Bug#908109: clang-6.0: AddressSanitizer: SEGV on unknown address ... in _dl_get_tls_static_info
Sylvestre Ledru
sylvestre at debian.org
Thu Sep 6 09:38:16 BST 2018
Le 06/09/2018 à 10:30, Jakub Wilk a écrit :
> Package: clang-6.0
> Version: 1:6.0.1-6
>
> Programs built with -fsanitize=address seem completely broken:
>
> $ printf '#include <stdio.h>\nint main(int argc,char**argv){printf("Hello world!\\n");}' > hello.c
> $ clang-6.0 -fsanitize=address hello.c -o hello
> $ ./hello
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==7617==ERROR: AddressSanitizer: SEGV on unknown address 0xf7ee9430
> (pc 0xf7ee9444 bp 0xff9c367c sp 0xff9c363c T16777215)
> ==7617==The signal is caused by a WRITE memory access.
> #0 0xf7ee9443 in _dl_get_tls_static_info
> (/lib/ld-linux.so.2+0x12443)
> #1 0x8159e89 in __sanitizer::InitTlsSize()
> (/home/jwilk/hello+0x8159e89)
> #2 0x813ed32 in __asan::AsanInitInternal() [clone .part.3]
> (/home/jwilk/hello+0x813ed32)
> #3 0xf7ee6eda (/lib/ld-linux.so.2+0xfeda)
> #4 0xf7ed8299 (/lib/ld-linux.so.2+0x1299)
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV (/lib/ld-linux.so.2+0x12443) in
> _dl_get_tls_static_info
> ==7617==ABORTING
>
>
On my system (amd64):
$ ./hello
Hello world!
What happens with
----
#include <stdlib.h>
int main() {
    char *x = (char*)malloc(10 * sizeof(char*));  /* 80-byte heap region */
    free(x);
    return x[5];  /* deliberate heap-use-after-free: ASan should report this read */
}
---
$ clang-6.0 -o foo -fsanitize=address -O1 -g foo.c
$ ./foo
It should show:
=================================================================
==20597==ERROR: AddressSanitizer: heap-use-after-free on address
0x607000000025 at pc 0x0000005156d1 bp 0x7ffd2d0ef200 sp 0x7ffd2d0ef1f8
READ of size 1 at 0x607000000025 thread T0
#0 0x5156d0 in main /tmp/foo.c:5:10
#1 0x7fda04fbaa86 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#2 0x41d339 in _start (/tmp/foo+0x41d339)
0x607000000025 is located 5 bytes inside of 80-byte region
[0x607000000020,0x607000000070)
freed by thread T0 here:
#0 0x4e1f40 in __interceptor_free.localalias.0 (/tmp/foo+0x4e1f40)
#1 0x5156a5 in main /tmp/foo.c:4:3
previously allocated by thread T0 here:
#0 0x4e2110 in malloc (/tmp/foo+0x4e2110)
#1 0x51569a in main /tmp/foo.c:3:20
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/foo.c:5:10 in main
Shadow bytes around the buggy address:
0x0c0e7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff8000: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fa fa
0x0c0e7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20597==ABORTING
S
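The two outputs in this thread are the two cases a triager has to tell apart: a report from a working ASan runtime (the heap-use-after-free above) and a crash inside the runtime's own initialisation before main() ever runs (the SEGV in `_dl_get_tls_static_info` under `__asan::AsanInitInternal`). The following is an added example, not part of the bug thread or of the clang package, that parses both report shapes and classifies them. The two sample reports are constructed from the outputs quoted above, abridged and with the wrapped lines re-joined; the class, function and category names are my own.

```python
"""Classify AddressSanitizer output: genuine memory-safety finding vs. a crash
inside the sanitizer runtime itself (e.g. during AsanInitInternal)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the i386 runtime crash from the bug report (abridged, lines re-joined).
RUNTIME_CRASH = """AddressSanitizer:DEADLYSIGNAL
=================================================================
==7617==ERROR: AddressSanitizer: SEGV on unknown address 0xf7ee9430 (pc 0xf7ee9444 bp 0xff9c367c sp 0xff9c363c T16777215)
==7617==The signal is caused by a WRITE memory access.
    #0 0xf7ee9443 in _dl_get_tls_static_info (/lib/ld-linux.so.2+0x12443)
    #1 0x8159e89 in __sanitizer::InitTlsSize() (/home/jwilk/hello+0x8159e89)
    #2 0x813ed32 in __asan::AsanInitInternal() [clone .part.3] (/home/jwilk/hello+0x813ed32)
    #3 0xf7ee6eda (/lib/ld-linux.so.2+0xfeda)
SUMMARY: AddressSanitizer: SEGV (/lib/ld-linux.so.2+0x12443) in _dl_get_tls_static_info
==7617==ABORTING
"""

# Constructed sample: the expected heap-use-after-free report from the reply (abridged).
UAF_REPORT = """=================================================================
==20597==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000025 at pc 0x0000005156d1 bp 0x7ffd2d0ef200 sp 0x7ffd2d0ef1f8
READ of size 1 at 0x607000000025 thread T0
    #0 0x5156d0 in main /tmp/foo.c:5:10
    #1 0x7fda04fbaa86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #2 0x41d339 in _start (/tmp/foo+0x41d339)
0x607000000025 is located 5 bytes inside of 80-byte region [0x607000000020,0x607000000070)
freed by thread T0 here:
    #0 0x4e1f40 in __interceptor_free.localalias.0 (/tmp/foo+0x4e1f40)
    #1 0x5156a5 in main /tmp/foo.c:4:3
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/foo.c:5:10 in main
==20597==ABORTING
"""

@dataclass
class AsanReport:
    pid: int
    kind: str                       # "heap-use-after-free", "SEGV", ...
    address: str                    # faulting address from the ERROR line
    access: Optional[str] = None    # "READ of size 1" when ASan reports it
    frames: List[str] = field(default_factory=list)  # symbols of the faulting stack only
    location: Optional[str] = None  # source location or module+offset from SUMMARY
    category: str = "unknown"

_ERROR = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
_FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+(?:\s+in\s+(\S+))?")
_SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (.+?) in \S+$")

# Symbols that belong to the sanitizer runtime itself; a SEGV with these on the
# faulting stack means ASan never finished initialising, not that the program is buggy.
RUNTIME_MARKERS = ("AsanInitInternal", "__sanitizer::")

def classify(report: AsanReport) -> str:
    if report.kind == "SEGV":
        if any(marker in f for f in report.frames for marker in RUNTIME_MARKERS):
            return "sanitizer-runtime-init-crash"
        return "segv-in-program"
    return "memory-safety-finding"

def parse_asan_report(text: str) -> AsanReport:
    report = None
    in_first_stack = False
    for line in text.splitlines():
        m = _ERROR.match(line)
        if m and report is None:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=m.group(3))
            continue
        if report is None:
            continue  # banner lines before the ERROR line
        m = _ACCESS.match(line)
        if m and report.access is None:
            report.access = f"{m.group(1)} of size {m.group(2)}"
            continue
        m = _FRAME.match(line)
        if m:
            # Keep only the first stack (the faulting access); the free/alloc
            # stacks that follow in a UAF report are not where the fault occurred.
            if in_first_stack or not report.frames:
                in_first_stack = True
                report.frames.append(m.group(2) or "<unsymbolized>")
            continue
        in_first_stack = False  # any non-frame line ends the first stack
        m = _SUMMARY.match(line)
        if m:
            report.location = m.group(1)
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    report.category = classify(report)
    return report

if __name__ == "__main__":
    for sample in (RUNTIME_CRASH, UAF_REPORT):
        r = parse_asan_report(sample)
        print(r.category, r.kind, r.address, r.frames[0], r.location)
```

The classifier mirrors the check made in the reply above: a program known to contain a use-after-free is the quickest way to confirm whether the runtime works at all on a given host, and a SEGV whose faulting stack sits inside `__asan::`/`__sanitizer::` initialisation points at the toolchain or libc pairing rather than at the program under test.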