lewisje / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

Segfault in instrumented programs that use GNU indirect functions. #342

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Testcase is attached. Compile with GCC with -fsanitize=address option.
2. Run.

What is the expected output? What do you see instead?
Expected: 
Got: Segmentation fault (core dumped).

What version of the product are you using? On what operating system?
Compiler: gcc version 5.0.0 20140916 (experimental) (GCC).
OS: Linux 3.2.0-56-generic #86-Ubuntu 12.04 x86_64 x86_64 x86_64 GNU/Linux

Please provide any additional information below.
It seems that resolution of the indirect function's implementation happens before 
asan_init is invoked, so if ASan inserts red zones into the resolver's stack, we will 
have a segfault.

Original issue reported on code.google.com by chefM...@gmail.com on 18 Sep 2014 at 10:36

GoogleCodeExporter commented 9 years ago
For the record, Clang does not support the ifunc attribute yet, so this is a 
GCC-only problem.

Am I right that the resolver functions themselves aren't marked in any way and may 
reside in a different TU, so we can't decide to instrument them differently?

For now you'll need to mark your resolver functions with 
__attribute__((no_sanitize_address)). Not sure if something can be done without 
messing with the linker (wonder why the resolver function is called before the 
.preinit_array initializer).

Original comment by ramosian.glider@gmail.com on 18 Sep 2014 at 11:45

GoogleCodeExporter commented 9 years ago
> For the record, Clang does not support the ifunc attribute yet,
> so this is a GCC-only problem.

There is a bug in LLVM Bugzilla about this so it may get to Clang eventually.

> Am I right that the resolver functions themselves aren't marked anyhow
> and may reside in a different TU,
> so we can't decide to instrument them differently?

Luckily not: "Finally, the indirect function needs to be defined in the same 
translation unit as the resolver function" (from 
https://gcc.gnu.org/onlinedocs/gcc-4.7.2/gcc/Function-Attributes.html). So it 
looks like this could be detected by GCC.

Original comment by tetra2...@gmail.com on 18 Sep 2014 at 12:32
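Added example, not part of the original issue or of the address-sanitizer project: a GNU ifunc laid out the way the two comments above describe, with the resolver marked `__attribute__((no_sanitize_address))` and defined in the same translation unit as the indirect function. All function names are made up; it assumes Linux/glibc with GCC or Clang and builds with or without -fsanitize=address.

```c
// Added example (not from the original issue): a GNU ifunc whose resolver
// is excluded from ASan instrumentation, the workaround suggested in the
// thread. Builds with gcc or clang on Linux/glibc, with or without
// -fsanitize=address. All names here are made up for illustration.
#include <stddef.h>
#include <string.h>

// Two candidate implementations of the same interface; which one is used
// is decided once, at load time, by the resolver below.
static size_t count_bytes_simple(const char *s) {
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

static size_t count_bytes_libc(const char *s) {
    return strlen(s);
}

// Resolver: ld.so calls this while applying IRELATIVE relocations, i.e.
// before .preinit_array runs and therefore before asan_init has mapped
// shadow memory. Stack-redzone instrumentation in here would write to
// shadow addresses that are not mapped yet and segfault, so ASan is
// disabled for this one function. It must live in the same TU as the ifunc.
__attribute__((no_sanitize_address))
static size_t (*resolve_count_bytes(void))(const char *) {
    // Keep the resolver trivial: no locals needing redzones, no calls into
    // code that is not yet initialised. A real resolver would typically
    // inspect CPU features before choosing an implementation.
    return count_bytes_libc;
}

// The public symbol is a GNU indirect function bound to the resolver.
size_t count_bytes(const char *s) __attribute__((ifunc("resolve_count_bytes")));

// Plain helper callable from a test: exercises the ifunc and also the
// simple implementation directly so both candidates agree on the input.
int count_bytes_selftest(void) {
    const char *sample = "asan+ifunc";   // constructed input, 10 bytes
    return count_bytes(sample) == 10 && count_bytes_simple(sample) == 10;
}
```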

GoogleCodeExporter commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Original comment by ramosian.glider@gmail.com on 30 Jul 2015 at 9:06