<p dir="ltr">There are interceptors for various uninstrumented libc functions invisible to the tool otherwise. They are used to report addressability bugs in the data passed into libc.<br>
Some interceptors can be disabled using ASAN_OPTIONS (not sure about readdir(), need to look that up), though you can't disable them just for third party libraries.<br>
Keep in mind that although you sometimes can make ASan ignore a heap corruption this doesn't fix the bug, and something may break later due to this wild write.</p>
<div class="gmail_quote">On Feb 23, 2014 3:17 AM, "Jason Haslam" <<a href="mailto:jason.haslam@gmail.com">jason.haslam@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">The code in question is in Qt. I think that it must have been a real bug in the code since I can no longer reproduce after trying the most recent version of Qt. I also haven’t been able to reproduce the error in a minimal sample. I’m pretty sure that I started seeing the issue when I switched from 10.8 to 10.9, but that doesn’t mean that it’s not a bug in the client code.<div>
<br></div><div>On a slightly different topic, I’m a little confused about why I even get errors in Qt in the first place since it was built without address sanitizer instrumentation. I didn't expect to see any errors there. Is there any way that I can ignore errors in third party libraries like this?</div>
<div><br></div><div>In any case, I apologize for the false alarm. Thanks for the help!<br><div><br></div><div>Jason</div><div><br></div><div><br><div><div>On Feb 21, 2014, at 10:53 PM, Kostya Serebryany <<a href="mailto:kcc@google.com" target="_blank">kcc@google.com</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><div>+glider</div>Are you certain that this is not a real bug in your code? <div>Could you provide a minimal test case? </div><div>Does test/asan/TestCases/Linux/interception_readdir_r_test.cc work on your machine? </div>
<div>(or, simply, does 'make check-asan' work?)</div><div><br></div><div>This might be something in 10.9 that has changed since 10.8.</div><div>Afaict, we are still not testing asan on 10.9 (glider?)</div><div>Could you please send a preprocessed source of a test calling readdir_r so that I can see the definition of struct dirent?</div>
<div><br></div><div>Looking at your report I see: </div>WRITE of size 48830 at 0x11617988 thread T0<br>0x11617988 is located 0 bytes to the right of 520-byte region [0x11617780,0x11617988)<div><br></div><div>So, somewhere in your heap you've allocated 520 bytes of memory for dirent. </div>
<div>Then our readdir_r interceptor does this: </div><pre>  int res = REAL(readdir_r)(dirp, entry, result);
  if (!res) {
    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, result, sizeof(*result));
    if (*result)
      COMMON_INTERCEPTOR_WRITE_RANGE(ctx, *result, (*result)->d_reclen);
  }
</pre><div><br></div><div>Since we see "WRITE of size 48830", this is likely the second "COMMON_INTERCEPTOR_WRITE_RANGE"</div>
<div>with d_reclen=48830. That's quite unexpected I think. </div><div><br></div><div>--kcc </div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Feb 22, 2014 at 2:39 AM, Jason Haslam <span dir="ltr"><<a href="mailto:jason.haslam@gmail.com" target="_blank">jason.haslam@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">I see address sanitizer failures with TOT clang in readdir_r on Mac OS 10.9 like the following:<div>
<br></div><div><div style="margin:0px;font-size:11px;font-family:Menlo">=================================================================</div><div style="margin:0px;font-size:11px;font-family:Menlo;color:rgb(195,55,32)">
<b>==61104==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x11617988 at pc 0x7fff36a bp 0xbffc2698 sp 0xbffc2684</b></div><div style="margin:0px;font-size:11px;font-family:Menlo;color:rgb(83,48,225)"><b>WRITE of size 48830 at 0x11617988 thread T0</b></div>
<div style="margin:0px;font-size:11px;font-family:Menlo"> #0 0x7fff369 in wrap_readdir_r (/Users/jason/llvm/build/release/lib/clang/3.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x12369)</div><div style="margin:0px;font-size:11px;font-family:Menlo">
...</div><div style="margin:0px;font-size:11px;font-family:Menlo;color:rgb(52,189,38)"><b>0x11617988 is located 0 bytes to the right of 520-byte region [0x11617780,0x11617988)</b></div><div style="margin:0px;font-size:11px;font-family:Menlo;color:rgb(213,59,211)">
<b>allocated by thread T0 here:</b></div><div style="margin:0px;font-size:11px;font-family:Menlo"> #0 0x800ab1f in wrap_malloc (/Users/jason/llvm/build/release/lib/clang/3.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1db1f)</div>
<div style="margin:0px;font-size:11px;font-family:Menlo">...</div><div style="margin:0px;font-size:11px;font-family:Menlo">SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 wrap_readdir_r</div><div style="margin:0px;font-size:11px;font-family:Menlo">
...</div><div style="margin:0px;font-size:11px;font-family:Menlo">==61104==ABORTING</div></div><div><br></div><div>I get similar failures in statfs. Does anybody else see this? I got around these issues with the attached patch. Is there a better way to fix this without disabling these interceptors?</div>
<span><font color="#888888"><div><br></div><div>Jason</div><div><br></div><div></div></font></span></div><br><div style="word-wrap:break-word"><div></div>
</div><br>_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br>
<a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></blockquote></div>