koying / google-breakpad

Automatically exported from code.google.com/p/google-breakpad

minidump-2-core Asan violation on writea(1, &crashinfo.auxv, crashinfo.auxv_length) #537

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Repro: Run minidump-2-core with asan.

Dies with ASAN trace like:

=================================================================
==26730==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffc17fa320 at pc 0x422d1c bp 0x7fffc17f93b0 sp 0x7fffc17f9390
READ of size 304 at 0x7fffc17fa320 thread T0
    #0 0x422d1b in __interceptor_write /usr/local/google/home/thakis/src/chrome/src/third_party/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:238
    #1 0x45e5ae in _ZL6writeaiPKvm /usr/local/google/home/ajwong/src/chromium/src/out/Debug/../../breakpad/src/tools/linux/md2core/minidump-2-core.cc:105
    #2 0x450dec in main /usr/local/google/home/ajwong/src/chromium/src/out/Debug/../../breakpad/src/tools/linux/md2core/minidump-2-core.cc:1131
    #3 0x7f041c0cc76c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #4 0x44c6ec in _start ??:0
Address 0x7fffc17fa320 is located in stack of thread T0 at offset 896 in frame
    #0 0x44c7bf in main /usr/local/google/home/ajwong/src/chromium/src/out/Debug/../../breakpad/src/tools/linux/md2core/minidump-2-core.cc:942
  This frame has 45 object(s):
    [32, 36) 'retval'
    [96, 100) 'argc.addr'
    [160, 168) 'argv.addr'
    [224, 228) 'argi'
    [288, 304) 'mapped_file'
    [352, 356) 'cleanup.dest.slot'
    [416, 432) 'dump'
    [480, 488) 'header'
    [544, 896) 'crashinfo'
    [928, 929) 'ok'
    [992, 996) 'i'
    [1056, 1064) 'dirent'
    [1120, 1136) 'ref.tmp'
    [1184, 1188) 'i31'
    [1248, 1256) 'dirent36'
    [1312, 1328) 'ref.tmp42'
    [1376, 1392) 'ref.tmp47'
    [1440, 1456) 'ref.tmp52'
    [1504, 1520) 'ref.tmp57'
    [1568, 1584) 'ref.tmp62'
    [1632, 1648) 'ref.tmp67'
    [1696, 1712) 'ref.tmp72'
    [1760, 1776) 'ref.tmp77'
    [1824, 1840) 'ref.tmp82'
    [1888, 1904) 'ref.tmp87'
    [1952, 1968) 'ref.tmp92'
    [2016, 2080) 'ehdr'
    [2112, 2120) 'offset'
    [2176, 2184) 'filesz'
    [2240, 2296) 'phdr'
    [2336, 2344) 'note_align'
    [2400, 2408) 'iter'
    [2464, 2472) 'ref.tmp147'
    [2528, 2536) 'ref.tmp152'
    [2592, 2600) 'ref.tmp153'
    [2656, 2664) 'mapping'
    [2720, 2732) 'nhdr'
    [2784, 2788) 'i206'
    [2848, 2852) 'i226'
    [2912, 2920) 'scratch'
    [2976, 2984) 'iter257'
    [3040, 3048) 'ref.tmp258'
    [3104, 3112) 'ref.tmp263'
    [3168, 3176) 'ref.tmp264'
    [3232, 3240) 'mapping270'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x1000782f7410: 04 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x1000782f7420: 04 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x1000782f7430: 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x1000782f7440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000782f7450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000782f7460: 00 00 00 00[f2]f2 f2 f2 01 f4 f4 f4 f2 f2 f2 f2
  0x1000782f7470: 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2
  0x1000782f7480: 00 00 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2
  0x1000782f7490: 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x1000782f74a0: 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
  0x1000782f74b0: 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==26730==ABORTING

I think the line of code is incorrectly doing &crashinfo.auxv and should just be writea(1, crashinfo.auxv, crashinfo.auxv_length).

Original issue reported on code.google.com by ajw...@chromium.org on 18 Jul 2013 at 10:57
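An added example (not code from this issue or from the Breakpad tree) that isolates the defect described above. With a constructed two-field stand-in for the crash record, `&crashinfo.auxv` denotes only the pointer field itself, an 8-byte object in main()'s frame, so writing `auxv_length` bytes from that address over-reads the stack exactly as the ASan trace shows; `crashinfo.auxv` addresses the heap copy of the auxiliary vector, which is what should be written. The names `CrashInfo`, `make_crashinfo`, `buggy_overread` and `fixed_write_roundtrips` and the `writea` stand-in are assumptions of this example; the 304-byte length is the read size reported in the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the two crash-record fields named in the report:
 * auxv points at a heap copy of the auxiliary vector, auxv_length is its size
 * in bytes. The real CrashedProcess struct has many more fields; this layout
 * is an assumption made for the example only. */
struct CrashInfo {
    uint8_t *auxv;
    size_t auxv_length;
};

/* Stand-in for the tool's writea(): write all len bytes of buf to fd, coping
 * with short writes. Returns 0 on success, -1 on error. */
static int writea(int fd, const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) return -1;
        p += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* Size of the read ASan reported: 304 bytes (19 Elf64 auxv entries). */
#define AUXV_BYTES 304

/* Builds a constructed auxv blob with a recognisable byte pattern. */
static struct CrashInfo make_crashinfo(void) {
    uint8_t *blob = malloc(AUXV_BYTES);
    if (!blob) abort();
    for (size_t i = 0; i < AUXV_BYTES; i++) blob[i] = (uint8_t)i;
    struct CrashInfo ci = { blob, AUXV_BYTES };
    return ci;
}

/* The buggy call writea(1, &crashinfo.auxv, crashinfo.auxv_length) reads
 * from the address of the pointer field, and the only object at that address
 * is the pointer itself: sizeof(ci->auxv) bytes. Everything beyond that is the
 * neighbouring stack memory ASan flagged. Returns the number of over-read bytes. */
static size_t buggy_overread(const struct CrashInfo *ci) {
    size_t readable = sizeof(ci->auxv);  /* the pointer, not what it points to */
    return ci->auxv_length > readable ? ci->auxv_length - readable : 0;
}

/* Fixed form: pass the pointer itself so the bytes come from the heap blob.
 * Writes through a pipe and reads back to confirm the payload is intact.
 * Returns 1 when the bytes match, 0 otherwise. */
static int fixed_write_roundtrips(void) {
    struct CrashInfo ci = make_crashinfo();
    int fds[2];
    if (pipe(fds) != 0) { free(ci.auxv); return 0; }

    int ok = writea(fds[1], ci.auxv, ci.auxv_length) == 0;  /* corrected call */
    close(fds[1]);

    uint8_t got[AUXV_BYTES];
    size_t total = 0;
    while (ok && total < AUXV_BYTES) {
        ssize_t n = read(fds[0], got + total, AUXV_BYTES - total);
        if (n <= 0) { ok = 0; break; }
        total += (size_t)n;
    }
    close(fds[0]);

    ok = ok && total == AUXV_BYTES && memcmp(got, ci.auxv, AUXV_BYTES) == 0;
    free(ci.auxv);
    return ok;
}

int main(void) {
    struct CrashInfo ci = make_crashinfo();
    printf("buggy call would over-read %zu bytes of stack\n", buggy_overread(&ci));
    free(ci.auxv);
    printf("fixed call round-trips: %s\n", fixed_write_roundtrips() ? "yes" : "no");
    return 0;
}
```

Building this with `-fsanitize=address` and changing the corrected call back to `&ci.auxv` reproduces the stack-buffer-overflow report; the over-read size is what `buggy_overread` computes, which is why a pointer-plus-length pair should always be written through the pointer rather than its address.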

GoogleCodeExporter commented 9 years ago

Original comment by thestig@chromium.org on 17 Dec 2013 at 10:28

GoogleCodeExporter commented 9 years ago
r1203

Original comment by thestig@chromium.org on 28 May 2014 at 5:58