Date: Fri, 26 Feb 2016 18:21:20 +0100 From: Dimitry Andric <dim@FreeBSD.org> To: Howard Su <howard0su@gmail.com> Cc: current@freebsd.org Subject: Re: buffer overflow warning in /bin/sh Message-ID: <0353BD46-1397-4DAC-9115-6D2355E7F42D@FreeBSD.org> In-Reply-To: <CAAvnz_owSKcJ71LJa2F4MnnWKjV251CH-mBsVMFcS=riN=bK_Q@mail.gmail.com> References: <CAAvnz_owSKcJ71LJa2F4MnnWKjV251CH-mBsVMFcS=riN=bK_Q@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Apple-Mail=_B61D0859-2942-42C8-885C-42F4FE89BFF1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 On 26 Feb 2016, at 04:21, Howard Su <howard0su@gmail.com> wrote: >=20 > I got the error when compiling GENERIC kernel with address sanitizer > /bin/sh: > --- vers.c --- > MAKE=3Dmake sh /usr/home/howardsu/freebsd/sys/conf/newvers.sh > = GENERIC=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > =3D=3D4132=3D=3DERROR: AddressSanitizer: stack-buffer-overflow on = address > 0x7fffffffc9c0 at pc 0x00000045fdc7 bp 0x7fffffffc930 sp = 0x7fffffffc0f0 > WRITE of size 312 at 0x7fffffffc9c0 thread T0 > #0 0x45fdc6 (/bin/sh+0x45fdc6) > #1 0x801431767 (/lib/libc.so.7+0x7c767) > #2 0x42ff5e (/bin/sh+0x42ff5e) > #3 0x4b6b00 (/bin/sh+0x4b6b00) > #4 0x49686e (/bin/sh+0x49686e) > #5 0x495572 (/bin/sh+0x495572) > #6 0x48c3f9 (/bin/sh+0x48c3f9) > #7 0x489920 (/bin/sh+0x489920) > #8 0x4acde8 (/bin/sh+0x4acde8) > #9 0x4aca4d (/bin/sh+0x4aca4d) > #10 0x40fb0e (/bin/sh+0x40fb0e) > #11 0x80071afff (<unknown module>) >=20 > Address 0x7fffffffc9c0 is located in stack of thread > T0=3D=3D4132=3D=3DAddressSanitizer CHECK failed: > = /usr/home/howardsu/freebsd/lib/libclang_rt/asan/../../../contrib/compiler-= rt/lib/asan/asan_thread.cc:246 > "((ptr[0] =3D=3D kCurrentStackFrameMagic)) !=3D (0)" (0x0, 0x0) > #0 0x422b9d (/bin/sh+0x422b9d) > #1 0x41de09 (/bin/sh+0x41de09) > #2 0x41f301 (/bin/sh+0x41f301) > #3 0x4728be (/bin/sh+0x4728be) > #4 0x474589 (/bin/sh+0x474589) > #5 0x47502a (/bin/sh+0x47502a) > #6 0x45fdef (/bin/sh+0x45fdef) > #7 0x801431767 (/lib/libc.so.7+0x7c767) > #8 0x42ff5e (/bin/sh+0x42ff5e) > #9 0x4b6b00 (/bin/sh+0x4b6b00) > #10 0x49686e (/bin/sh+0x49686e) > #11 0x495572 (/bin/sh+0x495572) > #12 0x48c3f9 (/bin/sh+0x48c3f9) > #13 0x489920 (/bin/sh+0x489920) > #14 0x4acde8 (/bin/sh+0x4acde8) > #15 0x4aca4d (/bin/sh+0x4aca4d) > #16 0x40fb0e (/bin/sh+0x40fb0e) > #17 0x80071afff (<unknown module>) >=20 > *** [vers.c] Error code 1 >=20 > I am using latest -Current and add the following flags to = /etc/make.conf. > # CFLAGS+=3D -g -fsanitize=3Daddress -fno-omit-frame-pointer >=20 > I rebuild /bin/sh as a first step. with the /bin/sh I got the above = error. > I would like to understand how to get symbols. The following command > doesn't work at all. > addr2line -e /bin/sh 0x422b9d >=20 > =E2=80=8BAny idea?=E2=80=8B Please recompile and reinstall world, using WITH_CLANG_EXTRAS=3Dy in /etc/src.conf. This will install the /usr/bin/llvm-symbolizer command, which is needed by AddressSanitizer to resolve symbols. On my system with the projects/clang380-import branch installed, I get the following AdressSanitizer report. It does not look completely similar to your case, though: $ sh sys/conf/newvers.sh =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D9912=3D=3DERROR: AddressSanitizer: stack-buffer-overflow on = address 0xbfbfe380 at pc 0x08121f12 bp 0xbfbfe354 sp 0xbfbfe34c WRITE of size 4 at 0xbfbfe380 thread T0 #0 0x8121f11 in readtoken1 = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:1419:= 22 #1 0x812597d in xxreadtoken = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:930:1= 1 #2 0x811c90f in readtoken = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:827:6= #3 0x812341c in simplecmd = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:647:7= #4 0x812341c in command = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:592 #5 0x8122e19 in pipeline = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:376:7= #6 0x811cc57 in andor = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:347:6= #7 0x811cc57 in list = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:278 #8 0x8126501 in parsebackq = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:1182:= 6 #9 0x811f36c in readtoken1 = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:1556:= 11 #10 0x812597d in xxreadtoken = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:930:1= 1 #11 0x811c90f in readtoken = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:827:6= #12 0x811c7c9 in parsecmd = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:224:6= #13 0x811046f in cmdloop = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/main.c:217:7 #14 0x811015e in main = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/main.c:178:3 #15 0x80557c9 in _start1 (/bin/sh+0x80557c9) Address 0xbfbfe380 is located in stack of thread T0 at offset 32 in = frame #0 0x811e8ff in readtoken1 = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:1400 This frame has 3 object(s): [16, 20) 'bqlist' [32, 128) 'state_static' <=3D=3D Memory access at offset 32 is = inside this variable [160, 170) 'buf' HINT: this may be a false positive if your program uses some custom = stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow = /share/dim/src/freebsd/base/projects/clang380-import/bin/sh/parser.c:1419:= 22 in readtoken1 Shadow bytes around the buggy address: 0x57f7fc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fc30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fc40: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 00 00 0x57f7fc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fc60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 04 f2 =3D>0x57f7fc70:[f3]f3 f3 f3 f3 f3 00 00 00 00 00 00 f2 f2 f2 f2 0x57f7fc80: 00 02 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fca0: 00 00 00 00 00 00 00 00 f1 f1 04 f2 04 f2 04 f2 0x57f7fcb0: 04 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00 0x57f7fcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb =3D=3D9912=3D=3DABORTING This may be a false positive though. I'm currently trying to run this under valgrind, but the valgrind port crashes with: valgrind: m_syswrap/syswrap-freebsd.c:3302 (void = vgSysWrap_freebsd_sys_fcntl_before(ThreadId, SyscallArgLayout *, = SyscallArgs *, SyscallStatus *, UWord *)): Assertion 'Unimplemented = functionality' failed. valgrind: valgrind host stacktrace: =3D=3D6180=3D=3D at 0x38043152: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x380434D7: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x380434BD: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x380B2DF4: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x3809AE77: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x38099F2F: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x380985F7: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) =3D=3D6180=3D=3D by 0x380A5E50: ??? (in = /usr/local/lib/valgrind/memcheck-amd64-freebsd) sched status: running_tid=3D1 Thread 1: status =3D VgTs_Runnable =3D=3D6180=3D=3D at 0x51AF0DA: _fcntl (in /lib/libc.so.7) =3D=3D6180=3D=3D by 0x50B4CDB: fcntl (in /lib/libc.so.7) =3D=3D6180=3D=3D by 0x40DD20: setinputfile (input.c:369) =3D=3D6180=3D=3D by 0x412F9D: procargs (options.c:113) =3D=3D6180=3D=3D by 0x411571: main (main.c:147) So it is fairly unusable now. :-( -Dimitry --Apple-Mail=_B61D0859-2942-42C8-885C-42F4FE89BFF1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.29 iEYEARECAAYFAlbQiZUACgkQsF6jCi4glqNDFQCgyRHNHbpOUsW0VSX1nJuPtOwb bIAAoMry66dR0hIYNTdveq0eWYQHFIPQ =s/zp -----END PGP SIGNATURE----- --Apple-Mail=_B61D0859-2942-42C8-885C-42F4FE89BFF1--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0353BD46-1397-4DAC-9115-6D2355E7F42D>