Bug 367942 - Segfault vgPlain_do_sys_sigaction (m_signals.c:1138)
Summary: Segfault vgPlain_do_sys_sigaction (m_signals.c:1138)
Status: RESOLVED FIXED
Alias: None
Product: valgrind
Classification: Developer tools
Component: general
Version: 3.10.0
Platform: Debian stable Linux
Importance: NOR crash
Target Milestone: ---
Assignee: Julian Seward
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-29 00:57 UTC by geeknik
Modified: 2016-11-14 00:10 UTC

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Description geeknik 2016-08-29 00:57:47 UTC
Valgrind 3.10.0-4 on Debian 8.5 x64. This Perl script crashed the Perl interpreter, which crashed Valgrind. The Perl script is 100% expected to crash Perl, but I wouldn't expect that to crash Valgrind, and after talking to a Perl developer, syscalls from Perl shouldn't crash Valgrind unless the syscall is something like kill(valgrind_pid, SIGSEGV). In this case it's performing a read (syscall 0) with garbage arguments.

valgrind perl -e '{0!~0}map{$_=syscall$0++}Y..$:'

It'll hang here:

==20465== Syscall param read(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==

Tap Enter on your keyboard:

==20465== Syscall param write(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param open(filename) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param stat(file_name) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param stat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param fstat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param lstat(file_name) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param lstat(buf) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.fd) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.events) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param poll(ufds.revents) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x6 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_handler) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4000 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_mask) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4018 is not stack'd, malloc'd or (recently) free'd
==20465==
==20465== Syscall param rt_sigaction(act->sa_flags) points to unaddressable byte(s)
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
==20465==  Address 0x4008 is not stack'd, malloc'd or (recently) free'd
==20465==
--20465-- VALGRIND INTERNAL ERROR: Valgrind received a signal 11 (SIGSEGV) - exiting
--20465-- si_code=1;  Faulting address: 0x400B;  sp: 0x802f2ccb0

valgrind: the 'impossible' happened:
   Killed by fatal signal

host stacktrace:
==20465==    at 0x38114E5C: vgSysWrap_linux_sys_rt_sigaction_before (syswrap-linux.c:3242)
==20465==    by 0x380F82D5: vgPlain_client_syscall (syswrap-main.c:1586)
==20465==    by 0x380F4B5A: handle_syscall (scheduler.c:1103)
==20465==    by 0x380F6226: vgPlain_scheduler (scheduler.c:1416)
==20465==    by 0x38105B60: thread_wrapper (syswrap-linux.c:103)
==20465==    by 0x38105B60: run_a_thread_NORETURN (syswrap-linux.c:156)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==20465==    at 0x5C8D809: syscall (syscall.S:38)
==20465==    by 0x59A94D: Perl_pp_syscall (pp_sys.c:5711)
==20465==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==20465==    by 0x452E96: S_run_body (perl.c:2525)
==20465==    by 0x452E96: perl_run (perl.c:2448)
==20465==    by 0x421834: main (perlmain.c:123)
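The host stacktrace above shows where the problem lies: the fault is at 0x400B inside vgSysWrap_linux_sys_rt_sigaction_before, i.e. the PRE-syscall wrapper read the client's struct sigaction through the garbage act pointer before the kernel ever saw it. The kernel itself copes with such a pointer (copy_from_user fails with EFAULT), so a tool that inspects syscall arguments must check addressability before dereferencing. The C program below is an added example, not code from this report or from Valgrind's own tree: it repeats the call the one-liner ends up making through a raw syscall(), then shows the probe-before-dereference pattern such an inspector needs. The address 0x4000 is taken from the rt_sigaction warnings above and is assumed to be unmapped because it lies below the default vm.mmap_min_addr; safe_to_deref and inspect_rt_sigaction_act are names invented for this example, and the pipe-write probe is one well-known way to test readability from user space, not the technique Valgrind uses internally.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 0x4000 is the act pointer implied by the report's rt_sigaction warnings
 * (sa_handler at 0x4000, sa_flags at 0x4008, sa_mask at 0x4018). Assumption:
 * it lies below the default vm.mmap_min_addr of 65536, so an unprivileged
 * process cannot have anything mapped there. */
#define GARBAGE_ACT ((const struct sigaction *)0x4000)

/* The call the Perl one-liner ends up making: rt_sigaction with a garbage
 * act pointer. The kernel fetches act with copy_from_user(), so the call
 * fails with EFAULT instead of killing the process. sigsetsize is 8, the
 * kernel's sigset_t size on x86-64. Returns errno on failure, 0 on success. */
int raw_rt_sigaction_with_garbage(void)
{
    long r = syscall(SYS_rt_sigaction, SIGUSR1, GARBAGE_ACT, (void *)0, (size_t)8);
    return r == -1 ? errno : 0;
}

/* Probe whether [p, p+n) is readable in this process without faulting.
 * Handing the bytes to write() on a pipe makes the kernel perform the
 * access, so an unmapped source yields a failed or short write (EFAULT)
 * rather than a SIGSEGV in the caller. Returns 1 if readable, else 0. */
int safe_to_deref(const void *p, size_t n)
{
    enum { PROBE_MAX = 4096 };          /* stay well under pipe capacity */
    int fds[2];
    char drain[PROBE_MAX];
    if (p == NULL || n == 0 || n > PROBE_MAX)
        return 0;
    if (pipe(fds) != 0)
        return 0;
    ssize_t w = write(fds[1], p, n);
    int ok = (w == (ssize_t)n);
    if (ok)
        (void)read(fds[0], drain, n);   /* empty the pipe again */
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* What a PRE-syscall inspector for rt_sigaction should do before it looks
 * at the client's struct sigaction: check addressability first, copy
 * second. Returns 1 if *out now holds a copy of *act, 0 if act is NULL
 * (legal: the caller only wants oldact) and -1 if act is unaddressable. */
int inspect_rt_sigaction_act(const struct sigaction *act, struct sigaction *out)
{
    if (act == NULL)
        return 0;
    if (!safe_to_deref(act, sizeof *act))
        return -1;
    memcpy(out, act, sizeof *out);      /* now known not to fault */
    return 1;
}

int main(void)
{
    struct sigaction good, copy;
    memset(&good, 0, sizeof good);
    good.sa_handler = SIG_IGN;

    int e = raw_rt_sigaction_with_garbage();
    printf("rt_sigaction(SIGUSR1, 0x4000, NULL, 8) -> %s\n", strerror(e));
    printf("inspect(&good)  = %d\n", inspect_rt_sigaction_act(&good, &copy));
    printf("inspect(0x4000) = %d\n", inspect_rt_sigaction_act(GARBAGE_ACT, &copy));
    return 0;
}
```

The contrast is the whole point: the raw call returns EFAULT and the process lives, whereas an inspector that does `act->sa_handler` directly on the same pointer dies exactly the way the host stacktrace above shows. Any tool sitting between a client and the kernel (sandboxes, tracers, instrumentation frameworks) has to treat client-supplied pointers as untrusted in the same way.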
Comment 1 Julian Seward 2016-10-19 11:51:41 UTC
There have been commits to the trunk which make V more robust to
bad parameters to rt_sigaction and friends.  Can you re-try with the
trunk, or with the upcoming 3.12.0 release?
Comment 2 geeknik 2016-11-14 00:10:43 UTC
valgrind-3.13.0.SVN does not appear to crash in this instance.