
Trinity Bug Log #225

Open
rennergade opened this issue Mar 29, 2022 · 4 comments

@rennergade
Contributor

rennergade commented Mar 29, 2022

This issue is going to be used for bugs that Tristan finds using trinity. We can assign them as we find them.

@TristanB22 post each bug you find with a backtrace if possible, and any additional information you can figure out. (I'll post the first one for example).

@rennergade
Contributor Author

Bug 1: CopyPathFromUser
cause: User supplied bad src address (0x20)


Thread 14 "sel_ldr" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7572640 (LWP 1097775)]
0x00007ffff78ba06e in __strncpy_avx2 () from /usr/lib/libc.so.6
@ [#14:__strncpy_avx2()] bt
#0  0x00007ffff78ba06e in __strncpy_avx2 () from /usr/lib/libc.so.6
#1  0x000055555559ac80 in NaClCopyInFromUserZStr (nap=0x7fffd408a300, dst_buffer=0x7ffff75718a0 "", dst_buffer_bytes=1024, src_usr_addr=20) at src/trusted/service_runtime/nacl_copy.c:62
#2  0x0000555555576cb3 in CopyPathFromUser (nap=0x7fffd408a300, dest=0x7ffff75718a0 "", num_bytes=1024, src=20) at src/trusted/service_runtime/nacl_syscall_common.c:678
#3  0x000055555557fb6e in NaClSysStatfs (natp=0x7fffd4099a30, pathname=0x14 <error: Cannot access memory at address 0x14>, buf=0x0) at src/trusted/service_runtime/nacl_syscall_common.c:5046
#4  0x0000555555583fea in NaClSysStatfsDecoder (natp=0x7fffd4099a30) at scons-out/dbg-linux-x86-64/gen/native_client/src/trusted/service_runtime/nacl_syscall_handlers.c:6333
#5  0x000055555559d9d4 in NaClSyscallCSegHook (ntcp=0x7fffd4099a30) at src/trusted/service_runtime/nacl_syscall_hook.c:149
#6  0x0000555555592470 in NaClSyscallSegRegsSaved () at src/trusted/service_runtime/arch/x86_64/nacl_syscall_64.S:211
#7  0x00007ffff7571d90 in ?? ()
#8  0x00005555555727e8 in NaClAppThreadLauncher (state=0xfffeffac) at src/trusted/service_runtime/nacl_app_thread.c:340
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
@ [#14:__strncpy_avx2()] 

@rennergade
Contributor Author

Bug 2: SendTo/get_sockaddr
cause: user supplied bad dest/addrlen

[Switching to Thread 0x7ffff74cd640 (LWP 1097784)]
0x00007ffff7f2b13d in rustposix::interface::types::get_sockaddr () from /home/lind/lind_project/lind/lindenv/librustposix.so
@ [#23:rustposix::interface::types::get_sockaddr()] bt
#0  0x00007ffff7f2b13d in rustposix::interface::types::get_sockaddr () from /home/lind/lind_project/lind/lindenv/librustposix.so
#1  0x00007ffff7f2bfba in dispatcher () from /home/lind/lind_project/lind/lindenv/librustposix.so
#2  0x00005555555e13db in lind_sendto (sockfd=23, buf=0x1cf5fe0e0000, len=62189, flags=8419, dest_addr=0x1cf580c00100, addrlen=405045352, cageid=7) at src/shared/platform/lind_platform.c:186
#3  0x000055555557ef47 in NaClSysSendto (natp=0x7fffd4171960, sockfd=23, buf=0xfe0e0000, len=62189, flags=8419, dest_addr=0x80c00100, addrlen=405045352) at src/trusted/service_runtime/nacl_syscall_common.c:4782
#4  0x0000555555583c09 in NaClSysSendtoDecoder (natp=0x7fffd4171960) at scons-out/dbg-linux-x86-64/gen/native_client/src/trusted/service_runtime/nacl_syscall_handlers.c:5589
#5  0x000055555559d9d4 in NaClSyscallCSegHook (ntcp=0x7fffd4171960) at src/trusted/service_runtime/nacl_syscall_hook.c:149
#6  0x0000555555592470 in NaClSyscallSegRegsSaved () at src/trusted/service_runtime/arch/x86_64/nacl_syscall_64.S:211
#7  0x00007ffff74ccd90 in ?? ()
#8  0x00005555555727e8 in NaClAppThreadLauncher (state=0xfffeffac) at src/trusted/service_runtime/nacl_app_thread.c:340

@jesings
Member

jesings commented Mar 29, 2022

Both of these so far are variations on the EFAULT issue which I started to attempt to tackle like 2 years ago but it was too difficult (we would be required to check the NaCl Vmmap for every pointer we had).
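The check described in the comment above, written out as an added example in C; this is not Lind's or NaCl's own code. A hypothetical SandboxMap (a table of mapped untrusted regions over a host buffer) stands in for the NaCl Vmmap, whose real API is different, and the two copy-in routines and the demo sandbox layout are assumptions made for illustration. It shows the two failure shapes from the first two reports: a path pointer into an unmapped address (0x14 in Bug 1) and a sockaddr whose user-chosen addrlen is absurdly large (405045352 in Bug 2), both rejected with EFAULT/EINVAL before any host memory is dereferenced, plus the wraparound and run-off-the-end-of-region cases a byte-at-a-time strncpy would miss.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for the sandbox address-space map (the real NaCl
 * Vmmap has a different API): a table of readable untrusted regions plus
 * the host memory that backs the whole sandbox range. */
typedef struct { uint32_t start, len; } UserRegion;
typedef struct {
    const UserRegion *regions;
    size_t count;
    const uint8_t *mem;
    uint32_t mem_size;
} SandboxMap;

/* Nonzero iff [addr, addr+len) is non-empty and inside one mapped region.
 * Arithmetic is done in 64 bits so addr+len cannot wrap past the check. */
static int user_range_ok(const SandboxMap *map, uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT32_MAX || len > UINT32_MAX) return 0;
    uint64_t end = addr + len;
    if (end > map->mem_size) return 0;
    for (size_t i = 0; i < map->count; i++) {
        const UserRegion *r = &map->regions[i];
        if (addr >= r->start && end <= (uint64_t)r->start + r->len) return 1;
    }
    return 0;
}

/* Copy a NUL-terminated path out of the sandbox one byte at a time, checking
 * each address before it is read. Returns the string length, -EFAULT if an
 * unmapped byte would be touched (the 0x14 case from the first report), or
 * -ENAMETOOLONG if no NUL appears within dst_size bytes. */
int copy_path_from_user_checked(const SandboxMap *map, char *dst,
                                size_t dst_size, uint32_t src_addr)
{
    for (size_t n = 0; n < dst_size; n++) {
        uint64_t a = (uint64_t)src_addr + n;
        if (!user_range_ok(map, a, 1)) return -EFAULT;
        dst[n] = (char)map->mem[a];
        if (dst[n] == '\0') return (int)n;
    }
    dst[0] = '\0';
    return -ENAMETOOLONG;
}

/* Copy a sockaddr whose length the caller chose. A zero or oversized addrlen
 * is rejected before any memory is touched (-EINVAL); otherwise the whole
 * [dest_addr, dest_addr+addrlen) range must be mapped (-EFAULT). */
int copy_sockaddr_from_user_checked(const SandboxMap *map,
                                    struct sockaddr_storage *out,
                                    uint32_t dest_addr, uint32_t addrlen)
{
    if (addrlen == 0 || addrlen > sizeof *out) return -EINVAL;
    if (!user_range_ok(map, dest_addr, addrlen)) return -EFAULT;
    memset(out, 0, sizeof *out);
    memcpy(out, map->mem + dest_addr, addrlen);
    return 0;
}

/* Constructed demo sandbox (assumed layout): 12 KiB of backing memory with two
 * mapped regions, [0x1000,0x1400) and [0x2000,0x2100). Everything else,
 * including address 0x14, is unmapped. */
static uint8_t demo_mem[0x3000];
static const UserRegion demo_regions[] = { { 0x1000, 0x400 }, { 0x2000, 0x100 } };
static SandboxMap demo_map_storage;
char demo_path[1024];
struct sockaddr_storage demo_sa;

const SandboxMap *demo_map(void)
{
    static int ready;
    if (!ready) {
        memcpy(demo_mem + 0x1000, "/tmp/x", 7);   /* valid path, NUL included */
        memset(demo_mem + 0x13F8, 'a', 8);        /* runs to region end, no NUL */
        memset(demo_mem + 0x2000, 'b', 0x100);    /* whole region, no NUL */
        demo_map_storage = (SandboxMap){ demo_regions, 2, demo_mem, sizeof demo_mem };
        ready = 1;
    }
    return &demo_map_storage;
}

int main(void)
{
    const SandboxMap *m = demo_map();
    printf("path @0x1000 -> %d (%s)\n",
           copy_path_from_user_checked(m, demo_path, sizeof demo_path, 0x1000), demo_path);
    printf("path @0x14 -> %d (expect -EFAULT=%d)\n",
           copy_path_from_user_checked(m, demo_path, sizeof demo_path, 0x14), -EFAULT);
    printf("sockaddr addrlen 405045352 -> %d (expect -EINVAL=%d)\n",
           copy_sockaddr_from_user_checked(m, &demo_sa, 0x80c00100u, 405045352u), -EINVAL);
    return 0;
}
```

The point of checking per byte (or, in a real implementation, per page) rather than once at the start is the third case: a string that is mapped where it begins but has no terminator before the region ends. A single range check on the pointer alone passes it, and strncpy then walks off into unmapped memory exactly as in the first backtrace.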

@rennergade
Contributor Author

Bug 3: epoll_create
Seems to deadlock in the epoll_object_allocator

stack backtrace:
   0: std::panicking::begin_panic
             at /rustc/003d8d3f56848b6f3833340e859b089a09aea36a/library/std/src/panicking.rs:543:12
   1: std::sys::unix::rwlock::RWLock::read
             at /rustc/003d8d3f56848b6f3833340e859b089a09aea36a/library/std/src/sys/unix/rwlock.rs:49:13
   2: std::sys_common::rwlock::MovableRWLock::read
             at /rustc/003d8d3f56848b6f3833340e859b089a09aea36a/library/std/src/sys_common/rwlock.rs:84:18
   3: std::sync::rwlock::RwLock<T>::read
             at /rustc/003d8d3f56848b6f3833340e859b089a09aea36a/library/std/src/sync/rwlock.rs:206:13
   4: rustposix::safeposix::cage::Cage::get_next_fd
             at /home/lind/lind_project/src/safeposix-rust/src/safeposix/cage.rs:105:25
   5: rustposix::safeposix::syscalls::net_calls::<impl rustposix::safeposix::cage::Cage>::_epoll_object_allocator
             at /home/lind/lind_project/src/safeposix-rust/src/safeposix/syscalls/net_calls.rs:1265:30
   6: rustposix::safeposix::syscalls::net_calls::<impl rustposix::safeposix::cage::Cage>::epoll_create_syscall
             at /home/lind/lind_project/src/safeposix-rust/src/safeposix/syscalls/net_calls.rs:1288:16
   7: rustposix::safeposix::dispatcher::dispatcher::{{closure}}
             at /home/lind/lind_project/src/safeposix-rust/src/safeposix/dispatcher.rs:93:16
   8: dispatcher
             at /home/lind/lind_project/src/safeposix-rust/src/safeposix/dispatcher.rs:355:13
   9: lind_epoll_create
             at /home/lind/lind_project/src/native_client/src/shared/platform/lind_platform.c:222:5
  10: NaClSysEpollCreate
             at /home/lind/lind_project/src/native_client/src/trusted/service_runtime/nacl_syscall_common.c:5541:9
  11: NaClSysEpollCreateDecoder
             at /home/lind/lind_project/src/native_client/scons-out/dbg-linux-x86-64/gen/native_client/src/trusted/service_runtime/nacl_syscall_handlers.c:6913:10
  12: NaClSyscallCSegHook
             at /home/lind/lind_project/src/native_client/src/trusted/service_runtime/nacl_syscall_hook.c:149:15
  13: <unknown>
             at /home/lind/lind_project/src/native_client/src/trusted/service_runtime/arch/x86_64/nacl_syscall_64.S:211
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
fatal runtime error: failed to initiate panic, error 5
