From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from smtp33.i.mail.ru (smtp33.i.mail.ru [94.100.177.93])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dev.tarantool.org (Postfix) with ESMTPS id E3FED469719
	for ; Tue, 8 Sep 2020 16:50:30 +0300 (MSK)
Date: Tue, 8 Sep 2020 16:50:29 +0300
From: Kirill Yukhin
Message-ID: <20200908135029.6klbexkzmarnaxrd@tarantool.org>
References: <3ef2f4a32d73df17724c705ae04b714f8f67972d.1599237308.git.avtikhon@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3ef2f4a32d73df17724c705ae04b714f8f67972d.1599237308.git.avtikhon@tarantool.org>
Subject: Re: [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer size to fix ASAN error
List-Id: Tarantool development patches
To: "Alexander V. Tikhonov"
Cc: tarantool-patches@dev.tarantool.org, Vladislav Shpilevoy

Hello,

On 04 Sep 19:35, Alexander V. Tikhonov wrote:
> Found ASAN error:
>
> [001] + ok 206 - =================================================================
> [001] +==6889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000031 at pc 0x0000005a72e7 bp 0x7ffe47c30c80 sp 0x7ffe47c30c78
> [001] +WRITE of size 1 at 0x604000000031 thread T0
> [001] +    #0 0x5a72e6 in mp_store_u8 /tarantool/src/lib/msgpuck/msgpuck.h:258:1
> [001] +    #1 0x5a72e6 in mp_encode_uint /tarantool/src/lib/msgpuck/msgpuck.h:1768
> [001] +    #2 0x4fa657 in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:957:16
> [001] +    #3 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #4 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +    #5 0x41f339 in _start (/tnt/test/unit/msgpack.test+0x41f339)
> [001] +
> [001] +0x604000000031 is located 0 bytes to the right of 33-byte region [0x604000000010,0x604000000031)
> [001] +allocated by thread T0 here:
> [001] +    #0 0x4cace3 in malloc (/tnt/test/unit/msgpack.test+0x4cace3)
> [001] +    #1 0x4fa5db in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:945:18
> [001] +    #2 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #3 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +
> [001] +SUMMARY: AddressSanitizer: heap-buffer-overflow /tarantool/src/lib/msgpuck/msgpuck.h:258:1 in mp_store_u8
> [001] +Shadow bytes around the buggy address:
> [001] +  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +=>0x0c087fff8000: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +Shadow byte legend (one shadow byte represents 8 application bytes):
> [001] +  Addressable:           00
> [001] +  Partially addressable: 01 02 03 04 05 06 07
> [001] +  Heap left redzone:       fa
> [001] +  Freed heap region:       fd
> [001] +  Stack left redzone:      f1
> [001] +  Stack mid redzone:       f2
> [001] +  Stack right redzone:     f3
> [001] +  Stack after return:      f5
> [001] +  Stack use after scope:   f8
> [001] +  Global redzone:          f9
> [001] +  Global init order:       f6
> [001] +  Poisoned by user:        f7
> [001] +  Container overflow:      fc
> [001] +  Array cookie:            ac
> [001] +  Intra object redzone:    bb
> [001] +  ASan internal:           fe
> [001] +  Left alloca redzone:     ca
>
> Investigated: the buffer that was allocated was 33 bytes, but
> it needed 34. The fix was to increase this buffer for another
> mp_encode_array(1).
>
> Part of https://github.com/tarantool/tarantool/issues/4360
>
> Reviewed-by: Vladislav Shpilevoy

I've checked your patch into 2.5 and master.

--
Regards, Kirill Yukhin
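The off-by-one above is the classic shape of this bug class: the test hand-counted the bytes its encoder would emit and missed one header, here the single fixarray byte that mp_encode_array(1) produces, so the 34th write landed one byte past a 33-byte malloc and ASAN flagged it. The defensive pattern is to derive the allocation from the same size rules the encoder uses and to write through a bounds-checked cursor that fails closed. The following is an added example, not code from the patch or from msgpuck: sizeof_uint/sizeof_array and encode_* are hypothetical stand-ins that follow the MessagePack wire format rather than the library's own functions, and the sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Size rules per the MessagePack spec. These are hypothetical stand-ins
 * for msgpuck's mp_sizeof_uint()/mp_sizeof_array(), not the library's code. */
static size_t sizeof_uint(uint64_t v) {
    if (v < 0x80) return 1;          /* positive fixint */
    if (v <= UINT8_MAX) return 2;    /* 0xcc + 1 byte */
    if (v <= UINT16_MAX) return 3;   /* 0xcd + 2 bytes */
    if (v <= UINT32_MAX) return 5;   /* 0xce + 4 bytes */
    return 9;                        /* 0xcf + 8 bytes */
}
static size_t sizeof_array(uint32_t n) {
    if (n < 16) return 1;            /* fixarray: one header byte */
    if (n <= UINT16_MAX) return 3;   /* 0xdc + 2 bytes */
    return 5;                        /* 0xdd + 4 bytes */
}

/* Bounded writer: every byte is checked against the capacity, so an
 * undersized buffer is reported instead of being written past. */
struct writer { uint8_t *buf; size_t cap; size_t pos; int overflow; };

static void put_u8(struct writer *w, uint8_t b) {
    if (w->pos >= w->cap) { w->overflow = 1; return; }
    w->buf[w->pos++] = b;
}
static void put_be(struct writer *w, uint64_t v, int nbytes) {
    for (int i = nbytes - 1; i >= 0; i--)   /* big-endian, as the spec requires */
        put_u8(w, (uint8_t)(v >> (8 * i)));
}
static void encode_uint(struct writer *w, uint64_t v) {
    if (v < 0x80)             put_u8(w, (uint8_t)v);
    else if (v <= UINT8_MAX)  { put_u8(w, 0xcc); put_be(w, v, 1); }
    else if (v <= UINT16_MAX) { put_u8(w, 0xcd); put_be(w, v, 2); }
    else if (v <= UINT32_MAX) { put_u8(w, 0xce); put_be(w, v, 4); }
    else                      { put_u8(w, 0xcf); put_be(w, v, 8); }
}
static void encode_array(struct writer *w, uint32_t n) {
    if (n < 16)               put_u8(w, (uint8_t)(0x90 | n));
    else if (n <= UINT16_MAX) { put_u8(w, 0xdc); put_be(w, n, 2); }
    else                      { put_u8(w, 0xdd); put_be(w, n, 4); }
}

/* Bytes needed for "[ v0, v1, ... ]": the array header plus every element,
 * computed with the same rules the encoder applies. */
size_t required_size(const uint64_t *vals, uint32_t n) {
    size_t total = sizeof_array(n);
    for (uint32_t i = 0; i < n; i++) total += sizeof_uint(vals[i]);
    return total;
}

/* Encode into a caller-sized buffer. Returns bytes written, or 0 if the
 * buffer was too small (no byte is ever written beyond cap). */
size_t encode_array_of_uints(uint8_t *buf, size_t cap,
                             const uint64_t *vals, uint32_t n) {
    struct writer w = { buf, cap, 0, 0 };
    encode_array(&w, n);
    for (uint32_t i = 0; i < n; i++) encode_uint(&w, vals[i]);
    return w.overflow ? 0 : w.pos;
}

/* Constructed sample: fixarray(3) + fixint + uint16 + uint32 = 1+1+3+5 = 10. */
static const uint64_t sample_vals[] = { 5, 300, 70000 };
static const uint32_t sample_n = 3;

size_t demo_required_size(void) { return required_size(sample_vals, sample_n); }

/* Buffer sized from required_size(): encoding fills it exactly. */
size_t demo_encode_exact(void) {
    size_t need = required_size(sample_vals, sample_n);
    uint8_t *buf = malloc(need);
    if (!buf) return 0;
    size_t written = encode_array_of_uints(buf, need, sample_vals, sample_n);
    int ok = written == need && buf[0] == 0x93 && buf[2] == 0xcd && buf[5] == 0xce;
    free(buf);
    return ok ? written : 0;
}

/* Buffer sized as if the one-byte array header were forgotten (the 33-vs-34
 * mistake): the bounded writer returns 0 rather than overflowing the heap. */
size_t demo_encode_one_short(void) {
    size_t need = required_size(sample_vals, sample_n);
    uint8_t *buf = malloc(need - 1);
    if (!buf) return 99;
    size_t written = encode_array_of_uints(buf, need - 1, sample_vals, sample_n);
    free(buf);
    return written;
}

int main(void) {
    printf("required: %zu, exact: %zu, one short: %zu\n",
           demo_required_size(), demo_encode_exact(), demo_encode_one_short());
    return 0;
}
```

Under ASAN the unbounded version of this mistake is caught at runtime, as in the report above; the sizeof-then-encode pairing catches it at design time, and the bounded cursor turns any remaining miscount into a detectable failure instead of a one-byte heap write.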