Package: clang
Version: 1:9.0-49.1
Severity: normal
Hi,

(I guess that is either me doing something wrong or an upstream bug, but I
can't test non-Debian clang versions and have no account for reporting
upstream anyhow, nor a good idea where it belongs, so I would appreciate it
if you could test this and/or pass it on.)

Given a shared library with function multi-versioning I want to fuzz with
libFuzzer, the compilation seems fine (except for a strange unused warning),
but the fuzzer crashes instantly:

$ CXX=clang++ ../reproducer.sh
| + clang++ -Wall -Wextra -fsanitize=fuzzer-no-link -fPIC -c foobar.cc
| foobar.cc:3:46: warning: unused function 'bar_impl' [-Wunused-function]
| __attribute__((target("sse4.2"))) static int bar_impl() { return 1; }
|                                              ^
| 1 warning generated.
| + clang++ -Wall -Wextra -shared -o libfoobar.so foobar.o
| + clang++ -Wall -Wextra -fsanitize=fuzzer fuzzer.cc -L. -lfoobar -o fuzzer
| + LD_LIBRARY_PATH=. ./fuzzer
| Segmentation fault (core dumped)

The backtrace is:

| #0  0x0000000000001036 in ?? ()
| #1  0x00007f9dce37983f in bar_impl() [clone .resolver] () from ./libfoobar.so
| #2  0x00007f9dce5893da in elf_machine_rela (skip_ifunc=<optimized out>, reloc_addr_arg=0x7f9dce37bfd8, version=<optimized out>, sym=<optimized out>, reloc=0x7f9dce378888, map=0x7f9dce54a4f0) at ../sysdeps/x86_64/dl-machine.h:330
| #3  elf_dynamic_do_Rela (skip_ifunc=<optimized out>, lazy=<optimized out>, nrelative=<optimized out>, relsize=<optimized out>, reladdr=<optimized out>, map=0x7f9dce54a4f0) at do-rel.h:137
| #4  _dl_relocate_object (l=l@entry=0x7f9dce54a4f0, scope=<optimized out>, reloc_mode=<optimized out>, consider_profiling=<optimized out>, consider_profiling@entry=0) at dl-reloc.c:254
| #5  0x00007f9dce580d0a in dl_main (phdr=<optimized out>, phnum=<optimized out>, user_entry=<optimized out>, auxv=<optimized out>) at rtld.c:2259
| #6  0x00007f9dce5957cf in _dl_sysdep_start (start_argptr=start_argptr@entry=0x7fff3a3edc00, dl_main=dl_main@entry=0x7f9dce57f3a0 <dl_main>) at ../elf/dl-sysdep.c:253
| #7  0x00007f9dce57ef04 in _dl_start_final (arg=0x7fff3a3edc00) at rtld.c:447
| #8  _dl_start (arg=0x7fff3a3edc00) at rtld.c:537
| #9  0x00007f9dce57e098 in _start () from /lib64/ld-linux-x86-64.so.2
| #10 0x0000000000000001 in ?? ()
| #11 0x00007fff3a3ef527 in ?? ()
| #12 0x0000000000000000 in ?? ()

The crash happens with clang versions 9 (1:9.0.1-12), 10 (1:10.0.0-4) and
11 (1:11~++20200411120955+c65e6079fc9-1~exp1).

Note that bar_impl() or bar() is not even called in the fuzzer.

clang-11 has gained the option -fsanitize-coverage-blacklist, which I found
and tried on a whim, and it gives me the expected result:

$ cat ../blacklist.txt
| fun:*.resolver
$ CXX=clang++-11 CXXFLAGS="-fsanitize-coverage-blacklist=../blacklist.txt" ../reproducer.sh
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -fsanitize=fuzzer-no-link -fPIC -c foobar.cc
| foobar.cc:3:46: warning: unused function 'bar_impl' [-Wunused-function]
| __attribute__((target("sse4.2"))) static int bar_impl() { return 1; }
|                                              ^
| 1 warning generated.
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -shared -o libfoobar.so foobar.o
| + clang++-11 -fsanitize-coverage-blacklist=../blacklist.txt -Wall -Wextra -fsanitize=fuzzer fuzzer.cc -L. -lfoobar -o fuzzer
| + LD_LIBRARY_PATH=. ./fuzzer
[…]
| fuzzer: fuzzer.cc:8: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `foo() == 2' failed.
[…]

(The existing -fsanitize-blacklist option did not have an effect.)

Attached is the reproducer.sh script I was using here.

Best regards

David Kalnischkies
Attachments:
- reproducer.sh (Bourne shell script)
- signature.asc (PGP signature)
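Added example, not part of the bug report above and not code from clang or libFuzzer. The backtrace places the crash inside `bar_impl() [clone .resolver]`, called from `elf_machine_rela` while ld.so is still relocating libfoobar.so, which is the ifunc resolver clang emits for a `target(...)`-multi-versioned function. The program below reproduces that timing with a hand-written ifunc: the resolver records whether any constructor in the process had run yet and whether a callback that a "sanitizer runtime" installs from a constructor was available. It runs before both, so an instrumented resolver that calls into the coverage runtime through the normal linkage is executing code the process is not ready for. All names (`g_cov_hook`, `fake_sanitizer_runtime_init`, `bar_resolver`, `foo`) are hypothetical; it needs an ELF/glibc toolchain (gcc or clang), selects an SSE4.2 variant on x86 and the generic one elsewhere.

```cpp
// Added example (not from the bug report, clang or libFuzzer): an ifunc
// resolver runs while the dynamic linker applies relocations, before any
// constructor in the process has executed.  A coverage callback that a
// sanitizer runtime installs from a constructor therefore does not exist
// yet when an instrumented resolver tries to use it.
#include <cstdio>

namespace {

// Two implementations of one function, as function multi-versioning
// would produce for target("default") and target("sse4.2").
int bar_generic() { return 1; }
int bar_sse42()   { return 2; }

// Stand-in for a sanitizer coverage callback (hypothetical).  Like a
// real runtime, it is installed from a constructor, so it is null before.
void cov_hook_impl(const char*) {}
void (*g_cov_hook)(const char*) = nullptr;
bool g_ctor_ran = false;

__attribute__((constructor)) void fake_sanitizer_runtime_init() {
    g_cov_hook = cov_hook_impl;
    g_ctor_ran = true;
}

// What the resolver observed, kept for inspection after startup.
int  g_resolver_calls = 0;
bool g_ctor_seen_by_resolver = false;
bool g_hook_missing_in_resolver = false;

} // namespace

typedef int (*bar_fn)();

// The resolver.  ld.so calls it once while processing the IRELATIVE
// relocation for bar() and stores the returned address.
extern "C" bar_fn bar_resolver() {
    ++g_resolver_calls;
    g_ctor_seen_by_resolver    = g_ctor_ran;
    g_hook_missing_in_resolver = (g_cov_hook == nullptr);
    // An instrumented resolver would call the hook unconditionally; the
    // guard keeps this example running instead of jumping through null.
    if (g_cov_hook) g_cov_hook("bar_resolver");
#if defined(__x86_64__) || defined(__i386__)
    // Constructors have not run, so the compiler's CPU-feature table must
    // be initialised by hand before it is queried.
    __builtin_cpu_init();
    if (__builtin_cpu_supports("sse4.2")) return bar_sse42;
#endif
    return bar_generic;
}

// Hidden visibility keeps the reference local, so the linker emits an
// IRELATIVE relocation that ld.so resolves eagerly at load time.
__attribute__((visibility("hidden"))) int bar() __attribute__((ifunc("bar_resolver")));

int  foo() { return bar() + 1; }
int  resolver_calls()           { return g_resolver_calls; }
bool ctor_seen_by_resolver()    { return g_ctor_seen_by_resolver; }
bool hook_missing_in_resolver() { return g_hook_missing_in_resolver; }

int main() {
    std::printf("bar() = %d, resolver calls = %d\n", bar(), resolver_calls());
    std::printf("constructor had run when the resolver executed: %s\n",
                ctor_seen_by_resolver() ? "yes" : "no");
    std::printf("coverage hook available inside the resolver: %s\n",
                hook_missing_in_resolver() ? "no" : "yes");
    return 0;
}
```

On a real build the practitioner's check is to confirm that the resolver clone is what the exclusion matches: `nm -C libfoobar.so | grep -F '.resolver'` lists the `[clone .resolver]` symbol from the backtrace, and a `fun:*.resolver` entry in the file passed to `-fsanitize-coverage-blacklist` (clang 11 and later, as the report notes) keeps coverage instrumentation out of exactly those functions while the real implementations stay instrumented.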