[Bug sanitizer/98669] New: SIGSEGV on pc=0 in crypt() with -fsanitize=address

[Bug sanitizer/98669] New: SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marko.makela at mariadb dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

            Bug ID: 98669
           Summary: SIGSEGV on pc=0 in crypt() with -fsanitize=address
           Product: gcc
           Version: 10.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marko.makela at mariadb dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org, marxin at gcc dot gnu.org
  Target Milestone: ---

The following test program would crash when compiled with AddressSanitizer
instrumentation in GCC 10.2.1 for AMD64 on Debian GNU/Linux Sid (unstable):

cat > crypt.c << EOF
#include <crypt.h>
#include <stdio.h>

int main (int argc, char **argv)
{
  puts(crypt(*argv, "salt"));
}
EOF
gcc -fsanitize=address crypt.c -lcrypt
./a.out


AddressSanitizer:DEADLYSIGNAL
=================================================================
==664877==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000000000 bp 0x7fffb2b2b970 sp 0x7fffb2b2b958 T0)
==664877==Hint: pc points to the zero page.
==664877==The signal is caused by a READ memory access.
==664877==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==664877==ABORTING


If I compile the same without -fsanitize=address, or with clang-10 or clang-11,
the program will complete normally, outputting a line of text.

I traced the crash to the second (!) invocation of the function
__interceptor_crypt():

gdb a.out
break __interceptor_crypt
continue
display/i $pc
continue
nexti
nexti
...

The trace would end with the following:

1: x/i $pc
=> 0x7ffff762ba4d <__interceptor_crypt(char*, char*)+125>:      
    jmp    *0xdf55d(%rip)        # 0x7ffff770afb0
<_ZN14__interception10real_cryptE>
(gdb) 
0x0000000000000000 in ?? ()

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-01-14
                 CC|                            |doko at gcc dot gnu.org

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Thank you for the report.

However, I can't reproduce that on openSUSE Tumbleweed with GCC 10 installed:

$ g++-10 pr98669.C -lcrypt -fsanitize=address -g && ./a.out 
sasWQy9ecMDEs

same for older compilers:

$ g++-7 pr98669.C -lcrypt -fsanitize=address -g && ./a.out 
sasWQy9ecMDEs

$ g++-9 pr98669.C -lcrypt -fsanitize=address -g && ./a.out 
sasWQy9ecMDEs

@doko: Can you please try to reproduce that?

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marko.makela at mariadb dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #2 from Marko Mäkelä <marko.makela at mariadb dot com> ---
I cannot reproduce this with Debian's gcc-9 package on my system:
Architecture: amd64
Version: 9.3.0-20

gcc-9 -fsanitize=address crypt.c -lcrypt && ./a.out 
sasWQy9ecMDEs

If I change the invocation to gcc or gcc-10, then it will crash as reported.

gcc --version
gcc (Debian 10.2.1-6) 10.2.1 20210110
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[doko at debian dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Matthias Klose <doko at debian dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |doko at debian dot org

--- Comment #3 from Matthias Klose <doko at debian dot org> ---
I can see this as well, also with trunk 20210110 / GCC 11, both with gcc and
g++ (binutils 2.35 branch, glibc 2.31). Same for the current Ubuntu development
system (binutils 2.36 branch, glibc-2.32).

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[doko at debian dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #4 from Matthias Klose <doko at debian dot org> ---
$ /usr/lib/gcc-snapshot/bin/gcc -fsanitize=address crypt.c -lcrypt &&
LD_LIBRARY_PATH=/usr/lib/gcc-snapshot/lib ./a.out 
sasWQy9ecMDEs

looks like this happens with a compiler configured with --enable-default-pie.

Otoh, I still see:

$ gcc-10 -no-pie -fno-stack-protector -fsanitize=address crypt.c -lcrypt &&
./a.out
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2831466==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000000000 bp 0x7ffd02382710 sp 0x7ffd023826f8 T0)
==2831466==Hint: pc points to the zero page.
==2831466==The signal is caused by a READ memory access.
==2831466==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==2831466==ABORTING

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #5 from Martin Liška <marxin at gcc dot gnu.org> ---
Based on the back-trace, it seems that:

1: x/i $pc
=> 0x7ffff762ba4d <__interceptor_crypt(char*, char*)+125>:      
    jmp    *0xdf55d(%rip)        # 0x7ffff770afb0
<_ZN14__interception10real_cryptE>
(gdb) 
0x0000000000000000 in ?? ()

'crypt' is not properly dlsymed from libcrypt.so.
@doko: Can you please send me your libasan.so.6 and libcrypt.so.1 via email?

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
Can you please also check:

$ ASAN_OPTIONS=verbosity=111 ./a.out
...

?

You may see something like this:

'==23512==AddressSanitizer: failed to intercept '???'

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[doko at debian dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #7 from Matthias Klose <doko at debian dot org> ---
$ ASAN_OPTIONS=verbosity=111 ./a.out
==3598976==info->dlpi_name =    info->dlpi_addr = 0x5653263c7000
==3598976==info->dlpi_name = linux-vdso.so.1    info->dlpi_addr =
0x7fff7e8ed000
==3598976==info->dlpi_name = /usr/lib/x86_64-linux-gnu/libasan.so.6    
info->dlpi_addr = 0x7f2feae05000
==3598976==AddressSanitizer: failed to intercept '__isoc99_printf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_sprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_snprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_fprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_vprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
'==3598976==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
'==3598976==AddressSanitizer: failed to intercept 'crypt'
'==3598976==AddressSanitizer: failed to intercept 'crypt_r'
'==3598976==AddressSanitizer: failed to intercept '__cxa_throw'
'==3598976==AddressSanitizer: libc interceptors initialized
|| `[0x10007fff8000, 0x7fffffffffff]` || HighMem    ||
|| `[0x02008fff7000, 0x10007fff7fff]` || HighShadow ||
|| `[0x00008fff7000, 0x02008fff6fff]` || ShadowGap  ||
|| `[0x00007fff8000, 0x00008fff6fff]` || LowShadow  ||
|| `[0x000000000000, 0x00007fff7fff]` || LowMem     ||
MemToShadow(shadow): 0x00008fff7000 0x000091ff6dff 0x004091ff6e00
0x02008fff6fff
redzone=16
max_redzone=2048
quarantine_size_mb=256M
thread_local_quarantine_size_kb=1024K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x7fff8000
==3598976==Installed the sigaction for signal 11
==3598976==Installed the sigaction for signal 7
==3598976==Installed the sigaction for signal 8
==3598976==SetCurrentThread: 0x7f2feb7d5000 for thread 0x7f2feaab5780
==3598976==T0: stack [0x7fff7e050000,0x7fff7e850000) size 0x800000;
local=0x7fff7e84d6ec
==3598976==Using libbacktrace symbolizer.
==3598976==AddressSanitizer Init done
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3598976==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000000000 bp 0x7fff7e84d6d0 sp 0x7fff7e84d6b8 T0)
==3598976==Hint: pc points to the zero page.
==3598976==The signal is caused by a READ memory access.
==3598976==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==3598976==ABORTING

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #8 from Martin Liška <marxin at gcc dot gnu.org> ---
> '==3598976==AddressSanitizer: failed to intercept 'crypt'
> '==3598976==AddressSanitizer: failed to intercept 'crypt_r'

All right, this is the problem. Investigating now.

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[doko at debian dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #9 from Matthias Klose <doko at debian dot org> ---
The Debian GCC has a patch to make --as-needed the default.  It looks like
gcc-10 then links to an a.out which is not linked against libcrypt.  This seems
to work with gcc-9, but not with -10 and -11.

$ gcc-9 -fsanitize=address crypt.c -lcrypt && ldd a.out|egrep 'asan|crypt'
        libasan.so.5 => /usr/lib/x86_64-linux-gnu/libasan.so.5
(0x00007fc9606a7000)
        libcrypt.so.1 => /usr/lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007fc96066c000)


$ gcc-10 -fsanitize=address crypt.c -lcrypt && ldd a.out|egrep 'asan|crypt'
        libasan.so.6 => /usr/lib/x86_64-linux-gnu/libasan.so.6
(0x00007f90c79bf000)

 /usr/lib/gcc/x86_64-linux-gnu/10/collect2 -plugin
/usr/lib/gcc/x86_64-linux-gnu/10/liblto_plugin.so
-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/10/lto-wrapper
-plugin-opt=-fresolution=/tmp/ccwabMO2.res -plugin-opt=-pass-through=-lgcc
-plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc
-plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id
--eh-frame-hdr -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker
/lib64/ld-linux-x86-64.so.2 -pie
/usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/Scrt1.o
/usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/crti.o
/usr/lib/gcc/x86_64-linux-gnu/10/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/10
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../../../lib -L/lib/x86_64-linux-gnu
-L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../..
/usr/lib/gcc/x86_64-linux-gnu/10/libasan_preinit.o --push-state --no-as-needed
-lasan --pop-state /tmp/ccsFKez1.o -lcrypt -lgcc --push-state --as-needed
-lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state
/usr/lib/gcc/x86_64-linux-gnu/10/crtendS.o
/usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu/crtn.o

so the link line looks like

--as-needed ... /usr/lib/gcc/x86_64-linux-gnu/10/libasan_preinit.o --push-state
--no-as-needed -lasan --pop-state /tmp/ccsFKez1.o -lcrypt ...

Explicitly linking with -lcrypt works:

$ gcc-10 -fsanitize=address crypt.c -Wl,--push-state,--no-as-needed -lcrypt
-Wl,--pop-state && ldd a.out|egrep 'asan|crypt'
        libasan.so.6 => /usr/lib/x86_64-linux-gnu/libasan.so.6
(0x00007ffb6ad5e000)
        libcrypt.so.1 => /usr/lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007ffb6ad23000)

But I fail to see why this worked with GCC 9.

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Maybe crypt/crypt_r wasn't intercepted before?
In any case, seems like self-inflicted problem, --as-needed by default is a
very bad idea.

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[doko at debian dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #11 from Matthias Klose <doko at debian dot org> ---
anway, guarding --as-needed in the Debian patch. %{!fsanitize=*:--as-needed}

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |RESOLVED
         Resolution|---                         |INVALID

--- Comment #12 from Martin Liška <marxin at gcc dot gnu.org> ---
Closing as it's a downstream issue.

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[marko.makela at mariadb dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

--- Comment #13 from Marko Mäkelä <marko.makela at mariadb dot com> ---
Thank you. I have reported this upstream:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980110

[Bug sanitizer/98669] SIGSEGV on pc=0 in crypt() with -fsanitize=address

[asn at samba dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98669

Andreas Schneider <asn at samba dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |asn at samba dot org

--- Comment #14 from Andreas Schneider <asn at samba dot org> ---
I've run into this with a python script:

==9542==AddressSanitizer: failed to intercept 'crypt'
==9542==AddressSanitizer: failed to intercept 'crypt_r'

[..]

AddressSanitizer:DEADLYSIGNAL
=================================================================
==29768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x000000000000 bp 0x7ffcec4bf3c0 sp 0x7ffcec4beb58 T0)
==29768==Hint: pc points to the zero page.
==29768==The signal is caused by a READ memory access.
==29768==Hint: address points to the zero page.
    #0 0x0  (<unknown module>)
    #1 0x7f052cca4129 in crypt_crypt_impl
/usr/src/debug/python310-core-3.10.6-3.1.x86_64/Modules/_cryptmodule.c:44

In case someone runs into this as well. You can fix it by preloading
libcrypt.so.1!