heap overflow from signal array bounds changes

[derekbruening]

From [email protected] on September 26, 2011 14:00:09

in r992 I am deterministically seeing the vfork test fail in both 32-bit and 64-bit with a heap overflow. I have never seen this prior to r992 .
all signs point to a bug in r992 ( issue #336 ).

bin32/drrun -ops "-msgbox_mask 12" -debug suite/tests/bin/linux.vfork /home/bruening/work/build/build_x86_dbg_tests/suite/tests/bin/linux.execve-sub
<Starting application linux.vfork (12615)>
<Initial options = -msgbox_mask 12 >
parent is running under DynamoRIO
trying vfork() #1
child is running under DynamoRIO
<-- execve /home/bruening/work/build/build_x86_dbg_tests/suite/tests/bin/linux.execve-sub -->
<Starting application linux.execve-sub (12622)>
parent waiting for child
<Initial options = -msgbox_mask 12 >
it_worked
<Stopping application linux.execve-sub (12622)>
child has exited
trying vfork() #2
<Application linux.vfork (12615). Internal Error Internal DynamoRIO Error: /home/bruening/dr/git/src/core/heap.c:3522 is_region_memset_to_char(p+size, alloc_size-size, HEAP_PAD_BYTE)
(Error occurred @1430 frags)
version 3.0.992, custom build
-msgbox_mask 12
0x1d4db844 0xf754b16b
0x1d4db9a4 0xf75d9b3b
0x1d4dba44 0xf75d4842
0x1d4dba74 0xf75d49e7
0x1d4dbaa4 0xf76bde9d
0x1d4dbac4 0xf76bff81
0x1d4dbb14 0xf76acf83
0x1d4dbb44 0xf74d4461
0x1d4dbb94 0xf74d4ed0
0x1d4dbc54 0xf76b6ceb>

(gdb) bt
#0 0xf768c362 in syscall_0args () from /home/bruening/work/build/build_x86_dbg_tests/lib32/debug/libdynamorio.so
#1 0x1d48c5b8 in ?? ()
#2 0xf76afcd0 in os_read (f=0, buf=0x1d4db24f, count=1) at /home/bruening/dr/git/src/core/linux/os.c:3292
#3 0xf754fc20 in notify (priority=SYSLOG_ERROR, internal=false, synch=false, substitution_num=3, prefix=0xf77025c8 "SYSLOG_ERROR",
fmt=0xf7703d1c "Application %s (%s). Internal Error %s") at /home/bruening/dr/git/src/core/utils.c:1874
#4 0xf7550072 in report_dynamorio_problem (dcontext=0x1d486240, dumpcore_flag=8, exception_addr=0x0,
report_ebp=0x1d4db844 "\244\271M\035k\261T", <incomplete sequence \367>,
fmt=0xf7702558 "Internal DynamoRIO Error: %s:%d %s\n(Error occurred @%d frags)") at /home/bruening/dr/git/src/core/utils.c:2083
#5 0xf754b16b in internal_error (file=0xf7711e48 "/home/bruening/dr/git/src/core/heap.c", line=3522,
expr=0xf77155d8 "is_region_memset_to_char(p+size, alloc_size-size, HEAP_PAD_BYTE)") at /home/bruening/dr/git/src/core/utils.c:183
#6 0xf75d9b3b in common_heap_free (tu=0x1d482094, p_void=0x1d507978, size=260, which=ACCT_OTHER)
at /home/bruening/dr/git/src/core/heap.c:3521
#7 0xf75d4842 in common_global_heap_free (tu=0x1d482094, p=0x1d507978, size=260, which=ACCT_OTHER)
at /home/bruening/dr/git/src/core/heap.c:2522
#8 0xf75d49e7 in global_heap_free (p=0x1d507978, size=260, which=ACCT_OTHER) at /home/bruening/dr/git/src/core/heap.c:2550
#9 0xf76bde9d in handler_free (dcontext=0x1d506600, p=0x1d507978, size=260) at /home/bruening/dr/git/src/core/linux/signal.c:707
#10 0xf76bff81 in signal_thread_exit (dcontext=0x1d506600) at /home/bruening/dr/git/src/core/linux/signal.c:1485
#11 0xf76acf83 in os_thread_exit (dcontext=0x1d506600) at /home/bruening/dr/git/src/core/linux/os.c:1991
#12 0xf74d4461 in dynamo_thread_exit_common (dcontext=0x1d506600, id=12622, other_thread=true)
at /home/bruening/dr/git/src/core/dynamo.c:2317
#13 0xf74d4ed0 in dynamo_other_thread_exit (tr=0x1d506838) at /home/bruening/dr/git/src/core/dynamo.c:2413
#14 0xf76b6ceb in pre_system_call (dcontext=0x1d486240) at /home/bruening/dr/git/src/core/linux/os.c:5064
#15 0xf754113f in handle_system_call (dcontext=0x1d486240) at /home/bruening/dr/git/src/core/dispatch.c:1749
#16 0xf753892f in dispatch_enter_dynamorio (dcontext=0x1d486240) at /home/bruening/dr/git/src/core/dispatch.c:728
#17 0xf7535011 in dispatch (dcontext=0x1d486240) at /home/bruening/dr/git/src/core/dispatch.c:141

Original issue: http://code.google.com/p/dynamorio/issues/detail?id=561

[derekbruening]

From [email protected] on September 26, 2011 11:16:18

I missed this because I mentally lumped it in with the thread tests that fail non-deterministically for me due to issue #500. I missed the allocation of some signal-indexed arrays in signal_thread_inherit.

[derekbruening]

From [email protected] on September 26, 2011 11:56:18

Fixed in r1000 .

Status: Fixed