[llvm-bugs] [Bug 33514] New: False heap buffer overflow error in ASan after r304824

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Jun 19 10:43:50 PDT 2017


https://bugs.llvm.org/show_bug.cgi?id=33514

            Bug ID: 33514
           Summary: False heap buffer overflow error in ASan after r304824
           Product: new-bugs
           Version: 4.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P
         Component: new bugs
          Assignee: unassignedbugs at nondot.org
          Reporter: hans at chromium.org
                CC: evstupac at gmail.com, kcc at google.com,
                    llvm-bugs at lists.llvm.org, qcolombet at apple.com

Created attachment 18661
  --> https://bugs.llvm.org/attachment.cgi?id=18661&action=edit
creduced repro

A Chrome test started failing under ASan after r304824. Reproduction in a
Chromium build:

#include <string>
#include <vector>
#include <cstdint>  // uint8_t; not guaranteed to be pulled in by <string>/<vector>

struct DataView {
  DataView() {}
  // Appends a single byte, so the caller's vector owns a 1-byte heap buffer.
  bool ReadBinary(std::vector<uint8_t> *v) const {
    v->push_back(1);
    return true;
  }
};

void g(const std::string &s) {
  volatile void* p = (volatile void*)&s;  // keep the string argument observable
}

bool f(const DataView &data_view) {
  std::vector<uint8_t> binary;
  if (!data_view.ReadBinary(&binary))
      return false;
  // Range-constructs a string from [data(), data()+size()), i.e. exactly one byte;
  // the ASan report below attributes the 1-byte READ past that region to this line.
  g(std::string(binary.data(), binary.data() + binary.size()));
  return true;
}

int main() {
  DataView d;
  f(d);
  return 0;
}


$ ../../third_party/llvm-build/Release+Asserts/bin/clang -fsanitize=address
-fsanitize-coverage=trace-pc-guard -O2 -g1 -nostdinc++
-isystem../../buildtools/third_party/libc++/trunk/include
-isystem../../buildtools/third_party/libc++abi/trunk/include /tmp/a.cc
./libc++.so -Wl,-rpath=\$ORIGIN/. && ASAN_OPTIONS=symbolize=1 ./a.out
=================================================================
==66042==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000011 at pc 0x0000004e4c59 bp 0x7ffd344de930 sp 0x7ffd344de928
READ of size 1 at 0x602000000011 thread T0
    #0 0x4e4c58 in __init<unsigned char *>
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1847:35
    #1 0x4e4c58 in basic_string<unsigned char *>
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1856
    #2 0x4e4c58 in f(DataView const&) /tmp/a.cc:17
    #3 0x4e4fe9 in main /tmp/a.cc:23:3
    #4 0x7fb6289b7f44 in __libc_start_main
/build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287
    #5 0x41999b in _start
(/usr/local/google/work/chromium/src/out/asan/a.out+0x41999b)

0x602000000011 is located 0 bytes to the right of 1-byte region
[0x602000000010,0x602000000011)
allocated by thread T0 here:
    #0 0x4b9363 in malloc
(/usr/local/google/work/chromium/src/out/asan/a.out+0x4b9363)
    #1 0x7fb629a5dc1d in operator new(unsigned long)
out/asan/../../buildtools/third_party/libc++/trunk/src/new.cpp:70:17
    #2 0x4e5177 in __allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/new:226:10
    #3 0x4e5177 in allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1786
    #4 0x4e5177 in allocate
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/memory:1541
    #5 0x4e5177 in __split_buffer
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/__split_buffer:309
    #6 0x4e5177 in void std::__1::vector<unsigned char,
std::__1::allocator<unsigned char> >::__push_back_slow_path<unsigned char
const>(unsigned char const&)
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/vector:1572
    #7 0x7ffd344de99f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/work/chromium/src/out/asan/../../buildtools/third_party/libc++/trunk/include/string:1847:35
in __init<unsigned char *>
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==66042==ABORTING




Attaching a creduced repro that's harder to read but might be easier to read
and work with:

$ clang -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard -O2
-g1 /tmp/c.cc && ASAN_OPTIONS=symbolize=1 ./a.out
==67194==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000011 at pc 0x0000005274de bp 0x7ffd10d72850 sp 0x7ffd10d72848
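The report above says the faulting access is a 1-byte READ starting 0 bytes past the end of a 1-byte region. As an added example (not part of this bug report or of LLVM), here is a small C++ helper that extracts exactly those facts from ASan report text, tolerating the mid-sentence line wrapping that mailed reports pick up, so a reported access can be compared mechanically against what the source is supposed to read:

```cpp
// Added triage helper (hypothetical, not LLVM code): extract the facts that
// matter from an AddressSanitizer report and compute how far out of bounds
// the reported access is.
#include <cstdint>
#include <cstdlib>
#include <regex>
#include <string>

struct AsanAccess {
  std::string kind;        // e.g. "heap-buffer-overflow"
  std::string op;          // "READ" or "WRITE"
  uint64_t size = 0;       // access size in bytes
  uint64_t addr = 0;       // faulting address
  uint64_t region_lo = 0;  // nearest allocation is [region_lo, region_hi)
  uint64_t region_hi = 0;
  bool ok = false;         // all three pieces of information were found
};

static uint64_t hex(const std::string& s) { return std::strtoull(s.c_str(), nullptr, 16); }

AsanAccess parse_asan_report(const std::string& text) {
  AsanAccess a;
  std::smatch m;
  // "\s+" rather than " " because mail clients wrap the report mid-sentence.
  const std::regex err(R"(ERROR: AddressSanitizer: ([\w-]+) on address\s+(0x[0-9a-f]+))");
  const std::regex acc(R"((READ|WRITE) of size (\d+) at 0x[0-9a-f]+)");
  const std::regex reg(R"(\[(0x[0-9a-f]+),(0x[0-9a-f]+)\))");
  if (!std::regex_search(text, m, err)) return a;
  a.kind = m[1].str();
  a.addr = hex(m[2].str());
  if (!std::regex_search(text, m, acc)) return a;
  a.op = m[1].str();
  a.size = std::strtoull(m[2].str().c_str(), nullptr, 10);
  if (!std::regex_search(text, m, reg)) return a;
  a.region_lo = hex(m[1].str());
  a.region_hi = hex(m[2].str());
  a.ok = true;
  return a;
}

// Distance from the end of the allocation to the first byte touched; 0 means the
// access begins exactly one past the end ("0 bytes to the right" in ASan's words).
int64_t offset_past_end(const AsanAccess& a) { return int64_t(a.addr) - int64_t(a.region_hi); }

// Number of bytes of the access that fall outside the allocation.
int64_t overflow_bytes(const AsanAccess& a) { return int64_t(a.addr + a.size) - int64_t(a.region_hi); }

// Constructed sample: the opening lines of the report above, wrapped as mailed.
const std::string kSampleReport =
    "==66042==ERROR: AddressSanitizer: heap-buffer-overflow on address\n"
    "0x602000000011 at pc 0x0000004e4c59 bp 0x7ffd344de930 sp 0x7ffd344de928\n"
    "READ of size 1 at 0x602000000011 thread T0\n"
    "0x602000000011 is located 0 bytes to the right of 1-byte region\n"
    "[0x602000000010,0x602000000011)\n";
```

For the repro on this page the helper yields a 1-byte READ with offset_past_end 0 and overflow_bytes 1, which is one byte more than the one-byte range the string constructor is given.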
