CRASH at auto-restart syscall handling for SYSENTER
Created by: mgsiemens
The following app causes drrun to crash with a segmentation fault, possibly due to
a bug in auto-restart syscall handling when SYSENTER is the syscall gateway, in combination with some recent kernel changes (cit. @derekbruening).
/* server.c */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/wait.h>
#include <signal.h>
#define PORT "3490" // the port users will be connecting to
#define BACKLOG 10 // how many pending connections queue will hold
void sigchld_handler(int s)
{
(void)s; // quiet unused variable warning
// waitpid() might overwrite errno, so we save and restore it:
int saved_errno = errno;
while(waitpid(-1, NULL, WNOHANG) > 0);
errno = saved_errno;
}
// get sockaddr, IPv4 or IPv6:
void *get_in_addr(struct sockaddr *sa)
{
if (sa->sa_family == AF_INET) {
return &(((struct sockaddr_in*)sa)->sin_addr);
}
return &(((struct sockaddr_in6*)sa)->sin6_addr);
}
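/*
 * Minimal forking TCP server (reproducer): binds PORT on every local
 * address (NULL node + AI_PASSIVE = wildcard), installs a SIGCHLD reaper
 * with SA_RESTART, then accepts connections forever. Each child sends
 * "Hello, world!" and exits; the parent closes its copy of the socket.
 *
 * Returns 1 / exits 1 on any setup failure; the accept loop never ends,
 * so the final `return 0` is nominal.
 */
int main(void)
{
    int sockfd = -1, new_fd;            // listen on sockfd, new connection on new_fd
    struct addrinfo hints, *servinfo, *p;
    struct sockaddr_storage their_addr; // connector's address information
    socklen_t sin_size;
    struct sigaction sa;
    int yes = 1;
    char s[INET6_ADDRSTRLEN];
    int rv;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE; // use my IP (all interfaces, since node is NULL)

    if ((rv = getaddrinfo(NULL, PORT, &hints, &servinfo)) != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rv));
        return 1;
    }

    // loop through all the results and bind to the first we can
    for (p = servinfo; p != NULL; p = p->ai_next) {
        if ((sockfd = socket(p->ai_family, p->ai_socktype,
                             p->ai_protocol)) == -1) {
            perror("server: socket");
            continue;
        }
        if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes,
                       sizeof(int)) == -1) {
            perror("setsockopt");
            exit(1);
        }
        if (bind(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
            close(sockfd);
            perror("server: bind");
            continue;
        }
        break;
    }
    freeaddrinfo(servinfo); // all done with this structure

    if (p == NULL) {
        fprintf(stderr, "server: failed to bind\n");
        exit(1);
    }

    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }

    // Zero the whole struct first: only sa_handler/sa_mask/sa_flags are set
    // explicitly, and the remaining fields must not be indeterminate.
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler; // reap all dead processes
    sigemptyset(&sa.sa_mask);
    // SA_RESTART is the point of this reproducer: a SIGCHLD arriving during
    // accept() restarts the syscall instead of failing it with EINTR.
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGCHLD, &sa, NULL) == -1) {
        perror("sigaction");
        exit(1);
    }

    printf("server: waiting for connections...\n");

    while (1) { // main accept() loop
        sin_size = sizeof their_addr;
        new_fd = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size);
        if (new_fd == -1) {
            perror("accept");
            continue;
        }

        // inet_ntop() can fail (e.g. unexpected family); never print an
        // uninitialized buffer in that case.
        if (inet_ntop(their_addr.ss_family,
                      get_in_addr((struct sockaddr *)&their_addr),
                      s, sizeof s) == NULL) {
            snprintf(s, sizeof s, "%s", "(unknown)");
        }
        printf("server: got connection from %s\n", s);

        // Flush before fork() so buffered stdout is not duplicated into the
        // child when stdout is not a terminal (pipe/file).
        fflush(stdout);

        pid_t pid = fork();
        if (pid == -1) {
            // The original treated -1 like "parent": the connection was
            // silently dropped. Report it; the parent keeps serving.
            perror("fork");
        } else if (pid == 0) { // this is the child process
            close(sockfd); // child doesn't need the listener
            if (send(new_fd, "Hello, world!", 13, 0) == -1) {
                perror("send");
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd); // parent doesn't need this
    }

    return 0;
}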
Versions:
- drrun version 7.91.18323
- gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
- Linux host 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
- gdb 8.1-0ubuntu3.2
App built via:
gcc -m32 server.c -o server
Execution via X86_32:
/home/mg/D.I.C.E/core/src/tracer/dynamorio/dynamorio-linux/build32/bin32/drrun -32 -debug -loglevel 4 -- /home/mg/tmp/server
<log dir=/home/mg/D.I.C.E/core/src/tracer/dynamorio/dynamorio-linux/build32/bin32/../logs/server.4122.00000000>
<Starting application /home/mg/tmp/server (4122)>
<Initial options = -no_dynamic_options -loglevel 4 -code_api -stack_size 56K -signal_stack_size 32K -max_elide_jmp 0 -max_elide_call 0 -early_inject -emulate_brk -no_inline_ignored_syscalls -native_exec_default_list '' -no_native_exec_managed_code -no_indcall2direct >
<Paste into GDB to debug DynamoRIO clients:
set confirm off
add-symbol-file '/home/mg/D.I.C.E/core/src/tracer/dynamorio/dynamorio-linux/build32/lib32/debug/libdynamorio.so' 0xf7c5bdd8
>
server: waiting for connections...
server: got connection from 127.0.0.1
<-- parent 4122 forked child 4168 -->
<log dir=/home/mg/D.I.C.E/core/src/tracer/dynamorio/dynamorio-linux/build32/bin32/../logs/server.4168.00000000>
<Stopping application /home/mg/tmp/server (4168)>
Segmentation fault
Then, from a second shell, run `nc localhost 3490`
to trigger the fork.
Additional context:
This problem did not appear on X86_64. For further details see the original discussion: https://groups.google.com/forum/#!topic/dynamorio-users/G_m3wqSxz9w ("Running an app that uses a SIGCHLD handler for zombie process reaping")