[Bug gdb/23326] New: make_output_phdrs mishandles inaccessible sections
timothywboddy at gmail dot com
2018-06-21 16:29:15 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

Bug ID: 23326
Summary: make_output_phdrs mishandles inaccessible sections
Product: gdb
Version: HEAD
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: gdb
Assignee: unassigned at sourceware dot org
Reporter: timothywboddy at gmail dot com
Target Milestone: ---

When make_output_phdrs is run it always sets the PF_R bit, regardless of
whether or not it should:

static void
make_output_phdrs (bfd *obfd, asection *osec, void *ignored)
{
  int p_flags = 0;
  int p_type = 0;

  /* FIXME: these constants may only be applicable for ELF. */
  if (startswith (bfd_section_name (obfd, osec), "load"))
    p_type = PT_LOAD;
  else if (startswith (bfd_section_name (obfd, osec), "note"))
    p_type = PT_NOTE;
  else
    p_type = PT_NULL;

  p_flags |= PF_R; /* Segment is readable. */


This is wrong because most processes have some sections that are entirely
inaccessible (not readable, writable or executable). Three common cases
include:

1) 4k page guards immediately prior to stack areas for pthreads
2) Regions of 2MB or 2MB-1k used to align the writable area for a shared
library
3) Heap tails for heaps used by glibc malloc, which on a 64-bit process
reserves 64MB per heap but typically marks only a very small prefix of the heap
as RW when the heap is created. The remainder is marked as inaccessible, to
reserve the space if the heap should need to grow.

It is misleading to mark these as readable because it gives misinformation
about the actual state of the process as of the time the heap was created. It
is wasteful in terms of disk space and time to create the core, particularly in
case (3) that such incorrectly marked sections actually have images written to
the core.

This is a regression but I haven't checked how recent it is. Older versions of
gdb correctly handled inaccessible sections by writing phdrs for inaccessible
sections, with PF_R correctly turned off and no image in the core.
--
You are receiving this mail because:
You are on the CC list for the bug.
simon.marchi at ericsson dot com
2018-06-28 14:57:12 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

Simon Marchi <simon.marchi at ericsson dot com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |simon.marchi at ericsson dot com

--- Comment #1 from Simon Marchi <simon.marchi at ericsson dot com> ---
GDB takes the mapping info from /proc/<pid>/smaps, which contains the RWX
information. So it should be possible to use that information to conditionally
put the PF_R flag.

7f07cf9a0000-7f07cfb60000 r-xp 00000000 fd:01 395798
/lib/x86_64-linux-gnu/libc-2.23.so
Size: 1792 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Rss: 1088 kB
Pss: 16 kB
Shared_Clean: 1088 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
Referenced: 1088 kB
Anonymous: 0 kB
LazyFree: 0 kB
AnonHugePages: 0 kB
ShmemPmdMapped: 0 kB
Shared_Hugetlb: 0 kB
Private_Hugetlb: 0 kB
Swap: 0 kB
SwapPss: 0 kB
Locked: 16 kB
VmFlags: rd ex mr mw me sd
7f07cfb60000-7f07cfd60000 ---p 001c0000 fd:01 395798
/lib/x86_64-linux-gnu/libc-2.23.so
Size: 2048 kB
KernelPageSize: 4 kB
MMUPageSize: 4 kB
Rss: 0 kB
Pss: 0 kB
Shared_Clean: 0 kB
Shared_Dirty: 0 kB
Private_Clean: 0 kB
Private_Dirty: 0 kB
Referenced: 0 kB
Anonymous: 0 kB
LazyFree: 0 kB
AnonHugePages: 0 kB
ShmemPmdMapped: 0 kB
Shared_Hugetlb: 0 kB
Private_Hugetlb: 0 kB
Swap: 0 kB
SwapPss: 0 kB
Locked: 0 kB
VmFlags: mr mw me sd


The second section looks like the 2MB section you are talking about.
> This is a regression but I haven't checked how recent it is. Older versions of gdb correctly handled inaccessible sections by writing phdrs for inaccessible sections, with PF_R correctly turned off and no image in the core.
I tested with versions as old as 7.1 (from 2010) and all PH are readable.
--
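The derivation Simon describes, taking the permission field of each smaps mapping header and turning it into ELF p_flags so that PF_R is only set when the region is actually readable, written out here as an added example in C. This is not gdb's code: struct segment, perms_to_pflags, parse_mapping_header and build_segments are names chosen for this example, and the sample smaps buffer is constructed from the two libc mappings quoted above with most of the statistic lines trimmed.

```c
#include <stdio.h>
#include <string.h>

/* ELF program-header flag bits (values from the ELF spec; guarded so a
   system <elf.h> can be included instead without redefinition). */
#ifndef PF_X
#define PF_X 0x1
#define PF_W 0x2
#define PF_R 0x4
#endif

struct segment {
    unsigned long start;   /* mapping start address from smaps */
    unsigned long end;     /* mapping end address (exclusive) */
    int p_flags;           /* PF_R | PF_W | PF_X derived from the perms field */
    int needs_image;       /* 1 if the core should carry the bytes of this region */
};

/* Translate the smaps permission field ("r-xp", "---p", ...) into p_flags.
   Only the first three characters carry access rights; the fourth is the
   private/shared marker. Returns -1 if the field is malformed. */
int perms_to_pflags(const char *perms)
{
    int flags = 0;
    if (perms == NULL || strlen(perms) != 4)
        return -1;
    if (perms[0] == 'r') flags |= PF_R; else if (perms[0] != '-') return -1;
    if (perms[1] == 'w') flags |= PF_W; else if (perms[1] != '-') return -1;
    if (perms[2] == 'x') flags |= PF_X; else if (perms[2] != '-') return -1;
    if (perms[3] != 'p' && perms[3] != 's') return -1;
    return flags;
}

/* Parse one smaps mapping header ("start-end perms offset dev inode [path]").
   Returns 1 on success, 0 if the line is a statistic line such as "Rss: 0 kB"
   (those never match the "hex-hex perms" shape). */
int parse_mapping_header(const char *line, struct segment *seg)
{
    char perms[5];
    int flags;
    if (sscanf(line, "%lx-%lx %4s", &seg->start, &seg->end, perms) != 3)
        return 0;
    flags = perms_to_pflags(perms);
    if (flags < 0 || seg->end <= seg->start)
        return 0;
    seg->p_flags = flags;
    /* A region with no access rights at all is reserved address space, not
       data: its phdr should describe the range but carry no image. */
    seg->needs_image = (flags != 0);
    return 1;
}

/* Walk a whole smaps buffer and collect one segment per mapping header. */
int build_segments(const char *smaps, struct segment *out, int max)
{
    int n = 0;
    const char *p = smaps;
    while (*p != '\0' && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_mapping_header(line, &out[n]))
            n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample: the two libc mappings from the report, trimmed. */
static const char SAMPLE_SMAPS[] =
    "7f07cf9a0000-7f07cfb60000 r-xp 00000000 fd:01 395798 /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "Size:               1792 kB\n"
    "Rss:                1088 kB\n"
    "AnonHugePages:         0 kB\n"
    "VmFlags: rd ex mr mw me sd\n"
    "7f07cfb60000-7f07cfd60000 ---p 001c0000 fd:01 395798 /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "Size:               2048 kB\n"
    "Rss:                   0 kB\n"
    "AnonHugePages:         0 kB\n"
    "VmFlags: mr mw me sd\n";

/* Accessors over the constructed sample, for quick checks. */
int sample_count(void)
{
    struct segment s[16];
    return build_segments(SAMPLE_SMAPS, s, 16);
}

int sample_pflags(int idx)
{
    struct segment s[16];
    int n = build_segments(SAMPLE_SMAPS, s, 16);
    return (idx >= 0 && idx < n) ? s[idx].p_flags : -1;
}

int main(void)
{
    struct segment segs[16];
    int n = build_segments(SAMPLE_SMAPS, segs, 16);
    for (int i = 0; i < n; i++)
        printf("%lx-%lx flags=%c%c%c image=%s\n", segs[i].start, segs[i].end,
               (segs[i].p_flags & PF_R) ? 'R' : '-',
               (segs[i].p_flags & PF_W) ? 'W' : '-',
               (segs[i].p_flags & PF_X) ? 'X' : '-',
               segs[i].needs_image ? "yes" : "no (reserved, inaccessible)");
    return 0;
}
```

Run against the sample, the first mapping comes out as R-X with an image and the second (the 2 MB "---p" alignment gap) as flags 0 with no image, which is the behaviour the report says older gdb had. A core writer that instead starts from `p_flags |= PF_R` unconditionally, as in the quoted make_output_phdrs, would mark that gap readable and, in the heap-tail case, dump 64 MB of untouched reserve per heap.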
timothywboddy at gmail dot com
2018-06-28 19:00:55 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

--- Comment #2 from Tim Boddy <timothywboddy at gmail dot com> ---
Thanks for looking at this, Simon!

Indeed, as you point out, the section starting at 0x7f07cfb60000 is not
readable at all as per the smaps but will be marked, incorrectly, in the phdr
when a core is created for that process.

A rather extreme example of all three types of extra inaccessible regions
handled badly (alignment gaps, stack guards and heap tails) is if you start
this python program, save the smaps, then save the core:

import threading
import time

for i in range(500):
    t = threading.Thread(target=time.sleep, args=(3600,))
    t.start()
print ("threads have been started")
--
timothywboddy at gmail dot com
2018-06-28 19:02:11 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

--- Comment #3 from Tim Boddy <timothywboddy at gmail dot com> ---
Can I trouble you to change the status? As I read your previous comment you
have confirmed the bug.
--
simon.marchi at ericsson dot com
2018-06-28 13:34:24 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

Simon Marchi <simon.marchi at ericsson dot com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Last reconfirmed| |2018-06-28
Ever confirmed|0 |1

--- Comment #4 from Simon Marchi <simon.marchi at ericsson dot com> ---
There you go.
--
timothywboddy at gmail dot com
2018-06-28 19:21:13 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=23326

--- Comment #5 from Tim Boddy <timothywboddy at gmail dot com> ---
Thank you.
--