From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/13647
Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail
From: r yang <decatf@gmail.com>
Newsgroups: gmane.linux.lib.musl.general
Subject: Infinite loop in malloc
Date: Fri, 25 Jan 2019 10:13:50 -0500
Message-ID: <20190125151350.GB20330@r>
Reply-To: musl@lists.openwall.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226";
	logging-data="212212"; mail-complaints-to="usenet@blaine.gmane.org"
User-Agent: Mutt/1.9.4 (2018-02-28)
To: musl@lists.openwall.com
Original-X-From: musl-return-13663-gllmg-musl=m.gmane.org@lists.openwall.com Fri Jan 25 16:16:25 2019
Return-path: <musl-return-13663-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by blaine.gmane.org with smtp (Exim 4.89)
	(envelope-from <musl-return-13663-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1gn3DS-000t2B-4Z
	for gllmg-musl@m.gmane.org; Fri, 25 Jan 2019 16:16:22 +0100
Original-Received: (qmail 5494 invoked by uid 550); 25 Jan 2019 15:16:19 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Original-Received: (qmail 3279 invoked from network); 25 Jan 2019 15:14:05 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:subject:message-id:mime-version:content-disposition
         :user-agent;
        bh=VnXByZlY4bRt+GYaQaptUrTL0/ORDtMjzx8kPXxnKE8=;
        b=PFbBgs4Ye6n6aRyGoEfd7ybx1okoYc/w7jiIp+cyZNqq6mrT+Vef2dKxnuXtggbXJL
         7ILlEuKKEND+O7jIRpmSBJadsbq/26/6BhDNwkri0hSDG3QaBY6T909cKm/JdHF34lkr
         FXE7IHdVswWgDp6rVuk/NXfpZH0r+9K2Ek3q2cA8Vd9x/DS+ZBSJqhuDyQFVpAT90ViO
         JQNOhZG++Urfujy4O1DBtq3PEM587jlTfmA1DFV8upYkslif1d61NA/7axYCVSobRqu4
         PFzdRJij2w2JvJ3diaXV3kK3s3m2ZQT/HCw98oB9DmQJ+lKkxRuDOYgwxxkn1PXelt7k
         1IGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:subject:message-id:mime-version
         :content-disposition:user-agent;
        bh=VnXByZlY4bRt+GYaQaptUrTL0/ORDtMjzx8kPXxnKE8=;
        b=VvWTRMnNxssQ1vpxYE6Y6cBVcla+Qm8Poxpdcqb/6GiuUPQk0GbBWOErRzfKYBr/FK
         iycKSk56L6Zx4Kcc61whF9DPDsAIhEMvCw/4XhqATi0qr6psSgb9b8pa/O1fd9U2cLkM
         HUgNv4RZTjt2LXcPU+aJhBY+wzItS1w6EayjmKKdHgyAihYsufNNL9H30Log2FIRPumi
         SZpmk0Xj7Hg+Stjm65Qh1997OQ8psJtITZ/Hj9yOHFDKo6+4woZL6Y1NN5yg5RoDBEMF
         ONwGT6o9erYxhT5/ZdBIcjffFhq1O8cApdr36FGsteTp8Wb2b38OQJGirwCmeV+2hyMk
         e7NA==
X-Gm-Message-State: AJcUukeUCx2FfGDn6zb/fVxHkapB6LqLuGZG4G25CeU/pRlALTLauCgU
	FJlsI1Hq1Q7VG1MMSOFFQcdVfYE=
X-Google-Smtp-Source: ALg8bN7LLvfiqPV3KMaM6c6db4EHnJ9rZCVETFWm2agd33LVLXm4SpSsfiSyPAW+0+Z63hkmDSmOpA==
X-Received: by 2002:a02:5184:: with SMTP id s126mr6923327jaa.12.1548429233325;
        Fri, 25 Jan 2019 07:13:53 -0800 (PST)
Content-Disposition: inline
Xref: news.gmane.org gmane.linux.lib.musl.general:13647
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/13647>

pmbootstrap is a development environment to build/install postmarketOS
(based on Alpine Linux) for Android devices. One of the things it does
is use qemu static to emulate an ARM based Alpine Linux chroot
environment.

There is a bug while compiling certain packages in the qemu ARM chroot.
The qemu process can get stuck in an infinite loop when calling malloc.

pmbootstrap uses Alpine Linux edge repositories. It's using the current
musl package version 1.1.20.

Here is a gdb backtrace.
#0  malloc (n=<optimized out>, n@entry=9) at src/malloc/malloc.c:320
#1  0x0000000060184ad3 in g_malloc (n_bytes=n_bytes@entry=9) at gmem.c:99
#2  0x000000006018bcab in g_strdup (str=<optimized out>, str@entry=0x60200abf "call_rcu") at gstrfuncs.c:363
#3  0x000000006016e31d in qemu_thread_create (thread=thread@entry=0x7ffe89fb1a10, name=name@entry=0x60200abf "call_rcu",
    start_routine=start_routine@entry=0x60174c00 <call_rcu_thread>, arg=arg@entry=0x0, mode=mode@entry=1) at /home/pmos/build/src/qemu-3.1.0/util/qemu-thread-posix.c:526
#4  0x0000000060174b99 in rcu_init_complete () at /home/pmos/build/src/qemu-3.1.0/util/rcu.c:327
#5  0x00000000601c4fac in __fork_handler (who=1) at src/thread/pthread_atfork.c:26
#6  0x00000000601be8db in fork () at src/process/fork.c:33
#7  0x000000006009d191 in do_fork (env=0x62ef0ed0, flags=flags@entry=17, newsp=newsp@entry=0, parent_tidptr=parent_tidptr@entry=0, newtls=newtls@entry=0,
    child_tidptr=child_tidptr@entry=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:5528
#8  0x00000000600af894 in do_syscall1 (cpu_env=cpu_env@entry=0x62ef0ed0, num=num@entry=2, arg1=arg1@entry=0, arg2=arg2@entry=-8700192, arg3=<optimized out>, arg4=8,
    arg5=1015744, arg6=-75664, arg7=0, arg8=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:7042
#9  0x00000000600a835c in do_syscall (cpu_env=cpu_env@entry=0x62ef0ed0, num=2, arg1=0, arg2=-8700192, arg3=<optimized out>, arg4=<optimized out>, arg5=1015744, arg6=-75664,
    arg7=0, arg8=0) at /home/pmos/build/src/qemu-3.1.0/linux-user/syscall.c:11533
#10 0x00000000600c265f in cpu_loop (env=env@entry=0x62ef0ed0) at /home/pmos/build/src/qemu-3.1.0/linux-user/arm/cpu_loop.c:360
#11 0x00000000600417a2 in main (argc=<optimized out>, argv=0x7ffe89fb5958, envp=<optimized out>) at /home/pmos/build/src/qemu-3.1.0/linux-user/main.c:819


It is taking the malloc code path where n <= MMAP_THRESHOLD. None of
the conditions which break from the for loop are met.

In the first condition the mask value is never zero:
    mask = mal.binmap & -(1ULL<<i);
    if (!mask) { ... }

Examining the value in gdb:
(gdb) printf "%X\n", mask
204701

The bin head points to the bin itself so this condition is never met:
    c = mal.bins[j].head;
    if (c != BIN_TO_CHUNK(j)) { ... }

Examining the values in gdb:
(gdb) printf "%X\n", mal.bins[j].head
62337FC0
(gdb) printf "%X\n", (struct chunk *)((char *)(&mal.bins[j].head) - (2*sizeof(size_t)))
62337FC0


Reproducing this issue:
It is not always 100% reproducible. On occasion it will not get stuck
in an infinite loop. With my testing on 2 computers, will happen on
most attempts to compile.

$ git clone https://gitlab.com/postmarketOS/pmbootstrap.git
$ cd pmboostrap

Configure pmbootstrap
$ ./pmbootstrap.py init

Enter an Android device when prompted.
Use device: samsung-i9100
Leave other settings as the default.

Check out the pmaports repository that will reproduce this issue.
$ cd /path/to/pmboostrap/aports
$ git remote add ryang2678 https://gitlab.com/ryang2678/pmaports.git
$ git fetch ryang2678 debug-musl-malloc
$ git checkout debug-musl-malloc

Compile qemu static with debug symbols.
Alpine Linux doesn't provide a qemu package with debug symbols.
The debug-musl-malloc branch contains a qemu APKBUILD with debugging
enabled.
$ cd /path/to/pmboostrap
$ ./pmbootstrap.py build qemu

Try to compile networkmanager and wait for build to get stuck.
$ ./pmbootstrap.py build networkmanager --arch=armhf --force


To observe the stuck qemu process:

Enter chroot shell:
$ ./pmbootstrap.py chroot

Install musl debug symbols.
$ apk add musl-dbg

Get musl source code
$ cd /home/pmos
$ git clone git://git.musl-libc.org/musl
$ cd /home/pmos/musl
$ git checkout v1.1.20

Attach gdb to stuck process
$ gdb -tui /usr/bin/qemu-arm
directory /home/pmos/musl
attach <pid>