shim fails to initialize with tor's --enable-fragile-hardening (asan)

[sporksmith]

In Tor we're trying to run simulations with a tor binary built with AddressSanitizer; specifically using the --enable-fragile-hardening flag to tor's configure script.

Initially, the asan instrumentation in the tor binary inspects LD_PRELOAD and refuses to run because our LD_PRELOAD'd libraries might interfere with its instrumentation. In particular we get an error in the tor's shimlog -- since the shim's initialization hasn't run yet the write isn't interposed, and STDOUT_FILENO is the shimlog file.

We're able to cirumvent that check by setting ASAN_OPTIONS=verify_asan_link_order=0 in the tor process's environment. google/sanitizers#796 (comment)

After doing that, the tor process runs, but all output goes to the shimlog; it appears that the shim is never getting initialized.

I'm able to reproduce this issue with tor-0.4.7.9 and shadow's tor-minimal test.

More debugging info follows...

[sporksmith]

I'm unable to attach gdb to the tor process using shadow's --debug-hosts flag; when I try to attach the process has already exited. IIUC since the shim's initialization code never runs, it never gets blocked, and it runs and exits "normally" before we can attach.

I tried running shadow itself under gdb instead, setting a breakpoint on _managedthread_fork_exec, and setting follow-fork-mode to child when it's about to start the first tor process.

Initially I ran into an internal gdb error related to vfork. I locally changed the vfork in ManagedThread to fork instead as a workaround.

After doing that, and following the fork in gdb, the child tor process stops at SIGABRT. It looks like it's running into trouble running asan's global destructor; i.e. this is already after tor tried and failed to run without ever initializing properly:

Thread 2.1 "tor" received signal SIGABRT, Aborted.
(gdb) bt
#0  0x00007ffff6a96a7c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6a42476 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6a287f3 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6816327 in std::sys::unix::abort_internal () at library/std/src/sys/unix/mod.rs:317
#4  0x00007ffff680b64f in std::panicking::rust_panic () at library/std/src/panicking.rs:738
#5  0x00007ffff680b456 in std::panicking::rust_panic_with_hook () at library/std/src/panicking.rs:706
#6  0x00007ffff680b151 in std::panicking::begin_panic_handler::{closure#0} () at library/std/src/panicking.rs:577
#7  0x00007ffff68083bc in std::sys_common::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::{closure_env#0}, !> () at library/std/src/sys_common/backtrace.rs:138
#8  0x00007ffff680aeb2 in std::panicking::begin_panic_handler () at library/std/src/panicking.rs:575
#9  0x00007ffff66ffc63 in core::panicking::panic_fmt () at library/core/src/panicking.rs:65
#10 0x00007ffff66ffd3d in core::panicking::panic () at library/core/src/panicking.rs:115
#11 0x00007ffff67109ae in core::option::Option<&shadow_shim_helper_rs::shim_shmem::ProcessShmem>::unwrap<&shadow_shim_helper_rs::shim_shmem::ProcessShmem> (self=...)
    at /rustc/6b3ede3f7bc502eba7bbd202b4b9312d812adcd7/library/core/src/option.rs:778
#12 0x00007ffff67091c7 in shadow_shim_helper_rs::shim_shmem::export::shimshmem_getProcessStraceFd (process=0x0) at lib/shadow-shim-helper-rs/src/shim_shmem.rs:561
#13 0x00007ffff6706bfe in shim_sys_handle_syscall_locally () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#14 0x00007ffff6707ed2 in shim_syscallv () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#15 0x00007ffff6704563 in shim_api_syscallv () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#16 0x00007ffff7faf085 in syscall () from /home/jnewsome/projects/shadow/dev/build/src/lib/libc_preload/libshadow_libc.so
#17 0x00007ffff7facf75 in sched_yield () from /home/jnewsome/projects/shadow/dev/build/src/lib/libc_preload/libshadow_libc.so
#18 0x00007ffff74d9985 in __sanitizer::StopTheWorld (callback=<optimized out>, argument=<optimized out>) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_stoptheworld_linux_libcdep.cpp:456
#19 0x00007ffff74e348e in __lsan::LockStuffAndStopTheWorldCallback (info=<optimized out>, size=<optimized out>, data=0x7fffffffe690) at ../../../../src/libsanitizer/lsan/lsan_common_linux.cpp:128
#20 0x00007ffff6b74ed0 in dl_iterate_phdr () from /lib/x86_64-linux-gnu/libc.so.6
#21 0x00007ffff74e37f0 in __lsan::LockStuffAndStopTheWorld (callback=callback@entry=0x7ffff74e1cf0 <__lsan::CheckForLeaksCallback(__sanitizer::SuspendedThreadsList const&, void*)>, argument=argument@entry=0x7fffffffe6e0)
    at ../../../../src/libsanitizer/lsan/lsan_common_linux.cpp:145
#22 0x00007ffff74e2c2c in __lsan::CheckForLeaks () at ../../../../src/libsanitizer/lsan/lsan_common.cpp:603
#23 0x00007ffff74e2ee9 in __lsan::DoLeakCheck () at ../../../../src/libsanitizer/lsan/lsan_common.cpp:643
#24 __lsan::DoLeakCheck () at ../../../../src/libsanitizer/lsan/lsan_common.cpp:638
#25 0x00007ffff6a45a56 in __cxa_finalize () from /lib/x86_64-linux-gnu/libc.so.6
#26 0x00007ffff7424bb7 in __do_global_dtors_aux () from /lib/x86_64-linux-gnu/libasan.so.6
#27 0x00007fffffffe8f0 in ?? ()

[stevenengler]

I think you'll also need to disable shadow's libc preload. #2346

[sporksmith]

This time I tried setting a breakpoint on _shim_load (the shim's global constructor) before following the fork. It looks like it is getting run:

(gdb) bt
#0  0x00007ffff6702e78 in _shim_load () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#1  0x00007ffff6702fbb in shim_ensure_init () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#2  0x00007ffff6707e9f in shim_syscallv () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#3  0x00007ffff6704563 in shim_api_syscallv () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#4  0x00007ffff7faf085 in syscall () from /home/jnewsome/projects/shadow/dev/build/src/lib/libc_preload/libshadow_libc.so
#5  0x00007ffff7fa97e0 in getrlimit () from /home/jnewsome/projects/shadow/dev/build/src/lib/libc_preload/libshadow_libc.so
#6  0x00007ffff74d20a8 in __sanitizer::setlim (res=res@entry=4, lim=lim@entry=0) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:94
#7  0x00007ffff74d2454 in __sanitizer::DisableCoreDumperIfNecessary () at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:107
#8  0x00007ffff74c062f in __asan::AsanInitInternal () at ../../../../src/libsanitizer/asan/asan_rtl.cpp:462
#9  0x00007ffff7fc95be in ?? () from /lib64/ld-linux-x86-64.so.2
#10 0x00007ffff7fe32ea in ?? () from /lib64/ld-linux-x86-64.so.2

We invoke _shim_load from all of our LD_PRELOAD'd syscall wrappers in case another global constructor runs before ours; it looks like that's what's happening here. Still digging for why the intialization seems not to be working...

[sporksmith]

I think you'll also need to disable shadow's libc preload. #2346

Ah thanks - I thought I remembered there being an issue for this already but couldn't find it.

It's not immediately clear to me that the libc preload would break asan, since e.g. we don't override the memory allocation APIs. Disabling it will also break name resolution, so hopefully we don't have to.

I'll try it though and see if it gets us further...

[sporksmith]

Yes, with --use-preload-libc=false, _shim_load gets called first when it runs as a global constructor, instead of getting called by a syscall wrapper in the libc preload, and ends up working as expected.

It looks like when _shim_load gets called "early", during asan's initialization, getenv doesn't find any environment variables. In particular we find that there is no SHADOW_SPAWNED environment variable, and skip the regular shim initialization. Even if we remove that check, it'll also not find the other environment variables it needs to init properly. I guess libc's getenv doesn't work until some later global initialization is done.

There are various ways we could arrange to run the initialization later, though letting asan's initialization run and make syscalls before shadow's initialization runs could end up causing other complications.

[sporksmith]

I tried changing _shim_load to keep looking for SHADOW_SPAWNED every time it runs until it finds it, so that we do initialize later.

In that case we run into another problem with the libc preload - it ends up recursing and blowing the stack when handling a syscall:

#0  0x00007ffff6704758 in shimlogger_log () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#1  0x00007ffff67ce937 in logger_log (logger=0x606000000020, level=LOGLEVEL_TRACE, fileName=0x7ffff68b8328 "/home/jnewsome/projects/shadow/dev/src/lib/shim/shim_seccomp.c", 
    functionName=0x7ffff68b8400 <__FUNCTION__.2> "_shim_seccomp_handle_sigsys", lineNumber=52, format=0x7ffff68b8310 "Trapped syscall %lld") at logger.c:174
#2  0x00007ffff6705319 in _shim_seccomp_handle_sigsys () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#3  <signal handler called>
#4  0x00007ffff74cde24 in __sanitizer::internal_mmap (addr=addr@entry=0x0, length=length@entry=4096, prot=prot@entry=3, flags=34, fd=-1, offset=offset@entry=0) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_linux.cpp:179
#5  0x00007ffff74d18c6 in __sanitizer::MmapNamed (name=0x7ffff750b4f3 "DTLS_Resize", flags=34, prot=3, length=4096, addr=0x0) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cpp:391
#6  __sanitizer::MmapOrDie (size=size@entry=4096, mem_type=mem_type@entry=0x7ffff750b4f3 "DTLS_Resize", raw_report=raw_report@entry=false) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cpp:46
#7  0x00007ffff74df79e in __sanitizer::DTLS_Resize (new_size=256) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_tls_get_addr.cpp:57
#8  __sanitizer::DTLS_on_tls_get_addr (arg_void=arg_void@entry=0x7ffff696d468, res=res@entry=0x7ffff23980d0, static_tls_begin=0, static_tls_end=0) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_tls_get_addr.cpp:100
#9  0x00007ffff7454886 in __interceptor___tls_get_addr (arg=0x7ffff696d468) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5309
#10 __interceptor___tls_get_addr (arg=0x7ffff696d468) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:5303
#11 0x00007ffff6708229 in shimtlsvar_ptr () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#12 0x00007ffff6702ee2 in _shim_load () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#13 0x00007ffff6702fbb in shim_ensure_init () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#14 0x00007ffff6707e9f in shim_syscallv () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#15 0x00007ffff67080df in shim_syscall () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#16 0x00007ffff6705442 in _shim_seccomp_handle_sigsys () from /home/jnewsome/projects/shadow/dev/build/src/lib/shim/libshadow-shim.so
#17 <signal handler called

The asan code hijacks control when we try to access thread-local-storage. It tries to call mmap, which goes to our seccomp signal handler, which tries again to access thread-local-storage, and so on.

[sporksmith]

Actually we run into the same problem with the libc preload disabled.

I suspect we may have gotten further in #2346 before 9cee888 changed the shim to make more use of "native" thread local storage, which is what asan is intercepting.

We could revert that, and maybe ought to since in general it's a dependency on the libc runtime that can cause complications such as this one. That has some other drawbacks though - e.g. our simple thread-local-storage implementation leaked per-thread storage.

[sporksmith]

I suspect we may have gotten further in #2346 before 9cee888 changed the shim to make more use of "native" thread local storage, which is what asan is intercepting.

Actually #2346 was filed a couple months before 9cee888 was committed. I suppose it's possible both the user and Steven when debugging weren't using shadow @ head, but it seems unlikely. hmm.

[sporksmith]

Removing the shim's dependencies on libc (including native thread local storage) should mostly solve this #2919

[sporksmith]

I got tor with --enable-fragile-hardening working in our tor-minimal test locally. Here's a draft PR with my changes: #3022

Specifically this was with tor at 34da50718a4395936736c32e8cc24876d2f7e10c, configured with ./configure --enable-fragile-hardening --prefix=$HOME/opt/tor-asan.

The test passes with "stock" tor.

I also tried injecting a use-after-free, and verified that asan caught it.

I tried setting up one of the tor processes to shut down gracefully so that asan's leak detection would run, but it tries to vfork a new process, which we don't support. Based on the error messages and what I can find online (e.g. google/sanitizers#1306) it looks like the child process is going to then try using ptrace, which we also don't support. spawning new processes is on the roadmap, but we haven't seriously considered trying to allow or emulate ptrace. I think it might be feasible, but unlikely within the scope of our current milestones.

~mergeable changes:

• Enable unblocked syscall latency in the tor minimal test. asan uses a spin loop during thread creation.

• Drop the sched_yield exception from our seccomp filter. asan uses an inlined sched_yield syscall in its spin loop which we otherwise weren't intercepting. Luckily we don't need this exception anymore.

Hacks:

• Hack up shim initialization to try again later if env variables don't work yet. Real fix is to finish migrating off of env variable usage.

• Hard-code the shim not to use native thread local storage even if it appears to be available. asan intercepts internal function calls used to access thread-local-storage. Right now this comes with some significant limitations, so we wouldn't want to merge that. We could make it an option for asan compatibility in the short/medium term. I think in the longer term we could improve our non-native-TLS implementation s.t. we could just use it by default.