From: Mark Millard <marklmi@yahoo.com>
Subject: Re: kyua run under WITH_ASAN= built world reports a global-buffer-overflow during cpio test.
Date: Wed, 12 Jan 2022 13:57:23 -0800
To: freebsd-current
In-Reply-To: <313A3FD8-1E8C-46C2-A400-E0A647F09464@yahoo.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 2022-Jan-12, at 01:54, Mark Millard wrote:

> For the below it appears that the report from UBSAN is accurate.
>
> ==85511==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010753ca at pc 0x000001139bda bp 0x7fffffffc2b0 sp 0x7fffffffc2a8
> READ of size 1 at 0x0000010753ca thread T0
>     #0 0x1139bd9 in hexdump /usr/main-src/contrib/libarchive/test_utils/test_main.c:875:35
>     #1 0x113b73c in assertion_text_file_contents /usr/main-src/contrib/libarchive/test_utils/test_main.c:1182:3
>     #2 0x1125d46 in basic_cpio /usr/main-src/contrib/libarchive/cpio/test/test_basic.c:84:2
>     #3 0x11259dc in test_basic /usr/main-src/contrib/libarchive/cpio/test/test_basic.c:229:2
>     #4 0x1144943 in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
>     #5 0x1144943 in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
>
> 0x0000010753ca is located 54 bytes to the left of global variable '' defined in '/usr/main-src/contrib/libarchive/cpio/test/test_basic.c:229:13' (0x1075400) of size 5
>   '' is ascii string 'copy'
> 0x0000010753ca is located 22 bytes to the left of global variable '' defined in '/usr/main-src/contrib/libarchive/cpio/test/test_basic.c:228:38' (0x10753e0) of size 9
>   '' is ascii string '1 block
> '
> 0x0000010753ca is located 0 bytes to the right of global variable '' defined in '/usr/main-src/contrib/libarchive/cpio/test/test_basic.c:220:18' (0x10753c0) of size 10
>   '' is ascii string '2 blocks
> '
> SUMMARY: AddressSanitizer: global-buffer-overflow /usr/main-src/contrib/libarchive/test_utils/test_main.c:875:35 in hexdump
> Shadow bytes around the buggy address:
>   0x40000020ea20: f9 f9 f9 f9 02 f9 f9 f9 00 01 f9 f9 00 02 f9 f9
>   0x40000020ea30: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 f9 f9 f9
>   0x40000020ea40: 00 01 f9 f9 00 00 00 00 00 00 01 f9 f9 f9 f9 f9
>   0x40000020ea50: 06 f9 f9 f9 07 f9 f9 f9 00 00 00 00 00 07 f9 f9
>   0x40000020ea60: f9 f9 f9 f9 04 f9 f9 f9 05 f9 f9 f9 00 00 00 00
> =>0x40000020ea70: 00 05 f9 f9 f9 f9 f9 f9 00[02]f9 f9 00 01 f9 f9
>   0x40000020ea80: 05 f9 f9 f9 01 f9 f9 f9 00 01 f9 f9 00 05 f9 f9
>   0x40000020ea90: 00 02 f9 f9 00 f9 f9 f9 00 02 f9 f9 07 f9 f9 f9
>   0x40000020eaa0: 00 01 f9 f9 07 f9 f9 f9 00 02 f9 f9 00 02 f9 f9
>   0x40000020eab0: 00 03 f9 f9 00 01 f9 f9 00 04 f9 f9 00 00 00 00
>   0x40000020eac0: 00 00 00 03 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==85511==ABORTING
>
> Well, contrib/libarchive/cpio/test/test_basic.c:84 is doing:
>
>     assertTextFileContents(se, "pack.err");
>
> which involves, in turn:
>
>     int
>     assertion_text_file_contents(const char *filename, int line, const char *buff, const char *fn)
>     {
>     . . .
>         s = (int)strlen(buff);
>         contents = malloc(s * 2 + 128);
>         n = (int)fread(contents, 1, s * 2 + 128 - 1, f);
>     . . .
>         if (n > 0) {
>             hexdump(contents, buff, n, 0);
>     . . .
>
> Nothing about the code seems to constrain n to fit the
> size of the space for "pack.err" (9 bytes of "global"
> space).
>
> The report is for the ref[i + j] in the code:
>
>     static void
>     hexdump(const char *p, const char *ref, size_t l, size_t offset)
>     {
>     . . .
>         for (j = 0; j < 16 && i + j < l; j++) {
>             if (ref != NULL && p[i + j] != ref[i + j])
>     . . .
>
> where ref points to the space for "pack.err" and l was
> given a copy of the value of n in the previously shown
> code.
>
> The i + j < l constraint need not avoid the code doing
> ref[i + j] in a way that reaches outside the space for
> "pack.err" --because of the supplied value of n (a.k.a. l)
> not being sufficient to respect the space for "pack.err".

The pair below shows up in 13 reports:

    #0 0x1139bd9 in hexdump /usr/main-src/contrib/libarchive/test_utils/test_main.c:875:35
    #1 0x113b73c in assertion_text_file_contents /usr/main-src/contrib/libarchive/test_utils/test_main.c:1182:3

So the above notes are just an illustration of a more general issue with the assertion_text_file_contents use of "hexdump(contents, buff, n, 0)".

===
Mark Millard
marklmi at yahoo.com
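An added example, not part of the mail above and not libarchive's code: the comparison pattern the mail describes (a row-of-16 hexdump loop bounded only by the byte count n read from the file) rewritten so that the reference string carries its own length and is never indexed past it. The mail's point is that n is capped by s * 2 + 127, derived from the expected text, so n can exceed strlen(buff) and ref[i + j] walks off the end of the string literal; in the ASan report that lands 0 bytes past the 10-byte global holding '2 blocks\n'. The function and helper names here (safe_hexdump_compare, read_like_assertion, oob_reference_bytes) are this example's own, and the "file" bytes are a constructed stand-in for pack.err, built from the strings quoted in the report rather than read from disk.

```c
/*
 * Example code (not libarchive's): the hexdump()/assertion_text_file_contents()
 * comparison from the mail, with the reference side given an explicit bound.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Same 16-byte-row loop shape as the quoted hexdump(), but ref[] is only
 * read while k < ref_len. Data bytes beyond the reference count as
 * mismatches without touching ref[], which is what `i + j < l` alone does
 * not guarantee once l (the bytes read from the file) exceeds strlen(ref).
 * Returns the number of mismatching bytes; *first_diff receives the offset
 * of the first one, or (size_t)-1 when the two agree.
 */
size_t safe_hexdump_compare(const char *p, size_t l,
                            const char *ref, size_t ref_len,
                            size_t *first_diff)
{
    size_t i, j, mismatches = 0;

    *first_diff = (size_t)-1;
    for (i = 0; i < l; i += 16) {
        for (j = 0; j < 16 && i + j < l; j++) {
            size_t k = i + j;
            int differs;

            if (ref == NULL)
                differs = 0;
            else if (k < ref_len)
                differs = (p[k] != ref[k]);
            else
                differs = 1;            /* past the reference: never read ref[k] */
            if (differs) {
                if (*first_diff == (size_t)-1)
                    *first_diff = k;
                mismatches++;
            }
            /* the real hexdump prints "%02x" of p[k] here; omitted */
        }
    }
    /* A reference longer than the data is a mismatch as well. */
    if (ref != NULL && ref_len > l) {
        if (*first_diff == (size_t)-1)
            *first_diff = l;
        mismatches += ref_len - l;
    }
    return mismatches;
}

/*
 * Models the sizing quoted from assertion_text_file_contents(): the read
 * limit is s * 2 + 127 bytes, derived from the expected text, so n may
 * legitimately be larger than s. `file` stands in for the on-disk pack.err
 * (constructed input). Returns 1 when the contents match the expectation.
 */
int read_like_assertion(const char *file, size_t file_len,
                        const char *expected, size_t *n_out)
{
    size_t s = strlen(expected);
    size_t cap = s * 2 + 128;
    char *contents = malloc(cap);
    size_t n, first, bad;

    if (contents == NULL)
        return 0;
    n = file_len < cap - 1 ? file_len : cap - 1;   /* what fread() would return */
    memcpy(contents, file, n);
    contents[n] = '\0';
    if (n_out != NULL)
        *n_out = n;
    /* Pass the reference length explicitly instead of letting n bound it. */
    bad = safe_hexdump_compare(contents, n, expected, s, &first);
    free(contents);
    return bad == 0;
}

/* Bytes of ref[] the original, n-bounded loop would touch past the object. */
size_t oob_reference_bytes(size_t ref_obj_size, size_t n)
{
    return n > ref_obj_size ? n - ref_obj_size : 0;
}

/* Constructed inputs using the strings from the ASan report. */
static const char kReference[] = "2 blocks\n";        /* strlen 9, object size 10 */
static const char kFileBytes[] = "2 blocks\nextra\n"; /* 15 bytes in the "file" */

size_t demo_mismatches(void)
{
    size_t f;
    return safe_hexdump_compare(kFileBytes, strlen(kFileBytes),
                                kReference, strlen(kReference), &f);
}

size_t demo_first_diff(void)
{
    size_t f;
    (void)safe_hexdump_compare(kFileBytes, strlen(kFileBytes),
                               kReference, strlen(kReference), &f);
    return f;
}

size_t demo_short_file_first_diff(void)
{
    size_t f;
    (void)safe_hexdump_compare("2 bl", 4, kReference, strlen(kReference), &f);
    return f;
}

int demo_via_reader(size_t *n_out)
{
    return read_like_assertion(kFileBytes, strlen(kFileBytes), kReference, n_out);
}

int demo_exact_match(void)
{
    return read_like_assertion(kReference, strlen(kReference), kReference, NULL);
}

int main(void)
{
    size_t n = 0;
    int ok = demo_via_reader(&n);

    printf("read n=%zu, match=%d, first diff at %zu, %zu mismatches\n",
           n, ok, demo_first_diff(), demo_mismatches());
    printf("n-bounded loop would read %zu byte(s) past the %zu-byte reference object\n",
           oob_reference_bytes(sizeof kReference, n), sizeof kReference);
    return 0;
}
```

With the 15-byte file and the 9-character reference, the bounded comparison reports the first difference at offset 9 (the byte right after the expected text) and never dereferences ref[9] or beyond; the n-bounded original would have read five bytes past the 10-byte object, which is the global-buffer-overflow the report flags.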