This is an archive of the discontinued LLVM Phabricator instance.

Differential D115919

SIGSEGV in Sanitizer INTERCEPTOR of strstr function.
AcceptedPublic

Authored by RitanyaB on Dec 17 2021, 12:06 AM.

Details

Reviewers
dreachem
protze.joachim
vitalybuka
Commits
rG685c94c6cbba: SIGSEGV in Sanitizer INTERCEPTOR of strstr function.
Summary

This is a segmentation fault in INTERCEPTOR function on a special edge
case of strstr libc call. When 'Haystack'(main string to be examined) is
NULL and 'needle'(sub-string to be searched in 'Haystack') is an empty
string then it hits a SEGV while using sanitizers and as a 'string not
found' case otherwise.

Diff Detail

Unit TestsFailed

TimeTest
90 msx64 debian > LLVM.Bindings/Go::go.test

Event Timeline

RitanyaB created this revision.Dec 17 2021, 12:06 AM
Herald added a subscriber: pengfei. · View Herald TranscriptDec 17 2021, 12:06 AM
RitanyaB requested review of this revision.Dec 17 2021, 12:06 AM
Herald added a subscriber: Restricted Project. · View Herald TranscriptDec 17 2021, 12:06 AM
vitalybuka added a reviewer: vitalybuka.Dec 17 2021, 12:27 AM
vitalybuka added a subscriber: vitalybuka.

Nice find!

Can you please extend llvm-project/compiler-rt/test/sanitizer_common/TestCases/strstr.c

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
594

Could you fix instead internal_strstr and StrstrCheck?

Harbormaster completed remote builds in B139793: Diff 394804.Dec 17 2021, 12:27 AM
soumitra added a subscriber: soumitra.Dec 17 2021, 12:43 AM
RitanyaB updated this revision to Diff 395810.Dec 22 2021, 3:33 AM
RitanyaB edited the summary of this revision. (Show Details)
In D115919#3199280, @vitalybuka wrote:

Nice find!

Can you please extend llvm-project/compiler-rt/test/sanitizer_common/TestCases/strstr.c

I have added the fix to internal_strstr and extended the test case well. In libc's implementation of strstr, the empty needle string check is done at the very beginning and returns haystack if true. In accordance to that, I have added the fix in INTERCEPTOR for an early check rather than StrstrCheck where string length is being calculated. Fixing StrstrCheck would require changing the behavior of internal_strlen and that would not be consistent with the behavior of libc's implementation of strlen.

Harbormaster completed remote builds in B140372: Diff 395810.Dec 22 2021, 3:51 AM
vitalybuka updated this revision to Diff 395943.Dec 22 2021, 4:11 PM
vitalybuka edited the summary of this revision. (Show Details)

update

vitalybuka accepted this revision.Dec 22 2021, 4:12 PM
vitalybuka edited the summary of this revision. (Show Details)
vitalybuka edited the summary of this revision. (Show Details)

hm, according to this it's Undefined Behavior
Sanitizer should probably crash in this case, at least with strict_string_checks
https://en.cppreference.com/w/c/string/byte/strstr

If this version is OK, I will land it?

compiler-rt/test/sanitizer_common/TestCases/strstr.c
2

why this one is here?

This revision is now accepted and ready to land.Dec 22 2021, 4:13 PM
Harbormaster completed remote builds in B140453: Diff 395943.Dec 22 2021, 4:38 PM
soumitra added a comment.Dec 22 2021, 8:07 PM
In D115919#3207280, @vitalybuka wrote:

hm, according to this it's Undefined Behavior
Sanitizer should probably crash in this case, at least with strict_string_checks
https://en.cppreference.com/w/c/string/byte/strstr

Instead, why should the sanitizer not diagnose the use of undefined behavior?
It would be good for the sanitizer to emit a diagnostic about "undefined behavior" (probably a warning). Code that leads to undefined behavior is generally not portable and is a bad programing practice that should be avoided.

soumitra added inline comments.Dec 22 2021, 9:19 PM
compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp
221–223

Isn't checking for needle[0] efficient than calling a function?
It also matches the corresponding implementation in glibc.

vitalybuka added a comment.Dec 22 2021, 10:50 PM
In D115919#3207475, @soumitra wrote:
In D115919#3207280, @vitalybuka wrote:

hm, according to this it's Undefined Behavior
Sanitizer should probably crash in this case, at least with strict_string_checks
https://en.cppreference.com/w/c/string/byte/strstr

Instead, why should the sanitizer not diagnose the use of undefined behavior?
It would be good for the sanitizer to emit a diagnostic about "undefined behavior" (probably a warning). Code that leads to undefined behavior is generally not portable and is a bad programing practice that should be avoided.

SEGV in this case should be straightforward
but if we check here but not in the rest of COMMON_INTERCEPTOR_READ_STRING usage, it will be inconsistent

compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp
221–223

most likely case is != 0 and internal_strlen is going to be inlined anyway producing same code

RitanyaB added a comment.Jan 3 2022, 10:14 PM
In D115919#3207280, @vitalybuka wrote:

hm, according to this it's Undefined Behavior
Sanitizer should probably crash in this case, at least with strict_string_checks
https://en.cppreference.com/w/c/string/byte/strstr

If this version is OK, I will land it?

I verified the changes and it looks good to me. Please go ahead with the commit. Thanks.

This revision was landed with ongoing or failed builds.Jan 5 2022, 12:12 AM
Closed by commit rG685c94c6cbba: SIGSEGV in Sanitizer INTERCEPTOR of strstr function. (authored by RitanyaB, committed by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG685c94c6cbba: SIGSEGV in Sanitizer INTERCEPTOR of strstr function..
paulkirth added a subscriber: paulkirth.Jan 5 2022, 9:23 PM

Hi, we've noticed a breakage in Fuchsia's canaries for LLVM. This commit seems to be responsible, as it fails on the strstr.c tests or aarch64-linux.

It seems to affect all sanitizers in our build. Sorry this took so long to report, but other breakages hid this for most of the day.

If this is not easy to address, can you revert until a fix is ready?

Script:
--
: 'RUN: at line 1';      /b/s/w/ir/x/w/staging/llvm_build/./bin/clang  -gline-tables-only -fsanitize=address  --unwindlib=libunwind -static-libgcc -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta  -funwind-tables --sysroot=/b/s/w/ir/x/w/cipd/linux  -ldl /b/s/w/ir/x/w/llvm-project/compiler-rt/test/sanitizer_common/TestCases/strstr.c -o /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-aarch64-unknown-linux-gnu-bins/compiler-rt/test/sanitizer_common/asan-aarch64-Linux/Output/strstr.c.tmp &&  /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-aarch64-unknown-linux-gnu-bins/compiler-rt/test/sanitizer_common/asan-aarch64-Linux/Output/strstr.c.tmp 2>&1
--
Exit Code: 1

Command Output (stdout):
--
AddressSanitizer:DEADLYSIGNAL
=================================================================
==30792==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0xffff9ad9c328 bp 0xfffff746b950 sp 0xfffff746b950 T0)
==30792==The signal is caused by a READ memory access.
==30792==Hint: address points to the zero page.
libunwind: Unsupported .eh_frame_hdr version
    #0 0xffff9ad9c328 in strstr (/lib/aarch64-linux-gnu/libc.so.6+0x7c328) (BuildId: 53f40c1d2f3739ae017dcdcef1a17314786e3709)
    #1 0x26f8c8 in strstr ../staging/llvm_build/runtimes/runtimes-aarch64-unknown-linux-gnu-bins/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0xffff9ad406dc in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x206dc) (BuildId: 53f40c1d2f3739ae017dcdcef1a17314786e3709)
    #3 0x25a554 in _start (/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-aarch64-unknown-linux-gnu-bins/compiler-rt/test/sanitizer_common/asan-aarch64-Linux/Output/strstr.c.tmp+0x25a554) (BuildId: 5196c7df40b5e4c2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/aarch64-linux-gnu/libc.so.6+0x7c328) (BuildId: 53f40c1d2f3739ae017dcdcef1a17314786e3709) in strstr
==30792==ABORTING

--
vitalybuka reopened this revision.Jan 5 2022, 9:26 PM

I am going to revert and investigate tomorrow.

This revision is now accepted and ready to land.Jan 5 2022, 9:26 PM
vitalybuka added a reverting change: rG6396a4436145: Revert "SIGSEGV in Sanitizer INTERCEPTOR of strstr function.".Jan 5 2022, 9:28 PM
paulkirth added a comment.Jan 5 2022, 9:35 PM

filed https://github.com/llvm/llvm-project/issues/53031 to track

RitanyaB added a comment.Mar 23 2022, 3:02 AM
In D115919#3224323, @paulkirth wrote:

filed https://github.com/llvm/llvm-project/issues/53031 to track

Hi, any updates on the fix so far? Is there anything I can do to get this patch committed?

Herald added a project: Restricted Project. · View Herald TranscriptMar 23 2022, 3:02 AM
paulkirth added a comment.Mar 23 2022, 9:57 AM

Hi, I closed the issue on github, since we hadn't seen movement here or the issue show up at for a month. I was just reporting the breakage, and didn't investigate further after the revert. Maybe check with @vitalybuka if you need more support/information?

I think this should show up in any config when compiling w/ asan. So, AFICT just building for a Linux x64 target should reproduce the SEGV for you. The most important bit of Fuchsia's toolchain build is that we use a build a stage 2 compiler, so building clang, and using that just built clang + runtimes should give you something very close to our config if you're having trouble reproducing.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
10 lines
4 lines
test/
sanitizer_common/
TestCases/
4 lines

Diff 395943

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 569 Lines▼ Show 20 Lines
#else #else
#define INIT_STRCASECMP #define INIT_STRCASECMP
#define INIT_STRNCASECMP #define INIT_STRNCASECMP
#endif #endif
#if SANITIZER_INTERCEPT_STRSTR || SANITIZER_INTERCEPT_STRCASESTR #if SANITIZER_INTERCEPT_STRSTR || SANITIZER_INTERCEPT_STRCASESTR
static inline void StrstrCheck(void *ctx, char *r, const char *s1, static inline void StrstrCheck(void *ctx, char *r, const char *s1,
const char *s2) { const char *s2) {
uptr len1 = internal_strlen(s1);
uptr len2 = internal_strlen(s2); uptr len2 = internal_strlen(s2);
COMMON_INTERCEPTOR_READ_STRING(ctx, s1, r ? r - s1 + len2 : len1 + 1);
COMMON_INTERCEPTOR_READ_RANGE(ctx, s2, len2 + 1); COMMON_INTERCEPTOR_READ_RANGE(ctx, s2, len2 + 1);
if (len2 == 0 && !common_flags()->strict_string_checks)
return;
uptr len1 = internal_strlen(s1);
COMMON_INTERCEPTOR_READ_STRING(ctx, s1, r ? r - s1 + len2 : len1 + 1);
} }
#endif #endif
#if SANITIZER_INTERCEPT_STRSTR #if SANITIZER_INTERCEPT_STRSTR
DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strstr, uptr called_pc, DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strstr, uptr called_pc,
const char *s1, const char *s2, char *result) const char *s1, const char *s2, char *result)
INTERCEPTOR(char*, strstr, const char *s1, const char *s2) { INTERCEPTOR(char*, strstr, const char *s1, const char *s2) {
if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED) if (COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED)
return internal_strstr(s1, s2); return internal_strstr(s1, s2);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Could you fix instead internal_strstr and StrstrCheck?

vitalybuka: Could you fix instead internal_strstr and StrstrCheck?
void *ctx; void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, strstr, s1, s2); COMMON_INTERCEPTOR_ENTER(ctx, strstr, s1, s2);
char *r = REAL(strstr)(s1, s2); char *r = REAL(strstr)(s1, s2);
if (common_flags()->intercept_strstr) if (common_flags()->intercept_strstr)
StrstrCheck(ctx, r, s1, s2); StrstrCheck(ctx, r, s1, s2);
CALL_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strstr, GET_CALLER_PC(), s1, CALL_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_strstr, GET_CALLER_PC(), s1,
s2, r); s2, r);
return r; return r;
▲ Show 20 LinesShow All 9,934 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp

Show First 20 LinesShow All 211 Lines▼ Show 20 Lines
uptr internal_strnlen(const char *s, uptr maxlen) { uptr internal_strnlen(const char *s, uptr maxlen) {
uptr i = 0; uptr i = 0;
while (i < maxlen && s[i]) i++; while (i < maxlen && s[i]) i++;
return i; return i;
} }
char *internal_strstr(const char *haystack, const char *needle) { char *internal_strstr(const char *haystack, const char *needle) {
// This is O(N^2), but we are not using it in hot places. // This is O(N^2), but we are not using it in hot places.
uptr len1 = internal_strlen(haystack);
uptr len2 = internal_strlen(needle); uptr len2 = internal_strlen(needle);
if (len2 == 0)
return const_cast<char *>(haystack);
uptr len1 = internal_strlen(haystack);
soumitraUnsubmitted
Not Done
ReplyInline Actions

Isn't checking for needle[0] efficient than calling a function?
It also matches the corresponding implementation in glibc.

soumitra: Isn't checking for `needle[0]` efficient than calling a function? It also matches the…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

most likely case is != 0 and internal_strlen is going to be inlined anyway producing same code

vitalybuka: most likely case is != 0 and internal_strlen is going to be inlined anyway producing same code
if (len1 < len2) return nullptr; if (len1 < len2) return nullptr;
for (uptr pos = 0; pos <= len1 - len2; pos++) { for (uptr pos = 0; pos <= len1 - len2; pos++) {
if (internal_memcmp(haystack + pos, needle, len2) == 0) if (internal_memcmp(haystack + pos, needle, len2) == 0)
return const_cast<char *>(haystack) + pos; return const_cast<char *>(haystack) + pos;
} }
return nullptr; return nullptr;
} }
▲ Show 20 LinesShow All 63 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/strstr.c

// RUN: %clang %s -o %t && %run %t 2>&1 // RUN: %clang %s -o %t && %run %t 2>&1
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

why this one is here?

vitalybuka: why this one is here?
#include <assert.h> #include <assert.h>
#include <string.h> #include <string.h>
int main(int argc, char **argv) { int main(int argc, char **argv) {
char *r = 0; char *r = 0;
char s1[] = "ab"; char s1[] = "ab";
char s2[] = "b"; char s2[] = "b";
r = strstr(s1, s2); r = strstr(s1, s2);
assert(r == s1 + 1); assert(r == s1 + 1);
char *s3 = NULL;
char *s4 = "";
char *p = strstr(s3, s4);
assert(p == NULL);
return 0; return 0;
} }