Bug #2307
closed
Global buffer overflow in TestName::ImplictSha256Digest test case
Added by Davide Pesavento almost 10 years ago.
Updated about 9 years ago.
Description
==4469==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000bb3a60 at pc 0x98ac3b bp 0x7fff002ac0d0 sp 0x7fff002ac0c0
READ of size 1 at 0x000000bb3a60 thread T0
#0 0x98ac3a in __copy_m<unsigned char> /usr/include/c++/4.9/bits/stl_algobase.h:378
#1 0x98ac3a in __copy_move_a<false, unsigned char const*, unsigned char*> /usr/include/c++/4.9/bits/stl_algobase.h:396
#2 0x98ac3a in __copy_move_a2<false, unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:434
#3 0x98ac3a in copy<unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:466
#4 0x98ac3a in ndn::EncodingImpl<true>::prependByteArray(unsigned char const*, unsigned long) ../src/encoding/encoding-buffer.hpp:418
#5 0x98ac3a in prependByteArrayBlock<true> ../src/encoding/encoding-buffer.hpp:241
#6 0x98ac3a in dataBlock ../src/encoding/block-helpers.hpp:70
#7 0x98ac3a in ndn::name::Component::Component(unsigned char const*, unsigned long) ../src/name-component.cpp:77
#8 0x695416 in ndn::Name::append(unsigned char const*, unsigned long) ../src/security/../name.hpp:157
#9 0x68ea5a in ndn::TestName::ImplictSha256Digest::test_method() ../tests/unit-tests/test-name.cpp:346
#10 0x6906da in ImplictSha256Digest_invoker ../tests/unit-tests/test-name.cpp:325
#11 0x44e8fe in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#12 0x44e8fe in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#13 0x7f497b1ea5a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#14 0x7f497b1c5865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#15 0x7f497b1c60a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#16 0x7f497b1ea6a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#17 0x7f497b1d42f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#18 0x7f497b2032d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#19 0x7f497b2032d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#20 0x7f497b1cf819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#21 0x7f497b1e8283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#22 0x8390cc in main /usr/include/boost/test/unit_test.hpp:59
#23 0x7f4979cd9ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#24 0x43bcd8 (/home/davide/ndn-cxx/build/unit-tests+0x43bcd8)
0x000000bb3a60 is located 32 bytes to the left of global variable '__PRETTY_FUNCTION__' from '../tests/unit-tests/test-name.cpp' (0xbb3a80) of size 225
'__PRETTY_FUNCTION__' is ascii string 'typename boost::detail::sp_dereference<T>::type boost::shared_ptr<T>::operator*() const [with T = boost::basic_wrap_stringstream<char>; typename boost::detail::sp_dereference<T>::type = boost::basic_wrap_stringstream<char>&]'
0x000000bb3a60 is located 0 bytes to the right of global variable 'DIGEST' from '../tests/unit-tests/test-name.cpp' (0xbb3a40) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/include/c++/4.9/bits/stl_algobase.h:378 __copy_m<unsigned char>
Shadow bytes around the buggy address:
0x00008016e6f0: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008016e700: 00 00 00 03 f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9
0x00008016e710: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008016e720: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 01 f9 f9
0x00008016e730: f9 f9 f9 f9 00 00 00 00 00 00 07 f9 f9 f9 f9 f9
=>0x00008016e740: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9
0x00008016e750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008016e760: 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9 f9
0x00008016e770: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008016e780: 00 00 00 00 00 00 00 07 f9 f9 f9 f9 05 f9 f9 f9
0x00008016e790: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==4469==ABORTING
Also notice the typo in the name of the test case ("Implict")
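To relate the numbers in the report above to its shadow-byte dump, the following is an added example (not ndn-cxx code) that applies the standard x86_64 Linux ASan shadow mapping and ASan's "located N bytes to the left/right of" arithmetic to the addresses quoted above; the helper names are mine.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Added example, not ndn-cxx code. Standard x86_64 Linux ASan mapping:
// Shadow = (Mem >> 3) + 0x7fff8000, one shadow byte per 8-byte granule.
constexpr uint64_t kShadowOffset = 0x7fff8000ULL;

constexpr uint64_t shadowAddress(uint64_t mem) {
  return (mem >> 3) + kShadowOffset;
}
// The "Shadow bytes around the buggy address" dump prints 16 shadow bytes per
// row: the row holding the fault, and the column of the bracketed [..] byte.
constexpr uint64_t shadowRowStart(uint64_t mem) { return shadowAddress(mem) & ~0xfULL; }
constexpr unsigned shadowColumn(uint64_t mem) { return unsigned(shadowAddress(mem) & 0xf); }

// Fault position relative to a global object, in ASan's wording:
// 0 = inside, >0 = bytes to the right of its end, <0 = bytes to the left of its start.
constexpr int64_t offsetFromObject(uint64_t fault, uint64_t objStart, uint64_t objSize) {
  return fault < objStart ? -int64_t(objStart - fault)
       : fault < objStart + objSize ? 0
       : int64_t(fault - (objStart + objSize));
}

// Addressable bytes described by one shadow byte: 00 = all 8, 01..07 = that
// many leading bytes, anything else (f9 = global redzone, ...) = none.
constexpr unsigned addressableBytes(uint8_t shadow) {
  return shadow == 0 ? 8 : (shadow < 8 ? shadow : 0);
}

// Object size recovered from its run of shadow bytes, read until the first
// partial granule or redzone byte.
unsigned objectSizeFromShadow(std::initializer_list<uint8_t> run) {
  unsigned size = 0;
  for (uint8_t s : run) {
    size += addressableBytes(s);
    if (s != 0) break;
  }
  return size;
}

int main() {
  // Values from the first report on this page.
  const uint64_t fault = 0xbb3a60, digest = 0xbb3a40, pretty = 0xbb3a80;
  std::printf("shadow row 0x%llx, column %u\n",
              (unsigned long long)shadowRowStart(fault), shadowColumn(fault));
  std::printf("%lld bytes past DIGEST, %lld relative to __PRETTY_FUNCTION__\n",
              (long long)offsetFromObject(fault, digest, 32),
              (long long)offsetFromObject(fault, pretty, 225));
  return 0;
}
```

For the first report this yields row 0x8016e740, column 12 (the [f9] in the "=>" line), 0 bytes past DIGEST and -32 relative to __PRETTY_FUNCTION__; the second report's 0xc4c400 lands at column 0 of row 0x80181880, and the 00 02 pair after the redzone there is nameOctets' 10 bytes.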
I cannot reproduce this error with valgrind.
Valgrind cannot detect global overflows, so I guess that's expected.
Still reproducible with ndn-cxx-0.3.0-6-gea71967
==11836==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000c4c400 at pc 0x91377c bp 0x7fff18087fa0 sp 0x7fff18087f90
READ of size 1 at 0x000000c4c400 thread T0
#0 0x91377b in __copy_m<unsigned char> /usr/include/c++/4.9/bits/stl_algobase.h:378
#1 0x91377b in __copy_move_a<false, unsigned char const*, unsigned char*> /usr/include/c++/4.9/bits/stl_algobase.h:396
#2 0x91377b in __copy_move_a2<false, unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:434
#3 0x91377b in copy<unsigned char const*, __gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char> > > /usr/include/c++/4.9/bits/stl_algobase.h:466
#4 0x91377b in ndn::encoding::Encoder::prependByteArray(unsigned char const*, unsigned long) ../src/encoding/encoder.cpp:130
#5 0x914097 in ndn::encoding::Encoder::prependByteArrayBlock(unsigned int, unsigned char const*, unsigned long) ../src/encoding/encoder.cpp:243
#6 0x9d2bc4 in dataBlock ../src/encoding/block-helpers.hpp:126
#7 0x9d2bc4 in ndn::name::Component::Component(unsigned char const*, unsigned long) ../src/name-component.cpp:77
#8 0x7111fc in ndn::Name::append(unsigned char const*, unsigned long) ../src/security/../name.hpp:157
#9 0x709316 in ndn::TestName::ImplictSha256Digest::test_method() ../tests/unit-tests/test-name.cpp:369
#10 0x70b01e in ImplictSha256Digest_invoker ../tests/unit-tests/test-name.cpp:348
#11 0x44b018 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#12 0x44b018 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#13 0x7f59da5645a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#14 0x7f59da53f865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#15 0x7f59da5400a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#16 0x7f59da5646a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#17 0x7f59da54e2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#18 0x7f59da57d2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#19 0x7f59da57d2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#20 0x7f59da549819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#21 0x7f59da562283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#22 0x43e8eb in main /usr/include/boost/test/unit_test.hpp:59
#23 0x7f59d9053ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#24 0x43e2c8 (/home/davide/ndn-cxx/build/unit-tests+0x43e2c8)
0x000000c4c400 is located 32 bytes to the left of global variable 'nameOctets' from '../tests/unit-tests/test-name.cpp' (0xc4c420) of size 10
0x000000c4c400 is located 0 bytes to the right of global variable 'DIGEST' from '../tests/unit-tests/test-name.cpp' (0xc4c3e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/include/c++/4.9/bits/stl_algobase.h:378 __copy_m<unsigned char>
Shadow bytes around the buggy address:
0x000080181830: 00 00 00 00 00 00 00 03 f9 f9 f9 f9 00 00 06 f9
0x000080181840: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
0x000080181850: 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080181860: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
0x000080181870: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x000080181880:[f9]f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
0x000080181890: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801818a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801818b0: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000801818c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
0x0000801818d0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==11836==ABORTING
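Both reports show the copy reaching DIGEST + 32 through Name::append(const uint8_t*, size_t), so the (pointer, length) pair handed to that API described more bytes than the 32-byte array holds; the test line itself is not on the page. The following is an added example (not ndn-cxx code) placing that pointer+length pattern beside two hardened overloads that bound the length by the array's declared size; DIGEST here is a constructed stand-in and the function names are mine.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example, not ndn-cxx code. DIGEST is a constructed 32-byte stand-in
// for the test's global of the same size; its real contents are not on the page.
static const uint8_t DIGEST[32] = {
  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};

// Pointer+length API in the style of Name::append(const uint8_t*, size_t): the
// callee cannot know how large the source really is, so a length larger than the
// array reads past it silently unless a sanitizer is watching.
std::vector<uint8_t> copyBytes(const uint8_t* value, std::size_t length) {
  return std::vector<uint8_t>(value, value + length);
}
// copyBytes(DIGEST, sizeof(DIGEST) + 1);  // reads DIGEST[32]: the global-buffer-overflow above

// Hardened overload: the array size rides along in the type, so a caller cannot
// pass a length the array does not have.
template <std::size_t N>
std::vector<uint8_t> copyBytes(const uint8_t (&value)[N]) {
  return copyBytes(value, N);
}

// For callers that need an explicit length (a prefix of the digest), bound it
// by the declared size instead of trusting it.
template <std::size_t N>
std::vector<uint8_t> copyPrefix(const uint8_t (&value)[N], std::size_t length) {
  if (length > N) {
    throw std::length_error("requested length exceeds source array");
  }
  return copyBytes(value, length);
}

// True when copyPrefix refuses a length that would run past DIGEST.
bool prefixIsRejected(std::size_t length) {
  try {
    copyPrefix(DIGEST, length);
    return false;
  } catch (const std::length_error&) {
    return true;
  }
}
```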
Please post the complete commands you used to display those errors, starting from ./waf configure.
$ lsb_release -d
Description: Ubuntu 14.10
$ gcc --version
gcc (Ubuntu 4.9.1-16ubuntu6) 4.9.1
$ git clean -dfX # (or ./waf distclean)
$ CXXFLAGS="-pedantic -Wall -g3 -Werror -Wno-error=maybe-uninitialized -Og -fdiagnostics-color -fsanitize=address" LINKFLAGS=-fsanitize=address ./waf configure --debug --with-tests
$ ./waf
$ ./build/unit-tests -t TestName
- Status changed from New to In Progress
- Assignee set to Junxiao Shi
- Target version changed from v0.3 to v0.4
- Estimated time set to 0.50 h
Confirmed. Will try to resolve.
- Status changed from In Progress to Code review
- % Done changed from 0 to 100
- Category changed from Tests to Base
- Status changed from Code review to Closed
- Blocks Task #2589: CI: enable AddressSanitizer for unit tests added
- Start date deleted (12/16/2014)