Is crash tested with AddressSanitizer? #44
----- Original Message -----
I'm using crash for parsing sym -l output, but it crashes with a segmentation fault.
So I tried to enable -fsanitize=address for the crash tool, but it reports the
double-free below during crash startup.
So is it possible for you to test crash with AddressSanitizer enabled?
I don't know how.
However, I'm more interested in why the double-free is happening.
It looks like it's associated with this recent ARM64 commit from [email protected],
which calls the get_kernel_config() utility function, which had never been used before:
commit a566cb7
Author: Dave Anderson <[email protected]>
Date: Thu Sep 19 15:29:27 2019 -0400
Determine the ARM64 SECTION_SIZE_BITS value using the following
order of precedence:
(1) from the VMCOREINFO data if it exists
(2) from the in-kernel configuration data if it exists
(3) the default value
([email protected])
It seems like it should be relatively straight forward to debug. Can you
take a look at the string-handling w/respect to get_kernel_config() and
arm64_get_section_size_bits()? I'm on holiday until next week, but upon
a quick glance, it appears that the free(string) should not be done here
in arm64_get_section_size_bits():
if ((string = pc->read_vmcoreinfo("NUMBER(SECTION_SIZE_BITS)"))) {
        machdep->section_size_bits = atol(string);
        free(string);
} else if (kt->ikconfig_flags & IKCONFIG_AVAIL) {
        if ((ret = get_kernel_config("CONFIG_MEMORY_HOTPLUG", NULL)) == IKCONFIG_Y) {
                if ((ret = get_kernel_config("CONFIG_HOTPLUG_SIZE_BITS", &string)) == IKCONFIG_STR) {
                        machdep->section_size_bits = atol(string);
============================>   free(string);
                }
        }
}
If you comment it out, does the problem go away?
Thanks,
Dave
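The ownership mix-up Dave points at, as an added example that is not crash's code: a config table whose lookup hands out borrowed pointers (the get_kernel_config() case, where the table frees its own strdup'd values on teardown) beside a lookup that hands out owned copies (the read_vmcoreinfo() case), and a caller that frees only the latter. All names (cfg_add, cfg_get_borrowed, cfg_get_owned, cfg_free_all, section_size_bits, demo_hotplug_path) and the 8-slot table are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict -std= modes */
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for crash's in-kernel config table (names hypothetical):
 * values are strdup'd once on load (cf. add_ikconfig_entry in the ASan report)
 * and freed once by the table's own teardown (cf. free_ikconfig). */
static const char *cfg_keys[8];
static char *cfg_vals[8];
static int cfg_count;

static void cfg_add(const char *key, const char *val) {
    cfg_keys[cfg_count] = key;
    cfg_vals[cfg_count++] = strdup(val);          /* the table owns this copy */
}

/* Borrowed result: a pointer INTO the table, so the caller must not free() it.
 * The free(string) in the CONFIG_HOTPLUG_SIZE_BITS branch broke this rule. */
static const char *cfg_get_borrowed(const char *key) {
    for (int i = 0; i < cfg_count; i++)
        if (strcmp(cfg_keys[i], key) == 0)
            return cfg_vals[i];
    return NULL;
}

/* Owned result (the read_vmcoreinfo() convention): a copy the caller must free(). */
static char *cfg_get_owned(const char *key) {
    const char *v = cfg_get_borrowed(key);
    return v ? strdup(v) : NULL;
}
static void cfg_free_all(void) {
    for (int i = 0; i < cfg_count; i++)
        free(cfg_vals[i]);       /* the 2nd free() if a caller freed it too */
    cfg_count = 0;
}

/* Caller honouring both conventions, vmcoreinfo first; -1 if neither exists. */
long section_size_bits(void) {
    char *owned = cfg_get_owned("NUMBER(SECTION_SIZE_BITS)");
    const char *borrowed = cfg_get_borrowed("CONFIG_HOTPLUG_SIZE_BITS");
    long bits = owned ? atol(owned) : borrowed ? atol(borrowed) : -1;
    free(owned);              /* correct: we own this copy; free(NULL) is a no-op */
    return bits;              /* no free(borrowed): cfg_free_all() will do that */
}
/* Constructed scenario: no vmcoreinfo entry, ikconfig gives 28 bits. */
long demo_hotplug_path(void) {
    cfg_add("CONFIG_HOTPLUG_SIZE_BITS", "28");
    long bits = section_size_bits();
    cfg_free_all();          /* every strdup'd value is freed exactly once */
    return bits;
}
```

Built with -fsanitize=address, adding a free(borrowed) in section_size_bits() reproduces the same "attempting double-free" report, with the second free() landing in cfg_free_all() just as it lands in free_ikconfig() above.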
Then I would strongly recommend you to enable it by default; it really can find bugs, especially these memory corruption bugs, for this great crash tool.
And yes, commenting the free line out fixes the double free.
https://github.com/google/sanitizers/wiki/AddressSanitizer is the description of -fsanitize=address. A pull request is here: #46. For the double free, I'm not sure if it will be the final fix, so I didn't upload the change.
Yes, it does look like it could be useful, but I don't think I will add it as a default. CFLAGS and LDFLAGS settings are done on the fly by configure.c each time "make" is entered, so manually modifying them directly in the Makefile is not how it all works. Maybe you could add them to CFLAGS.extra and LDFLAGS.extra and run "make".
I'm using crash for parsing sym -l output, but it crashes with a segmentation fault.
So I tried to enable -fsanitize=address for the crash tool, but it reports the double-free below during crash startup.
So is it possible for you to test crash with AddressSanitizer enabled?
Thanks
==13580==ERROR: AddressSanitizer: attempting double-free on 0x6020012fb630 in thread T0:
#0 0x7f9e6dc54187 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x107187)
#1 0x563f8540f7ea in free_ikconfig /home/jiangenj/workspace/github/crash/kernel.c:10188
#2 0x563f854109e0 in read_in_kernel_config /home/jiangenj/workspace/github/crash/kernel.c:10394
#3 0x563f8546d40b in restore_sanity /home/jiangenj/workspace/github/crash/cmdline.c:1223
#4 0x563f85470c82 in process_command_line /home/jiangenj/workspace/github/crash/cmdline.c:63
#5 0x563f8533acb4 in main_loop /home/jiangenj/workspace/github/crash/main.c:825
#6 0x563f8558edc2 in captured_command_loop /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/main.c:258
#7 0x563f8558d4c9 in catch_errors /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/exceptions.c:557
#8 0x563f8558fe85 in captured_main /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/main.c:1064
#9 0x563f8558d4c9 in catch_errors /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/exceptions.c:557
#10 0x563f85590220 in gdb_main /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/main.c:1079
#11 0x563f85590220 in gdb_main_entry /home/jiangenj/workspace/github/crash/gdb-7.6/gdb/main.c:1099
#12 0x563f85339296 in main /home/jiangenj/workspace/github/crash/main.c:707
#13 0x7f9e6d7c7bba in __libc_start_main ../csu/libc-start.c:308
#14 0x563f8533a2e9 in _start (/home/jiangenj/bin/crash-extensions/crash64+0x10c2e9)
0x6020012fb630 is located 0 bytes inside of 3-byte region [0x6020012fb630,0x6020012fb633)
freed by thread T0 here:
#0 0x7f9e6dc54187 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x107187)
#1 0x563f8543328c in arm64_get_section_size_bits /home/jiangenj/workspace/github/crash/arm64.c:1078
#2 0x563f8543328c in arm64_init /home/jiangenj/workspace/github/crash/arm64.c:378
previously allocated by thread T0 here:
#0 0x7f9e6dbdf0b5 in strdup (/lib/x86_64-linux-gnu/libasan.so.5+0x920b5)
#1 0x563f8540f231 in add_ikconfig_entry /home/jiangenj/workspace/github/crash/kernel.c:10140
#2 0x563f8540f49e in setup_ikconfig /home/jiangenj/workspace/github/crash/kernel.c:10160
#3 0x563f85410779 in read_in_kernel_config /home/jiangenj/workspace/github/crash/kernel.c:10380
#4 0x563f8540f9a4 in get_kernel_config /home/jiangenj/workspace/github/crash/kernel.c:10204
#5 0x563f85433ce1 in arm64_get_section_size_bits /home/jiangenj/workspace/github/crash/arm64.c:1075
#6 0x563f85433ce1 in arm64_init /home/jiangenj/workspace/github/crash/arm64.c:378
SUMMARY: AddressSanitizer: double-free (/lib/x86_64-linux-gnu/libasan.so.5+0x107187) in __interceptor_free
==13580==ABORTING