ___sprintf_chk (s=<optimized out>, flags=<optimized out>, slen=<optimized out>, format=<optimized out>) at sprintf_chk.c:31
#10 0x0000000000ca3fe5 in ?? ()
#11 0x0000000000ca45b9 in scheme_load_string ()
#12 0x0000000000cd5a04 in extemp::SchemeProcess::taskImpl() ()
#13 0x00007f8d8e2496fa in start_thread (arg=0x7f8d85f42700) at pthread_create.c:333
#14 0x00007f8d8d1dab5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb) 
JimKuhn commented 8 years ago

There was an unchecked sprintf that overran a message buffer. I'm sure there are many more like this. I've posted a quick fix in da7cdb368b5dfeb6002b5d19a699bf8035d4c602 that avoids the crash in this case.

When I get some time (yeah, right) I may run some static analysis on the source that should quickly point out these obvious trouble spots.
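
The overrun Jim describes, as an added example that is not Extempore's code. It takes the 512-byte message buffer (slen=512 in frame #8), the format string from frame #7 and the 503-byte printed argument dump (n=503 in frame #6) from the backtrace, and shows the unbounded sprintf beside two fixes: a bounded snprintf that reports truncation, and a heap allocation sized from the content. MSG_BUF_SIZE, the function names and the filler argument string are assumptions; the constant 69 below is just the length of the fixed text the format string emits for this call.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size, matching slen=512 in the backtrace. */
#define MSG_BUF_SIZE 512

/* Format string as seen in frame #7 of the backtrace. */
static const char *const ARG_ERROR_FMT =
    "function(%s): argument %d must be: %s\nargument values: %s";

/* Vulnerable pattern: unbounded sprintf into a fixed buffer. `argvals` is the
 * printed form of whatever the user passed, so its length is unbounded.
 * glibc's _FORTIFY_SOURCE turned the overrun into the SIGABRT above; an
 * unfortified build would silently smash the stack. Kept only as the
 * "before" form and never called with input that does not fit. */
static void format_arg_error_unsafe(char *buf, const char *fn, int argn,
                                    const char *expected, const char *argvals)
{
    sprintf(buf, ARG_ERROR_FMT, fn, argn, expected, argvals);
}

/* Length the message needs, excluding the NUL (C99 snprintf(NULL, 0, ...)). */
static size_t arg_error_needed(const char *fn, int argn,
                               const char *expected, const char *argvals)
{
    int n = snprintf(NULL, 0, ARG_ERROR_FMT, fn, argn, expected, argvals);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: bounded write, always NUL-terminated, returns the full
 * length so the caller can detect truncation. A truncated message gets a
 * visible "..." tail so a clipped argument dump is not read as complete. */
static size_t format_arg_error_bounded(char *buf, size_t bufsz, const char *fn,
                                       int argn, const char *expected,
                                       const char *argvals)
{
    if (bufsz == 0) return 0;
    int n = snprintf(buf, bufsz, ARG_ERROR_FMT, fn, argn, expected, argvals);
    if (n < 0) { buf[0] = '\0'; return 0; }
    if ((size_t)n >= bufsz && bufsz >= 4)
        memcpy(buf + bufsz - 4, "...", 4);   /* the 4th byte is the NUL */
    return (size_t)n;
}

/* Alternative fix when nothing may be dropped: size the buffer from the
 * content. Caller frees the result. */
static char *format_arg_error_alloc(const char *fn, int argn,
                                    const char *expected, const char *argvals)
{
    size_t need = arg_error_needed(fn, argn, expected, argvals);
    char *out = malloc(need + 1);
    if (out == NULL) return NULL;
    snprintf(out, need + 1, ARG_ERROR_FMT, fn, argn, expected, argvals);
    return out;
}

/* Constructed stand-in for the printed closure: `len` bytes of 'x'. */
static char *make_argvals(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'x', len);
    s[len] = '\0';
    return s;
}

/* Runs an argument dump of `argvals_len` bytes through the bounded formatter.
 * Returns 1 only when plain sprintf would have overrun MSG_BUF_SIZE, the
 * bounded write stayed inside the buffer, and the truncation marker is set. */
static int check_bounded(size_t argvals_len)
{
    char buf[MSG_BUF_SIZE];
    char *argvals = make_argvals(argvals_len);
    if (argvals == NULL) return 0;
    size_t need = format_arg_error_bounded(buf, sizeof buf, "string-append", 1,
                                           "string", argvals);
    int ok = need >= sizeof buf                       /* sprintf would overrun */
          && strlen(buf) == sizeof buf - 1            /* stayed in bounds */
          && strcmp(buf + sizeof buf - 4, "...") == 0; /* truncation visible */
    free(argvals);
    return ok;
}

/* Length of the heap-sized message for a given argument dump. */
static size_t alloc_message_len(size_t argvals_len)
{
    char *argvals = make_argvals(argvals_len);
    if (argvals == NULL) return 0;
    char *msg = format_arg_error_alloc("string-append", 1, "string", argvals);
    size_t len = msg ? strlen(msg) : 0;
    free(msg);
    free(argvals);
    return len;
}

int main(void)
{
    char small[MSG_BUF_SIZE];
    /* 69 bytes of fixed text + 5 bytes of argument dump: fits, so the unsafe
     * form happens to work here, which is exactly why such bugs survive. */
    format_arg_error_unsafe(small, "string-append", 1, "string", "(1 2)");
    printf("%s\n\n", small);
    printf("503-byte argument dump needs %zu bytes, buffer is %d\n",
           alloc_message_len(503), MSG_BUF_SIZE);
    printf("bounded formatter contained it: %s\n",
           check_bounded(503) ? "yes" : "no");
    return 0;
}
```

The `__sprintf_chk` and `__fortify_fail` frames in the trace show that the build was fortified (Ubuntu's gcc enables `_FORTIFY_SOURCE=2` by default at `-O1` and above), which is what turned a silent stack overwrite into a clean abort; a bounded formatter removes the overrun rather than relying on that safety net, and the returned length lets the caller decide whether a truncated error message is acceptable or the heap-sized variant is needed.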

benswift commented 8 years ago

Thanks Jim, good catch.

> When I get some time (yeah, right)

:)