vnmakarov / mir

A lightweight JIT compiler based on MIR (Medium Internal Representation) and C11 JIT compiler and interpreter based on MIR
MIT License
2.24k stars 145 forks

Segfault in `target_get_blk_type` #361

Open clesmian opened 11 months ago

clesmian commented 11 months ago

When executing c2m on poc.txt, a segfault occurs

POC

#include<stdarg.h>
struct car{
    char a;
    long d;
};

o(int n,...){
        struct car c0,c;
        va_list args;
        va_arg(args,struct car);
        int n0;
        c=va_arg(args,struct car);
        int n2=(args);
        return 0;
}

ASAN Output

poc:13:17: warning -- assigning pointer without cast to integer
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1783169==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x555b51456b7f bp 0x000000000012 sp 0x7fa217fe18f0 T1)
==1783169==The signal is caused by a READ memory access.
==1783169==Hint: address points to the zero page.
    #0 0x555b51456b7e in target_get_blk_type c2mir/x86_64/cx86_64-ABI-code.c:349
    #1 0x555b51456b7e in gen c2mir/c2mir.c:12211
    #2 0x555b5145d177 in top_gen c2mir/c2mir.c:10551
    #3 0x555b51449f18 in gen c2mir/c2mir.c:12739
    #4 0x555b51449e85 in gen c2mir/c2mir.c:11631
    #5 0x555b5144a86e in gen c2mir/c2mir.c:12492
    #6 0x555b5144fca2 in gen c2mir/c2mir.c:12454
    #7 0x555b51449e85 in gen c2mir/c2mir.c:11631
    #8 0x555b5144a86e in gen c2mir/c2mir.c:12492
    #9 0x555b51463e24 in top_gen c2mir/c2mir.c:10551
    #10 0x555b51463e24 in gen_mir c2mir/c2mir.c:12881
    #11 0x555b51463e24 in c2mir_compile c2mir/c2mir.c:13492
    #12 0x555b51468d6a in compile c2mir/c2mir-driver.c:498
    #13 0x7fa21b5ba608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #14 0x7fa21b4df132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV c2mir/x86_64/cx86_64-ABI-code.c:349 in target_get_blk_type
Thread T1 created by T0 here:
    #0 0x7fa21b764815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x555b5137d6f8 in init_compilers c2mir/c2mir-driver.c:540
    #2 0x555b5137d6f8 in main c2mir/c2mir-driver.c:656

==1783169==ABORTING

Found while fuzzing https://github.com/vnmakarov/mir/commit/d51b45f6c76d2ca03a5b2e1968c195b867eaed30, verified with https://github.com/vnmakarov/mir/commit/cf3c9c106afdda59c402bdd40e61241aa20a755d
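The reproducer above reaches the struct-type `va_arg` path with a `va_list` that was never initialized and with no actual arguments behind it; the crash is in c2m's ABI classification of the block (struct) type, not in anything the program does at run time. For comparison, and as a well-formed input that exercises the same code path (struct and scalar types pulled out of a `va_list` on x86_64), here is an added example. It is not part of the issue or of the mir project; `sum_cars` and `weighted_sum` are names chosen for this example, and the struct layout is copied from the reproducer.

```c
#include <stdarg.h>
#include <stdio.h>

/* Same layout as in the reproducer: a char followed by a long. On x86_64
   this is 16 bytes, so the ABI code has to classify it as a block type
   rather than a single scalar when it is read back through va_arg. */
struct car {
    char a;
    long d;
};

/* Well-formed counterpart of the reproducer's o(): va_start before the
   first va_arg, one va_arg per actual argument, va_end at the end.
   Returns the sum of all fields of n struct car arguments. */
long sum_cars(int n, ...)
{
    va_list args;
    long total = 0;

    va_start(args, n);
    for (int i = 0; i < n; i++) {
        struct car c = va_arg(args, struct car);  /* struct pulled from the va_list */
        total += c.a + c.d;
    }
    va_end(args);
    return total;
}

/* Alternates a scalar and a struct in the variadic part, so the ABI code
   has to switch between the scalar and the block classification for
   consecutive arguments. Each pair is (int weight, struct car c); returns
   the sum of weight * (c.a + c.d) over the n pairs. */
long weighted_sum(int n, ...)
{
    va_list args;
    long total = 0;

    va_start(args, n);
    for (int i = 0; i < n; i++) {
        int weight = va_arg(args, int);            /* scalar classification */
        struct car c = va_arg(args, struct car);  /* block classification */
        total += (long) weight * (c.a + c.d);
    }
    va_end(args);
    return total;
}

int main(void)
{
    /* Constructed inputs for a stand-alone run. */
    long s = sum_cars(2, (struct car){1, 10}, (struct car){2, 20});
    long w = weighted_sum(2, 3, (struct car){1, 1}, 2, (struct car){0, 5});

    printf("sum_cars = %ld\n", s);       /* 33 */
    printf("weighted_sum = %ld\n", w);   /* 16 */
    return 0;
}
```

Compiling this with a system compiler gives the reference values; compiling the same file with a fixed c2m and comparing the output is a cheap regression check that the struct-type `va_arg` path in `target_get_blk_type` still produces working code after the fix, in addition to no longer crashing on the malformed reproducer.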

vnmakarov commented 11 months ago

I fixed this one by 69465b2e273721029f0eff05c983e493be465f2a