AddressSanitizer: SEGV on unknown address

[p1ngfl0yd]

Hi Team,

Summary

While fuzzing check using clang 6.0 with ASAN multiple segfaults were observed in check_run.c, check_check_master.c and check_check_main.c.

Vulnerable code from check_run.c:

    {
        setpgid(0, 0);
        group_pid = getpgrp();
        tr = tcase_run_checked_setup(sr, tc);
        free(tr);
        clock_gettime(check_get_clockid(), &ts_start);
        tcase_fn_start(tfun->ttest->name, tfun->ttest->file, tfun->ttest->line);
        tfun->ttest->fn(i);
        clock_gettime(check_get_clockid(), &ts_end);
        tcase_run_checked_teardown(tc);
        send_duration_info(DIFF_IN_USEC(ts_start, ts_end));
        exit(EXIT_SUCCESS);
}

Vulnerable code from check_check_master.c:

{
  Suite *s = make_sub_suite();
  SRunner *sr = srunner_create(s);

  init_signal_strings();

  /*
   * Create files that will contain the test names and line numbers of the failures
   * in check_check_sub.c, as they occur.
   */
#if !HAVE_MKSTEMP
  test_names_file_name = tempnam(NULL, "check_test_names_");
  test_names_file = fopen(test_names_file_name, "w+b");
  line_num_failures_file_name = tempnam(NULL, "check_error_linenums_");
  line_num_failures = fopen(line_num_failures_file_name, "w+b");
#else
  test_names_file_name = strdup("check_test_names__XXXXXX");
  assert(test_names_file_name != NULL && "strdup() failed");
  test_names_file = fdopen(mkstemp(test_names_file_name), "w+b");
  line_num_failures_file_name = strdup("check_error_linenums_XXXXXX");
  assert(line_num_failures_file_name != NULL && "strdup() failed");
  line_num_failures = fdopen(mkstemp(line_num_failures_file_name), "w+b");
#endif

  srunner_add_suite(sr, make_sub2_suite());

  srunner_run_all(sr, CK_VERBOSE);
  tr_fail_array = srunner_failures(sr);
  tr_all_array = srunner_results(sr);
  sub_nfailed = srunner_ntests_failed(sr);
  sub_ntests = srunner_ntests_run(sr);
}

Vulnerable code from check_check_main.c:

{
  int n;
  SRunner *sr;

  fork_setup();
  setup_fixture();
  setup();

  sr = srunner_create (make_master_suite());
  srunner_add_suite(sr, make_list_suite());
  srunner_add_suite(sr, make_msg_suite());
  srunner_add_suite(sr, make_log_suite());
  srunner_add_suite(sr, make_log_internal_suite());
  srunner_add_suite(sr, make_limit_suite());
  srunner_add_suite(sr, make_fork_suite());
  srunner_add_suite(sr, make_fixture_suite());
  srunner_add_suite(sr, make_pack_suite());
  srunner_add_suite(sr, make_tag_suite());

#if defined(HAVE_FORK) && HAVE_FORK==1
  srunner_add_suite(sr, make_exit_suite());
#endif

  srunner_add_suite(sr, make_selective_suite());
  
  printf ("Ran %d tests in subordinate suite\n", sub_ntests);
  srunner_run_all (sr, CK_VERBOSE);
  cleanup();
  fork_teardown();
  teardown_fixture();
  n = srunner_ntests_failed(sr);
  srunner_free(sr);
  return (n == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

Output from ASAN:

zubin@UbuntuVM:~/check/tests$ ./check_check
Running suite(s): Fork Sub
100%: Checks: 3, Failures: 0, Errors: 0
check_check_fork.c:38:P:Core:test_inc:0: Passed
check_check_fork.c:47:P:Core:test_nofork_sideeffects:0: Passed
check_check_fork.c:54:P:Core:test_nofork_pid:0: Passed
Running suite(s): Fix Sub
0%: Checks: 1, Failures: 1, Errors: 0
check_check_fixture.c:36:S:Fix Sub:unchecked_setup:0: Test failure in fixture
Running suite(s): Check Servant
ASAN:DEADLYSIGNAL
=================================================================
==103002==ERROR: AddressSanitizer: SEGV on unknown address 0x03e80001925a (pc 0x7fde7a5ae727 bp 0x7ffd2fff3c30 sp 0x7ffd2fff38a0 T0)
==103002==The signal is caused by a READ memory access.
    #0 0x7fde7a5ae726 in gsignal (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726)
    #1 0x544ecc in tcase_run_tfun_fork /home/zubin/check/src/check_run.c:496:9
    #2 0x544ecc in srunner_iterate_tcase_tfuns /home/zubin/check/src/check_run.c:252
    #3 0x544ecc in srunner_run_tcase /home/zubin/check/src/check_run.c:401
    #4 0x544ecc in srunner_iterate_suites /home/zubin/check/src/check_run.c:218
    #5 0x544ecc in srunner_run_tagged /home/zubin/check/src/check_run.c:813
    #6 0x51dfd4 in setup /home/zubin/check/tests/check_check_master.c:865:3
    #7 0x5340f4 in main /home/zubin/check/tests/check_check_main.c:35:3
    #8 0x7fde79db0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41d169 in _start (/home/zubin/check/tests/check_check+0x41d169)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726) in gsignal
==103002==ABORTING
ASAN:DEADLYSIGNAL
=================================================================
==103004==ERROR: AddressSanitizer: SEGV on unknown address 0x03e80001925c (pc 0x7fde7a5ae727 bp 0x7ffd2fff3c30 sp 0x7ffd2fff38a0 T0)
==103004==The signal is caused by a READ memory access.
    #0 0x7fde7a5ae726 in gsignal (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726)
    #1 0x544ecc in tcase_run_tfun_fork /home/zubin/check/src/check_run.c:496:9
    #2 0x544ecc in srunner_iterate_tcase_tfuns /home/zubin/check/src/check_run.c:252
    #3 0x544ecc in srunner_run_tcase /home/zubin/check/src/check_run.c:401
    #4 0x544ecc in srunner_iterate_suites /home/zubin/check/src/check_run.c:218
    #5 0x544ecc in srunner_run_tagged /home/zubin/check/src/check_run.c:813
    #6 0x51dfd4 in setup /home/zubin/check/tests/check_check_master.c:865:3
    #7 0x5340f4 in main /home/zubin/check/tests/check_check_main.c:35:3
    #8 0x7fde79db0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41d169 in _start (/home/zubin/check/tests/check_check+0x41d169)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726) in gsignal
==103004==ABORTING
ASAN:DEADLYSIGNAL
=================================================================
==103006==ERROR: AddressSanitizer: SEGV on unknown address 0x03e80001925e (pc 0x7fde7a5ae727 bp 0x7ffd2fff3c30 sp 0x7ffd2fff38a0 T0)
==103006==The signal is caused by a READ memory access.
    #0 0x7fde7a5ae726 in gsignal (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726)
    #1 0x544ecc in tcase_run_tfun_fork /home/zubin/check/src/check_run.c:496:9
    #2 0x544ecc in srunner_iterate_tcase_tfuns /home/zubin/check/src/check_run.c:252
    #3 0x544ecc in srunner_run_tcase /home/zubin/check/src/check_run.c:401
    #4 0x544ecc in srunner_iterate_suites /home/zubin/check/src/check_run.c:218
    #5 0x544ecc in srunner_run_tagged /home/zubin/check/src/check_run.c:813
    #6 0x51dfd4 in setup /home/zubin/check/tests/check_check_master.c:865:3
    #7 0x5340f4 in main /home/zubin/check/tests/check_check_main.c:35:3
    #8 0x7fde79db0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41d169 in _start (/home/zubin/check/tests/check_check+0x41d169)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726) in gsignal
==103006==ABORTING
ASAN:DEADLYSIGNAL
=================================================================
==103011==ERROR: AddressSanitizer: FPE on unknown address 0x03e800019263 (pc 0x7fde7a5ae727 bp 0x7ffd2fff3c30 sp 0x7ffd2fff38a0 T0)
    #0 0x7fde7a5ae726 in gsignal (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726)
    #1 0x544ecc in tcase_run_tfun_fork /home/zubin/check/src/check_run.c:496:9
    #2 0x544ecc in srunner_iterate_tcase_tfuns /home/zubin/check/src/check_run.c:252
    #3 0x544ecc in srunner_run_tcase /home/zubin/check/src/check_run.c:401
    #4 0x544ecc in srunner_iterate_suites /home/zubin/check/src/check_run.c:218
    #5 0x544ecc in srunner_run_tagged /home/zubin/check/src/check_run.c:813
    #6 0x51dfd4 in setup /home/zubin/check/tests/check_check_master.c:865:3
    #7 0x5340f4 in main /home/zubin/check/tests/check_check_main.c:35:3
    #8 0x7fde79db0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #9 0x41d169 in _start (/home/zubin/check/tests/check_check+0x41d169)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726) in gsignal
==103011==ABORTING
ASAN:DEADLYSIGNAL
=================================================================
==103013==ERROR: AddressSanitizer: FPE on unknown address 0x03e800019265 (pc 0x7fde7a5ae727 bp 0x7ffd2fff3c30 sp 0x7ffd2fff3890 T0)
    #0 0x7fde7a5ae726 in gsignal (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726)
    #1 0x51c7a3 in test_mark_point_fn /home/zubin/check/tests/check_check_sub.c:2567:3
    #2 0x544ecc in tcase_run_tfun_fork /home/zubin/check/src/check_run.c:496:9
    #3 0x544ecc in srunner_iterate_tcase_tfuns /home/zubin/check/src/check_run.c:252
    #4 0x544ecc in srunner_run_tcase /home/zubin/check/src/check_run.c:401
    #5 0x544ecc in srunner_iterate_suites /home/zubin/check/src/check_run.c:218
    #6 0x544ecc in srunner_run_tagged /home/zubin/check/src/check_run.c:813
    #7 0x51dfd4 in setup /home/zubin/check/tests/check_check_master.c:865:3
    #8 0x5340f4 in main /home/zubin/check/tests/check_check_main.c:35:3
    #9 0x7fde79db0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d169 in _start (/home/zubin/check/tests/check_check+0x41d169)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/lib/x86_64-linux-gnu/libpthread.so.0+0x12726) in gsignal
==103013==ABORTING

Kindly requesting the team to have a look and validate.

Thanks.

[brarcher]

Thanks for running Check with Clang's ASAN and sharing the results.

As a part of Check's own tests there are several cases which intentionally raise SIGFPE (here and here) and SIGSEGV (here, here, and here) to verify that the behavior can be caught and reported. I do not think that the sanitizer output shows failures in Check itself, but instead show that some of Check's tests are intentionally doing bad things. The type and number of signals reported by ASAN is expected.

It is interesting that the ASAN reports show the state from the parent process observing the signal rather that the children which forked and caused the signal. Might the ASAN output from the forked children (which is where the tests run) not being captured or reported?