<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Segmentation fault triggered by calling dlsym() with a null pointer in interceptor machinery" href="https://bugs.llvm.org/show_bug.cgi?id=49486">49486</a></td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Segmentation fault triggered by calling dlsym() with a null pointer in interceptor machinery
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>aanderso@tcd.ie
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>A segmentation fault is triggered when the compiler-rt calls dlsym() with a
null pointer at compiler-rt/lib/interception/interception_linux.cpp:42

Repro:

In a sanitizer, attempt to intercept calls to malloc like so:

INTERCEPTOR(void*, malloc, uptr size) {
  return REAL(malloc)(size);
}

At the point where we call INTERCEPT_FUNCTION(malloc), a segmentation fault is
triggered with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7e23c38 in ?? () from /usr/lib/libdl.so.2
#2  0x00007ffff7e23520 in dlsym () from /usr/lib/libdl.so.2
#3  0x0000000000409bd4 in GetFuncAddr () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/interception/interception_linux.cpp:42
#4  InterceptFunction () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/interception/interception_linux.cpp:61
#5  0x0000000000409392 in __gsan::InitializeInterceptors() () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/gsan/gsan_interceptors.cpp:536
#6  0x00000000004045a9 in __gsan_init () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/gsan/gsan.cpp:106
#7  0x00007ffff7fdbfce in _dl_init () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7fcd0ca in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#9  0x0000000000000001 in ?? ()
#10 0x00007fffffffea03 in ?? ()
#11 0x0000000000000000 in ?? ()

Upon inspection, it can be seen that the const char* name that GetFuncAddr() is
passed at compiler-rt/lib/interception/interception_linux.cpp:42 is null. This
is surprising, because the const char* "malloc" is not null.

Building with a checkout of main from the LLVM GitHub monorepo. I have not
touched anything in the compiler-rt, but I'm just trying to add my own
customized sanitizer. It is fairly simple, and just makes use of facilities
already present in the compiler-rt.</pre>
        </div>
      </p>
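The resolution path the backtrace walks (INTERCEPT_FUNCTION resolving REAL(malloc) by handing a name to dlsym() inside GetFuncAddr()), as an added C model that is not compiler-rt's own code: it shows why a null name must be rejected before it reaches dlsym(), and why an unresolved REAL() slot must fail rather than be called. The function names mirror the ones in the report; wrap_malloc, InitializeInterceptors and MallocCalls are hypothetical names, and RTLD_NEXT is assumed to have glibc's value.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdlib.h>

#ifndef RTLD_NEXT                     /* glibc's value, in case _GNU_SOURCE was set too late */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Simplified model of compiler-rt's GetFuncAddr(): the real one hands `name`
 * straight to dlsym(RTLD_NEXT, name). A null name reaching dlsym is what the
 * backtrace above shows, so this version refuses it and returns NULL instead. */
void *GetFuncAddr(const char *name) {
    if (name == NULL || name[0] == '\0')
        return NULL;                  /* never forward a null/empty name to dlsym */
    return dlsym(RTLD_NEXT, name);    /* NULL if no later object defines the symbol */
}

/* Slot that plays the role of REAL(malloc). */
typedef void *(*malloc_fn)(size_t);
static malloc_fn real_malloc;

/* Model of INTERCEPT_FUNCTION(): stores the resolved address into the REAL()
 * slot and reports failure (0) rather than crashing. */
int InterceptFunction(const char *name, void **real_slot) {
    void *addr = GetFuncAddr(name);
    if (addr == NULL)
        return 0;
    *real_slot = addr;
    return 1;
}

int InitializeInterceptors(void) {
    return InterceptFunction("malloc", (void **)&real_malloc);
}

/* Model of INTERCEPTOR(void*, malloc, uptr size): counts calls, then forwards
 * to the real allocator. Named wrap_malloc rather than malloc so this example
 * does not replace the process allocator (hypothetical name). */
static unsigned long malloc_calls;

void *wrap_malloc(size_t size) {
    if (real_malloc == NULL && !InitializeInterceptors())
        return NULL;                  /* REAL(malloc) unresolved: fail, do not jump to address 0 */
    malloc_calls++;
    return real_malloc(size);
}

unsigned long MallocCalls(void) { return malloc_calls; }
```

The crash in the report corresponds to GetFuncAddr() forwarding a null name; with the guard above the failure surfaces as a false return from InterceptFunction() instead of a SIGSEGV inside libdl.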


    </body>
</html>