
[compiler-rt] Android 8.1 getauxval(AT_PAGESZ) crashes if called from .preinit_array. #113427

@funsafe-ptr

Description


@fmayer This commit causes a crash in Android 8.1: c6049e6

Using the Termux environment:

~ $ cc --version
clang version 19.1.2
Target: aarch64-unknown-linux-android24
Thread model: posix
InstalledDir: /data/data/com.termux/files/usr/bin
~ $ curl -L https://android.googlesource.com/platform/prebuilts/clang/host/linux-x86/+/refs/heads/main/clang-r530567/lib/clang/19/lib/linux/libclang_rt.asan-aarch64-android.so?format=TEXT | base64 -d > libclang_rt.asan-aarch64-android.so
~ $ echo "int main(){}" | cc -x c - -fsanitize=address -Wl,-rpath,"./"; ./a.out
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
Segmentation fault
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) run
Process 8767 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
WARNING: linker: "/data/data/com.termux/files/home/libclang_rt.asan-aarch64-android.so" unused DT entry: type 0x70000001 arg 0x0
Process 8767 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb7cb67e8 <+8>:  ldr    x9, [x8]
    0x7fb7cb67ec <+12>: cbz    x9, 0x7fb7cb6804 ; <+36>
    0x7fb7cb67f0 <+16>: add    x8, x8, #0x10
    0x7fb7cb67f4 <+20>: cmp    x9, x0
(lldb) bt all
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x0000007fb7cb67e8 libc.so`getauxval + 8
    frame #1: 0x0000007fb782acb4 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() [inlined] GetPageSizeCached at sanitizer_common.h:72:22
    frame #2: 0x0000007fb782ac88 libclang_rt.asan-aarch64-android.so`::ReadFileToBuffer() at sanitizer_file.cpp:134:19
    frame #3: 0x0000007fb782fd0c libclang_rt.asan-aarch64-android.so`::ReadLongProcessName() at sanitizer_linux.cpp:1203:7
    frame #4: 0x0000007fb782a2e0 libclang_rt.asan-aarch64-android.so`::CacheBinaryName() [inlined] ReadProcessName at sanitizer_common.cpp:279:3
    frame #5: 0x0000007fb782a2cc libclang_rt.asan-aarch64-android.so`::CacheBinaryName() at sanitizer_common.cpp:298:3
    frame #6: 0x0000007fb78c489c libclang_rt.asan-aarch64-android.so`::AsanInitInternal() at asan_rtl.cpp:398:3
    frame #7: 0x0000007fb78c4adc libclang_rt.asan-aarch64-android.so`::TryAsanInitFromRtl() at asan_rtl.cpp:533:17
    frame #8: 0x0000007fb78685ac libclang_rt.asan-aarch64-android.so`::___interceptor_read() at sanitizer_common_interceptors.inc:972:3
    frame #9: 0x0000007fb7d35b30 libc.so`je_pages_boot + 92
    frame #10: 0x0000007fb7d34fdc libc.so`malloc_init_hard_a0_locked + 2940
    frame #11: 0x0000007fb7d330b0 libc.so`jemalloc_constructor + 348
    frame #12: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
    frame #13: 0x0000007fb7eb3610 linker64`__dl__ZN6soinfo17call_constructorsEv + 400
    frame #14: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #15: 0x0000007fb7eb3508 linker64`__dl__ZN6soinfo17call_constructorsEv + 136
    frame #16: 0x0000007fb7eaedf4 linker64`__dl___linker_init + 3192
    frame #17: 0x0000007fb7eb5bf4 linker64`__dl__start + 8

Root cause: getauxval(AT_PAGESZ) crashes if called from .preinit_array.

~ $ echo $'#include <sys/auxv.h>\nstatic void a() {getauxval(AT_PAGESZ);} void (*preinit[])()__attribute((section(".preinit_array")))={&a};int main(){}' | cc -x c -;./a.out
Segmentation fault
(lldb) target create "./a.out"
Current executable set to '/data/data/com.termux/files/home/a.out' (aarch64).
(lldb) run
Process 28871 launched: '/data/data/com.termux/files/home/a.out' (aarch64)
Process 28871 stopped
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
    frame #0: 0x0000007fb7cbe7e8 libc.so`getauxval + 8
libc.so`getauxval:
->  0x7fb7cbe7e8 <+8>:  ldr    x9, [x8]
    0x7fb7cbe7ec <+12>: cbz    x9, 0x7fb7cbe804 ; <+36>
    0x7fb7cbe7f0 <+16>: add    x8, x8, #0x10
    0x7fb7cbe7f4 <+20>: cmp    x9, x0
(lldb) bt
* thread #1, name = 'a.out', stop reason = signal SIGSEGV: address not mapped to object (fault address: 0x0)
  * frame #0: 0x0000007fb7cbe7e8 libc.so`getauxval + 8
    frame #1: 0x00000055555597a8 a.out`a + 16
    frame #2: 0x0000007fb7eb33e4 linker64`__dl__ZL10call_arrayIPFviPPcS1_EEvPKcPT_mbS5_ + 284
    frame #3: 0x0000007fb7eaede4 linker64`__dl___linker_init + 3176
    frame #4: 0x0000007fb7eb5bf4 linker64`__dl__start + 8
(lldb) 
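An added example, not code from the issue or from compiler-rt: a page-size lookup that never calls getauxval(), so it has nothing to dereference before libc has finished initialising. It reads the kernel's auxiliary vector from /proc/self/auxv with plain open/read/close and scans it for AT_PAGESZ, handling a truncated or unterminated vector; it assumes a Linux-style /proc is mounted (the reporter's Android 8.1 has one).

```c
/* Added example; not from the issue report or compiler-rt. Reads AT_PAGESZ
 * from /proc/self/auxv, the raw auxiliary vector the kernel handed to the
 * process: (type, value) pairs of native words, terminated by AT_NULL. It
 * never goes through getauxval(), whose NULL read at +8 is what the report's
 * backtrace shows during .preinit_array. Assumes /proc is mounted. */
#include <elf.h>      /* AT_NULL, AT_PAGESZ */
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Scan a raw auxv image for `type`. Returns 1 and stores the value in *out,
 * or 0 when the entry is absent, the vector is unterminated, or the trailing
 * entry is cut off. memcpy avoids alignment assumptions about buf. */
static int auxv_lookup(const unsigned char *buf, size_t len,
                       unsigned long type, unsigned long *out)
{
    const size_t entry = 2 * sizeof(unsigned long);
    for (size_t off = 0; off + entry <= len; off += entry) {
        unsigned long key, val;
        memcpy(&key, buf + off, sizeof key);
        memcpy(&val, buf + off + sizeof key, sizeof val);
        if (key == AT_NULL)
            return 0;             /* hit the terminator: entry not present */
        if (key == type) {
            *out = val;
            return 1;
        }
    }
    return 0;                     /* ran off the end without AT_NULL */
}

/* Page size as the kernel reported it, via open/read/close only (thin syscall
 * wrappers), so it is usable from early constructors. Returns 0 on failure. */
static unsigned long page_size_from_proc(void)
{
    unsigned char buf[1024];      /* auxv is a few dozen entries at most */
    size_t len = 0;
    unsigned long pagesz = 0;
    int fd = open("/proc/self/auxv", O_RDONLY);
    if (fd < 0)
        return 0;
    while (len < sizeof buf) {
        ssize_t n = read(fd, buf + len, sizeof buf - len);
        if (n <= 0)
            break;
        len += (size_t)n;
    }
    close(fd);
    return auxv_lookup(buf, len, AT_PAGESZ, &pagesz) ? pagesz : 0;
}
```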

Labels: compiler-rt:asan, crash