[Mono-bugs] [Bug 631146] New: crash in mono runtime on certain (malformed) inputs
bugzilla_noreply at novell.com
Fri Aug 13 13:31:59 EDT 2010
http://bugzilla.novell.com/show_bug.cgi?id=631146
http://bugzilla.novell.com/show_bug.cgi?id=631146#c0
Summary: crash in mono runtime on certain (malformed) inputs
Classification: Mono
Product: Mono: Runtime
Version: 2.6.x
Platform: x86
OS/Version: Ubuntu
Status: NEW
Severity: Normal
Priority: P5 - None
Component: misc
AssignedTo: mono-bugs at lists.ximian.com
ReportedBy: iisaev at ispras.ru
QAContact: mono-bugs at lists.ximian.com
Found By: ---
Blocker: ---
Created an attachment (id=382953)
--> (http://bugzilla.novell.com/attachment.cgi?id=382953)
exploit input
A number of bugs were discovered in mono by the Avalanche dynamic program analysis tool
(http://code.google.com/p/avalanche/). Mono crashes on certain exploit inputs
(attached).
Reproducible: Always
Steps to Reproduce:
mono-2.6.7/inst/bin/mono exploit_0_0
Actual Results:
** (exploit_0_0:16070): WARNING **: type 0x00 not handled in
do_mono_metadata_parse_type on image
/space/iisaev/avalanche5/branches/separate-analysis/exploit_0_0
Stacktrace:
Native stacktrace:
mono-2.6.7/inst/bin/mono [0x80dac8b]
mono-2.6.7/inst/bin/mono [0x8115fbb]
[0xb8090410]
mono-2.6.7/inst/bin/mono(mono_main+0x19a5) [0x80b8e65]
mono-2.6.7/inst/bin/mono [0x805bb51]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7e1a775]
mono-2.6.7/inst/bin/mono [0x805ba81]
Cannot access memory at address 0x0
Debug info from gdb:
[Thread debugging using libthread_db enabled]
[New Thread 0xb7dd06f0 (LWP 16070)]
[New Thread 0xb6e81b90 (LWP 16073)]
[New Thread 0xb6eb2b90 (LWP 16072)]
[New Thread 0xb7c93b90 (LWP 16071)]
0xb8090430 in __kernel_vsyscall ()
4 Thread 0xb7c93b90 (LWP 16071) 0xb8090430 in __kernel_vsyscall ()
3 Thread 0xb6eb2b90 (LWP 16072) 0xb8090430 in __kernel_vsyscall ()
2 Thread 0xb6e81b90 (LWP 16073) 0xb8090430 in __kernel_vsyscall ()
1 Thread 0xb7dd06f0 (LWP 16070) 0xb8090430 in __kernel_vsyscall ()
Thread 4 (Thread 0xb7c93b90 (LWP 16071)):
#0 0xb8090430 in __kernel_vsyscall ()
#1 0xb7f970e5 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0x0820a461 in GC_wait_marker () at pthread_support.c:1785
#3 0x0820d23f in GC_help_marker (my_mark_no=2) at mark.c:1116
#4 0x08209245 in GC_mark_thread (id=0x0) at pthread_support.c:548
#5 0xb7f934ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6 0xb7ee849e in clone () from /lib/tls/i686/cmov/libc.so.6
Thread 3 (Thread 0xb6eb2b90 (LWP 16072)):
#0 0xb8090430 in __kernel_vsyscall ()
#1 0xb7f9a8f6 in nanosleep () from /lib/tls/i686/cmov/libpthread.so.0
#2 0x081e18d8 in collection_thread (unused=0x0) at collection.c:34
#3 0xb7f934ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#4 0xb7ee849e in clone () from /lib/tls/i686/cmov/libc.so.6
Thread 2 (Thread 0xb6e81b90 (LWP 16073)):
#0 0xb8090430 in __kernel_vsyscall ()
#1 0xb7f993f5 in sem_wait@@GLIBC_2.1 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0x081f8e48 in mono_sem_wait (sem=0x82d8124, alertable=0) at mono-semaphore.c:102
#3 0x0811c2a8 in finalizer_thread (unused=0x0) at gc.c:1022
#4 0x081529b7 in start_wrapper (data=0x8417268) at threads.c:666
#5 0x081ebade in thread_start_routine (args=0x841a68c) at wthreads.c:286
#6 0x0820a0f3 in GC_start_routine (arg=0x35f20) at pthread_support.c:1390
#7 0xb7f934ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8 0xb7ee849e in clone () from /lib/tls/i686/cmov/libc.so.6
Thread 1 (Thread 0xb7dd06f0 (LWP 16070)):
#0 0xb8090430 in __kernel_vsyscall ()
#1 0xb7ee4a87 in syscall () from /lib/tls/i686/cmov/libc.so.6
#2 0x08119d92 in mono_runtime_syscall_fork () at mini-posix.c:563
#3 0x080dadfc in mono_handle_native_sigsegv (signal=11, ctx=0xb7492d0c) at mini-exceptions.c:1798
#4 0x08115fbb in mono_arch_handle_altstack_exception (sigctx=0xb7492d0c, fault_addr=0x4, stack_ovf=0) at exceptions-x86.c:1287
#5 <signal handler called>
#6 0x0819d809 in mono_runtime_run_main (method=0x8406224, argc=1, argv=0xbf9ae208, exc=0x0) at object.c:3339
#7 0x080b8e65 in mono_main (argc=2, argv=0xbf9ae204) at driver.c:999
#8 0x0805bb51 in main (argc=) at main.c:34
#0 0xb8090430 in __kernel_vsyscall ()
=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries
used by your application.
=================================================================
Aborted
Aborted
Expected Results:
No crash