Bug#961510: clang -sanitize=fuzzer crashes on FMV from shared library

David Kalnischkies david at kalnischkies.de
Mon May 25 13:59:53 BST 2020


Package: clang
Version: 1:9.0-49.1
Severity: normal


Hi,

(I guess that is either me doing something wrong or an upstream bug,
but I can't test non-debian clang versions and have no account for
reporting upstream anyhow nor a good idea where it belongs, so I would
appreciate if you could test this and/or pass on)


Given a shared library with function multi-versioning I want to fuzz
with libFuzzer, the compilation seems fine (except a strange unused
warning), but the fuzzer crashes instantly:

$ CXX=clang++ ../reproducer.sh
| + clang++ -Wall -Wextra -fsanitize=fuzzer-no-link -fPIC -c foobar.cc
| foobar.cc:3:46: warning: unused function 'bar_impl' [-Wunused-function]
| __attribute__((target("sse4.2"))) static int bar_impl() { return 1; }
|                                              ^
| 1 warning generated.
| + clang++ -Wall -Wextra -shared -o libfoobar.so foobar.o
| + clang++ -Wall -Wextra -fsanitize=fuzzer fuzzer.cc -L. -lfoobar -o fuzzer
| + LD_LIBRARY_PATH=. ./fuzzer
| Segmentation fault (core dumped)


The backtrace is:
| #0  0x0000000000001036 in ?? ()
| #1  0x00007f9dce37983f in bar_impl() [clone .resolver] () from ./libfoobar.so
| #2  0x00007f9dce5893da in elf_machine_rela (skip_ifunc=<optimized out>, reloc_addr_arg=0x7f9dce37bfd8, version=<optimized out>, sym=<optimized out>, reloc=0x7f9dce378888, map=0x7f9dce54a4f0) at ../sysdeps/x86_64/dl-machine.h:330
| #3  elf_dynamic_do_Rela (skip_ifunc=<optimized out>, lazy=<optimized out>, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, map=0x7f9dce54a4f0) at do-rel.h:137
| #4  _dl_relocate_object (l=l at entry=0x7f9dce54a4f0, scope=<optimized out>, reloc_mode=<optimized out>, consider_profiling=<optimized out>, consider_profiling at entry=0) at dl-reloc.c:254
| #5  0x00007f9dce580d0a in dl_main (phdr=<optimized out>, phnum=<optimized out>, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2259
| #6  0x00007f9dce5957cf in _dl_sysdep_start (start_argptr=start_argptr at entry=0x7fff3a3edc00, dl_main=dl_main at entry=0x7f9dce57f3a0 <dl_main>) at ../elf/dl-sysdep.c:253
| #7  0x00007f9dce57ef04 in _dl_start_final (arg=0x7fff3a3edc00) at rtld.c:447
| #8  _dl_start (arg=0x7fff3a3edc00) at rtld.c:537
| #9  0x00007f9dce57e098 in _start () from /lib64/ld-linux-x86-64.so.2
| #10 0x0000000000000001 in ?? ()
| #11 0x00007fff3a3ef527 in ?? ()
| #12 0x0000000000000000 in ?? ()


The crash happens with clang versions 9 (1:9.0.1-12), 10 (1:10.0.0-4) &
11 (1:11~++20200411120955+c65e6079fc9-1~exp1). Note that bar_impl() or
bar() is not even called in the fuzzer.


clang-11 has gained the option -fsanitize-coverage-blacklist which
I found and tried on a whim and gives me the expected result:

$ cat ../blacklist.txt
| fun:*.resolver
$ CXX=clang++-11 CXXFLAGS="-fsanitize-coverage-blacklist=../blacklist.txt" ../reproducer.sh
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -fsanitize=fuzzer-no-link -fPIC -c foobar.cc
| foobar.cc:3:46: warning: unused function 'bar_impl' [-Wunused-function]
| __attribute__((target("sse4.2"))) static int bar_impl() { return 1; }
|                                              ^
| 1 warning generated.
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -shared -o libfoobar.so foobar.o
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -fsanitize=fuzzer fuzzer.cc -L. -lfoobar -o fuzzer
| + LD_LIBRARY_PATH=. ./fuzzer
[…]
| fuzzer: fuzzer.cc:8: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `foo() == 2' failed.
[…]

(The existing -fsanitize-blacklist option did not have an effect.)


Attached is the reproducer.sh script I was using here.


Best regards

David Kalnischkies
Attachment: reproducer.sh (application/x-sh, 750 bytes)
URL: <http://alioth-lists.debian.net/pipermail/pkg-llvm-team/attachments/20200525/35c7fedd/attachment.sh>
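The reproducer.sh attachment is scrubbed from the archive, so the following is an added reconstruction of the two sources it builds, not the reporter's script. It is assembled from what the report does show (bar_impl with target("sse4.2") at foobar.cc:3:46, `foo() == 2` asserted at fuzzer.cc:8, bar()/bar_impl() never called by the fuzzer); the bodies of foo() and bar(), the default version of bar_impl() and the non-x86 fallback are assumptions. Both translation units are merged into one file so it compiles stand-alone.

```cpp
// Added reconstruction of foobar.cc (built into libfoobar.so with
// -fsanitize=fuzzer-no-link -fPIC) and fuzzer.cc (linked with -fsanitize=fuzzer),
// merged into one translation unit. Not the scrubbed reproducer.sh; the bodies of
// foo(), bar() and the default bar_impl() are assumptions chosen to match the
// report (bar_impl at foobar.cc:3:46, `foo() == 2` asserted at fuzzer.cc:8).
#include <cassert>
#include <cstddef>
#include <cstdint>

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
// ---- foobar.cc: the shared library ----
// Two target-attributed versions of one function are function multi-versioning:
// the compiler emits bar_impl as an ELF IFUNC whose resolver (shown in the
// backtrace as `bar_impl() [clone .resolver]`) the dynamic loader runs while
// relocating libfoobar.so, i.e. before any constructor in the library and before
// the fuzzer binary's sanitizer runtime has been set up. With
// -fsanitize=fuzzer-no-link that resolver is instrumented like any other function,
// which is why the fuzzer crashes although nothing ever calls bar() or bar_impl().
__attribute__((target("default"))) static int bar_impl() { return 0; }
__attribute__((target("sse4.2"))) static int bar_impl() { return 1; }
#else
// Assumption: on targets without x86 function multi-versioning fall back to a
// plain function so the file still builds; no IFUNC resolver exists here.
static int bar_impl() { return 0; }
#endif

int bar() { return bar_impl(); }   // dispatched through the IFUNC-resolved symbol
int foo() { return 2; }            // the only library function the fuzzer calls

// ---- fuzzer.cc: the libFuzzer target ----
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)data;
    (void)size;
    assert(foo() == 2);   // neither bar() nor bar_impl() is on this path
    return 0;
}
```

Built as two files with the commands quoted in the report, `readelf -r libfoobar.so | grep IRELATIV` confirms the relocation that makes the loader run the resolver, and disassembling the resolver shows whether it carries sanitizer-coverage instrumentation; with the `fun:*.resolver` entry in the -fsanitize-coverage-blacklist file it should not, which is consistent with the fuzzer then reaching the assertion in LLVMFuzzerTestOneInput instead of segfaulting.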