public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/103930] New: asan intercepts fail if target library is only loaded (indirectly) through dlopen (e.g. plugin)
From: source at stbuehler dot de @ 2022-01-06 14:22 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103930

            Bug ID: 103930
           Summary: asan intercepts fail if target library is only loaded
                    (indirectly) through dlopen (e.g. plugin)
           Product: gcc
           Version: 11.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: source at stbuehler dot de
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

Basically two problems:

a) the crash output is completely useless
b) asan should either reload intercept on dlopen automatically or
   provide some way to trigger it

Demo: (also on https://github.com/stbuehler/asan-dlopen-intercepts-bug)

main.c:
> #include <dlfcn.h>
> #include <stdio.h>
> 
> typedef void (*run_fn)();
> 
> int main() {
>   void *plugin = dlopen("./plugin.so", RTLD_NOW|RTLD_GLOBAL);
>   run_fn fn = (run_fn) dlsym(plugin, "run");
>   printf("Found plugin run function: %p\n", fn);
>   (*fn)();
> }

plugin.c:
> #include <stdio.h>
> #include <crypt.h>
> 
> void run() {
>   char *crypted = crypt("des", "12tMnfw882VDQ");
>   printf("Crypt output: %s\n", crypted);
> }

Makefile:
> override CFLAGS := -Wall -O2 -ggdb -fsanitize=address -fno-omit-frame-pointer
> # override WORKAROUND := -lcrypt
> 
> all: plugin.so main
> clean:
>     rm -f plugin.so main
> .PHONY: all clean
> 
> plugin.so: plugin.c Makefile
>     gcc -shared -o $@ -lcrypt $(CFLAGS) $<
> 
> main: main.c Makefile
>     gcc -o $@ -ldl $(WORKAROUND) $(CFLAGS) $<

Fails with:

> $ ./main
> Found plugin run function: 0x7fa33ea3b1a0
> AddressSanitizer:DEADLYSIGNAL
> =================================================================
> ==208926==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7ffed844e1b0 sp 0x7ffed844e1a8 T0)
> ==208926==Hint: pc points to the zero page.
> ==208926==The signal is caused by a READ memory access.
> ==208926==Hint: address points to the zero page.
>     #0 0x0  (<unknown module>)
> 
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
> ==208926==ABORTING

Compiler:

> $ gcc -v
> Using built-in specs.
> COLLECT_GCC=gcc
> COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
> OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
> OFFLOAD_TARGET_DEFAULT=1
> Target: x86_64-linux-gnu
> Configured with: ../src/configure -v --with-pkgversion='Debian 11.2.0-13' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-KdLYb3/gcc-11-11.2.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-KdLYb3/gcc-11-11.2.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
> Thread model: posix
> Supported LTO compression algorithms: zlib zstd
> gcc version 11.2.0 (Debian 11.2.0-13)


* [Bug sanitizer/103930] asan intercepts fail if target library is only loaded (indirectly) through dlopen (e.g. plugin)
From: jengelh at inai dot de @ 2022-11-17 11:16 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103930

Jan Engelhardt <jengelh at inai dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rguenther at suse dot de

--- Comment #1 from Jan Engelhardt <jengelh at inai dot de> ---
gcc version 12.2.1 20221020 [revision 0aaef83351473e8f4eb774f8f999bbe87a4866d7] (SUSE Linux)

Thread 5 "a.out" hit Breakpoint 2, __interceptor_crypt (key=0x602000007050 "",
salt=0x60b000015800 "") at
../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:9981
9981    INTERCEPTOR(char *, crypt, char *key, char *salt) {
(gdb) n
9983      COMMON_INTERCEPTOR_ENTER(ctx, crypt, key, salt);
(gdb) 
9984      COMMON_INTERCEPTOR_READ_RANGE(ctx, key, internal_strlen(key) + 1);
(gdb) 
9985      COMMON_INTERCEPTOR_READ_RANGE(ctx, salt, internal_strlen(salt) + 1);
(gdb) 
9986      char *res = REAL(crypt)(key, salt);
(gdb) disas
…
=> 0x00007ffff7862cdd <+125>:   lea    -0x28(%rbp),%rsp
   0x00007ffff7862ce1 <+129>:   mov    %r12,%rsi
   0x00007ffff7862ce4 <+132>:   mov    %rbx,%rdi
   0x00007ffff7862ce7 <+135>:   pop    %rbx
   0x00007ffff7862ce8 <+136>:   pop    %r12
   0x00007ffff7862cea <+138>:   pop    %r13
   0x00007ffff7862cec <+140>:   pop    %r14
   0x00007ffff7862cee <+142>:   pop    %r15
   0x00007ffff7862cf0 <+144>:   pop    %rbp
   0x00007ffff7862cf1 <+145>:   jmp    *0xeade1(%rip)        # 0x7ffff794dad8
<_ZN14__interception10real_cryptE>
…
(gdb) p _ZN14__interception10real_cryptE
$1 = (crypt_type) 0x0

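The gdb session above ends with the interceptor's REAL() slot holding 0x0, so the tail `jmp` lands on the zero page. The following is an added example, not code from the bug report or from libsanitizer: it models eager resolution of a target symbol against the process's global scope (the state at sanitizer start-up, before any plugin is dlopen'ed) next to a lazy, fail-closed variant that re-resolves at call time and refuses to call a null pointer. The names `resolve_global`, `intercept_init` and `safe_crypt` are mine, and using `dlopen(NULL)`/`dlsym` as a stand-in for the sanitizer's internal lookup is an assumption.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Look a symbol up in the process's current global scope (dlopen(NULL)),
 * the way an interceptor locates its REAL() target. Returns NULL when no
 * object loaded so far provides it. */
void *resolve_global(const char *name) {
    void *self = dlopen(NULL, RTLD_NOW);
    if (self == NULL)
        return NULL;
    void *sym = dlsym(self, name);
    dlclose(self);
    return sym;
}

/* Stand-in for the __interception::real_crypt slot seen in gdb (assumed
 * behaviour): filled once at start-up, before any plugin is dlopen'ed. */
static crypt_fn real_crypt;

/* Eager resolution at "init": with libcrypt not yet mapped this stores NULL,
 * matching "$1 = (crypt_type) 0x0" in the gdb session. Returns 1 if resolved. */
int intercept_init(void) {
    real_crypt = (crypt_fn) resolve_global("crypt");
    return real_crypt != NULL;
}

/* Hardened wrapper: retry resolution at call time (libcrypt may have been
 * pulled in by a later dlopen) and fail closed instead of jumping through a
 * null pointer. Returns 0 on success, -1 if the target is still unresolved. */
int safe_crypt(const char *key, const char *salt, char **out) {
    *out = NULL;
    if (real_crypt == NULL)
        real_crypt = (crypt_fn) resolve_global("crypt");
    if (real_crypt == NULL)
        return -1;
    *out = real_crypt(key, salt);
    return 0;
}

int main(void) {
    char *res;
    intercept_init();
    if (safe_crypt("des", "12tMnfw882VDQ", &res) == 0)
        printf("Crypt output: %s\n", res);
    else
        printf("crypt not resolvable: no loaded object provides it\n");
    return 0;
}
```

Built without `-lcrypt` this reports the unresolved case cleanly instead of the SEGV at pc 0x0 shown in the report; linking `-lcrypt` (the report's WORKAROUND) makes the eager path succeed.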

* [Bug sanitizer/103930] asan intercepts fail if target library is only loaded (indirectly) through dlopen (e.g. plugin)
From: jengelh at inai dot de @ 2022-11-17 11:27 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103930

--- Comment #2 from Jan Engelhardt <jengelh at inai dot de> ---
Subissue a) "the crash output is completely useless" seems to have been
addressed in the past already; I observe in gcc 12 that

Found plugin run function: 0x7fecaa0e01a0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==75097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000000000 bp 0x7ffccfe3f0b0 sp 0x7ffccfe3f0a8 T0)
==75097==Hint: pc points to the zero page.
==75097==The signal is caused by a READ memory access.
==75097==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)
    #1 0x4010ea in main main.c:10
    #2 0x7feca982c5af in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58

(But yeah, I remember a time when calling null pointer functions often meant no
usable stack trace, even in gdb. Not sure what that was about.)

