Tarantool development patches archive
* [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
@ 2020-09-04 16:35 Alexander V. Tikhonov
  2020-09-04 22:42 ` Vladislav Shpilevoy
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Alexander V. Tikhonov @ 2020-09-04 16:35 UTC (permalink / raw)
  To: Kirill Yukhin, Vladislav Shpilevoy; +Cc: tarantool-patches

Found ASAN error:

[001] +    ok 206 - =================================================================
[001] +==6889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000031 at pc 0x0000005a72e7 bp 0x7ffe47c30c80 sp 0x7ffe47c30c78
[001] +WRITE of size 1 at 0x604000000031 thread T0
[001] +    #0 0x5a72e6 in mp_store_u8 /tarantool/src/lib/msgpuck/msgpuck.h:258:1
[001] +    #1 0x5a72e6 in mp_encode_uint /tarantool/src/lib/msgpuck/msgpuck.h:1768
[001] +    #2 0x4fa657 in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:957:16
[001] +    #3 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
[001] +    #4 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
[001] +    #5 0x41f339 in _start (/tnt/test/unit/msgpack.test+0x41f339)
[001] +
[001] +0x604000000031 is located 0 bytes to the right of 33-byte region [0x604000000010,0x604000000031)
[001] +allocated by thread T0 here:
[001] +    #0 0x4cace3 in malloc (/tnt/test/unit/msgpack.test+0x4cace3)
[001] +    #1 0x4fa5db in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:945:18
[001] +    #2 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
[001] +    #3 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
[001] +
[001] +SUMMARY: AddressSanitizer: heap-buffer-overflow /tarantool/src/lib/msgpuck/msgpuck.h:258:1 in mp_store_u8
[001] +Shadow bytes around the buggy address:
[001] +  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +=>0x0c087fff8000: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +Shadow byte legend (one shadow byte represents 8 application bytes):
[001] +  Addressable:           00
[001] +  Partially addressable: 01 02 03 04 05 06 07
[001] +  Heap left redzone:       fa
[001] +  Freed heap region:       fd
[001] +  Stack left redzone:      f1
[001] +  Stack mid redzone:       f2
[001] +  Stack right redzone:     f3
[001] +  Stack after return:      f5
[001] +  Stack use after scope:   f8
[001] +  Global redzone:          f9
[001] +  Global init order:       f6
[001] +  Poisoned by user:        f7
[001] +  Container overflow:      fc
[001] +  Array cookie:            ac
[001] +  Intra object redzone:    bb
[001] +  ASan internal:           fe
[001] +  Left alloca redzone:     ca

Investigation showed that the allocated buffer size was 33 bytes, but
34 were needed. The fix was to increase this buffer to hold one more
mp_encode_array(1).

Part of https://github.com/tarantool/tarantool/issues/4360

Reviewed-by: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
---

Github: https://github.com/tarantool/msgpuck/tree/avtikhon/gh-4360-fix-asan-error
Issue: https://github.com/tarantool/tarantool/issues/4360

 test/msgpuck.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/msgpuck.c b/test/msgpuck.c
index 2d9bcbf..2759313 100644
--- a/test/msgpuck.c
+++ b/test/msgpuck.c
@@ -939,7 +939,7 @@ test_mp_print()
 	is(rc, -1, "mp_fprint I/O error");
 
 	/* Test mp_snprint max nesting depth. */
-	int mp_buff_sz = MP_PRINT_MAX_DEPTH * mp_sizeof_array(1) +
+	int mp_buff_sz = (MP_PRINT_MAX_DEPTH + 1) * mp_sizeof_array(1) +
 			 mp_sizeof_uint(1);
 	int exp_str_sz = 2 * (MP_PRINT_MAX_DEPTH + 1) + 3 + 1;
 	char *mp_buff = malloc(mp_buff_sz);
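Review bot: the new factor (MP_PRINT_MAX_DEPTH + 1) is correct only as long as the loop that fills mp_buff really emits MP_PRINT_MAX_DEPTH + 1 nested arrays; after this hunk that count is written out in two places (mp_buff_sz and exp_str_sz) with nothing tying either to the encode loop, so a later change to the depth would silently reopen the one-byte heap overflow the ASAN report shows. Suggest a single named count, e.g. `const int levels = MP_PRINT_MAX_DEPTH + 1;`, used by both size expressions and by the loop, and a note on the `/* Test mp_snprint max nesting depth. */` comment that the payload is deliberately one level past the limit so the printer truncates. In the visible context the `malloc(mp_buff_sz)` result is also used without a NULL check.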
-- 
2.17.1

^ permalink raw reply	[flat|nested] 5+ messages in thread
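The size arithmetic behind the fix, as an added worked example that is not msgpuck's or Tarantool's code. It uses a tiny stand-in MessagePack writer (`sizeof_array`, `sizeof_uint`, `encode_nested`, `encode_into` are hypothetical names, not the msgpuck API) so the file builds on its own, and it assumes the depth limit was 32, which is derived from the ASAN report above: a 33-byte region equals MP_PRINT_MAX_DEPTH * mp_sizeof_array(1) + mp_sizeof_uint(1) with both sizes being one byte. The test payload nests one level past the limit, so the old formula is short by exactly one byte; the example's encoder is bounds-checked and refuses the 33-byte buffer instead of writing past it, which is the behaviour a test helper should have.

```c
/*
 * Added example (not msgpuck's or Tarantool's own code): a minimal
 * MessagePack writer reproducing the size arithmetic behind the
 * test_mp_print fix. It stands in for mp_encode_array()/mp_encode_uint();
 * the real msgpuck API is not used so this file builds on its own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed depth limit, derived from the ASAN report: the 33-byte region is
 * MP_PRINT_MAX_DEPTH * 1 + 1, so MP_PRINT_MAX_DEPTH was 32 in that build. */
#define EXAMPLE_MAX_DEPTH 32

/* Size helpers following MessagePack's compact forms: an array with
 * <= 15 elements is a one-byte fixarray (0x90 | n); an unsigned value
 * <= 127 is a one-byte positive fixint. Those are the cases the test hits. */
static size_t sizeof_array(uint32_t n)
{
    return n <= 15 ? 1 : (n <= 0xFFFF ? 3 : 5);
}

static size_t sizeof_uint(uint64_t v)
{
    return v <= 127 ? 1 : (v <= 0xFF ? 2 : (v <= 0xFFFF ? 3 :
           (v <= 0xFFFFFFFF ? 5 : 9)));
}

/* Pre-fix formula: budgets for MP_PRINT_MAX_DEPTH arrays only. */
size_t old_buffer_size(int max_depth)
{
    return (size_t)max_depth * sizeof_array(1) + sizeof_uint(1);
}

/* Fixed formula: the test nests one level deeper than the limit. */
size_t fixed_buffer_size(int max_depth)
{
    return (size_t)(max_depth + 1) * sizeof_array(1) + sizeof_uint(1);
}

/*
 * Encode `levels` nested single-element arrays followed by the uint 1,
 * i.e. the payload [[[...[1]...]]]. Unlike the raw encoders this is
 * bounds-checked: it returns the bytes written, or -1 when `cap` is too
 * small, rather than writing past the end of `buf`.
 */
long encode_nested(uint8_t *buf, size_t cap, int levels)
{
    size_t need = (size_t)levels * sizeof_array(1) + sizeof_uint(1);
    if (need > cap)
        return -1;
    size_t pos = 0;
    for (int i = 0; i < levels; i++)
        buf[pos++] = 0x90 | 1;   /* fixarray holding one element */
    buf[pos++] = 0x01;           /* positive fixint 1 */
    return (long)pos;
}

/* Allocate `cap` bytes, encode the depth-limit payload into them and return
 * encode_nested()'s result; -2 signals a wrong byte pattern in the output. */
long encode_into(size_t cap)
{
    uint8_t *buf = malloc(cap ? cap : 1);
    if (buf == NULL)
        return -1;
    long rc = encode_nested(buf, cap, EXAMPLE_MAX_DEPTH + 1);
    if (rc > 0) {
        int ok = buf[rc - 1] == 0x01;
        for (long i = 0; i + 1 < rc; i++)
            ok = ok && buf[i] == 0x91;
        if (!ok)
            rc = -2;
    }
    free(buf);
    return rc;
}

int main(void)
{
    size_t old_sz = old_buffer_size(EXAMPLE_MAX_DEPTH);
    size_t new_sz = fixed_buffer_size(EXAMPLE_MAX_DEPTH);
    printf("old formula: %zu bytes, fixed formula: %zu bytes\n", old_sz, new_sz);
    printf("encode into %zu bytes -> %ld\n", old_sz, encode_into(old_sz));
    printf("encode into %zu bytes -> %ld\n", new_sz, encode_into(new_sz));
    return 0;
}
```

Running it shows the old formula yielding 33 bytes and the fixed one 34; the bounds-checked encoder returns -1 for the 33-byte buffer and 34 for the 34-byte one, which is the one-byte WRITE the sanitizer flagged at offset 33 of the 33-byte region.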

* Re: [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
  2020-09-04 16:35 [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error Alexander V. Tikhonov
@ 2020-09-04 22:42 ` Vladislav Shpilevoy
  2020-09-07  8:21 ` Leonid Vasiliev
  2020-09-08 13:50 ` Kirill Yukhin
  2 siblings, 0 replies; 5+ messages in thread
From: Vladislav Shpilevoy @ 2020-09-04 22:42 UTC (permalink / raw)
  To: Alexander V. Tikhonov, Kirill Yukhin; +Cc: tarantool-patches

Hi! Thanks for the patch!

LGTM.


* Re: [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
  2020-09-04 16:35 [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error Alexander V. Tikhonov
  2020-09-04 22:42 ` Vladislav Shpilevoy
@ 2020-09-07  8:21 ` Leonid Vasiliev
  2020-09-08 13:50 ` Kirill Yukhin
  2 siblings, 0 replies; 5+ messages in thread
From: Leonid Vasiliev @ 2020-09-07  8:21 UTC (permalink / raw)
  To: Alexander V. Tikhonov, Kirill Yukhin; +Cc: tarantool-patches

Hi! Thank you for the patch.
LGTM.


* Re: [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
  2020-09-04 16:35 [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error Alexander V. Tikhonov
  2020-09-04 22:42 ` Vladislav Shpilevoy
  2020-09-07  8:21 ` Leonid Vasiliev
@ 2020-09-08 13:50 ` Kirill Yukhin
  2 siblings, 0 replies; 5+ messages in thread
From: Kirill Yukhin @ 2020-09-08 13:50 UTC (permalink / raw)
  To: Alexander V. Tikhonov; +Cc: tarantool-patches, Vladislav Shpilevoy

Hello,

On 04 Sep 19:35, Alexander V. Tikhonov wrote:
> Found ASAN error:
> 
> [001] +    ok 206 - =================================================================
> [001] +==6889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000031 at pc 0x0000005a72e7 bp 0x7ffe47c30c80 sp 0x7ffe47c30c78
> [001] +WRITE of size 1 at 0x604000000031 thread T0
> [001] +    #0 0x5a72e6 in mp_store_u8 /tarantool/src/lib/msgpuck/msgpuck.h:258:1
> [001] +    #1 0x5a72e6 in mp_encode_uint /tarantool/src/lib/msgpuck/msgpuck.h:1768
> [001] +    #2 0x4fa657 in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:957:16
> [001] +    #3 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #4 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +    #5 0x41f339 in _start (/tnt/test/unit/msgpack.test+0x41f339)
> [001] +
> [001] +0x604000000031 is located 0 bytes to the right of 33-byte region [0x604000000010,0x604000000031)
> [001] +allocated by thread T0 here:
> [001] +    #0 0x4cace3 in malloc (/tnt/test/unit/msgpack.test+0x4cace3)
> [001] +    #1 0x4fa5db in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:945:18
> [001] +    #2 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #3 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +
> [001] +SUMMARY: AddressSanitizer: heap-buffer-overflow /tarantool/src/lib/msgpuck/msgpuck.h:258:1 in mp_store_u8
> [001] +Shadow bytes around the buggy address:
> [001] +  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +=>0x0c087fff8000: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +Shadow byte legend (one shadow byte represents 8 application bytes):
> [001] +  Addressable:           00
> [001] +  Partially addressable: 01 02 03 04 05 06 07
> [001] +  Heap left redzone:       fa
> [001] +  Freed heap region:       fd
> [001] +  Stack left redzone:      f1
> [001] +  Stack mid redzone:       f2
> [001] +  Stack right redzone:     f3
> [001] +  Stack after return:      f5
> [001] +  Stack use after scope:   f8
> [001] +  Global redzone:          f9
> [001] +  Global init order:       f6
> [001] +  Poisoned by user:        f7
> [001] +  Container overflow:      fc
> [001] +  Array cookie:            ac
> [001] +  Intra object redzone:    bb
> [001] +  ASan internal:           fe
> [001] +  Left alloca redzone:     ca
> 
> Investigation showed that the allocated buffer size was 33 bytes, but
> 34 were needed. The fix was to increase this buffer to hold one more
> mp_encode_array(1).
> 
> Part of https://github.com/tarantool/tarantool/issues/4360
> 
> Reviewed-by: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>

I've checked your patch into 2.5 and master.

--
Regards, Kirill Yukhin


* [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
@ 2020-09-04 11:02 Alexander V. Tikhonov
  0 siblings, 0 replies; 5+ messages in thread
From: Alexander V. Tikhonov @ 2020-09-04 11:02 UTC (permalink / raw)
  To: Kirill Yukhin, Vladislav Shpilevoy; +Cc: tarantool-patches

Found ASAN error:

[001] +    ok 206 - =================================================================
[001] +==6889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000031 at pc 0x0000005a72e7 bp 0x7ffe47c30c80 sp 0x7ffe47c30c78
[001] +WRITE of size 1 at 0x604000000031 thread T0
[001] +    #0 0x5a72e6 in mp_store_u8 /tarantool/src/lib/msgpuck/msgpuck.h:258:1
[001] +    #1 0x5a72e6 in mp_encode_uint /tarantool/src/lib/msgpuck/msgpuck.h:1768
[001] +    #2 0x4fa657 in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:957:16
[001] +    #3 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
[001] +    #4 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
[001] +    #5 0x41f339 in _start (/tnt/test/unit/msgpack.test+0x41f339)
[001] +
[001] +0x604000000031 is located 0 bytes to the right of 33-byte region [0x604000000010,0x604000000031)
[001] +allocated by thread T0 here:
[001] +    #0 0x4cace3 in malloc (/tnt/test/unit/msgpack.test+0x4cace3)
[001] +    #1 0x4fa5db in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:945:18
[001] +    #2 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
[001] +    #3 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
[001] +
[001] +SUMMARY: AddressSanitizer: heap-buffer-overflow /tarantool/src/lib/msgpuck/msgpuck.h:258:1 in mp_store_u8
[001] +Shadow bytes around the buggy address:
[001] +  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[001] +=>0x0c087fff8000: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[001] +Shadow byte legend (one shadow byte represents 8 application bytes):
[001] +  Addressable:           00
[001] +  Partially addressable: 01 02 03 04 05 06 07
[001] +  Heap left redzone:       fa
[001] +  Freed heap region:       fd
[001] +  Stack left redzone:      f1
[001] +  Stack mid redzone:       f2
[001] +  Stack right redzone:     f3
[001] +  Stack after return:      f5
[001] +  Stack use after scope:   f8
[001] +  Global redzone:          f9
[001] +  Global init order:       f6
[001] +  Poisoned by user:        f7
[001] +  Container overflow:      fc
[001] +  Array cookie:            ac
[001] +  Intra object redzone:    bb
[001] +  ASan internal:           fe
[001] +  Left alloca redzone:     ca

Investigation showed that the allocated buffer size was 33 bytes, but
34 were needed. The fix was to increase this buffer to hold one more
mp_encode_array(1).

Part of https://github.com/tarantool/tarantool/issues/4360

Reviewed-by: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
---

Github: https://github.com/tarantool/msgpuck/tree/avtikhon/gh-4360-fix-asan-error
Issue: https://github.com/tarantool/tarantool/issues/4360

 test/msgpuck.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/msgpuck.c b/test/msgpuck.c
index 2d9bcbf..e8c5ae0 100644
--- a/test/msgpuck.c
+++ b/test/msgpuck.c
@@ -939,8 +939,8 @@ test_mp_print()
 	is(rc, -1, "mp_fprint I/O error");
 
 	/* Test mp_snprint max nesting depth. */
-	int mp_buff_sz = MP_PRINT_MAX_DEPTH * mp_sizeof_array(1) +
-			 mp_sizeof_uint(1);
+	int mp_buff_sz = (MP_PRINT_MAX_DEPTH + 1) * mp_sizeof_array(1) +
+			mp_sizeof_uint(1);
 	int exp_str_sz = 2 * (MP_PRINT_MAX_DEPTH + 1) + 3 + 1;
 	char *mp_buff = malloc(mp_buff_sz);
 	char *exp_str = malloc(exp_str_sz);
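Review bot: the second removed/added pair only re-indents the continuation line `mp_sizeof_uint(1);`, dropping the space that aligned it under the right-hand side of the assignment; that is a whitespace-only change that doubles the diff for a one-expression fix. Restrict the hunk to the `mp_buff_sz` line, as the 16:35 posting of this patch on this page does (diffstat 1 insertion, 1 deletion). The same point as for that posting applies here: the (MP_PRINT_MAX_DEPTH + 1) count now appears in both mp_buff_sz and exp_str_sz without being tied to the loop that encodes the arrays, so a single named count used by all three would keep the sizes from drifting apart again.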
-- 
2.17.1

