Possible false positives from fd sanitizer [184380442]

WAI

Bug

Status Update

No update yet.

Description

gr...@gmail.com

created issue #1

Apr 3, 2021 07:54PM

Since android 11 programs stop when the file descriptor sanitizer detects issues with default fdsan error level setting.

This small test program, condensed from texlive's source code, stops with such an error when compiled with something like

armv7a-linux-androideabi30-clang -I$HOME/android-ndk/sysroot/usr/include/ -lz -o test test.c

and executed on device.

#include <zlib.h>
#include <stdio.h>
int open_output(FILE **f_ptr, char *mode) {
  *f_ptr = fopen ("test.gz", mode);
  return *f_ptr != NULL;
}
#define wopenout(f) (open_output ((FILE**)&(f), "wb") \
                     && (f = gzdopen(fileno((FILE*)f), "wb")))
int main() {
  gzFile fp;
  wopenout(fp);
  gzclose(fp);
}

The issue seem to be in the wopenout macro here, if I convert that to a normal function the error does not occur:

#include <zlib.h>
#include <stdio.h>
int open_output(FILE **f_ptr, char *mode) {
  *f_ptr = fopen ("test.gz", mode);
  return *f_ptr != NULL;
}
void wopenout (gzFile f) {
  open_output ((FILE**)&(f), "wb");
  f = gzdopen(fileno((FILE*)f), "wb");
}
int main() {
  gzFile fp;
  wopenout(fp);
  gzclose(fp);
}

Is it expected that fdsan should trigger when using a macro as defined above, but not when implementing the same code as a function?

This has been reproduced on a Pixel 4 XL and a Samsung galaxy tab A. Backtrace on Samsung device shows:

5547  5547 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
5547  5547 F DEBUG   : LineageOS Version: '18.1-20210328-UNOFFICIAL-gt510wifi'
5547  5547 F DEBUG   : Build fingerprint: 'samsung/gt510wifixx/gt510wifi:7.1.1/NMF26X/T550XXU1CQJ6:user/release-keys'
5547  5547 F DEBUG   : Revision: '8'
5547  5547 F DEBUG   : ABI: 'arm'
5547  5547 F DEBUG   : Timestamp: 2021-04-03 21:00:29+0200
5547  5547 F DEBUG   : pid: 5544, tid: 5544, name: test  >>> /data/local/tmp/test <<<
5547  5547 F DEBUG   : uid: 0
5547  5547 F DEBUG   : signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
5547  5547 F DEBUG   : Abort message: 'fdsan: attempted to close file descriptor 3, expected to be unowned, actually owned by FILE* 0xae98000c'
5547  5547 F DEBUG   :     r0  00000000  r1  000015a8  r2  00000006  r3  be88bb98
5547  5547 F DEBUG   :     r4  000015a8  r5  be88bbac  r6  000015a8  r7  0000016b
5547  5547 F DEBUG   :     r8  00000014  r9  ae7b4660  r10 00000000  r11 00000003
5547  5547 F DEBUG   :     ip  be88bb98  sp  be88b988  lr  ae7fb9d5  pc  ae7fb9e8
5547  5547 F DEBUG   : backtrace:
5547  5547 F DEBUG   :       #00 pc 000659e8  /apex/com.android.runtime/lib/bionic/libc.so (fdsan_error(char const*, ...)+428) (BuildId: 7360e84ae5fb2b04e5b979e65db7b459)
5547  5547 F DEBUG   :       #01 pc 000656fb  /apex/com.android.runtime/lib/bionic/libc.so (android_fdsan_close_with_tag+470) (BuildId: 7360e84ae5fb2b04e5b979e65db7b459)
5547  5547 F DEBUG   :       #02 pc 00065d6b  /apex/com.android.runtime/lib/bionic/libc.so (close+6) (BuildId: 7360e84ae5fb2b04e5b979e65db7b459)
5547  5547 F DEBUG   :       #03 pc 0000eb8c  /system/lib/libz.so (gzclose_w+312) (BuildId: f05f28230eb6f67b5786dfe66384b5dc)
5547  5547 F DEBUG   :       #04 pc 0000061c  /data/local/tmp/test (main+144)

Comments

gr...@gmail.com <gr...@gmail.com> #2Apr 3, 2021 09:30PM

I have forgotten to check the return value of open_output in the "working" code. If I change wopenout to

void wopenout (gzFile f) {
  if (open_output ((FILE**)&(f), "wb"))
    f = gzdopen(fileno((FILE*)f), "wb");
}

I get the same error as with the macro, so I suppose there is a real fd issue in this code.

gr...@gmail.com <gr...@gmail.com> #3Apr 4, 2021 09:39AM

There's another error in the test program as well, -Wall warns that gzFile fp is uninitialized. After fixing that it works again for the function implementation, but not the macro-implementation. So, this gives an error:

#include <zlib.h>
#include <stdio.h>
int open_output(FILE **f_ptr, char *mode) {
  *f_ptr = fopen ("test.gz", mode);
  return *f_ptr != NULL;
}
#define wopenout(f) (open_output ((FILE**)&(f), "wb") \
		     && (f = gzdopen(fileno((FILE*)f), "wb")))
int main() {
  gzFile fp = NULL;
  wopenout(fp);
  gzclose(fp);
}

and this works:

#include <zlib.h>
#include <stdio.h>
int open_output(FILE **f_ptr, char *mode) {
  *f_ptr = fopen ("test.gz", mode);
  return *f_ptr != NULL;
}
void wopenout (gzFile f) {
  if (open_output ((FILE**)&(f), "wb"))
    f = gzdopen(fileno((FILE*)f), "wb");
}
int main() {
  gzFile fp = NULL;
  wopenout(fp);
  gzclose(fp);
}

and I cannot see why there should be a difference in behaviour. I also noticed that clang 11 gives a working program when using -O0, but -O1 or higher gives the fdsan error. clang 9 (which the ndk uses) gives the error for all optimization levels.

ra...@google.com <ra...@google.com> Apr 5, 2021 12:01PM

Assigned to en...@google.com.

gr...@gmail.com <gr...@gmail.com> #4Apr 5, 2021 01:42PM

Here's another minimal example, condensed from emacs, that fails:

#include <stdio.h>
int main()
{
  fdopen (2, "w");
  fclose (stderr);
}

My guess is that the sanitizer does not like that we do not use the fd fdopen returns when closing stream 2/stderr. If I change to this:

#include <stdio.h>
int main()
{
  FILE *err = fdopen (2, "w");
  fclose (err);
}

It compiles and runs without issues. Is there an actual problem in the first snippet?

en...@google.com <en...@google.com> #5Apr 5, 2021 04:48PM

Status: Won't Fix (Intended Behavior)

Is there an actual problem in the first snippet?

yes. you have two FILE*s that both think they own file descriptor 2. depending on what you're actually trying to do, you probably meant to use freopen(3) instead? https://man7.org/linux/man-pages/man3/fopen.3.html

gr...@gmail.com <gr...@gmail.com> #6May 10, 2021 07:20AM

Thanks for the feedback. The idea in the code is to open a line buffered copy of stderr, is that valid? I am still having some problems wrapping my head around the issue, so I would be greatful if you could have a look at the failing example below:

#include <stdlib.h>
#include <unistd.h>

/* If FD is not already open, arrange for it to be open with FLAGS.  */
static void
force_open (int fd, int flags)
{
  if (dup2 (fd, fd) < 0)
    {
      int n = open ("/dev/null", flags);
      if (n < 0 || (fd != n && (dup2 (n, fd) < 0 || close (n) == 0 != 0)))
	exit (EXIT_FAILURE);
    }
}

/* A stream that is like stderr, except line buffered.  It is NULL
   during startup, or if line buffering is not in use.  */
static FILE *buferr;

int
main()
{
  /* Make sure stderr are open to something, so that the file
   descriptor is not hijacked by later system calls.  */
  force_open (STDERR_FILENO, O_RDONLY);

  /* Set buferr if possible on platforms defining _PC_PIPE_BUF, as
     they support the notion of atomic writes to pipes.  */
  #ifdef _PC_PIPE_BUF
    buferr = fdopen (STDERR_FILENO, "w");
    if (buferr)
      setvbuf (buferr, NULL, _IOLBF, 0);
  #endif

  int err = buferr && (fflush (buferr) != 0 || ferror (buferr));
  if (err | (fclose (stderr) != 0))
    return 1;
  return 0;
}

Compiling and executing on device gives

fdsan: attempted to close file descriptor 2, expected to be unowned, actually owned by FILE* 0xaba9700c
Aborted

from the fclose (stderr) call, similar to in the previous very minimal example.

en...@google.com <en...@google.com> #7May 10, 2021 03:54PM

The idea in the code is to open a line buffered copy of stderr

in that case you just want setlinebuf(stderr). see https://man7.org/linux/man-pages/man3/setbuf.3.html for the various stdio facilities for manipulating buffering.