https://sourceware.org/bugzilla/show_bug.cgi?id=28685
Bug ID: 28685
Summary: UBSan: member access within misaligned address 0x7ff316818032 for type 'struct Elf32_Phdr'
Product: elfutils
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libelf
Assignee: unassigned at sourceware dot org
Reporter: evvers at ya dot ru
CC: elfutils-devel at sourceware dot org
Target Milestone: ---
Created attachment 13845
--> https://sourceware.org/bugzilla/attachment.cgi?id=13845&action=edit
File triggering an "alignment" check
Trying to integrate the fuzz target into the test suite in
https://github.com/evverx/elfutils/pull/49, I noticed that it triggered the
"alignment" check in both gcc and clang (which I think is a bug because
`--enable-sanitize-undefined` explicitly turns off misaligned access). It can
be reproduced by building elfutils with UBSan and passing the attachment to
`./src/stack`:
```
autoreconf -i -f
./configure --enable-maintainer-mode --enable-sanitize-undefined CFLAGS='-g -O1 -fno-omit-frame-pointer' CXXFLAGS='-g -O1 -fno-omit-frame-pointer'
make -j$(nproc) V=1
UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libelf:./libdw" ./src/stack --core ../oss-fuzz-41575
$ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1 LD_LIBRARY_PATH="./libelf:./libdw" ./src/stack --core ../oss-fuzz-41575
gelf_xlate.h:42:1: runtime error: member access within misaligned address 0x7f019ba78032 for type 'struct Elf32_Phdr', which requires 4 byte alignment
0x7f019ba78032: note: pointer points here
 2b 00 48 00 00 00 00 10 00 ff ff 7f 45 4c 46 01 01 01 0c 00 ff 00 00 00 00 00 00 04 00 3e ff 00
 ^
    #0 0x7f019d8fa5ea in Elf32_cvt_Phdr /home/vagrant/elfutils/libelf/gelf_xlate.h:42
    #1 0x7f019d8f85f3 in elf32_xlatetom /home/vagrant/elfutils/libelf/elf32_xlatetom.c:104
    #2 0x7f019d827a76 in dwfl_segment_report_module /home/vagrant/elfutils/libdwfl/dwfl_segment_report_module.c:472
    #3 0x7f019d82c6db in _new.dwfl_core_file_report /home/vagrant/elfutils/libdwfl/core-file.c:559
    #4 0x402b0f in parse_opt /home/vagrant/elfutils/src/stack.c:595
    #5 0x7f019ca7d471 in argp_parse (/lib64/libc.so.6+0x11e471)
    #6 0x403d98 in main /home/vagrant/elfutils/src/stack.c:695
    #7 0x7f019c98c55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #8 0x7f019c98c60b in __libc_start_main_impl (/lib64/libc.so.6+0x2d60b)
    #9 0x4024c4 in _start (/home/vagrant/elfutils/src/stack+0x4024c4)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior gelf_xlate.h:42:1 in
```
Interestingly, judging by
https://copr-be.cloud.fedoraproject.org/results/packit/evverx-elfutils-49/fedora-rawhide-i386/03030724-elfutils/builder-live.log.gz
(where I ran the unit tests on i386), the file simply crashed the fuzz target there:
```
FAIL: run-fuzz-dwfl-core.sh
===
...
StandaloneFuzzTargetMain: running 1 inputs
Running: /builddir/build/BUILD/elfutils-0.186/tests/fuzz-dwfl-core-corpus/oss-fuzz-41575
timeout: the monitored command dumped core
./test-subr.sh: line 84: 20674 Segmentation fault      LD_LIBRARY_PATH="${built_library_path}${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH" $VALGRIND_CMD "$@"
*** failure in /builddir/build/BUILD/elfutils-0.186/tests/fuzz-dwfl-core-corpus/oss-fuzz-41575
FAIL run-fuzz-dwfl-core.sh (exit status: 1)
+ false
error: Bad exit status from /var/tmp/rpm-tmp.P3WRAR (%check)
```
On OSS-Fuzz (on x86_64) that file triggered an "oom" reported in
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41575:
```
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/oom-fa37b37eafe95a0ed4ef155ccb7f8178f177061d
==9982== ERROR: libFuzzer: out-of-memory (malloc(4294971391))
To change the out-of-memory limit use -rss_limit_mb=
    #0 0x52f411 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x470a38 in fuzzer::PrintStackTrace() cxa_noexception.cpp:0
    #2 0x454bb5 in fuzzer::Fuzzer::HandleMalloc(unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:131:3
    #3 0x454aca in fuzzer::MallocHook(void const volatile*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:100:6
    #4 0x536a37 in __sanitizer::RunMallocHooks(void const*, unsigned long) /src/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:308:5
    #5 0x4a6388 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:611:5
    #6 0x4a6549 in Calloc /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:748:17
    #7 0x4a6549 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) /src/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:969:34
    #8 0x525683 in __interceptor_calloc /src
```
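UBSan flags the `Elf32_Phdr` member access in `Elf32_cvt_Phdr` because the header in the core file sits at an address that is only 2-byte aligned, while the struct requires 4-byte alignment. The following is an added example, not elfutils code, showing how to detect such an address and how to decode a program header byte by byte from any offset; `phdr32`, `rd32le`, `phdr32_read` and the sample bytes are constructed stand-ins for the real `Elf32_Phdr` and the reporter's core file.

```c
#include <stddef.h>
#include <stdint.h>

/* Local mirror of Elf32_Phdr (constructed, same layout as glibc's): eight
   32-bit fields, so the struct itself needs 4-byte alignment. */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr;
    uint32_t p_filesz, p_memsz, p_flags, p_align;
} phdr32;

/* Would accessing a phdr32 through a pointer at p be a misaligned access? */
int phdr32_misaligned(const void *p)
{
    return ((uintptr_t)p % _Alignof(phdr32)) != 0;
}

/* Decode a little-endian 32-bit word byte by byte: no alignment
   requirement and no dependence on the host byte order. */
static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8
         | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read the program header at byte offset off of a len-byte buffer without
   ever forming a phdr32 pointer. Returns 0, or -1 if it does not fit. */
int phdr32_read(const unsigned char *buf, size_t len, size_t off, phdr32 *out)
{
    if (off > len || len - off < 32)
        return -1;
    const unsigned char *p = buf + off;
    out->p_type   = rd32le(p);      out->p_offset = rd32le(p + 4);
    out->p_vaddr  = rd32le(p + 8);  out->p_paddr  = rd32le(p + 12);
    out->p_filesz = rd32le(p + 16); out->p_memsz  = rd32le(p + 20);
    out->p_flags  = rd32le(p + 24); out->p_align  = rd32le(p + 28);
    return 0;
}

/* Constructed sample: two junk bytes, then one PT_LOAD header, so the header
   starts at offset 2 of a 4-byte-aligned buffer, like the ...32 address. */
_Alignas(4) const unsigned char sample[2 + 32] = {
    0x2b, 0x00,
    0x01,0x00,0x00,0x00, 0x00,0x10,0x00,0x00, /* p_type=1, p_offset=0x1000 */
    0x00,0x00,0x40,0x00, 0x00,0x00,0x40,0x00, /* p_vaddr=p_paddr=0x400000 */
    0x00,0x02,0x00,0x00, 0x00,0x02,0x00,0x00, /* p_filesz=p_memsz=0x200 */
    0x05,0x00,0x00,0x00, 0x00,0x10,0x00,0x00, /* p_flags=5, p_align=0x1000 */
};
phdr32 parsed; /* destination used by the checks below */
```

Casting `sample + 2` to `phdr32 *` is exactly the access UBSan reports; `phdr32_read` decodes the same bytes without it, and the bounds check rejects a header that would run past the end of the buffer.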