CRASH in raw2trace module mapping when VDSO in between segments of a library
With a proprietary app we're seeing crashes running opcode_mix. It turns out to be from ld-2.27.so with segments spanning the VDSO:
24, 24, 0x0000ffffbd3cc000, 0x0000ffffbd3ed000, 0x0000ffffbd3d0900, 0000000000000000, v#1,0, ld-2.27.so
25, 24, 0x0000ffffbd3fc000, 0x0000ffffbd3fe000, 0x0000ffffbd3d0900, 0000000000020dd0, v#1,0, ld-2.27.so
26, 24, 0x0000ffffbd40d000, 0x0000ffffbd410000, 0x0000ffffbd3d0900, 0000000000021750, v#1,0, ld-2.27.so
27, 27, 0x0000ffffbd40c000, 0x0000ffffbd40d000, 0x0000ffffbd40c300, 0000000000000000, v#1,4096
last_trace_module_start = 0xffffbd3cc000,
last_trace_module_size = 0x44000,
last_mapped_module_start = 0x7ffde94f4000
modvec_ = std::vector of length 28, capacity 32 = {{
<...>
}, {
path = 0x54bb2dfcd588,
orig_base = 0xffffbd3cc000,
map_base = 0x7ffde94f4000,
map_size = 0x44000,
is_external = 0x0
}, {
path = 0x54bb2dfcd7c0,
orig_base = 0xffffbd3cc000,
map_base = 0x7ffde94f4000,
map_size = 0x0,
is_external = 0x0
}, {
path = 0x54bb2dfcd9f8,
orig_base = 0xffffbd3cc000,
map_base = 0x7ffde94f4000,
map_size = 0x0,
is_external = 0x0
}, {
path = 0x54bb2dfcdc30,
orig_base = 0xffffbd40c000,
map_base = 0x54bb39395e94,
map_size = 0x1000,
is_external = 0x1
}},
last_orig_base_ = 0xffffbd3cc000,
last_map_size_ = 0x44000,
last_map_base_ = 0x7ffde94f4000,
(gdb) p/x 0xffffbd3cc000 + 0x44000
$6 = 0xffffbd410000
So it is a bug in raw2trace handling an .so with separated segments with VDSO in between them. Surprising, since we put in effort to have per-segment instead of per-library module entries, and since DR's core has had several fixes to support things in ELF gaps in years past.
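The layout above, reduced to an added model (constructed here, not DynamoRIO's raw2trace code): the modvec_ values are copied from the dump, while the two lookups are illustrative containment checks and assumptions about the algorithm, not the project's actual code. It shows that a check against the coalesced ld.so span [0xffffbd3cc000, +0x44000) claims the VDSO address 0xffffbd40c300, whereas preferring the tightest containing entry resolves it to the VDSO.

```cpp
// Constructed model of the modvec_ entries from the crash dump (not DR's code).
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct ModEntry {
    std::string path;
    uint64_t orig_base;  // address in the traced process
    uint64_t map_size;   // 0 for the collapsed 2nd/3rd ld.so segments
    bool is_external;    // true for the VDSO entry
};

// Values copied from the modvec_ dump above; paths substituted for the raw pointers.
static const std::vector<ModEntry> kModvec = {
    {"ld-2.27.so", 0xffffbd3cc000ULL, 0x44000, false},
    {"ld-2.27.so", 0xffffbd3cc000ULL, 0x0,     false},
    {"ld-2.27.so", 0xffffbd3cc000ULL, 0x0,     false},
    {"[vdso]",     0xffffbd40c000ULL, 0x1000,  true},
};

static bool contains(const ModEntry &m, uint64_t addr) {
    return addr >= m.orig_base && addr < m.orig_base + m.map_size;
}

// Assumed lookup: the first entry whose [orig_base, orig_base+map_size) holds addr
// wins, so the coalesced ld.so span (which also covers the gap) swallows the VDSO.
int first_match(uint64_t addr) {
    for (size_t i = 0; i < kModvec.size(); ++i)
        if (contains(kModvec[i], addr))
            return (int)i;
    return -1;
}

// Illustrative alternative: prefer the tightest containing entry, so an address
// inside the gap resolves to the VDSO mapped there rather than to ld.so.
int tightest_match(uint64_t addr) {
    int best = -1;
    for (size_t i = 0; i < kModvec.size(); ++i) {
        if (!contains(kModvec[i], addr))
            continue;
        if (best < 0 || kModvec[i].map_size < kModvec[best].map_size)
            best = (int)i;
    }
    return best;
}
```

Note that both lookups still attribute the unmapped hole between 0xffffbd3ed000 and 0xffffbd3fc000 to ld.so, because the per-segment bounds of segments 25 and 26 are lost (map_size 0) in the dump.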