[Mono-bugs] [Bug 631146] crash in mono runtime on certain (malformed) inputs

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Fri Aug 13 13:34:44 EDT 2010 

http://bugzilla.novell.com/show_bug.cgi?id=631146

http://bugzilla.novell.com/show_bug.cgi?id=631146#c1


--- Comment #1 from Ildar Isaev <iisaev at ispras.ru> 2010-08-13 17:34:43 UTC ---
Created an attachment (id=382954)
 --> (http://bugzilla.novell.com/attachment.cgi?id=382954)
another exploit input which results in a crash with a different stack trace

Stacktrace:


Native stacktrace:

    mono-2.6.7/inst/bin/mono [0x80dac8b]
    mono-2.6.7/inst/bin/mono [0x8115fbb]
    [0xb7f54410]
    mono-2.6.7/inst/bin/mono(mono_assembly_get_assemblyref+0xe1) [0x8131231]
    mono-2.6.7/inst/bin/mono(mono_assembly_load_reference+0x13e) [0x8133eae]
    mono-2.6.7/inst/bin/mono(mono_class_from_typeref+0x403) [0x81d71a3]
    mono-2.6.7/inst/bin/mono(mono_class_get_full+0x17c) [0x81d5c1c]
    mono-2.6.7/inst/bin/mono [0x81d6082]
    mono-2.6.7/inst/bin/mono(mono_class_get_full+0x119) [0x81d5bb9]
    mono-2.6.7/inst/bin/mono(mono_class_get+0x20) [0x81d5ce0]
    mono-2.6.7/inst/bin/mono [0x81967fa]
    mono-2.6.7/inst/bin/mono(mono_get_method_full+0xe7) [0x8195707]
    mono-2.6.7/inst/bin/mono(mono_get_method+0x27) [0x81957f7]
    mono-2.6.7/inst/bin/mono(mono_jit_exec+0x42) [0x80b7442]
    mono-2.6.7/inst/bin/mono(mono_main+0x19a5) [0x80b8e65]
    mono-2.6.7/inst/bin/mono [0x805bb51]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7cde775]
    mono-2.6.7/inst/bin/mono [0x805ba81]

Debug info from gdb:

[Thread debugging using libthread_db enabled]
[New Thread 0xb7c946f0 (LWP 16624)]
[New Thread 0xb6d45b90 (LWP 16627)]
[New Thread 0xb6d76b90 (LWP 16626)]
[New Thread 0xb7b57b90 (LWP 16625)]
0xb7f54430 in __kernel_vsyscall ()
  4 Thread 0xb7b57b90 (LWP 16625)  0xb7f54430 in __kernel_vsyscall ()
  3 Thread 0xb6d76b90 (LWP 16626)  0xb7f54430 in __kernel_vsyscall ()
  2 Thread 0xb6d45b90 (LWP 16627)  0xb7f54430 in __kernel_vsyscall ()
  1 Thread 0xb7c946f0 (LWP 16624)  0xb7f54430 in __kernel_vsyscall ()

Thread 4 (Thread 0xb7b57b90 (LWP 16625)):
#0  0xb7f54430 in __kernel_vsyscall ()
#1  0xb7e5b0e5 in pthread_cond_wait@@GLIBC_2.3.2 () from
/lib/tls/i686/cmov/libpthread.so.0
#2  0x0820a461 in GC_wait_marker () at pthread_support.c:1785
#3  0x0820d23f in GC_help_marker (my_mark_no=2) at mark.c:1116
#4  0x08209245 in GC_mark_thread (id=0x0) at pthread_support.c:548
#5  0xb7e574ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6  0xb7dac49e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 3 (Thread 0xb6d76b90 (LWP 16626)):
#0  0xb7f54430 in __kernel_vsyscall ()
#1  0xb7e5e8f6 in nanosleep () from /lib/tls/i686/cmov/libpthread.so.0
#2  0x081e18d8 in collection_thread (unused=0x0) at collection.c:34
#3  0xb7e574ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#4  0xb7dac49e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 2 (Thread 0xb6d45b90 (LWP 16627)):
#0  0xb7f54430 in __kernel_vsyscall ()
#1  0xb7e5d3f5 in sem_wait@@GLIBC_2.1 () from
/lib/tls/i686/cmov/libpthread.so.0
#2  0x081f8e48 in mono_sem_wait (sem=0x82d8124, alertable=0) at
mono-semaphore.c:102
#3  0x0811c2a8 in finalizer_thread (unused=0x0) at gc.c:1022
#4  0x081529b7 in start_wrapper (data=0x88001e8) at threads.c:666
#5  0x081ebade in thread_start_routine (args=0x8803684) at wthreads.c:286
#6  0x0820a0f3 in GC_start_routine (arg=0x35f20) at pthread_support.c:1390
#7  0xb7e574ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8  0xb7dac49e in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread 0xb7c946f0 (LWP 16624)):
#0  0xb7f54430 in __kernel_vsyscall ()
#1  0xb7da8a87 in syscall () from /lib/tls/i686/cmov/libc.so.6
#2  0x08119d92 in mono_runtime_syscall_fork () at mini-posix.c:563
#3  0x080dadfc in mono_handle_native_sigsegv (signal=11, ctx=0xb7356d0c) at
mini-exceptions.c:1798
#4  0x08115fbb in mono_arch_handle_altstack_exception (sigctx=0xb7356d0c,
fault_addr=0xb7357000, stack_ovf=0)
    at exceptions-x86.c:1287
#5  <signal handler called>
#6  encode_public_tok (token=0xb73514b1 "", len=134217728) at assembly.c:144
#7  0x08131231 in mono_assembly_get_assemblyref (image=0x87eeca8, index=0,
aname=0xbfd6f670) at assembly.c:708
#8  0x08133eae in mono_assembly_load_reference (image=0x87eeca8, index=0) at
assembly.c:832
#9  0x081d71a3 in mono_class_from_typeref (image=0x87eeca8,
type_token=16777217) at class.c:171
#10 0x081d5c1c in mono_class_get_full (image=0x87eeca8, type_token=16777217,
context=0xa6c44008) at class.c:6201
#11 0x081d6082 in mono_class_create_from_typedef (image=0x87eeca8,
type_token=33554434) at class.c:4913
#12 0x081d5bb9 in mono_class_get_full (image=0x87eeca8, type_token=33554434,
context=0xa6c44008) at class.c:6198
#13 0x081d5ce0 in mono_class_get (image=0x87eeca8, type_token=33554434) at
class.c:6286
#14 0x081967fa in mono_get_method_from_token (image=0x87eeca8, token=100663298,
klass=0x0, context=0x0, 
    used_context=0xbfd6fb58) at loader.c:1548
#15 0x08195707 in mono_get_method_full (image=0x87eeca8, token=100663298,
klass=0x0, context=0x0) at loader.c:1638
#16 0x081957f7 in mono_get_method (image=0x87eeca8, token=100663298, klass=0x0)
at loader.c:1610
#17 0x080b7442 in mono_jit_exec (domain=0x34e70, assembly=0x88007a0, argc=1,
argv=0xbfd6fdb8) at driver.c:933
#18 0x080b8e65 in mono_main (argc=2, argv=0xbfd6fdb4) at driver.c:999
#19 0x0805bb51 in main (argc=808464432, argv=0x30303030) at main.c:34
#0  0xb7f54430 in __kernel_vsyscall ()

=================================================================
Got a SIGSEGV while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================

Aborted

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.

More information about the mono-bugs mailing list