From: Maximilian Riemensberger
Subject: [Qemu-devel] linux-user/mmap: Should not return NULL on guest call mmap(NULL, ...), causes crash inside glibc
Date: Fri, 5 Jan 2018 19:13:08 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
Hi,

yesterday I hit the following problem when running an ARM Linux executable on
qemu-2.10 (qemu-arm-static through binfmt_misc):

1879 mmap2(NULL,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|0x20000,-1,0) = 0x00000000
1879 write(2,0xf6fd39d0,79) stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed.
The issue comes up when the executable creates and joins lots of
threads in a loop (it's a unit test). Eventually, glibc's allocate_stack
hits mmap(NULL, ...) == NULL. Judging from the POSIX and Linux
manuals, mmap(NULL, ...) never returns NULL: either it fails with MAP_FAILED
or it succeeds and returns a non-NULL address.
AFAIK target_mmap() and mmap_find_vma() don't check the start address
after h2g().
More detailed straces below.
Cheers
Max
Guest strace: qemu-arm-static --strace [truncated and filtered]:
...
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x00ffef88,parent_tidptr=0x00fff4b8,tls=0x00fff910,child_tidptr=0x00fff4b8) = 2483
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x00ffef88,parent_tidptr=0x00fff4b8,tls=0x00fff910,child_tidptr=0x00fff4b8) = 2484
1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x017fef88,parent_tidptr=0x017ff4b8,tls=0x017ff910,child_tidptr=0x017ff4b8) = 2485
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x01ffef88,parent_tidptr=0x01fff4b8,tls=0x01fff910,child_tidptr=0x01fff4b8) = 2486
1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x027fef88,parent_tidptr=0x027ff4b8,tls=0x027ff910,child_tidptr=0x027ff4b8) = 2487
1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)
1879 clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,child_stack=0x02ffef88,parent_tidptr=0x02fff4b8,tls=0x02fff910,child_tidptr=0x02fff4b8) = 2488
1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)
1879 mmap2(NULL,8388608,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS|0x20000,-1,0) = 0x00000000
1879 futex(0xf61d5fa0,FUTEX_PRIVATE_FLAG|FUTEX_WAIT,0,NULL,0xf61d5fa0,-165847136)
1879 write(2,0xf6fd39d0,79) stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed.
1879 mmap2(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0xf61ca000
Host strace: strace -f qemu-arm-static [truncated and filtered, different run than above]:
mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f5344532000
clone(child_stack=0x7f5344d31db0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f5344d329d0, tls=0x7f5344d32700, child_tidptr=0x7f5344d329d0) = 2492
[pid 2491] mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f53444b1000
[pid 2491] mmap(NULL, 225280, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f534447a000
[pid 2491] mmap(NULL, 4143972352, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f524d47a000
[pid 2491] mmap(0x7f534d46a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f534d46a000
[pid 2491] openat(AT_FDCWD, "/proc/sys/vm/mmap_min_addr", O_RDONLY) = 3
...
[pid 2491] clone(child_stack=0x7f524cd1bdb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f524cd1c9d0, tls=0x7f524cd1c700, child_tidptr=0x7f524cd1c9d0) = 3092
[pid 2491] mmap(0x7f524e47a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid 2491] <... mmap resumed> ) = 0x7f524e47a000
[pid 2491] clone(child_stack=0x7f524cd9ddb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7f524cd9e9d0, tls=0x7f524cd9e700, child_tidptr=0x7f524cd9e9d0) = 3093
[pid 2491] mmap(0x7f524dc7a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid 2491] <... mmap resumed> ) = 0x7f524dc7a000
[pid 2491] clone(strace: Process 3094 attached
[pid 2491] mmap(0x7f525b47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0 <unfinished ...>
[pid 2491] <... mmap resumed> ) = 0x7f525b47a000
[pid 2491] mmap(0x7f525bc7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0 <unfinished ...>
[pid 2491] <... mmap resumed> ) = 0x7f525bc7a000
[pid 2491] mmap(0x7f525c47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525c47a000
[pid 2491] mmap(0x7f525cc7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525cc7a000
[pid 2491] mmap(0x7f525d47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525d47a000
[pid 2491] mmap(0x7f525ac7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525ac7a000
[pid 2491] mmap(0x7f525a47a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525a47a000
[pid 2491] mmap(0x7f5259c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5259c7a000
[pid 2491] mmap(0x7f525947a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525947a000
[pid 2491] mmap(0x7f5258c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5258c7a000
[pid 2491] mmap(0x7f525847a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525847a000
[pid 2491] mmap(0x7f5257c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5257c7a000
[pid 2491] mmap(0x7f525747a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525747a000
[pid 2491] mmap(0x7f5256c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5256c7a000
[pid 2491] mmap(0x7f525647a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525647a000
[pid 2491] mmap(0x7f5255c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5255c7a000
[pid 2491] mmap(0x7f525547a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525547a000
[pid 2491] mmap(0x7f5254c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5254c7a000
[pid 2491] mmap(0x7f525447a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525447a000
[pid 2491] mmap(0x7f5253c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5253c7a000
[pid 2491] mmap(0x7f525347a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525347a000
[pid 2491] mmap(0x7f5252c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5252c7a000
[pid 2491] mmap(0x7f525247a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525247a000
[pid 2491] mmap(0x7f5251c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5251c7a000
[pid 2491] mmap(0x7f525147a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525147a000
[pid 2491] mmap(0x7f5250c7a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f5250c7a000
[pid 2491] mmap(0x7f525047a000, 8388608, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x7f525047a000
[pid 2491] clone(strace: Process 3095 attached
[pid 2491] clone(strace: Process 3096 attached
[pid 2491] clone(strace: Process 3097 attached
[pid 2491] clone(strace: Process 3098 attached
[pid 2491] clone(strace: Process 3099 attached
[pid 2491] clone(strace: Process 3100 attached
[pid 2491] mmap(0x7f524d47a000, 8388608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0 <unfinished ...>
[pid 2491] <... mmap resumed> ) = 0x7f524d47a000
[pid 2491] write(2, "stx_test: allocatestack.c:514: a"..., 79stx_test: allocatestack.c:514: allocate_stack: Assertion `mem != NULL' failed.
--
----------------------------------------------------------------------
Cadami UG (haftungsbeschränkt)
Waagstraße 10, 85386 Eching (near Munich), Germany
Office: c/o Wayra, Kaufingerstraße 15, 80331 Munich, Germany
Contact: +49-176-63360306, address@hidden, www.cadami.net
Geschäftsführer: Andreas Dotzler, Michael Heindlmaier,
Thomas Kühn, Maximilian Riemensberger
Sitz der Gesellschaft: Eching, HRB 219979 Amtsgericht München
USt-IdNr.: DE301293803
----------------------------------------------------------------------
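Added example, not part of the report above and not QEMU's code: a native C program that (a) reproduces the pattern the report describes, a loop creating and joining threads so that glibc's allocate_stack() issues mmap(NULL, 8 MiB, ...) over and over, (b) checks the POSIX/Linux contract the report cites directly against mmap(), and (c) models the missing check as a function that refuses to hand a translated guest address of 0 back to the caller. The translation model (guest = host - guest_base, the guest_min_addr parameter, and the function names h2g_checked/h2g_or_zero) is an assumption for illustration, not QEMU's h2g()/mmap_find_vma(). Note that in the host strace the final stack mapping lands at 0x7f524d47a000, the base of the earlier 4143972352-byte PROT_NONE reservation; if that reservation is the guest address space, the mapping's guest address is exactly 0, which is what the guest-side `= 0x00000000` shows. Built natively the program should report every cycle completed; cross-compiled for ARM and run under an affected qemu-arm-static it is expected to stop early on the same assertion.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* POSIX/Linux contract quoted in the report: mmap() either fails with
 * MAP_FAILED or succeeds with a usable, non-NULL address. A success value
 * of 0 for a NULL hint is a bug in whatever sits between the caller and
 * the kernel (here: the emulator). */
int mmap_result_is_sane(void *p)
{
    return p != MAP_FAILED && p != NULL;
}

/* Model of the host-to-guest translation in a user-mode emulator (an
 * assumption for illustration, not QEMU's own h2g()/mmap_find_vma()):
 * guest = host - guest_base. The check the report asks for: a candidate
 * whose guest address is 0 (or below the guest's mmap_min_addr) must be
 * rejected and the search continued, never returned to the guest as a
 * success. Returns 1 and stores the guest address when usable, 0 otherwise. */
int h2g_checked(uintptr_t host, uintptr_t guest_base,
                uintptr_t guest_min_addr, uintptr_t *guest_out)
{
    if (host < guest_base)
        return 0;                      /* outside the guest window */
    uintptr_t guest = host - guest_base;
    if (guest < guest_min_addr)
        return 0;                      /* would be NULL or below min addr */
    *guest_out = guest;
    return 1;
}

/* Value-returning wrapper (also an assumption): the guest address, or 0
 * when the candidate is rejected. Since 0 is never a valid result, it can
 * double as the error marker here. */
uintptr_t h2g_or_zero(uintptr_t host, uintptr_t guest_base,
                      uintptr_t guest_min_addr)
{
    uintptr_t guest;
    return h2g_checked(host, guest_base, guest_min_addr, &guest) ? guest : 0;
}

/* Thread body standing in for the unit test's threads: nothing to do. */
static void *worker(void *arg)
{
    (void)arg;
    return NULL;
}

/* Create and join n threads in a loop, like the test in the report. Each
 * pthread_create() goes through glibc's allocate_stack(), which calls
 * mmap(NULL, 8 MiB, ...) for the stack. Returns the number of completed
 * create+join cycles; a short count means pthread_create() failed. */
int thread_churn(int n)
{
    int done = 0;
    for (int i = 0; i < n; i++) {
        pthread_t t;
        if (pthread_create(&t, NULL, worker, NULL) != 0)
            break;
        if (pthread_join(t, NULL) != 0)
            break;
        done++;
    }
    return done;
}

/* Direct check of the contract without glibc's assert in the way: map and
 * unmap n anonymous regions with the size and flags glibc uses for a thread
 * stack (0x20000 in the guest strace is MAP_STACK). Returns 1 if every
 * result satisfied mmap_result_is_sane(), 0 otherwise. */
int mmap_churn(int n, size_t len)
{
    for (int i = 0; i < n; i++) {
        void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
        if (!mmap_result_is_sane(p))
            return 0;
        munmap(p, len);
    }
    return 1;
}

int main(void)
{
    size_t stack_len = (size_t)8 << 20;   /* 8388608, as in the straces */
    printf("thread cycles completed: %d\n", thread_churn(2000));
    printf("mmap(NULL, ...) contract held: %d\n", mmap_churn(2000, stack_len));
    return 0;
}
```

Usage: `cc -O2 -pthread repro.c -o repro && ./repro` natively, or `arm-linux-gnueabihf-gcc -static -pthread repro.c -o repro-arm && qemu-arm-static --strace ./repro-arm` to watch the guest-side mmap2 results. The two churn functions stay separate on purpose: mmap_churn() isolates the emulator's mmap() from glibc's stack cache, so a zero result is visible even if allocate_stack() happens to reuse a cached stack instead of mapping a fresh one.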