Date:      Sun, 9 Jan 2022 13:47:35 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile (info for some more examples)
Message-ID:  <4A33AD5F-A930-4E2C-854B-E8498C2928EC@yahoo.com>
In-Reply-To: <E9CC5153-2F34-4BC5-B764-A31A504318D1@yahoo.com>
References:  <E9CC5153-2F34-4BC5-B764-A31A504318D1@yahoo.com>

On 2022-Jan-7, at 03:39, Mark Millard <marklmi@yahoo.com> wrote:

> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
> after finding what to control to allow the build, I installed
> it in a directory tree for chroot use and have
> "kyua test -k /usr/tests/Kyuafile" running.
> 
> I see evidence of one AddressSanitizer report. (kyua is still
> running.) The context is:
> 
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt
> Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
> mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
> Executing command [ touch a ]
> Executing command [ rm a ]
> Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
> Executing command [ rm a ]
> 
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt
> =================================================================
> ==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
> WRITE of size 8 at 0x7fffffffa948 thread T0
>    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
>    #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
>    #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
>    #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
>    #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
>    #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
>    #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
>    #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
>    #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
>    #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
>    #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
>    #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
>    #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
>    #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
>    #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>    #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
>    #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>    #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
>    #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
> 
> Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
>    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
> 
>  This frame has 1 object(s):
>    [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>      (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
> Shadow bytes around the buggy address:
>  0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
>  0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
>  0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
>  0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
>  0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>  0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
> Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
> ==14384==ABORTING
> Files left in work directory after failure: mntpt, mounterr
> 

I've found some manually reproducible AddressSanitizer reports
and have a few other notes on some types of reports:

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/builtins/trap1.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
    #10 0x7fffffffe8a2  ([vdso]+0x2d2)
    #11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
    #12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
    #13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
    #14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
    #15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
    #16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
    #17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
    #18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

# /bin/sh /usr/tests/bin/sh/execution/path1.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
    #8 0x801e0f80c in bintime2timespec /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/tmp/usr/include/sys/time.h:285:14
    #9 0x801e0f80c in __vdso_clock_gettime /usr/main-src/lib/libc/sys/__vdso_gettimeofday.c:195:2
    #10 0x801e0e0c0 in clock_gettime /usr/main-src/lib/libc/sys/clock_gettime.c:48:11
    #11 0x10d54da in clock_gettime /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2189:13
    #12 0x11234f5 in __sanitizer::MonotonicNanoTime() /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp:860:3
    #13 0x10ba02c in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::PopulateFreeArray(__sanitizer::AllocatorStats*, unsigned long, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::RegionInfo*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:790:45
    #14 0x10b9c4b in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::GetFromAllocator(__sanitizer::AllocatorStats*, unsigned long, unsigned int*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:220:11
    #15 0x10b9955 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Refill(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::PerClass*, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:103:9
    #16 0x10b9615 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Allocate(__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:39:11
    #17 0x10b9511 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >*, unsigned long, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_combined.h:69:20
    #18 0x10b6086 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:537:29
    #19 0x10b4818 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:980:34
    #20 0x110be9b in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:130:10
    #21 0x117aca3 in ckmalloc /usr/main-src/bin/sh/memalloc.c:71:6
    #22 0x119eafc in redirect /usr/main-src/bin/sh/redir.c:126:9
    #23 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
    #24 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #25 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #26 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst21.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=126718)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ca202 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
    #10 0x7fffffffe8a2  ([vdso]+0x2d2)
    #11 0x801e1d8c9 in _sigsuspend /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_sigsuspend.S:4
    #12 0x80147b997 in __thr_sigsuspend /usr/main-src/lib/libthr/thread/thr_sig.c:691:8
    #13 0x11716d7 in dowait /usr/main-src/bin/sh/jobs.c:1190:4
    #14 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
    #15 0x115252f in expbackq /usr/main-src/bin/sh/expand.c:527:16
    #16 0x115252f in argstr /usr/main-src/bin/sh/expand.c:323:4
    #17 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
    #18 0x1142a0b in evalcommand /usr/main-src/bin/sh/eval.c:862:3
    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #20 0x113f9e6 in evaltree /usr/main-src/bin/sh/eval.c:218:4
    #21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3


By contrast, I'll note that:

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst6.0

did not report anything (but did in the kyua run).


I took one of the simpler backtraces that reports
"((ptr[0] == kCurrentStackFrameMagic)) != (0)" and
took a look:

AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=326791)
    #0 0x10cfbd1 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x10eb0ab in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x10d2461 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x1079643 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x1079643 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x107b13e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x10cd59c in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
    #8 0x8020ca16d in execl /usr/main-src/lib/libc/gen/exec.c:64:9
    #9 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
    #10 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
    #11 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
    #12 0x10f42bf in test_help /usr/main-src/contrib/libarchive/cat/test/test_help.c:52:6
    #13 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
    #14 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9

 *** forcing core dump so failure can be debugged ***

Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.27-000

Looking at lib/libc/gen/exec.c:64 showed:

        while (va_arg(ap, char *) != NULL)

It appears to me that the backtrace runs into another problem
during __asan_report_load8_noabort (already an error classification?)
and ends up reporting that other problem instead.

There are a fair number of other tests that also report such for
that line of code in execl.


While looking, I got (odd whitespace removed from the output and
split into more lines):

/usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
/usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in
/usr/main-src/contrib/nvi/common/log.c:272:37: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:272:37 in

(Some of my activity is outside the chroot that has ASAN/UBSAN
but the above happened to be in the chroot.)

I also looked at:

==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
WRITE of size 8 at 0x7fffffffa300 thread T0
    #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
    #1 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
    #2 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
    #3 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
    #4 0x10f45f9 in test_stdin /usr/main-src/contrib/libarchive/cat/test/test_stdin.c:37:6
    #5 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
    #6 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9

Address 0x7fffffffa300 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /usr/main-src/lib/libc/gen/exec.c:74:10 in execl
Shadow bytes around the buggy address:
  0x4ffffffff410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x4ffffffff460:[ca]ca ca ca cb cb cb cb f1 f1 f1 f1 00 00 00 f3
  0x4ffffffff470: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x4ffffffff480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x4ffffffff4b0: 04 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==99317==ABORTING
 *** forcing core dump so failure can be debugged ***

Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.28-000

Looking at lib/libc/gen/exec.c:74 showed:

        argv[0] = arg;

There are a fair number of other tests that also report such for
that line of code in execl.



There are also examples of the likes of:

===> bin/pax/legacy_test:main
Result:     broken: TAP test program yielded invalid data: Load of '/tmp/kyua.FKD2vh/2679/stdout.txt' failed: Output did not contain any TAP plan and the program did not bail out
. . .
Standard error:
ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"

where the test does not seem to have been able to run at all
because of the undefined symbol.


Overall going through trying to summarize the AddressSanitizer reports
looks much messier than doing so for the Undefined Behavior reports.

===
Mark Millard
marklmi at yahoo.com
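One way to make the summarizing the post ends on less messy, as an added example that is not part of this post or of FreeBSD: a small Python triage script that splits a kyua run's stderr into ordinary ASan error reports, ASan CHECK-failed aborts (the runtime crashing while describing some other error, as in the trap1.0 and execl traces above) and UBSan reports, pulls out the faulting frame, and flags a stack report whose offset falls inside none of the frame's listed objects (the strtoimax_l case, offset 264 against a lone [32, 36) object, which ASan's own HINT line calls out). The regexes and the sample text are constructed from the reports quoted above, reflowed to one line per report line; nothing here is a FreeBSD or LLVM tool.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Line shapes taken from the reports in the post (each report line reflowed to one line).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)")
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'")
CHECK_RE = re.compile(r'AddressSanitizer: CHECK failed: (\S+) "(.+?)"')
UBSAN_RE = re.compile(r"^(\S+?):(\d+):\d+: runtime error: (.+)$")

@dataclass
class Report:
    kind: str          # "asan", "asan-check" (runtime aborted while describing an error) or "ubsan"
    what: str          # ASan error class, failed CHECK condition, or UBSan message
    where: str         # faulting frame "func file:line:col", CHECK site, or UBSan file:line
    access: str = ""   # e.g. "WRITE 8"
    offset: int = -1   # offset inside the stack frame when ASan reports one, else -1
    objects: list = field(default_factory=list)  # (lo, hi, name) for each listed frame object

    def likely_false_positive(self) -> bool:
        """Objects are listed but the faulting offset is inside none of them: ASan's HINT case."""
        if self.offset < 0 or not self.objects:
            return False
        return not any(lo <= self.offset < hi for lo, hi, _ in self.objects)

def parse_sanitizer_output(text: str) -> list:
    """Collect one Report per finding from kyua stderr text."""
    reports, cur, want_frame0 = [], None, False
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            cur = Report("asan", m.group(1), "?")
            reports.append(cur)
            want_frame0 = True  # the next "#0" is the faulting frame, not the frame-description one
        elif m := CHECK_RE.search(line):
            cur = Report("asan-check", m.group(2), m.group(1))
            reports.append(cur)
        elif m := UBSAN_RE.match(line):
            reports.append(Report("ubsan", m.group(3), f"{m.group(1)}:{m.group(2)}"))
            cur = None
        elif cur is None or cur.kind != "asan":
            continue
        elif m := ACCESS_RE.match(line):
            cur.access = f"{m.group(1)} {m.group(2)}"
        elif want_frame0 and (m := FRAME0_RE.match(line)):
            cur.where, want_frame0 = f"{m.group(1)} {m.group(2)}", False
        elif m := OFFSET_RE.search(line):
            cur.offset = int(m.group(1))
        elif m := OBJECT_RE.match(line):
            cur.objects.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return reports

def summarize(reports: list) -> Counter:
    """Run-level overview: how often each (kind, what, where, suspect) combination occurred."""
    return Counter((r.kind, r.what, r.where, r.likely_false_positive()) for r in reports)

# Constructed sample: the post's reports, trimmed and reflowed to one line each.
SAMPLE = """\
==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
WRITE of size 8 at 0x7fffffffa948 thread T0
    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
    [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
WRITE of size 8 at 0x7fffffffa300 thread T0
    #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
Address 0x7fffffffa300 is located in stack of thread T0
/usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
"""
```

Feed it the concatenated stderr.txt files of a kyua run instead of SAMPLE and sort the Counter by count to see which report sites repeat (the execl lines, for instance) and which are flagged as suspect.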




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A33AD5F-A930-4E2C-854B-E8498C2928EC>