DR can't satisfy reachability on Linux x64 for binaries built with -fPIE -pie
From rnk@google.com on April 05, 2012 12:34:57
kcc ran plain drrun over an asanified binary and got a message like this:
<Application cat_proc_self_maps (32415). Internal Error Internal DynamoRIO Error: /home/rnk/dynamorio/core/heap.c:484 must_reach_region_end <= heap_allowable_region_end && "PR 215395 reachability contraints not satisfiable"
This occurs for any binary built with -fPIE and -pie, so it is not an asan-specific issue.
I attached the /proc/pid/maps files for two binaries: one built pie and the other not. The important bit from the pie one is here:
7f265cfb1000-7f265d0a7000 r-xp 00000000 fc:00 1444440 /usr/lib/libstdc++.so.6.0.13
7f265d0a7000-7f265d2a7000 ---p 000f6000 fc:00 1444440 /usr/lib/libstdc++.so.6.0.13
7f265d2a7000-7f265d2ae000 r--p 000f6000 fc:00 1444440 /usr/lib/libstdc++.so.6.0.13
7f265d2ae000-7f265d2b0000 rw-p 000fd000 fc:00 1444440 /usr/lib/libstdc++.so.6.0.13
7f265d2b0000-7f265d2c5000 rw-p 00000000 00:00 0
7f265d2c5000-7f265d2c8000 r-xp 00000000 fc:01 21760587 /.../libdrpreload.so
7f265d2c8000-7f265d4c8000 ---p 00003000 fc:01 21760587 /.../libdrpreload.so
7f265d4c8000-7f265d4c9000 r--p 00003000 fc:01 21760587 /.../libdrpreload.so
7f265d4c9000-7f265d4ca000 rw-p 00004000 fc:01 21760587 /.../libdrpreload.so
7f265d4ca000-7f265d4d0000 rw-p 00000000 00:00 0
7f265d4d0000-7f265d82f000 r-xp 00000000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265d82f000-7f265da2e000 ---p 0035f000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da2e000-7f265da4f000 r--p 0035e000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da4f000-7f265da73000 rw-p 0037f000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da73000-7f265da8d000 rw-p 00000000 00:00 0
7f265da8d000-7f265daad000 r-xp 00000000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dc86000-7f265dc8a000 rw-p 00000000 00:00 0
7f265dca9000-7f265dcac000 rw-p 00000000 00:00 0
7f265dcac000-7f265dcad000 r--p 0001f000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dcad000-7f265dcae000 rw-p 00020000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dcae000-7f265dcaf000 rw-p 00000000 00:00 0
7f265dcaf000-7f265dcb0000 r-xp 00000000 fc:01 24775936 /.../cat_proc_self_maps
7f265deaf000-7f265deb0000 r--p 00000000 fc:01 24775936 /.../cat_proc_self_maps
7f265deb0000-7f265deb1000 rw-p 00001000 fc:01 24775936 /.../cat_proc_self_maps
7f265fb14000-7f265fb35000 rw-p 00000000 00:00 0 [heap]
7fff58102000-7fff58123000 rw-p 00000000 00:00 0 [stack]
7fff581ff000-7fff58200000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Looks like it pushes libdynamorio.so up into the top part of the addrspace and ignores our preferred base?
For the normal binary it puts it here:
00400000-00401000 r-xp 00000000 fc:01 24775988 /.../cat_proc_self_maps
00600000-00601000 r--p 00000000 fc:01 24775988 /.../cat_proc_self_maps
00601000-00602000 rw-p 00001000 fc:01 24775988 /.../cat_proc_self_maps
0252e000-0254f000 rw-p 00000000 00:00 0 [heap]
71000000-7135f000 r-xp 00000000 fc:01 21761811 /.../libdynamorio.so.3.2
7135f000-7155e000 ---p 0035f000 fc:01 21761811 /.../libdynamorio.so.3.2
7155e000-7157f000 r--p 0035e000 fc:01 21761811 /.../libdynamorio.so.3.2
7157f000-715a3000 rw-p 0037f000 fc:01 21761811 /.../libdynamorio.so.3.2
715a3000-715bd000 rw-p 00000000 00:00 0
... rest of DR's allocs go here.
It looks like there is address space reachable in 32 bits from libdynamorio, but we have to try harder to find it.
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=719
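The observation that free address space exists within 32-bit reach of libdynamorio can be checked directly from the quoted listing. The script below is an added example, not part of the original report and not DynamoRIO's code; `reachable_gaps`, `REACH` and the simplified model (a hole counts as reachable when every byte of the library lies within a signed 32-bit displacement of it) are assumptions made for illustration.

```python
import re

# Mappings copied from the PIE-case listing in the report, from libdynamorio.so
# up to [stack]; the run is contiguous, so holes between entries are real holes.
PIE_MAPS = """\
7f265d4d0000-7f265d82f000 r-xp 00000000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265d82f000-7f265da2e000 ---p 0035f000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da2e000-7f265da4f000 r--p 0035e000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da4f000-7f265da73000 rw-p 0037f000 fc:01 21761811 /.../libdynamorio.so.3.2
7f265da73000-7f265da8d000 rw-p 00000000 00:00 0
7f265da8d000-7f265daad000 r-xp 00000000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dc86000-7f265dc8a000 rw-p 00000000 00:00 0
7f265dca9000-7f265dcac000 rw-p 00000000 00:00 0
7f265dcac000-7f265dcad000 r--p 0001f000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dcad000-7f265dcae000 rw-p 00020000 fc:00 1839315 /lib/ld-2.11.1.so
7f265dcae000-7f265dcaf000 rw-p 00000000 00:00 0
7f265dcaf000-7f265dcb0000 r-xp 00000000 fc:01 24775936 /.../cat_proc_self_maps
7f265deaf000-7f265deb0000 r--p 00000000 fc:01 24775936 /.../cat_proc_self_maps
7f265deb0000-7f265deb1000 rw-p 00001000 fc:01 24775936 /.../cat_proc_self_maps
7f265fb14000-7f265fb35000 rw-p 00000000 00:00 0 [heap]
7fff58102000-7fff58123000 rw-p 00000000 00:00 0 [stack]
"""
REACH = 1 << 31  # assumed model: signed 32-bit (rel32) displacement
LINE = re.compile(r"([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)")

def reachable_gaps(maps_text, lib="libdynamorio"):
    """Return (start, end) holes between listed mappings that are in reach of all of `lib`."""
    regions = []
    for line in maps_text.splitlines():
        m = LINE.match(line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3]))
    regions.sort()
    lib_lo = min(s for s, _, name in regions if lib in name)
    lib_hi = max(e for _, e, name in regions if lib in name)
    # Window from which both the first and the last byte of the library are in reach.
    lo, hi = max(lib_hi - REACH, 0), lib_lo + REACH
    gaps = []
    for (_, prev_end, _), (next_start, _, _) in zip(regions, regions[1:]):
        start, end = max(prev_end, lo), min(next_start, hi)  # clip hole to the window
        if start < end:
            gaps.append((start, end))
    return gaps

if __name__ == "__main__":
    for start, end in reachable_gaps(PIE_MAPS):
        print(f"{start:012x}-{end:012x}  {(end - start) >> 20} MiB free")
```

Only holes between listed mappings are reported, so space below the first entry or above the last is not counted.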