[cfe-dev] Address sanitizer failures in readdir and statfs on Mac

Alexander Potapenko glider at google.com
Fri Feb 21 23:30:53 PST 2014


We're running ASan tests on 10.9, but IIRC Chrome bots are still on 10.8.
However I doubt there's much difference between these two OSX versions.
On Feb 22, 2014 9:53 AM, "Kostya Serebryany" <kcc at google.com> wrote:

> +glider
> Are you certain that this is not a real bug in your code?
> Could you provide a minimal test case?
> Does test/asan/TestCases/Linux/interception_readdir_r_test.cc work on your
> machine?
> (or, simply, does 'make check-asan' work?)
>
> This might be something in 10.9 that has changed since 10.8.
> Afaict, we are still not testing asan on 10.9 (glider?)
> Could you please send a preprocessed source of a test calling readdir_r so
> that I can see the definition of struct dirent?
>
> Looking at your report I see:
> WRITE of size 48830 at 0x11617988 thread T0
> 0x11617988 is located 0 bytes to the right of 520-byte region
> [0x11617780,0x11617988)
>
> So, somewhere in your heap you've allocated 520 bytes of memory for
> dirent.
> Then our readdir_r interceptor does this:
>   int res = REAL(readdir_r)(dirp, entry, result);
>   if (!res) {
>     COMMON_INTERCEPTOR_WRITE_RANGE(ctx, result, sizeof(*result));
>
>     if (*result)
>       COMMON_INTERCEPTOR_WRITE_RANGE(ctx, *result, (*result)->d_reclen);
>   }
>
> Since we see "WRITE of size 48830", this is likely the second
> "COMMON_INTERCEPTOR_WRITE_RANGE"
> with d_reclen=48830. That's quite unexpected I think.
>
> --kcc
>
>
>
>
> On Sat, Feb 22, 2014 at 2:39 AM, Jason Haslam <jason.haslam at gmail.com>wrote:
>
>> I see address sanitizer failures with TOT clang in readdir_r on Mac OS
>> 10.9 like the following:
>>
>> =================================================================
>> *==61104==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x11617988 at pc 0x7fff36a bp 0xbffc2698 sp 0xbffc2684*
>> *WRITE of size 48830 at 0x11617988 thread T0*
>>     #0 0x7fff369 in wrap_readdir_r
>> (/Users/jason/llvm/build/release/lib/clang/3.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x12369)
>> ...
>> *0x11617988 is located 0 bytes to the right of 520-byte region
>> [0x11617780,0x11617988)*
>> *allocated by thread T0 here:*
>>     #0 0x800ab1f in wrap_malloc
>> (/Users/jason/llvm/build/release/lib/clang/3.5/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x1db1f)
>> ...
>> SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 wrap_readdir_r
>> ...
>> ==61104==ABORTING
>>
>> I get similar failures in statfs. Does anybody else see this? I got
>> around these issues with the attached patch. Is there a better way to fix
>> this without disabling these interceptors?
>>
>> Jason
>>
>>
>>
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140222/3943cbc7/attachment.html>


More information about the cfe-dev mailing list