Date:      Sun, 9 Jan 2022 18:58:30 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile (info for some more examples)
Message-ID:  <6DB6844A-107A-45CA-9041-E851FACB3E90@yahoo.com>
In-Reply-To: <4A33AD5F-A930-4E2C-854B-E8498C2928EC@yahoo.com>
References:  <E9CC5153-2F34-4BC5-B764-A31A504318D1@yahoo.com> <4A33AD5F-A930-4E2C-854B-E8498C2928EC@yahoo.com>

On 2022-Jan-9, at 13:47, Mark Millard <marklmi@yahoo.com> wrote:

> On 2022-Jan-7, at 03:39, Mark Millard <marklmi@yahoo.com> wrote:
>
>> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
>> after finding what to control to allow the build, I installed
>> it in a directory tree for chroot use and have
>> "kyua test -k /usr/tests/Kyuafile" running.
>>
>> I see evidence of one AddressSanitizer report. (kyua is still
>> running.) The context is:
>>
>> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt
>> Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
>> mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
>> Executing command [ touch a ]
>> Executing command [ rm a ]
>> Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
>> Executing command [ rm a ]
>>
>> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt
>> =================================================================
>> ==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
>> WRITE of size 8 at 0x7fffffffa948 thread T0
>>   #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
>>   #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
>>   #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
>>   #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
>>   #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
>>   #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
>>   #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
>>   #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
>>   #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
>>   #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
>>   #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
>>   #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
>>   #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>   #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
>>   #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
>>   #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>   #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>   #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
>>   #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>   #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>   #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>   #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>   #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
>>   #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
>>
>> Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
>>   #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
>>
>> This frame has 1 object(s):
>>   [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
>> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>>     (longjmp and C++ exceptions *are* supported)
>> SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
>> Shadow bytes around the buggy address:
>> 0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> 0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
>> 0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
>> 0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
>> 0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
>> 0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> 0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>> 0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>> Addressable:           00
>> Partially addressable: 01 02 03 04 05 06 07
>> Heap left redzone:       fa
>> Freed heap region:       fd
>> Stack left redzone:      f1
>> Stack mid redzone:       f2
>> Stack right redzone:     f3
>> Stack after return:      f5
>> Stack use after scope:   f8
>> Global redzone:          f9
>> Global init order:       f6
>> Poisoned by user:        f7
>> Container overflow:      fc
>> Array cookie:            ac
>> Intra object redzone:    bb
>> ASan internal:           fe
>> Left alloca redzone:     ca
>> Right alloca redzone:    cb
>> ==14384==ABORTING
>> Files left in work directory after failure: mntpt, mounterr
>>
>
> I've found some manually reproducible AddressSanitizer reports
> and have a few other notes on some types of reports:
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/builtins/trap1.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
> LLVMSymbolizer: error reading file: No such file or directory
>    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>    #7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
>    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
>    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
>    #10 0x7fffffffe8a2  ([vdso]+0x2d2)
>    #11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
>    #12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
>    #13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
>    #14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
>    #15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
>    #16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
>    #17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
>    #18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>    #19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
> # /bin/sh /usr/tests/bin/sh/execution/path1.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
>    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>    #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
>    #8 0x801e0f80c in bintime2timespec /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/tmp/usr/include/sys/time.h:285:14
>    #9 0x801e0f80c in __vdso_clock_gettime /usr/main-src/lib/libc/sys/__vdso_gettimeofday.c:195:2
>    #10 0x801e0e0c0 in clock_gettime /usr/main-src/lib/libc/sys/clock_gettime.c:48:11
>    #11 0x10d54da in clock_gettime /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2189:13
>    #12 0x11234f5 in __sanitizer::MonotonicNanoTime() /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp:860:3
>    #13 0x10ba02c in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::PopulateFreeArray(__sanitizer::AllocatorStats*, unsigned long, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::RegionInfo*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:790:45
>    #14 0x10b9c4b in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::GetFromAllocator(__sanitizer::AllocatorStats*, unsigned long, unsigned int*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:220:11
>    #15 0x10b9955 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Refill(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::PerClass*, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:103:9
>    #16 0x10b9615 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Allocate(__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:39:11
>    #17 0x10b9511 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >*, unsigned long, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_combined.h:69:20
>    #18 0x10b6086 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:537:29
>    #19 0x10b4818 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:980:34
>    #20 0x110be9b in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:130:10
>    #21 0x117aca3 in ckmalloc /usr/main-src/bin/sh/memalloc.c:71:6
>    #22 0x119eafc in redirect /usr/main-src/bin/sh/redir.c:126:9
>    #23 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
>    #24 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #25 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>    #26 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst21.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=126718)
> LLVMSymbolizer: error reading file: No such file or directory
>    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>    #7 0x10ca202 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
>    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
>    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
>    #10 0x7fffffffe8a2  ([vdso]+0x2d2)
>    #11 0x801e1d8c9 in _sigsuspend /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_sigsuspend.S:4
>    #12 0x80147b997 in __thr_sigsuspend /usr/main-src/lib/libthr/thread/thr_sig.c:691:8
>    #13 0x11716d7 in dowait /usr/main-src/bin/sh/jobs.c:1190:4
>    #14 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
>    #15 0x115252f in expbackq /usr/main-src/bin/sh/expand.c:527:16
>    #16 0x115252f in argstr /usr/main-src/bin/sh/expand.c:323:4
>    #17 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
>    #18 0x1142a0b in evalcommand /usr/main-src/bin/sh/eval.c:862:3
>    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>    #20 0x113f9e6 in evaltree /usr/main-src/bin/sh/eval.c:218:4
>    #21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>    #22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
>
> By contrast, I'll note that:
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst6.0
>
> did not report anything (but did in the kyua run).
>
>
> I took one of the simpler backtraces that reports
> "((ptr[0] == kCurrentStackFrameMagic)) != (0)" and
> took a look:
>
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=326791)
>    #0 0x10cfbd1 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>    #1 0x10eb0ab in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>    #2 0x10d2461 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>    #3 0x1079643 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>    #4 0x1079643 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>    #5 0x107b13e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>    #6 0x10cd59c in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>    #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
>    #8 0x8020ca16d in execl /usr/main-src/lib/libc/gen/exec.c:64:9
>    #9 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
>    #10 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
>    #11 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
>    #12 0x10f42bf in test_help /usr/main-src/contrib/libarchive/cat/test/test_help.c:52:6
>    #13 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
>    #14 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
>
> *** forcing core dump so failure can be debugged ***
>
> Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.27-000
>
> Looking at lib/libc/gen/exec.c:64 showed:
>
>        while (va_arg(ap, char *) != NULL)
>
> It appears to me that the backtrace runs into another problem
> during __asan_report_load8_noabort (already an error classification?)
> and ends up reporting that other problem instead.
>
> There are a fair number of other tests that also report such for
> that line of code in execl.
>
>
> While looking, I got (odd whitespace removed from the output and
> split into more lines):
>
> /usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
> /usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in
> /usr/main-src/contrib/nvi/common/log.c:272:37: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:272:37 in
>
> (Some of my activity is outside the chroot that has ASAN/UBSAN
> but the above happened to be in the chroot.)
>
> I also looked at:
>
> ==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
> WRITE of size 8 at 0x7fffffffa300 thread T0
>    #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
>    #1 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
>    #2 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
>    #3 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
>    #4 0x10f45f9 in test_stdin /usr/main-src/contrib/libarchive/cat/test/test_stdin.c:37:6
>    #5 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
>    #6 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
>
> Address 0x7fffffffa300 is located in stack of thread T0
> SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /usr/main-src/lib/libc/gen/exec.c:74:10 in execl
> Shadow bytes around the buggy address:
>  0x4ffffffff410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
> =>0x4ffffffff460:[ca]ca ca ca cb cb cb cb f1 f1 f1 f1 00 00 00 f3
>  0x4ffffffff470: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>  0x4ffffffff480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x4ffffffff4a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>  0x4ffffffff4b0: 04 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2
> Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
> ==99317==ABORTING
> *** forcing core dump so failure can be debugged ***
>
> Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.28-000
>
> Looking at lib/libc/gen/exec.c:74 showed:
>
>        argv[0] = arg;
>
> There are a fair number of other tests that also report such for
> that line of code in execl.
>
>
>
> There are also examples of the likes of:
>
> ===> bin/pax/legacy_test:main
> Result:     broken: TAP test program yielded invalid data: Load of '/tmp/kyua.FKD2vh/2679/stdout.txt' failed: Output did not contain any TAP plan and the program did not bail out
> . . .
> Standard error:
> ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"
>
> where the test does not seem to have been able to run at all
> because of the undefined symbol.
>
>
> Overall going through trying to summarize the AddressSanitizer reports
> looks much messier than doing so for the Undefined Behavior reports.
>

For:

+/usr/main-src/sys/contrib/zlib/deflate.c:1262:31: runtime error: load of misaligned address 0x6310000148cd for type 'ushf' (aka 'unsigned short'), which requires 2 byte alignment
+0x6310000148cd: note: pointer points here
+ 19 86 a0 f0 d7 21 54  2f 17 85 a6 45 e3 21 a7  5e a6 24 d5 4a c5 c9 02  6f cd b8 04 55 b8 d8 49  a1
+             ^

and many other examples at that source line, the line looks
like:

    register ush scan_start = *(ushf*)scan;

in "local uInt longest_match(s, cur_match)".

Similarly for various other lines involving
*(ushf*) in an expression.

There are a lot of examples of the likes of:

==82301==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffce58 at pc 0x00000110152e bp 0x7fffffffce30 sp 0x7fffffffc5f8
WRITE of size 24 at 0x7fffffffce58 thread T0
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
    #6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

Address 0x7fffffffce58 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow =
/usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/saniti=
zer_common_interceptors.inc:10044:5 in sigaltstack
Shadow bytes around the buggy address:
  0x4ffffffff970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff9c0: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
  0x4ffffffff9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa10: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

where bin/sh/eval.c:1151 (and 1152) is a common point
and is:

                shellexec(argv, envp, path, cmdentry.u.index);
                /*NOTREACHED*/

There is an example of the following:

==82356==ABORTING
    #0 0x80148845d in __thr_fcntl /usr/main-src/lib/libthr/thread/thr_syscalls.c:207:30
    #1 0x801e18a44 in fcntl /usr/main-src/lib/libc/sys/fcntl.c:56:10
    #2 0x119ef2b in redirect /usr/main-src/bin/sh/redir.c:146:13
    #3 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #6 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
    #7 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
    #8 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #9 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

Address 0x7fffffffc780 is located in stack of thread T0 at offset 128 in frame
    #0 0x8014881df in __thr_fcntl /usr/main-src/lib/libthr/thread/thr_syscalls.c:195

  This frame has 1 object(s):
    [32, 56) 'ap' (line 198) <== Memory access at offset 128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libthr/thread/thr_syscalls.c:207:30 in __thr_fcntl
Shadow bytes around the buggy address:
  0x4ffffffff8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8e0: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
=>0x4ffffffff8f0:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff900: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
  0x4ffffffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff930: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f8 f8 f8
  0x4ffffffff940: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb


lib/libthr/thread/thr_syscalls.c is the middle line of:

        } else {
                ret = __sys_fcntl(fd, cmd, va_arg(ap, void *));
        }

in __thr_fcntl .

lib/libc/sys/fcntl.c:56 is:

        return (((int (*)(int, int, ...))
            __libc_interposing[INTERPOS_fcntl])(fd, cmd, arg));

but there seems to be only one report with those listed.

So: bin/sh/redir.c:146 is:

                        if ((i = fcntl(fd, F_DUPFD_CLOEXEC, 10)) == -1) {

in redirect.


There are examples like the following that need a modal setting
to enable the original intent of the test:

=================================================================
==14624==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x10bbdfd in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x8011583c6 in atf_dynstr_init_rep /usr/main-src/contrib/atf/atf-c/detail/dynstr.c:230:26
    #2 0x10e76db in atfu_init_rep_body /usr/main-src/contrib/atf/atf-c/detail/dynstr_test.c:207:15
    #3 0x80116bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x8011725e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #5 0x801171d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #6 0x801171d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #7 0x106359c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #8 0x801112007  (<unknown module>)

==14624==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 in malloc



There is:

==20145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x00080197634c bp 0x7fffffffb190 sp 0x7fffffffb188
WRITE of size 1 at 0x611000000140 thread T0
    #0 0x80197634b in strnunvisx /usr/main-src/contrib/libc-vis/unvis.c:547:7
    #1 0x10a4da4 in strnunvisx /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9250:13
    #2 0x10a4a48 in strunvisx /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9239:13
    #3 0x10dc94e in atfu_strvis_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_vis.c:81:3
    #4 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #5 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #6 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #7 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x10b276d in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x10dc7ba in atfu_strvis_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_vis.c:71:2
    #2 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059f0c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801103007  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/main-src/contrib/libc-vis/unvis.c:547:7 in strnunvisx
Shadow bytes around the buggy address:
  0x4c21ffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c21ffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c21fffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c2200000000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x4c2200000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4c2200000020: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x4c2200000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c2200000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c2200000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c2200000060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c2200000070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20145==ABORTING

where contrib/libc-vis/unvis.c:547 is:

        *dst = '\0';

in strnunvisx and contrib/netbsd-tests/lib/libc/gen/t_vis.c:81 is:

                ATF_REQUIRE(strunvisx(dstbuf, visbuf,
                    styles[i] & (VIS_HTTP1808|VIS_MIMESTYLE)) > 0);

using strunvisx. So, looking:

int
strunvisx(char *dst, const char *src, int flag)
{
        return strnunvisx(dst, (size_t)~0, src, flag);
}

So allowing being out of bounds, by effectively disabling
CHECKSPACE() in strnunvisx, is not surprising.



=================================================================
==20511==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fffffffc220 at pc 0x000801a784c3 bp 0x7fffffffbcb0 sp 0x7fffffffbca8
READ of size 4 at 0x7fffffffc220 thread T0
    #0 0x801a784c2 in compat_setservent /usr/main-src/lib/libc/net/getservent.c:855:7
    #1 0x801a9144d in nsdispatch /usr/main-src/lib/libc/net/nsdispatch.c:729:14
    #2 0x10e2feb in servent_fill_test_data /usr/main-src/lib/libc/tests/nss/getserv_test.c:290:2
    #3 0x10e2feb in run_tests /usr/main-src/lib/libc/tests/nss/getserv_test.c:443:7
    #4 0x10e2dd4 in atfu_build_snapshot_body /usr/main-src/lib/libc/tests/nss/getserv_test.c:502:2
    #5 0x801165fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #6 0x80116c5e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #7 0x80116bd70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #8 0x80116bd70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

Address 0x7fffffffc220 is located in stack of thread T0 at offset 0 in frame
    #0 0x10e2e1f in run_tests /usr/main-src/lib/libc/tests/nss/getserv_test.c:415

  This frame has 4 object(s):
    [32, 48) 'param.i' (line 74)
    [64, 96) 'td' (line 416)
    [128, 160) 'td_snap' (line 416)
    [192, 224) 'td_2pass' (line 416)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /usr/main-src/lib/libc/net/getservent.c:855:7 in compat_setservent
Shadow bytes around the buggy address:
  0x4ffffffff7f0: f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f3 f3 f3 f3 f3
  0x4ffffffff800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff840: 00 00 00 00[f1]f1 f1 f1 f8 f8 f2 f2 00 00 00 00
  0x4ffffffff850: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0x4ffffffff860: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff870: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x4ffffffff880: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f3 f3 f3 f3 f3
  0x4ffffffff890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20511==ABORTING

Looking around at this I wonder if var_arg handling is a
false-positive context fairly generally.


There is:

=3D=3D=3D> lib/libcrypt/crypt_test:crypt_salts
Result:     broken: Empty test result or no new line
Start time: 2022-01-07T10:55:18.806257Z
End time:   2022-01-07T10:55:19.183751Z
Duration:   0.377s

Metadata:
    allowed_architectures is empty
    allowed_platforms is empty
    description = crypt(3) salt consistency checks
    has_cleanup = false
    is_exclusive = false
    required_configs is empty
    required_disk_space = 0
    required_files is empty
    required_memory = 0
    required_programs is empty
    required_user is empty
    timeout = 300

Standard error:
*** Expected check failure: Old-style/bad inputs fail on FreeBSD: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 22 ^A^BUZoIyj/Hy/c != ^A^Bwyd0KZo65Jo

*** Expected check failure: Old-style/bad inputs fail on FreeBSD: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 23 a_Av8awQ0AsR6 != a_C10Dk/ExaG.

*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 24 ~<FF>UZoIyj/Hy/c != ~<FF>.5OTsRVjwLo

=================================================================
==2331==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010449c1 at pc 0x0008011c1ccd bp 0x7fffffffb950 sp 0x7fffffffb948
READ of size 1 at 0x0000010449c1 thread T0
    #0 0x8011c1ccc in crypt_des /usr/main-src/secure/lib/libcrypt/crypt-des.c:651:24
    #1 0x80119032f in crypt_r /usr/main-src/lib/libcrypt/crypt.c:130:6
    #2 0x10a798d in crypt /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9881:15
    #3 0x10dc8f2 in atfu_crypt_salts_body /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:127:16
    #4 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #5 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #6 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #7 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x0000010449c1 is located 63 bytes to the left of global variable '<string literal>' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:91:12' (0x1044a00) of size 14
  '<string literal>' is ascii string 'CCX.K.MFy4Ois'
0x0000010449c1 is located 31 bytes to the left of global variable '<string literal>' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:90:12' (0x10449e0) of size 14
  '<string literal>' is ascii string 'CCNf8Sbh3HDfQ'
0x0000010449c1 is located 0 bytes to the right of global variable '<string literal>' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:88:36' (0x10449c0) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/main-src/secure/lib/libcrypt/crypt-des.c:651:24 in crypt_des
Shadow bytes around the buggy address:
  0x4000002088e0: 00 00 05 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
  0x4000002088f0: 00 00 05 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x400000208900: 00 00 05 f9 f9 f9 f9 f9 00 02 f9 f9 00 00 05 f9
  0x400000208910: f9 f9 f9 f9 00 02 f9 f9 00 00 05 f9 f9 f9 f9 f9
  0x400000208920: 00 07 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 01 f9 f9
=>0x400000208930: 00 00 05 f9 f9 f9 f9 f9[01]f9 f9 f9 00 06 f9 f9
  0x400000208940: 00 06 f9 f9 00 06 f9 f9 00 06 f9 f9 00 06 f9 f9
  0x400000208950: 00 06 f9 f9 00 01 f9 f9 00 06 f9 f9 00 06 f9 f9
  0x400000208960: 00 06 f9 f9 00 06 f9 f9 00 06 f9 f9 00 06 f9 f9
  0x400000208970: 00 06 f9 f9 02 f9 f9 f9 03 f9 f9 f9 03 f9 f9 f9
  0x400000208980: 00 01 f9 f9 00 02 f9 f9 00 02 f9 f9 00 02 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2331==ABORTING

secure/lib/libcrypt/crypt-des.c:651 is:

                salt = (ascii_to_bin(setting[1]) << 6)
                     |  ascii_to_bin(setting[0]);


There is:

==14241==ERROR: AddressSanitizer: attempting double-free on 0x602000001870 in thread T0:
    #0 0x10cbd02 in free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x1108577 in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:542:2
    #2 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x801171e42 in atf::tests::tc::run(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #4 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #5 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #6 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16

0x602000001870 is located 0 bytes inside of 6-byte region [0x602000001870,0x602000001876)
freed by thread T0 here:
    #0 0x10cbd02 in free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x110856f in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:541:2
    #2 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x801171e42 in atf::tests::tc::run(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #4 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #5 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #6 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16
    #7 0x10735ec in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #8 0x80113a007  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x10c2be4 in strdup /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:439:3
    #1 0x11084e3 in set_binary_value(void*&, unsigned long&, char const*) /usr/main-src/lib/libnv/tests/dnv_tests.cc:474:10
    #2 0x11084e3 in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:534:2
    #3 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x801171e42 in atf::tests::tc::run(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #5 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #6 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #7 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector<atf::tests::tc*, std::__1::allocator<atf::tests::tc*> >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16
    #8 0x10735ec in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #9 0x80113a007  (<unknown module>)

SUMMARY: AddressSanitizer: double-free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3 in free
==14241==ABORTING

Hmm . . .

ATF_TEST_CASE_WITHOUT_HEAD(dnvlist_take_binary__empty);
ATF_TEST_CASE_BODY(dnvlist_take_binary__empty)
{
        nvlist_t *nvl;
        void *default_val, *actual_val;
        size_t default_size, actual_size;

        nvl = nvlist_create(0);
        set_binary_value(default_val, default_size, "\xa8\x89\x49\xff\xe2\x08");

        actual_val = dnvlist_take_binary(nvl, "123", &actual_size, default_val,
            default_size);
        ATF_REQUIRE_EQ(default_size, actual_size);
        ATF_REQUIRE_EQ(memcmp(actual_val, default_val, actual_size), 0);

        free(actual_val);
        free(default_val);
        nvlist_destroy(nvl);
}

There are a number of other tests with similar code that also
report double-free.


===> sys/capsicum/functional:test_root
. . .
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9539==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000011fe40b bp 0x7fffffffc4f0 sp 0x7fffffffbcb0 T0)
==9539==The signal is caused by a READ memory access.
==9539==Hint: address points to the zero page.
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101026)
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101026)

===> sys/capsicum/functional:test_unprivileged
. . .
[uid:977] /usr/tests/sys/capsicum/mini-me immediately returning (geteuid() == 0) = 0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000011fe40b bp 0x7fffffffc4f0 sp 0x7fffffffbcb0 T0)
==9645==The signal is caused by a READ memory access.
==9645==Hint: address points to the zero page.
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101076)
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101076)





Below are some reports that are likely for deliberate error
handling tests where AddressSanitizer activity messes up the
original purpose of the test.

There is:

Standard output:
Executing command [ echo ok |/usr/tests/lib/libc/ssp/h_fgets 10 ]
Executing command [ /usr/tests/lib/libc/ssp/h_fgets 10 ]
Executing command [ echo 0123456789abc |/usr/tests/lib/libc/ssp/h_fgets 13 ]
Executing command [ /usr/tests/lib/libc/ssp/h_fgets 13 ]

Standard error:
Fail: program did not receive a signal
stdout:
/usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in

stderr:
=================================================================
==22446==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffd9ca at pc 0x0000010af17a bp 0x7fffffffcfd0 sp 0x7fffffffc798
WRITE of size 12 at 0x7fffffffd9ca thread T0
    #0 0x10af179 in __asan_memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x801b66afe in fgets /usr/main-src/lib/libc/stdio/fgets.c:110:9
    #2 0x1070456 in fgets /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1252:15
    #3 0x10d9b37 in main /usr/main-src/contrib/netbsd-tests/lib/libc/ssp/h_fgets.c:42:8

Address 0x7fffffffd9ca is located in stack of thread T0 at offset 42 in frame
    #0 0x10d99ff in main /usr/main-src/contrib/netbsd-tests/lib/libc/ssp/h_fgets.c:39

  This frame has 1 object(s):
    [32, 42) 'b' (line 40) <== Memory access at offset 42 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x4ffffffffae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffffb30: 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3 00 00 00 00
  0x4ffffffffb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22446==ABORTING

This is a very short program [(c) NetBSD]:

#include <sys/cdefs.h>
__COPYRIGHT("@(#) Copyright (c) 2008\
 The NetBSD Foundation, inc. All rights reserved.");
__RCSID("$NetBSD: h_fgets.c,v 1.1 2010/12/27 02:04:19 pgoyette Exp $");

#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char *argv[])
{
        char b[10];
        int len = atoi(argv[1]);
        (void)fgets(b, len, stdin);
        (void)printf("%s\n", b);

        return 0;
}

The report is correct for the len == 13 test case but this
is another example of needing to avoid AddressSanitizer
messing up the purpose of the test relative to normal
usage (no ASAN).

There are other such examples.

Also:

==21507==ERROR: AddressSanitizer: invalid alignment requested in aligned_alloc: 512, alignment must be a power of two and the requested size 0x1 must be a multiple of alignment (thread T0)
    #0 0x10b1eb2 in aligned_alloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:176:3
    #1 0x10dbc69 in atfu_aligned_alloc_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/stdlib/t_posix_memalign.c:105:7
    #2 0x80115afb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011615e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801160d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801160d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058f7c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801101007  (<unknown module>)

==21507==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: invalid-aligned-alloc-alignment /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:176:3 in aligned_alloc
==21507==ABORTING


==21509==ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: 4, alignment must be a power of two and a multiple of sizeof(void*) == 8 (thread T0)
    #0 0x10b1ff7 in posix_memalign /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:210:3
    #1 0x10db8c7 in atfu_posix_memalign_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/stdlib/t_posix_memalign.c:69:9
    #2 0x80115afb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011615e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801160d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801160d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058f7c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801101007  (<unknown module>)

==21509==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: invalid-posix-memalign-alignment /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:210:3 in posix_memalign
==21509==ABORTING


==21665==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x000801cd5174 bp 0x7fffffffc390 sp 0x7fffffffbb48 T0)
==21665==The signal is caused by a READ memory access.
    #0 0x801cd5174 in strlen /usr/main-src/lib/libc/amd64/string/strlen.S:47
    #1 0x10dcfe9 in atfu_access_fault_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:107:3
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059efc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801104007  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/lib/libc/amd64/string/strlen.S:47 in strlen
==21665==ABORTING


==21670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000001097bbb bp 0x7fffffffc390 sp 0x7fffffffbb50
READ of size 1025 at 0x619000000480 thread T0
    #0 0x1097bba in access /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:7185:5
    #1 0x10ddcc3 in atfu_access_toolong_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:202:3
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x10b275d in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x10ddc07 in atfu_access_toolong_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:190:8
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059efc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801104007  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:7185:5 in access
Shadow bytes around the buggy address:
  0x4c3200000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c3200000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c3200000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c3200000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4c3200000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4c3200000090:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c32000000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c32000000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c32000000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c32000000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x4c32000000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21670==ABORTING


==21729==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffff (pc 0x000801203dd9 bp 0x7fffffffc3b0 sp 0x7fffffffc030 T0)
==21729==The signal is caused by a READ memory access.
    #0 0x801203dd9 in __thr_setcontext /usr/main-src/lib/libthr/thread/thr_sig.c:797:7
    #1 0x10db6a3 in atfu_setcontext_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_getcontext.c:96:2
    #2 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058ddc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801102007  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in __thr_setcontext
==21729==ABORTING


==21744==ERROR: AddressSanitizer: negative-size-param: (size=8)
    #0 0x107bbd0 in setitimer /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2258:5
    #1 0x10dca40 in atfu_setitimer_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_getitimer.c:164:2
    #2 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

Address 0xffffffffffffffff is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2258:5 in setitimer
==21744==ABORTING


==21982==ERROR: AddressSanitizer: negative-size-param: (size=4)
    #0 0x1087b38 in read_pollfd(void*, __sanitizer::__sanitizer_pollfd*, unsigned int) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3953:5
    #1 0x1087b38 in poll /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3969:20
    #2 0x10dd956 in atfu_poll_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_poll.c:230:2
    #3 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #5 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #6 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

Address 0xffffffffffffffff is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3953:5 in read_pollfd(void*, __sanitizer::__sanitizer_pollfd*, unsigned int)
==21982==ABORTING


=================================================================
==22204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000010dec62 bp 0x7fffffffc3d0 sp 0x7fffffffc120 T0)
==22204==The signal is caused by a WRITE memory access.
==22204==Hint: address points to the zero page.
    #0 0x10dec62 in atfu_wait6_coredumped_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_wait.c:165:14
    #1 0x80115ffb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #2 0x8011665e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #3 0x801165d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #4 0x801165d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #5 0x105b1ac in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #6 0x801106007  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_wait.c:165:14 in atfu_wait6_coredumped_body
==22204==ABORTING


===> lib/libexecinfo/backtrace_test:backtrace_fmt_basic
Result:     failed: 6 checks failed; see output for more details
. . .

Standard output:
got nptrs=19 ncalls=12 (min_frames: 4, max_frames: 9)
backtrace is:
#0: __interceptor_backtrace
#1: myfunc3
#2: myfunc2
#3: myfunc1
#4: myfunc1
#5: myfunc1
#6: myfunc1
#7: myfunc1
#8: myfunc1
#9: myfunc1
#10: myfunc1
#11: myfunc1
#12: myfunc1
#13: myfunc1
#14: myfunc1
#15: myfunc
#16: atfu_backtrace_fmt_basic_body
#17: _ZN6__asan9Allocator10DeallocateEPvmmPN11__sanitizer18BufferedStackTraceENS_9AllocTypeE
#18: _ZNK6__asan24GlobalAddressDescription27PointsInsideTheSameVariableERKS0_

Standard error:
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:95: strings[0] != "myfunc3" (__interceptor_backtrace != myfunc3)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:96: strings[1] != "myfunc2" (myfunc3 != myfunc2)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:99: strings[j] != "myfunc1" (myfunc2 != myfunc1)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (myfunc1 != myfunc)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (myfunc != atfu_backtrace_fmt_basic_body)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (atfu_backtrace_fmt_basic_body != atf_tc_run)

The extra levels of calls involved mess up the test.



That is all for now. There is lots more that I've not looked
at (yet?).

===
Mark Millard
marklmi at yahoo.com