[LibOS] Race condition triggers ASan use‑after‑poison in execve path ( release_clear_child_tid ) #2148
Description
Description of the problem
exec_same fails on the Jenkins-SGX-24.04-Sanitizers job for PR #1795 with an ASan use‑after‑poison inside release_clear_child_tid(). Reproduces on main, so this is not PR‑specific.
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: use-after-poison (unallocated SGX memory?) while trying to store 4 bytes at 0x84c0990
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: the bad address is 0x84c0990 (0 from beginning of access)
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: location: release_clear_child_tid at libos_futex.c, libsysdb.so+0x49ab05 (addr = 0xeb25b05)
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: (for a full traceback, use GDB with a breakpoint at "libos_abort")
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan:
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: shadow bytes around the bad address:
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: 0x180010980f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: 0x18001098100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: 0x18001098110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: 0x18001098120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
[2025-05-07T09:06:11.907Z] [2.257] [P1:libos] error: asan: =>0x18001098130: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
...
Root Cause:
thread_exit()enqueues acleanup_threadtask on the async‑worker queue; that task writes*clear_child_tid.- In the
libos_syscall_execve()path, the VMA of the thread’s TCB is freed before the async worker gets to run:gramine/libos/src/sys/libos_futex.c
Line 985 in ff71d7a
- When the worker eventually stores 0 to
*clear_child_tid, it writes to memory that has already been freed.
Steps to reproduce
- Build Gramine with SGX, ASAN, and UBSAN.
- Run exec_same test with args [arg_#1...arg_#49]
Expected results
The async‑worker thread should zero each exiting thread’s *clear_child_tid before that thread’s VMA is freed.
Actual results
libos_syscall_execve() frees the thread’s VMA first, and the async worker attempts to write to *clear_child_tid afterwards, resulting in a use‑after‑poison.