Open GoldBinocle opened 2 years ago
Hello @GoldBinocle, I'm worried about this message: "HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork". Did you try to reproduce this behavior without a debugger?
Hi, @DmitriyEshenko. Actually, any ASAN (Google Address Sanitizer) report associated with a buffer overflow/underflow has this message "HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork", but that's very likely a bug. I can't reproduce the crash without ASAN. Actually, many real buffer-overflow/underflow bugs do not crash the program without ASAN support. ASAN is used to detect this kind of behavior and abort the program so that we can locate the bug and fix it.
> Hello @GoldBinocle, I'm worried about this message: "HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork". Did you try to reproduce this behavior without a debugger?
For example, this bug has the message but it's a real bug.
I did test accel-ppp under the same conditions (clang sanitizer disabled) with valgrind and didn't get any alert.
Also, as ASAN says, it might be a false positive on swapcontext, and we have exactly that context switching in the call trace:

I don't say whether the bug exists or not, but in my opinion this looks more like a false positive.
Using version: accel-ppp version 1.12.0-149-gff91c73. The issue #154 can be triggered even by a remote client.

Steps to reproduce

accel-pppd, use pptp server: the running configuration `/etc/accel-ppp.conf` is:

use `chap-secrets`, and the `/etc/ppp/chap-secrets.ppp` is as follows:

Install pptp client:

Run the client:

(Hint: we need to follow the forked subprocesses and control them, therefore we used `strace -f` to execute the pptp client instead of simply using `pptpsetup --create pptpd --server 127.0.0.1 --username fouzhe --password 123 --start`.)

Kill (`Ctrl^C`) the client after authentication succeeded. Then the `accel-pppd` will crash due to `stack-buffer-underflow`.

```
Address 0x7feb635ecc40 is located in stack of thread T4 at offset 0 in frame
    #0 0x7feb656005df in ev_ses_finished /root/projects/accel-ppp/accel-pppd/extra/pppd_compat.c:340

  This frame has 7 object(s):
    [32, 4128) 'fname.i' (line 497) <== Memory access at offset 0 partially underflows this variable
    [4256, 4320) 'argv' (line 342) <== Memory access at offset 0 partially underflows this variable
    [4352, 4480) 'env' (line 343) <== Memory access at offset 0 partially underflows this variable
    [4512, 5536) 'env_mem' (line 344) <== Memory access at offset 0 partially underflows this variable
    [5664, 5681) 'ipaddr' (line 345) <== Memory access at offset 0 partially underflows this variable
    [5728, 5745) 'peer_ipaddr' (line 346) <== Memory access at offset 0 partially underflows this variable
    [5792, 5920) 'set' (line 385) <== Memory access at offset 0 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions are supported)
Thread T4 created by T0 here:
    #0 0x484d4c in pthread_create /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:205:3

SUMMARY: AddressSanitizer: stack-buffer-underflow /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0ffdec6b5930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffdec6b5940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffdec6b5950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffdec6b5960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffdec6b5970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffdec6b5980: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 f8 f8 f8 f8
  0x0ffdec6b5990: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ffdec6b59a0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ffdec6b59b0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ffdec6b59c0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x0ffdec6b59d0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1340656==ABORTING
```
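As an added example (not code from accel-ppp or from anyone in this thread), here is a small Python triage helper for a report like the one above. It parses the `This frame has N object(s)` listing and the shadow-byte dump and answers the two mechanical questions a reviewer asks first: where, relative to the frame's variables, did the faulting access land (here frame offset 0, which is 32 bytes before `fname.i`, i.e. in the stack left redzone marked `f1`), and does the bracketed shadow byte map back to the reported address. The excerpt of the report embedded below is taken from the issue text; the regexes, the `triage` function and the assumption of the default x86-64 Linux shadow mapping (`shadow = (addr >> 3) + 0x7fff8000`) are this example's own. Whether that redzone access is a real underflow or a stale view of the frame after a context switch, which is the question the thread is about, is not something the report alone decides; the helper only localises it.

```python
# Added example, not accel-ppp code: triage helper for an ASAN stack report.
# Parses the frame object listing and the shadow dump, then reports where the
# faulting access lies relative to the frame's variables and what the shadow says.
import re
from dataclasses import dataclass

# Excerpt of the report quoted in the issue above (only the lines this helper
# consumes). A full report pasted into triage() works the same way.
SAMPLE_REPORT = """\
Address 0x7feb635ecc40 is located in stack of thread T4 at offset 0 in frame
  This frame has 7 object(s):
    [32, 4128) 'fname.i' (line 497) <== Memory access at offset 0 partially underflows this variable
    [4256, 4320) 'argv' (line 342) <== Memory access at offset 0 partially underflows this variable
    [4352, 4480) 'env' (line 343) <== Memory access at offset 0 partially underflows this variable
    [4512, 5536) 'env_mem' (line 344) <== Memory access at offset 0 partially underflows this variable
    [5664, 5681) 'ipaddr' (line 345) <== Memory access at offset 0 partially underflows this variable
    [5728, 5745) 'peer_ipaddr' (line 346) <== Memory access at offset 0 partially underflows this variable
    [5792, 5920) 'set' (line 385) <== Memory access at offset 0 partially underflows this variable
Shadow bytes around the buggy address:
=>0x0ffdec6b5980: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 f8 f8 f8 f8
  0x0ffdec6b5990: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
"""

# Shadow-byte legend as printed at the end of every ASAN report.
SHADOW_LEGEND = {
    "f1": "stack left redzone", "f2": "stack mid redzone", "f3": "stack right redzone",
    "f5": "stack after return", "f8": "stack use after scope", "f9": "global redzone",
    "f6": "global init order", "f7": "poisoned by user", "fa": "heap left redzone",
    "fd": "freed heap region", "fc": "container overflow", "fe": "ASan internal",
    "ca": "left alloca redzone", "cb": "right alloca redzone", "cc": "shadow gap",
    "bb": "intra object redzone", "ac": "array cookie",
}
# Default mapping on x86-64 Linux: shadow = (addr >> 3) + 0x7fff8000. This is an
# assumption of the example; other targets use other offsets and scales.
ASAN_SHADOW_OFFSET_X86_64 = 0x7FFF8000

FRAME_OBJ_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)' \(line (\d+)\)")
ADDR_RE = re.compile(r"Address (0x[0-9a-f]+) is located in stack of thread \w+ at offset (\d+) in frame")
SHADOW_TOKEN_RE = re.compile(r"(\[)?([0-9a-f]{2})\]?")


@dataclass(frozen=True)
class FrameObject:
    start: int  # frame offset of the variable's first byte
    end: int    # frame offset one past its last byte
    name: str
    line: int   # source line of the declaration


def parse_frame_objects(report: str) -> list[FrameObject]:
    """Variables of the faulting frame, in ascending frame-offset order."""
    objs = [FrameObject(int(s), int(e), n, int(l)) for s, e, n, l in FRAME_OBJ_RE.findall(report)]
    return sorted(objs, key=lambda o: o.start)


def locate_offset(offset: int, objs: list[FrameObject]) -> tuple:
    """Place a frame offset: inside a variable, or in the poisoned redzone
    before the first, between two, or after the last variable."""
    if offset < objs[0].start:
        return ("before", objs[0].name, objs[0].start - offset)
    for prev, nxt in zip(objs, objs[1:] + [None]):
        if prev.start <= offset < prev.end:
            return ("inside", prev.name, offset - prev.start)
        if nxt is not None and offset < nxt.start:
            return ("between", prev.name, nxt.name)
    return ("after", objs[-1].name, offset - objs[-1].end)


def parse_buggy_shadow(report: str) -> tuple[int, str]:
    """(shadow address, shadow byte) of the byte ASAN bracketed on the '=>' line."""
    for line in report.splitlines():
        if line.startswith("=>"):
            base_str, _, rest = line[2:].partition(":")
            for idx, m in enumerate(SHADOW_TOKEN_RE.finditer(rest)):
                if m.group(1):  # the bracketed token is the buggy shadow byte
                    return int(base_str, 16) + idx, m.group(2)
    raise ValueError("no '=>' shadow line with a bracketed byte")


def describe_shadow_byte(byte: str) -> str:
    if byte == "00":
        return "addressable"
    if byte in ("01", "02", "03", "04", "05", "06", "07"):
        return f"partially addressable (first {int(byte)} of 8 bytes)"
    return SHADOW_LEGEND.get(byte, f"unknown shadow value {byte}")


def shadow_to_app(shadow_addr: int) -> int:
    """Application address of the first of the 8 bytes a shadow byte covers."""
    return (shadow_addr - ASAN_SHADOW_OFFSET_X86_64) << 3


def triage(report: str) -> dict:
    """Summarise one stack report: where the access is and what the shadow says."""
    m = ADDR_RE.search(report)
    if m is None:
        raise ValueError("no 'Address ... in frame' line")
    address, offset = int(m.group(1), 16), int(m.group(2))
    shadow_addr, shadow_byte = parse_buggy_shadow(report)
    return {
        "address": address,
        "frame_offset": offset,
        "position": locate_offset(offset, parse_frame_objects(report)),
        "shadow_byte": shadow_byte,
        "shadow_meaning": describe_shadow_byte(shadow_byte),
        "shadow_consistent": shadow_to_app(shadow_addr) == address,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run as-is it prints the summary for the embedded excerpt; `triage` accepts any full report text, so it can be pointed at the next ASAN log before anyone argues about the HINT line.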