Bug #2307

closed

Global buffer overflow in TestName::ImplictSha256Digest test case

Added by Davide Pesavento over 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Base
Target version:
Start date:
Due date:
% Done: 100%
Estimated time: 0.50 h

Description

==4469==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000bb3a60 at pc 0x98ac3b bp 0x7fff002ac0d0 sp 0x7fff002ac0c0
READ of size 1 at 0x000000bb3a60 thread T0
    #0 0x98ac3a in __copy_m<unsigned char> /usr/include/c++/4.9/bits/stl_algobase.h:378
    #1 0x98ac3a in __copy_move_a<false, unsigned char const*, unsigned char*> /usr/include/c++/4.9/bits/stl_algobase.h:396
    #2 0x98ac3a in __copy_move_a2<false, unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:434
    #3 0x98ac3a in copy<unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:466
    #4 0x98ac3a in ndn::EncodingImpl<true>::prependByteArray(unsigned char const*, unsigned long) ../src/encoding/encoding-buffer.hpp:418
    #5 0x98ac3a in prependByteArrayBlock<true> ../src/encoding/encoding-buffer.hpp:241
    #6 0x98ac3a in dataBlock ../src/encoding/block-helpers.hpp:70
    #7 0x98ac3a in ndn::name::Component::Component(unsigned char const*, unsigned long) ../src/name-component.cpp:77
    #8 0x695416 in ndn::Name::append(unsigned char const*, unsigned long) ../src/security/../name.hpp:157
    #9 0x68ea5a in ndn::TestName::ImplictSha256Digest::test_method() ../tests/unit-tests/test-name.cpp:346
    #10 0x6906da in ImplictSha256Digest_invoker ../tests/unit-tests/test-name.cpp:325
    #11 0x44e8fe in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
    #12 0x44e8fe in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #13 0x7f497b1ea5a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
    #14 0x7f497b1c5865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
    #15 0x7f497b1c60a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
    #16 0x7f497b1ea6a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
    #17 0x7f497b1d42f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
    #18 0x7f497b2032d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #19 0x7f497b2032d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #20 0x7f497b1cf819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
    #21 0x7f497b1e8283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
    #22 0x8390cc in main /usr/include/boost/test/unit_test.hpp:59
    #23 0x7f4979cd9ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #24 0x43bcd8 (/home/davide/ndn-cxx/build/unit-tests+0x43bcd8)

0x000000bb3a60 is located 32 bytes to the left of global variable '__PRETTY_FUNCTION__' from '../tests/unit-tests/test-name.cpp' (0xbb3a80) of size 225
  '__PRETTY_FUNCTION__' is ascii string 'typename boost::detail::sp_dereference<T>::type boost::shared_ptr<T>::operator*() const [with T = boost::basic_wrap_stringstream<char>; typename boost::detail::sp_dereference<T>::type = boost::basic_wrap_stringstream<char>&]'
0x000000bb3a60 is located 0 bytes to the right of global variable 'DIGEST' from '../tests/unit-tests/test-name.cpp' (0xbb3a40) of size 32

SUMMARY: AddressSanitizer: global-buffer-overflow /usr/include/c++/4.9/bits/stl_algobase.h:378 __copy_m<unsigned char>
Shadow bytes around the buggy address:
  0x00008016e6f0: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008016e700: 00 00 00 03 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
  0x00008016e710: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00008016e720: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
  0x00008016e730: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
=>0x00008016e740: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9
  0x00008016e750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008016e760: 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9
  0x00008016e770: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008016e780: 00 00 00 00 00 00 00 07 f9 f9 f9 f9 05 f9 f9 f9
  0x00008016e790: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4469==ABORTING
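The shadow-byte rows in the report can be checked by hand. As an added example (not part of the bug report or of ndn-cxx), the C++ below maps an application address to its AddressSanitizer shadow byte using the default Linux x86_64 mapping, shadow = (addr >> 3) + 0x7fff8000 (an assumption about the platform the trace was produced on), and decodes the row marked "=>" to show that the 32 bytes of DIGEST occupy four "addressable" shadow bytes and that the read at DIGEST+32 lands on the "global redzone" byte ASan highlighted with brackets.

```cpp
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// Default ASan shadow mapping on Linux x86_64 (assumed for the trace above):
// one shadow byte describes 8 application bytes.
constexpr uint64_t kShadowOffset = 0x7fff8000;
constexpr unsigned kShadowScale = 3;

uint64_t shadowAddr(uint64_t appAddr) {
  return (appAddr >> kShadowScale) + kShadowOffset;
}

// Meaning of one shadow byte, following the legend ASan prints.
std::string describeShadow(uint8_t b) {
  if (b == 0x00) return "addressable";
  if (b >= 0x01 && b <= 0x07)
    return "partially addressable (" + std::to_string(b) + " bytes)";
  if (b == 0xf9) return "global redzone";
  return "other (see legend)";
}

// One "Shadow bytes" row, e.g.
//   "=>0x00008016e740: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9"
// split into its shadow base address and its 16 shadow bytes.
struct ShadowRow { uint64_t base; std::vector<uint8_t> bytes; };

ShadowRow parseShadowRow(std::string line) {
  for (char& c : line)  // drop the "=>" marker and the [..] highlight
    if (c == '=' || c == '>' || c == '[' || c == ']') c = ' ';
  std::istringstream in(line);
  std::string addr;
  in >> addr;  // "0x00008016e740:" -- stoull parses the 0x prefix, stops at ':'
  ShadowRow row{std::stoull(addr, nullptr, 16), {}};
  unsigned v;
  while (in >> std::hex >> v) row.bytes.push_back(static_cast<uint8_t>(v));
  return row;
}

// Shadow byte covering appAddr within the given row line, or -1 if outside it.
// For the report above: shadowByteFor(row, 0xbb3a5f) is 0x00 (last byte of
// DIGEST) while shadowByteFor(row, 0xbb3a60) is 0xf9, the redzone that was read.
int shadowByteFor(const std::string& rowLine, uint64_t appAddr) {
  ShadowRow row = parseShadowRow(rowLine);
  uint64_t s = shadowAddr(appAddr);
  if (s < row.base || s >= row.base + row.bytes.size()) return -1;
  return row.bytes[s - row.base];
}
```

The same check applied to the second trace below (row 0x000080181880, DIGEST at 0xc4c3e0, nameOctets at 0xc4c420 of size 10) gives 0xf9 for 0xc4c400 and 0x02 for 0xc4c428, the partially addressable tail of nameOctets.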

Related issues 1 (0 open, 1 closed)

Blocks NFD - Task #2589: CI: enable AddressSanitizer for unit tests (Closed, Davide Pesavento)

Actions #1

Updated by Davide Pesavento over 9 years ago

Also notice the typo in the name of the test case ("Implict")

Actions #2

Updated by Junxiao Shi about 9 years ago

I cannot reproduce this error with valgrind.

Actions #3

Updated by Davide Pesavento about 9 years ago

Valgrind cannot detect global overflows, so I guess that's expected.

Actions #4

Updated by Davide Pesavento about 9 years ago

Still reproducible with ndn-cxx-0.3.0-6-gea71967

==11836==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000c4c400 at pc 0x91377c bp 0x7fff18087fa0 sp 0x7fff18087f90
READ of size 1 at 0x000000c4c400 thread T0
    #0 0x91377b in __copy_m<unsigned char> /usr/include/c++/4.9/bits/stl_algobase.h:378
    #1 0x91377b in __copy_move_a<false, unsigned char const*, unsigned char*> /usr/include/c++/4.9/bits/stl_algobase.h:396
    #2 0x91377b in __copy_move_a2<false, unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:434
    #3 0x91377b in copy<unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:466
    #4 0x91377b in ndn::encoding::Encoder::prependByteArray(unsigned char const*, unsigned long) ../src/encoding/encoder.cpp:130
    #5 0x914097 in ndn::encoding::Encoder::prependByteArrayBlock(unsigned int, unsigned char const*, unsigned long) ../src/encoding/encoder.cpp:243
    #6 0x9d2bc4 in dataBlock ../src/encoding/block-helpers.hpp:126
    #7 0x9d2bc4 in ndn::name::Component::Component(unsigned char const*, unsigned long) ../src/name-component.cpp:77
    #8 0x7111fc in ndn::Name::append(unsigned char const*, unsigned long) ../src/security/../name.hpp:157
    #9 0x709316 in ndn::TestName::ImplictSha256Digest::test_method() ../tests/unit-tests/test-name.cpp:369
    #10 0x70b01e in ImplictSha256Digest_invoker ../tests/unit-tests/test-name.cpp:348
    #11 0x44b018 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
    #12 0x44b018 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #13 0x7f59da5645a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
    #14 0x7f59da53f865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
    #15 0x7f59da5400a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
    #16 0x7f59da5646a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
    #17 0x7f59da54e2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
    #18 0x7f59da57d2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #19 0x7f59da57d2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
    #20 0x7f59da549819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
    #21 0x7f59da562283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
    #22 0x43e8eb in main /usr/include/boost/test/unit_test.hpp:59
    #23 0x7f59d9053ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #24 0x43e2c8 (/home/davide/ndn-cxx/build/unit-tests+0x43e2c8)

0x000000c4c400 is located 32 bytes to the left of global variable 'nameOctets' from '../tests/unit-tests/test-name.cpp' (0xc4c420) of size 10
0x000000c4c400 is located 0 bytes to the right of global variable 'DIGEST' from '../tests/unit-tests/test-name.cpp' (0xc4c3e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/include/c++/4.9/bits/stl_algobase.h:378 __copy_m<unsigned char>
Shadow bytes around the buggy address:
  0x000080181830: 00 00 00 00 00 00 00 03 f9 f9 f9 f9 00 00 06 f9
  0x000080181840: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
  0x000080181850: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080181860: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
  0x000080181870: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x000080181880:[f9]f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x000080181890: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801818a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801818b0: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000801818c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
  0x0000801818d0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11836==ABORTING

Actions #5

Updated by Junxiao Shi about 9 years ago

Please post the complete commands you used to display those errors, starting from ./waf configure.

Actions #6

Updated by Davide Pesavento about 9 years ago

$ lsb_release -d
Description:    Ubuntu 14.10

$ gcc --version
gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1

$ git clean -dfX  # (or ./waf distclean)

$ CXXFLAGS="-pedantic -Wall -g3 -Werror -Wno-error=maybe-uninitialized -Og -fdiagnostics-color -fsanitize=address" LINKFLAGS=-fsanitize=address ./waf configure --debug --with-tests

$ ./waf

$ ./build/unit-tests -t TestName

Actions #7

Updated by Junxiao Shi about 9 years ago

  • Status changed from New to In Progress
  • Assignee set to Junxiao Shi
  • Target version changed from v0.3 to v0.4
  • Estimated time set to 0.50 h

Confirmed. Will try to resolve.

Actions #8

Updated by Junxiao Shi about 9 years ago

  • Status changed from In Progress to Code review
  • % Done changed from 0 to 100

Actions #9

Updated by Junxiao Shi about 9 years ago

  • Category changed from Tests to Base
  • Status changed from Code review to Closed

Actions #10

Updated by Davide Pesavento about 9 years ago

  • Blocks Task #2589: CI: enable AddressSanitizer for unit tests added

Actions #11

Updated by Davide Pesavento over 8 years ago

  • Start date deleted (12/16/2014)