[llvm-bugs] [Bug 49486] New: Segmentation fault triggered by calling dlsym() with a null pointer in interceptor machinery

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Mar 9 03:05:26 PST 2021 

https://bugs.llvm.org/show_bug.cgi?id=49486

            Bug ID: 49486
           Summary: Segmentation fault triggered by calling dlsym() with a
                    null pointer in interceptor machinery
           Product: compiler-rt
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: compiler-rt
          Assignee: unassignedbugs at nondot.org
          Reporter: aanderso at tcd.ie
                CC: llvm-bugs at lists.llvm.org

A segmentation fault is triggered when the compiler-rt calls dlsym() with a
null pointer at compiler-rt/lib/interception/interception_linux.cpp:42

Repro:

In a sanitizer, attempt to intercept calls to malloc like so:

INTERCEPTOR(void*, malloc, uptr size) {
  return REAL(malloc)(size);
}

At the point where we call INTERCEPT_FUNCTION(malloc), a segmentation fault is
triggered with the following backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff7e23c38 in ?? () from /usr/lib/libdl.so.2
#2  0x00007ffff7e23520 in dlsym () from /usr/lib/libdl.so.2
#3  0x0000000000409bd4 in GetFuncAddr () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/interception/interception_linux.cpp:42
#4  InterceptFunction () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/interception/interception_linux.cpp:61
#5  0x0000000000409392 in __gsan::InitializeInterceptors() () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/gsan/gsan_interceptors.cpp:536
#6  0x00000000004045a9 in __gsan_init () at
/home/andrew/Workspaces/asan-workspace/llvm-project-sanitizer-demo/compiler-rt/lib/gsan/gsan.cpp:106
#7  0x00007ffff7fdbfce in _dl_init () from /lib64/ld-linux-x86-64.so.2
#8  0x00007ffff7fcd0ca in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#9  0x0000000000000001 in ?? ()
#10 0x00007fffffffea03 in ?? ()
#11 0x0000000000000000 in ?? ()

Upon inspection, it can be seen that the const char* name that GetFuncAddr() is
passed at compiler-rt/lib/interception/interception_linux.cpp:42 is null. This
is surprising, because the const char* "malloc" is not null.

Building with a checkout of main from the LLVM github monorepo. I have not
touched anything in the compiler-rt, but I'm just trying to add my own
customized sanitizer. It is fairly simple, and just makes use of facilities
already present in the compiler-rt.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20210309/23795393/attachment.html>

More information about the llvm-bugs mailing list