Closed orbea closed 2 years ago
Can you run with -fsanitize=address?
$ ./libtree /usr/lib64/jollygood/*
/usr/lib64/jollygood/bsnes.so
/usr/lib64/jollygood/cega.so
/usr/lib64/jollygood/gambatte.so
/usr/lib64/jollygood/genplus.so
/usr/lib64/jollygood/jollycv.so
/usr/lib64/jollygood/mednafen.so
├── libz.so.1 [ld.so.conf]
├── libFLAC.so.8 [ld.so.conf]
│ └── libogg.so.0 [ld.so.conf]
└── libzstd.so.1 [ld.so.conf]
/usr/lib64/jollygood/mesens.so
/usr/lib64/jollygood/mgba.so
/usr/lib64/jollygood/nestopia.so
/usr/lib64/jollygood/picodrive.so
/usr/lib64/jollygood/prosystem.so
/usr/lib64/jollygood/sameboy.so
=================================================================
==23028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x0000004d3763 bp 0x7ffd378c02f0 sp 0x7ffd378c02e8
WRITE of size 8 at 0x611000000140 thread T0
#0 0x4d3762 in visited_files_append /tmp/libtree/libtree.c:765:33
#1 0x4ce48e in recurse /tmp/libtree/libtree.c:917:9
#2 0x4cc86c in print_tree /tmp/libtree/libtree.c:1460:22
#3 0x4cc4b3 in main /tmp/libtree/libtree.c:1625:12
#4 0x7f16910e401c in __libc_start_main (/lib64/libc.so.6+0x2401c)
#5 0x41f369 in _start /tmp/glibc-2.33/csu/../sysdeps/x86_64/start.S:120
0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
#0 0x49a6fd in malloc /tmp/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x4cca90 in libtree_state_init /tmp/libtree/libtree.c:1441:22
#2 0x4cc6de in print_tree /tmp/libtree/libtree.c:1451:5
#3 0x4cc4b3 in main /tmp/libtree/libtree.c:1625:12
#4 0x7f16910e401c in __libc_start_main (/lib64/libc.so.6+0x2401c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/libtree/libtree.c:765:33 in visited_files_append
Shadow bytes around the buggy address:
0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8020: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==23028==ABORTING
Oof, it's missing sizeof(...) in the realloc. I was joking I should make -fsanitize=address an actual production-level flag so nobody could blame me I should have used Rust :laughing:.
Can you try again on the master branch? I've pushed a fix. Edit: seems there's still an issue...
Another fix was pushed, now it should work ;)
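The diagnosis above (a realloc sized in entries rather than bytes) as an added C example, not libtree's own code: a hypothetical visited-path list whose append keeps the buggy realloc call in a comment beside the fixed one, driven by a constructed workload that starts at 32 entries, the 256-byte region size in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical visited-path list showing the bug class in this thread
 * (an added example, not libtree's code). capacity counts entries. */
struct visited_list {
    const char **paths;
    size_t count, capacity;
};

int visited_list_init(struct visited_list *l, size_t entries) {
    l->paths = malloc(entries * sizeof(*l->paths));
    l->count = 0;
    l->capacity = entries;
    return l->paths ? 0 : -1;
}

/* Appends one path, doubling the array when full. 0 on success, -1 on OOM. */
int visited_list_append(struct visited_list *l, const char *path) {
    if (l->count == l->capacity) {
        size_t grown_cap = l->capacity * 2;
        /* Buggy form: realloc takes a byte count, so this block holds only
         * grown_cap / sizeof(char *) entries and the store below runs past
         * its end once count exceeds that (ASan: heap-buffer-overflow).
         *   const char **p = realloc(l->paths, grown_cap);
         * Fixed form: scale the entry count by the element size. */
        const char **p = realloc(l->paths, grown_cap * sizeof(*p));
        if (!p) return -1;
        l->paths = p;
        l->capacity = grown_cap;
    }
    l->paths[l->count++] = path;
    return 0;
}
/* Constructed workload: start at 32 entries (256 bytes on a 64-bit host, the
 * region size in the report above) and append n distinct names. Returns the
 * final capacity, or 0 on failure or if the last entry was not stored. */
static char name_pool[512][32];
size_t demo_append(size_t n) {
    struct visited_list l;
    if (n == 0 || n > 512 || visited_list_init(&l, 32) != 0) return 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(name_pool[i], sizeof name_pool[i], "/usr/lib64/lib%zu.so", i);
        if (visited_list_append(&l, name_pool[i]) != 0) { free(l.paths); return 0; }
    }
    size_t cap = strcmp(l.paths[n - 1], name_pool[n - 1]) == 0 ? l.capacity : 0;
    free(l.paths);
    return cap;
}
```

Building with -fsanitize=address and swapping in the commented-out realloc reproduces the report's pattern: the 33rd 8-byte store lands just past the block.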
All good now with commit ced2987f07dba9e3890a2c0e17f1229b9c207984.
$ ./libtree /usr/lib64/jollygood/*
/usr/lib64/jollygood/bsnes.so
/usr/lib64/jollygood/cega.so
/usr/lib64/jollygood/gambatte.so
/usr/lib64/jollygood/genplus.so
/usr/lib64/jollygood/jollycv.so
/usr/lib64/jollygood/mednafen.so
├── libz.so.1 [ld.so.conf]
├── libFLAC.so.8 [ld.so.conf]
│ └── libogg.so.0 [ld.so.conf]
└── libzstd.so.1 [ld.so.conf]
/usr/lib64/jollygood/mesens.so
/usr/lib64/jollygood/mgba.so
/usr/lib64/jollygood/nestopia.so
/usr/lib64/jollygood/picodrive.so
/usr/lib64/jollygood/prosystem.so
/usr/lib64/jollygood/sameboy.so
/usr/lib64/jollygood/vecx.so
Thanks!
libtree: https://github.com/haampie/libtree/commit/7f7a39f5399142a5c91b05d637a593f7d8eb2009
Running the library on its own does not produce a segfault.
Although I don't think it's related, for reference the libraries are from this project.
https://gitlab.com/jgemu