Binaries built with libasan randomly segfault with kernel 6.7.arch3-1

Description:

I'm not completely sure who to blame here (kernel or libasan), but tonight our upstream systemd CI cron job noticed a bug when running tests with sanitizers, where the sanitized binaries randomly crash with SIGSEGV. This can be reproduced quite easily with a simple hello world program, can be reproduced with both gcc and clang, and the issue disappears after downgrading the kernel to 6.6.10-arch1-1.

Additional info:

# pacman -Q clang compiler-rt gcc linux
clang 16.0.6-1
compiler-rt 16.0.6-2
gcc 13.2.1-3
linux 6.7.arch3-1

Steps to reproduce:

// main.c
#include <stdio.h>

int main(void) {
        puts("Hello world");
        return 0;
}
# gcc -o main main.c -fsanitize=address
# for _ in {0..50}; do ./main || break; done
Hello world
AddressSanitizer:DEADLYSIGNAL
=================================================================
==751==ERROR: AddressSanitizer: SEGV on unknown address 0x6382b470ee78 (pc 0x757056cf538f bp 0x000000000000 sp 0x7ffd0eaf58c0 T0)
==751==The signal is caused by a READ memory access.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
# clang -o main main.c -fsanitize=address
# for _ in {0..50}; do ./main || break; done
Hello world
Hello world
Hello world
Hello world
Segmentation fault (core dumped)
[  274.499336] kernel: get_sigframe: 10 callbacks suppressed
[  274.499342] kernel: signal: main[811] overflowed sigaltstack
...
[  274.540419] systemd[1]: Started Process Core Dump (PID 812/UID 0).
[  274.540934] audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-812-0 comm="systemd" exe="/usr/lib/systemd/>
[  274.530644] kernel: audit: type=1130 audit(1705318187.949:147): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@5-812-0 comm="sys>
[  274.613988] systemd-coredump[813]: [🡕] Process 811 (main) of user 0 dumped core.
                                      
                                      Stack trace of thread 811:
                                      #0  0x000062a5071665c0 n/a (n/a + 0x0)
                                      ELF object binary architecture: AMD x86-64
[  274.617160] systemd[1]: systemd-coredump@5-812-0.service: Deactivated successfully.
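The kernel line `signal: main[811] overflowed sigaltstack` is the key diagnostic in the log above: it is printed when the signal frame the kernel has to push does not fit on the alternate signal stack the process installed (here, the one the sanitizer runtime sets up for its crash handler), so the handler can never run and the process dies. As an added triage example, not part of this report and not code from libasan or the kernel, the C program below reports the kernel's advertised minimum signal-stack size (the `AT_MINSIGSTKSZ` auxv tag), the libc's `MINSIGSTKSZ`/`SIGSTKSZ`, and then installs an alternate stack of a chosen size, delivers `SIGUSR1` onto it and measures how much of that stack the kernel frame plus the handler actually consumed. The `altstack_probe` struct and the function names are my own; the program assumes Linux with glibc or musl.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Older glibc headers do not expose this auxv tag; 51 is the value Linux uses. */
#ifndef AT_MINSIGSTKSZ
#define AT_MINSIGSTKSZ 51
#endif

/* Result of one probe (hypothetical type, defined for this example). */
struct altstack_probe {
    size_t stack_size;   /* bytes handed to sigaltstack() */
    int on_altstack;     /* 1 if the handler really ran on the alternate stack */
    size_t bytes_used;   /* distance from the alt stack's top to the handler's frame */
    int error;           /* errno of the failing call, 0 on success */
};

/* Filled in by the handler; the signal is raised synchronously, so globals suffice. */
static volatile uintptr_t probe_handler_sp;
static volatile int probe_handler_onstack;

static void probe_handler(int signo) {
    stack_t cur;
    volatile char marker = 0;            /* lives in the handler's own frame */
    (void)signo;
    probe_handler_sp = (uintptr_t)&marker;
    probe_handler_onstack = (sigaltstack(NULL, &cur) == 0) && (cur.ss_flags & SS_ONSTACK);
}

/* Kernel's advertised minimum signal frame; 0 where the kernel/arch does not provide it. */
unsigned long kernel_min_sigstack(void) {
    return getauxval(AT_MINSIGSTKSZ);
}

/* libc view: on glibc >= 2.34 these may expand to sysconf() calls rather than constants. */
long libc_minsigstksz(void) {
#ifdef MINSIGSTKSZ
    return (long)MINSIGSTKSZ;
#else
    return -1;
#endif
}
long libc_sigstksz(void) {
#ifdef SIGSTKSZ
    return (long)SIGSTKSZ;
#else
    return -1;
#endif
}

/* Install an alternate stack of stack_size bytes, deliver SIGUSR1 onto it and
 * measure how much of that stack the kernel frame plus the handler consumed.
 * The kernel rejects stacks below its minimum with ENOMEM, which is reported in .error. */
struct altstack_probe probe_altstack(size_t stack_size) {
    struct altstack_probe r = { .stack_size = stack_size };
    stack_t ss, old_ss;
    struct sigaction sa, old_sa;
    void *mem = malloc(stack_size);
    if (!mem) { r.error = ENOMEM; return r; }

    ss.ss_sp = mem; ss.ss_size = stack_size; ss.ss_flags = 0;
    if (sigaltstack(&ss, &old_ss) != 0) { r.error = errno; free(mem); return r; }

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sa.sa_flags = SA_ONSTACK;            /* without SA_ONSTACK the alt stack is never used */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old_sa) != 0) {
        r.error = errno;
        sigaltstack(&old_ss, NULL); free(mem); return r;
    }

    probe_handler_sp = 0; probe_handler_onstack = 0;
    raise(SIGUSR1);                      /* synchronous: the handler has run when this returns */

    r.on_altstack = probe_handler_onstack;
    uintptr_t top = (uintptr_t)mem + stack_size;
    if (probe_handler_sp >= (uintptr_t)mem && probe_handler_sp < top)
        r.bytes_used = (size_t)(top - probe_handler_sp);

    sigaction(SIGUSR1, &old_sa, NULL);   /* restore the previous disposition and stack */
    sigaltstack(&old_ss, NULL);
    free(mem);
    return r;
}

int main(void) {
    printf("AT_MINSIGSTKSZ (kernel): %lu\n", kernel_min_sigstack());
    printf("MINSIGSTKSZ (libc): %ld, SIGSTKSZ (libc): %ld\n", libc_minsigstksz(), libc_sigstksz());
    struct altstack_probe p = probe_altstack(64 * 1024);
    if (p.error) { printf("probe failed: %s\n", strerror(p.error)); return 1; }
    printf("64 KiB alt stack: handler on altstack=%d, bytes used=%zu\n", p.on_altstack, p.bytes_used);
    return 0;
}
```

Compiled without sanitizers (`gcc -o altstack_probe altstack_probe.c`) and run under the working 6.6.10 kernel and the failing 6.7 kernel, the two `AT_MINSIGSTKSZ` and `bytes used` figures show directly whether the kernel's signal frame grew between the two, which is the question a bisection of this report needs answered before deciding whether the runtime's fixed alternate-stack size or the kernel is at fault.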