Closed gy741 closed 6 years ago
Status: Tried to replicate this issue in 2 separate environments. Both failed. This comment documents the attempt in OpenBSD-6.2 with clang
Modified a single line in Makefile
DEVFLAGS = -O0 -g3 -DDEBUG -fsanitize=address -Wall
Then executed gmake
$ gmake
cc -g -pthread -O3 -c -o src/0.o src/0.c
cc -g -pthread -O3 -c -o src/bswap.o src/bswap.c
cc -g -pthread -O3 -c -o src/c.o src/c.c
cc -g -pthread -O3 -c -o src/getline.o src/getline.c
cc -g -pthread -O3 -c -o src/mt.o src/mt.c
cc -g -pthread -O3 -c -o src/p.o src/p.c
cc -g -pthread -O3 -c -o src/r.o src/r.c
cc -g -pthread -O3 -c -o src/k.o src/k.c
cc -g -pthread -O3 -c -o src/kc.o src/kc.c
cc -g -pthread -O3 -c -o src/kx.o src/kx.c
cc -g -pthread -O3 -c -o src/kg.o src/kg.c
cc -g -pthread -O3 -c -o src/km.o src/km.c
cc -g -pthread -O3 -c -o src/kn.o src/kn.c
cc -g -pthread -O3 -c -o src/ko.o src/ko.c
cc -g -pthread -O3 -c -o src/ks.o src/ks.c
cc -g -pthread -O3 -c -o src/v.o src/v.c
cc -g -pthread -O3 -c -o src/va.o src/va.c
cc -g -pthread -O3 -c -o src/vc.o src/vc.c
cc -g -pthread -O3 -c -o src/vd.o src/vd.c
cc -g -pthread -O3 -c -o src/vf.o src/vf.c
cc -g -pthread -O3 -c -o src/vg.o src/vg.c
cc -g -pthread -O3 -c -o src/vq.o src/vq.c
cc -g -pthread -O3 -c -o src/main.o src/main.c
cc -g -pthread -O3 src/0.o src/bswap.o src/c.o src/getline.o src/mt.o src/p.o src/r.o src/k.o src/kc.o src/kx.o src/kg.o src/km.o src/kn.o src/ko.o src/ks.o src/v.o src/va.o src/vc.o src/vd.o src/vf.o src/vg.o src/vq.o src/main.o -o k -lm
src/v.o: In function `glueSS':
src/v.c:28: warning: warning: sprintf() is often misused, please use snprintf()
src/c.o: In function `filexist':
src/c.c:50: warning: warning: strcpy() is almost always misused, please use strlcpy()
src/c.o: In function `backslash_d':
src/c.c:465: warning: warning: strcat() is almost always misused, please use strlcat()
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/0.t.o src/0.c
cc: error: unsupported option '-fsanitize=address' for target 'amd64-unknown-openbsd6.2'
gmake: *** [Makefile:129: src/0.t.o] Error 1
Status: In Fedora-27 with gcc. I made the same change to Makefile
DEVFLAGS = -O0 -g3 -DDEBUG -fsanitize=address -Wall
Then ran make
$ make
cc -g -pthread -O3 -c -o src/0.o src/0.c
cc -g -pthread -O3 -c -o src/bswap.o src/bswap.c
cc -g -pthread -O3 -c -o src/c.o src/c.c
cc -g -pthread -O3 -c -o src/getline.o src/getline.c
cc -g -pthread -O3 -c -o src/mt.o src/mt.c
cc -g -pthread -O3 -c -o src/p.o src/p.c
cc -g -pthread -O3 -c -o src/r.o src/r.c
cc -g -pthread -O3 -c -o src/k.o src/k.c
cc -g -pthread -O3 -c -o src/kc.o src/kc.c
cc -g -pthread -O3 -c -o src/kx.o src/kx.c
cc -g -pthread -O3 -c -o src/kg.o src/kg.c
cc -g -pthread -O3 -c -o src/km.o src/km.c
cc -g -pthread -O3 -c -o src/kn.o src/kn.c
cc -g -pthread -O3 -c -o src/ko.o src/ko.c
cc -g -pthread -O3 -c -o src/ks.o src/ks.c
cc -g -pthread -O3 -c -o src/v.o src/v.c
cc -g -pthread -O3 -c -o src/va.o src/va.c
cc -g -pthread -O3 -c -o src/vc.o src/vc.c
cc -g -pthread -O3 -c -o src/vd.o src/vd.c
cc -g -pthread -O3 -c -o src/vf.o src/vf.c
cc -g -pthread -O3 -c -o src/vg.o src/vg.c
cc -g -pthread -O3 -c -o src/vq.o src/vq.c
cc -g -pthread -O3 -c -o src/main.o src/main.c
cc -g -pthread -O3 src/0.o src/bswap.o src/c.o src/getline.o src/mt.o src/p.o src/r.o src/k.o src/kc.o src/kx.o src/kg.o src/km.o src/kn.o src/ko.o src/ks.o src/v.o src/va.o src/vc.o src/vd.o src/vf.o src/vg.o src/vq.o src/main.o -o k -lm -ldl
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/0.t.o src/0.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/bswap.t.o src/bswap.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/c.t.o src/c.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/getline.t.o src/getline.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/mt.t.o src/mt.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/p.t.o src/p.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/r.t.o src/r.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/k.t.o src/k.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/kc.t.o src/kc.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/kx.t.o src/kx.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/kg.t.o src/kg.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/km.t.o src/km.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/kn.t.o src/kn.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/ko.t.o src/ko.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/ks.t.o src/ks.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/v.t.o src/v.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/va.t.o src/va.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/vc.t.o src/vc.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/vd.t.o src/vd.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/vf.t.o src/vf.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/vg.t.o src/vg.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/vq.t.o src/vq.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/main.t.o src/main.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall -c -o src/tests.t.o src/tests.c
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall src/0.t.o src/bswap.t.o src/c.t.o src/getline.t.o src/mt.t.o src/p.t.o src/r.t.o src/k.t.o src/kc.t.o src/kx.t.o src/kg.t.o src/km.t.o src/kn.t.o src/ko.t.o src/ks.t.o src/v.t.o src/va.t.o src/vc.t.o src/vd.t.o src/vf.t.o src/vg.t.o src/vq.t.o src/main.t.o src/tests.t.o -o k_test -lm -ldl
/usr/bin/ld: cannot find /usr/lib64/libasan.so.4.0.0
collect2: error: ld returned 1 exit status
make: *** [Makefile:108: k_test] Error 1
Planned next step: The Fedora/gcc result is a bit more descriptive. Will try to get /usr/lib64/libasan.so.4.0.0 installed.
Status: was able to replicate global-buffer-overflow on Fedora/gcc:
$ sudo dnf install asan
Installed:
libasan.x86_64 7.3.1-2.fc27
Complete!
$ make
cc -g -pthread -O0 -g3 -DDEBUG -fsanitize=address -Wall src/0.t.o src/bswap.t.o src/c.t.o src/getline.t.o src/mt.t.o src/p.t.o src/r.t.o src/k.t.o src/kc.t.o src/kx.t.o src/kg.t.o src/km.t.o src/kn.t.o src/ko.t.o src/ks.t.o src/v.t.o src/va.t.o src/vc.t.o src/vd.t.o src/vf.t.o src/vg.t.o src/vq.t.o src/main.t.o src/tests.t.o -o k_test -lm -ldl
$ ./k_test
t:0
=================================================================
==1601==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004d16ff at pc 0x00000041afa2 bp 0x7ffe49455e40 sp 0x7ffe49455e30
READ of size 1 at 0x0000004d16ff thread T0
#0 0x41afa1 in mark_adverb src/p.c:213
#1 0x41d62b in wd_ src/p.c:337
#2 0x41cfe8 in wd src/p.c:314
#3 0x433256 in XN src/k.c:54
#4 0x4331df in X src/k.c:50
#5 0x48be9e in tc src/tests.c:40
#6 0x4a6cbe in testsBook src/tests.c:965
#7 0x48c4f1 in test src/tests.c:68
#8 0x439b42 in kinit src/kc.c:164
#9 0x48bb78 in main src/main.c:6
#10 0x7f911744c009 in __libc_start_main (/lib64/libc.so.6+0x21009)
#11 0x403349 in _start (/home/tom/konak/k_test+0x403349)
0x0000004d16ff is located 43 bytes to the right of global variable '*.LC984' defined in 'src/tests.c' (0x4d16c0) of size 20
'*.LC984' is ascii string '1 0 1 0 0 2 0 1 2 1'
0x0000004d16ff is located 1 bytes to the left of global variable '*.LC985' defined in 'src/tests.c' (0x4d1700) of size 10
'*.LC985' is ascii string '+/1 2 3 4'
SUMMARY: AddressSanitizer: global-buffer-overflow src/p.c:213 in mark_adverb
Shadow bytes around the buggy address:
0x000080092280: 00 05 f9 f9 f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9
0x000080092290: 00 06 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
0x0000800922a0: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
0x0000800922b0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
0x0000800922c0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800922d0: 00 00 00 02 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9[f9]
0x0000800922e0: 00 02 f9 f9 f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9
0x0000800922f0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
0x000080092300: 04 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
0x000080092310: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 06 f9 f9
0x000080092320: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1601==ABORTING
$
Hello.
I found a global-buffer-overflow bug in kona.
Please confirm.
Thanks.
Steps to reproduce: 1.Compile the source code with ASan. 2.Execute the following command : ./k_test
========================================== [Acknowledgement] This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]