From: Florian Weimer
To: DJ Delorie
Cc: libffi-discuss@sourceware.org
Subject: Re: segfault in ffi_data_to_code_pointer
References:
Date: Thu, 04 Jul 2019 12:35:00 -0000
In-Reply-To: (DJ Delorie's message of "Wed, 26 Jun 2019 16:55:47 -0400")
Message-ID: <87r276j7uq.fsf@oldenburg2.str.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-SW-Source: 2019/txt/msg00022.txt.bz2

* DJ Delorie:

> In src/closures.c, ffi_data_to_code_pointer() calls segment_holding()
> to get a pointer to the code segment for a data segment. It doesn't
> check for a NULL return, and I've got a test case where I run Ruby's
> test suite (on a non-selinux aarch64 machine, if that matters) and
> segment_holding() returns NULL and much hilarity ensues.
>
> The following patch fixes the segfault, but I don't know if
> segment_holding() returning NULL is an expected case, or a symptom of
> problems elsewhere?
>
>> diff -rup a/src/closures.c b/src/closures.c >> --- a/src/closures.c 2019-06-25 21:21:06.738743440 -0400 >> +++ b/src/closures.c 2019-06-25 21:22:00.769716129 -0400 >> @@ -621,7 +621,10 @@ void * >> ffi_data_to_code_pointer (void *data) >> { >> msegmentptr seg = segment_holding (gm, data); >> - return add_segment_exec_offset (data, seg); >> + if (seg) >> + return add_segment_exec_offset (data, seg); >> + else >> + return data; >> }

I think you also need to fix the aarch64 code to avoid a null pointer
dereference, like below. Also submitted as .

I have verified that this fixes the Ruby build failure.

Thanks,
Florian

diff --git a/src/aarch64/ffi.c b/src/aarch64/ffi.c index 6f6aac4..69e04d6 100644 --- a/src/aarch64/ffi.c +++ b/src/aarch64/ffi.c
@@ -777,7 +777,8 @@ ffi_prep_closure_loc (ffi_closure *closure, /* Also flush the cache for code mapping. */ unsigned char *tramp_code = ffi_data_to_code_pointer (tramp); - ffi_clear_cache (tramp_code, tramp_code + FFI_TRAMPOLINE_SIZE); + if (tramp_code != NULL) + ffi_clear_cache (tramp_code, tramp_code + FFI_TRAMPOLINE_SIZE); #endif closure->cif = cif; diff --git a/src/closures.c b/src/closures.c index 4d7f945..18d3913 100644 --- a/src/closures.c +++ b/src/closures.c @@ -925,6 +925,8 @@ void * ffi_data_to_code_pointer (void *data) { msegmentptr seg = segment_holding (gm, data); + if (seg == NULL) + return NULL; return add_segment_exec_offset (data, seg); }
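Review bot: in the quoted closures.c hunk, the `+ else + return data;` fallback makes a miss in `segment_holding()` indistinguishable from a successful lookup, so the caller goes on to treat a data-mapping address as the executable trampoline and the condition the message asks about (is a NULL segment expected, or a bug elsewhere?) is silently absorbed instead of surfaced; returning NULL and having callers check for it, as the follow-up patch does, reports the failure rather than masking it.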
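Review bot: in the aarch64/ffi.c hunk, after `+ if (tramp_code != NULL)` the function still falls through to `closure->cif = cif;` and completes normally when no code mapping was found for `tramp`, so the caller receives a closure whose trampoline was never flushed in its executable mapping; if a NULL from `ffi_data_to_code_pointer` can mean the trampoline is unusable, consider returning an error status here rather than only skipping the flush, and in either case a comment stating why NULL is tolerated would help, since the thread leaves open whether `segment_holding()` returning NULL is an expected case.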
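Review bot: in the closures.c hunk, `+ if (seg == NULL) + return NULL;` turns `ffi_data_to_code_pointer` into a function that can return NULL, but only the aarch64 caller in this patch is updated to check for it; any other caller (none visible here) would now dereference NULL at the same spot the original crashed, so the NULL-return contract should be documented in a comment above the function and the remaining callers audited.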