
Add complete trace with 3rd step for CVE-2022-39173 #265

Open
maxammann wants to merge 4 commits into base: main

Conversation

maxammann (Contributor)

No description provided.

@maxammann (Contributor, Author)

On this branch, executing this command either hangs or returns that ASan did not trigger:

cargo test -p tlspuffin --target x86_64-unknown-linux-gnu --features "wolfssl530,asan" tls::vulnerabilities::tests::test_seed_cve_2022_

The hang is weird. The fact that the complete trace is invalid and no crash is produced is fine.

@maxammann (Contributor, Author)

This is the hang in the child:

0x00007ffff75cd840 in ?? () from /usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so
(gdb) bt
#0  0x00007ffff75cd840 in ?? () from /usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so
#1  0x00007ffff75eb292 in ?? () from /usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so
#2  0x00007ffff75e7984 in ?? () from /usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so
#3  0x00007ffff7669437 in ?? () from /usr/lib/llvm-10/lib/clang/10.0.0/lib/linux/libclang_rt.asan-x86_64.so
#4  0x00007ffff75525a1 in __nptl_deallocate_tsd () at pthread_create.c:301
#5  0x00007ffff755362a in __nptl_deallocate_tsd () at pthread_create.c:256
#6  start_thread (arg=<optimized out>) at pthread_create.c:488
#7  0x00007ffff7321133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

@maxammann (Contributor, Author)

[Switching to process 240856]
0x00007ffff74c9a3a in __sanitizer::FutexWait(__sanitizer::atomic_uint32_t*, unsigned int) ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
(gdb) bt
#0  0x00007ffff74c9a3a in __sanitizer::FutexWait(__sanitizer::atomic_uint32_t*, unsigned int) ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#1  0x00007ffff74caeb2 in __sanitizer::Semaphore::Wait() ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#2  0x00007ffff74fa746 in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::GetFromAllocator(__sanitizer::AllocatorStats*, unsigned long, unsigned int*, unsigned long) () from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#3  0x00007ffff74fa7fd in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Refill(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::PerClass*, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#4  0x00007ffff74facf9 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >*, unsigned long, unsigned long) () from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#5  0x00007ffff74fb01a in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#6  0x00007ffff74f68e6 in __asan::asan_realloc(void*, unsigned long, __sanitizer::BufferedStackTrace*) ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#7  0x00007ffff759f46f in __interceptor_realloc.part.0 ()
   from /nix/store/572dbfdcc1zkzw96z6iw51i6p3q777qh-clang-wrapper-14.0.6/resource-root/lib/linux/libclang_rt.asan-x86_64.so
#8  0x000055555628085f in alloc::alloc::realloc () at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/alloc.rs:132
#9  alloc::alloc::Global::grow_impl (self=0x7ffff40f76f8, ptr=..., old_layout=..., new_layout=..., zeroed=false)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/alloc.rs:209
#10 0x0000555556280c20 in <alloc::alloc::Global as core::alloc::Allocator>::grow (self=0x7ffff40f76f8, ptr=..., old_layout=..., new_layout=...)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/alloc.rs:262
#11 0x000055555627fa06 in alloc::raw_vec::finish_grow (new_layout=..., current_memory=..., alloc=0x7ffff40f76f8)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/raw_vec.rs:466
#12 0x0000555555947f77 in alloc::raw_vec::RawVec<T,A>::grow_amortized (self=0x7ffff40f76f8, len=111, additional=1)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/raw_vec.rs:400
#13 0x000055555594d5d8 in alloc::raw_vec::RawVec<T,A>::reserve_for_push (self=0x7ffff40f76f8, len=111)
--Type <RET> for more, q to quit, c to continue without paging--
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/raw_vec.rs:298
#14 0x00005555559d5aba in alloc::vec::Vec<T,A>::push (self=0x7ffff40f76f8, value=...)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/vec/mod.rs:1840
#15 0x0000555555775152 in tlspuffin::tls::fn_impl::fn_fields::fn_append_cipher_suite (suites=0x60300001ed30, suite=0x6020002bbfd0)
    at tlspuffin/src/tls/./fn_fields.rs:200
#16 0x00005555556f10ea in core::ops::function::Fn::call () at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/ops/function.rs:79
#17 0x00005555557fe0c9 in <F as puffin::algebra::dynamic_function::DescribableFunction<(R,T1,T2)>>::make_dynamic::{{closure}} (args=0x7ffff40f7da8)
    at puffin/src/algebra/dynamic_function.rs:210
#18 0x0000555555e64457 in <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call (self=0x611000c5de40, args=...)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/alloc/src/boxed.rs:2002
#19 0x0000555555831b17 in core::ops::function::impls::<impl core::ops::function::Fn<A> for &F>::call (self=0x7ffff40f7e38, args=...)
    at /rustc/9eb3afe9ebe9c7d2b84b71002d44f4a0edac95e0/library/core/src/ops/function.rs:263
#20 0x00005555558a77b2 in puffin::algebra::term::Term<M>::evaluate (self=0x611000c5de00, context=0x7ffff40fd0b0) at puffin/src/algebra/term.rs:132

@maxammann (Contributor, Author)

Reported upstream here: llvm/llvm-project#63224


1 participant