thread_stats.malloced_by_size[class_id] overflow in asan_allocator.cc

GoogleCodeExporter commented 9 years ago

What version of the product are you using? On what operating system?

Clang 3.7, x86_64-unknown-linux-gnu

Please provide any additional information below.

Performing static analysis for ASan via Coverity Prevent tool, I've noticed, 
that thread_stats.malloced_by_size[class_id] from can be overflowed in Allocate 
function from asan_allocator.cc.

Here:

$ cat lib/asan/asan_allocator.cc
....................................
  uptr class_id =
      Min(kNumberOfSizeClasses, SizeClassMap::ClassID(needed_size));
  thread_stats.malloced_by_size[class_id]++;

If class_id == kNumberOfSizeClasses == 255, than we access 
thread_stats.malloced_by_size[255] and overflow thread_stats.malloced_by_size 
array.

Original issue reported on code.google.com by chefM...@gmail.com on 26 Jun 2015 at 6:21

GoogleCodeExporter commented 9 years ago

Original comment by samso...@google.com on 26 Jun 2015 at 6:31

Changed state: Accepted

GoogleCodeExporter commented 9 years ago

Should be fixed in r240816, thanks for the report!

Original comment by samso...@google.com on 26 Jun 2015 at 7:18

Changed state: Fixed

GoogleCodeExporter commented 9 years ago

Thank you, Alexey.

Original comment by chefM...@gmail.com on 26 Jun 2015 at 7:47

GoogleCodeExporter commented 9 years ago

Adding Project:AddressSanitizer as part of GitHub migration.

Original comment by ramosian.glider@gmail.com on 30 Jul 2015 at 9:14

Added labels: ProjectAddressSanitizer

canistation / address-sanitizer

thread_stats.malloced_by_size[class_id] overflow in asan_allocator.cc #397