NetBSD Problem Report #59042
From christos@astron.com Thu Jan 30 19:13:45 2025
Return-Path: <christos@astron.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 5293F1A923A
for <gnats-bugs@gnats.NetBSD.org>; Thu, 30 Jan 2025 19:13:45 +0000 (UTC)
Message-Id: <20250130191342.804D76C28E@quasar.astron.com>
Date: Thu, 30 Jan 2025 19:13:42 +0000 (UTC)
From: christos@zoulas.com
Reply-To: christos@zoulas.com
To: gnats-bugs@NetBSD.org
Subject: libfuzzer coredumps trying to print stack trace
X-Send-Pr-Version: 3.95
>Number: 59042
>Category: toolchain
>Synopsis: libfuzzer coredumps trying to print stack trace
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: toolchain-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jan 30 19:15:00 +0000 2025
>Originator: Christos Zoulas
>Release: NetBSD 10.99.12
>Organization:
Warm Fuzzy Feelings, Inc.
>Environment:
System: NetBSD quasar.astron.com 10.99.12 NetBSD 10.99.12 (QUASAR) #40: Mon Jan 27 14:52:42 EST 2025 christos@quasar.astron.com:/usr/src/sys/arch/amd64/compile/QUASAR amd64
Architecture: x86_64
Machine: amd64
>Description:
If the libfuzzer callback fails, then the system is unable to handle
it, because the libc constructors have not been called.
/usr/src/sys/lib/libunwind/libunwind.c:25:
static LocalAddressSpace sThisAddressSpace(MyCFIParser::findPCRange);
Then we die trying to dereference:
/usr/src/sys/lib/libunwind/AddressSpace.hpp:397:
(*findPCRange)(
*this, header + (int32_t)get32(n->hdr_start + (entries - 1) * 8 + 4),
tmp, n->last_pc);
>How-To-Repeat:
[2:11pm] 374>cat x.cc
#include <sys/types.h>
#include <stdint.h>   /* uint8_t */
#include <stddef.h>   /* size_t */

/* Returning non-zero from the callback trips the "Res == 0" assertion in
 * FuzzerLoop.cpp, which is all that is needed to reach the crash path. */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
    return -1;
}
[2:11pm] 375>clang++ -g -fsanitize=fuzzer,address x.cc -o x
[2:11pm] 376>paxctl +a x
[2:11pm] 377>./x
INFO: Seed: 821425815
INFO: Loaded 1 modules (1 inline 8-bit counters): 1 [0x59e008, 0x59e009),
INFO: Loaded 1 PC tables (1 PCs): 1 [0x5764b8,0x5764c8),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
assertion "Res == 0" failed: file "/net/quasar/src-5/NetBSD/src/external/bsd/compiler_rt/lib/clang/lib/netbsd/fuzzer-m64/../../../../../../../../sys/external/bsd/compiler_rt/dist/lib/fuzzer/FuzzerLoop.cpp", line 575, function "void fuzzer::Fuzzer::ExecuteCallback(const uint8_t *, size_t)"
==18000== ERROR: libFuzzer: deadly signal
#0 0x45a8a7 in __sanitizer_print_stack_trace /net/quasar/src-5/NetBSD/src/external/bsd/compiler_rt/lib/clang/lib/netbsd/asan-m64/../../../../../../../../sys/external/bsd/compiler_rt/dist/lib/asan/asan_stack.cc:38:3
#1 0x4409f5 in fuzzer::PrintStackTrace() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x4409f5)
#2 0x430bc3 in fuzzer::Fuzzer::CrashCallback() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x430bc3)
#3 0x430b80 in fuzzer::Fuzzer::StaticCrashSignalCallback() (/net/quasar/u-5/christos/src/file/src/Test_libmagic_1/./x+0x430b80)
#4 0x7f7ff7b0e68f (/usr/lib/libc.so.12+0x19968f)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Base64:
>Fix:
Low level code that can be called very early should not require
complex features like constructors, or something needs to make
sure that constructors have been called.
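The Description traces the crash to a file-scope object, `static LocalAddressSpace sThisAddressSpace(MyCFIParser::findPCRange)`, whose constructor has not run when the unwinder is entered, so the `findPCRange` member is still the zero-initialized null pointer that line 397 of AddressSpace.hpp then calls. The example below, added here and not taken from libunwind or NetBSD, shows the two remedies the Fix section names using hypothetical names (`DynamicAddressSpace`, `ConstantAddressSpace`, `myFindPCRange`, `lookup`): give the object a `constexpr` constructor so it is constant-initialized and needs no run-time constructor at all, and guard the pointer so a caller that does arrive too early fails closed instead of jumping through null. It relies on one C++ guarantee: constant initialization of statics always completes before any dynamic initialization, and within one translation unit dynamic initializers run in definition order, so an object defined earlier in the file stands in for the "too early" caller.

```cpp
// Added illustration, not libunwind or NetBSD code. Mirrors the shape of
//   static LocalAddressSpace sThisAddressSpace(MyCFIParser::findPCRange);
// with hypothetical names: a static object holding a function pointer that
// code may use before this file's dynamic initializers have run.
#include <cstdint>

typedef bool (*FindPCRangeFn)(uintptr_t pc, uintptr_t *lo, uintptr_t *hi);

// Stand-in for MyCFIParser::findPCRange: claims every pc lies in [pc-16, pc+16).
static bool myFindPCRange(uintptr_t pc, uintptr_t *lo, uintptr_t *hi) {
    *lo = pc - 16;
    *hi = pc + 16;
    return true;
}

static int gInitCounter = 0;

// Before: needs a run-time constructor. The side effect on gInitCounter also
// keeps the compiler from quietly promoting this to constant initialization.
struct DynamicAddressSpace {
    FindPCRangeFn findPCRange;
    int order;
    DynamicAddressSpace(FindPCRangeFn f) : findPCRange(f), order(++gInitCounter) {}
};

// After: a constexpr constructor with a constant argument (a function address)
// gives constant initialization, so no constructor has to run at all.
struct ConstantAddressSpace {
    FindPCRangeFn findPCRange;
    constexpr ConstantAddressSpace(FindPCRangeFn f) : findPCRange(f) {}
};

// The defensive check: refuse instead of calling through a null pointer.
static bool lookup(FindPCRangeFn fn, uintptr_t pc, uintptr_t *lo, uintptr_t *hi) {
    if (fn == nullptr)
        return false;               // constructor has not run yet
    return fn(pc, lo, hi);
}

extern DynamicAddressSpace  gDynamicSpace;   // defined further down on purpose
extern ConstantAddressSpace gConstantSpace;

static bool gDynamicReadyEarly  = false;
static bool gConstantReadyEarly = false;

// Stands in for the early caller (a crash handler or another initializer).
// Defined before the address spaces, so its constructor runs before
// gDynamicSpace's constructor but after gConstantSpace's constant init.
struct EarlyUser {
    EarlyUser() {
        uintptr_t lo = 0, hi = 0;
        gDynamicReadyEarly  = lookup(gDynamicSpace.findPCRange,  0x1000, &lo, &hi);
        gConstantReadyEarly = lookup(gConstantSpace.findPCRange, 0x1000, &lo, &hi);
    }
};
static EarlyUser gEarlyUser;

DynamicAddressSpace  gDynamicSpace(myFindPCRange);   // dynamic: too late for gEarlyUser
ConstantAddressSpace gConstantSpace(myFindPCRange);  // constant: ready from the start

bool dynamicSpaceWasReadyEarly()  { return gDynamicReadyEarly; }   // false
bool constantSpaceWasReadyEarly() { return gConstantReadyEarly; }  // true

// Once main() runs every constructor has finished and both objects work.
static bool readyNow(FindPCRangeFn fn) {
    uintptr_t lo = 0, hi = 0;
    return lookup(fn, 0x1000, &lo, &hi) && lo == 0x0ff0 && hi == 0x1010;
}
bool dynamicSpaceReadyNow()  { return readyNow(gDynamicSpace.findPCRange); }
bool constantSpaceReadyNow() { return readyNow(gConstantSpace.findPCRange); }
```

The constexpr route is the one to prefer for anything reachable from a signal handler: the other common remedy, lazy initialization through a function-local static, is not async-signal-safe because its first use goes through the compiler's guard lock.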
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.