From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <kyukhin@tarantool.org>
Received: from smtp33.i.mail.ru (smtp33.i.mail.ru [94.100.177.93])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id E3FED469719
 for <tarantool-patches@dev.tarantool.org>;
 Tue,  8 Sep 2020 16:50:30 +0300 (MSK)
Date: Tue, 8 Sep 2020 16:50:29 +0300
From: Kirill Yukhin <kyukhin@tarantool.org>
Message-ID: <20200908135029.6klbexkzmarnaxrd@tarantool.org>
References: <3ef2f4a32d73df17724c705ae04b714f8f67972d.1599237308.git.avtikhon@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3ef2f4a32d73df17724c705ae04b714f8f67972d.1599237308.git.avtikhon@tarantool.org>
Subject: Re: [Tarantool-patches] [PATCH msgpuck v2] test: correct buffer
	size to fix ASAN error
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: "Alexander V. Tikhonov" <avtikhon@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org, Vladislav Shpilevoy <v.shpilevoy@tarantool.org>

Hello,

On 04 сен 19:35, Alexander V. Tikhonov wrote:
> Found ASAN error:
> 
> [001] +    ok 206 - =================================================================
> [001] +==6889==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000031 at pc 0x0000005a72e7 bp 0x7ffe47c30c80 sp 0x7ffe47c30c78
> [001] +WRITE of size 1 at 0x604000000031 thread T0
> [001] +    #0 0x5a72e6 in mp_store_u8 /tarantool/src/lib/msgpuck/msgpuck.h:258:1
> [001] +    #1 0x5a72e6 in mp_encode_uint /tarantool/src/lib/msgpuck/msgpuck.h:1768
> [001] +    #2 0x4fa657 in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:957:16
> [001] +    #3 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #4 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +    #5 0x41f339 in _start (/tnt/test/unit/msgpack.test+0x41f339)
> [001] +
> [001] +0x604000000031 is located 0 bytes to the right of 33-byte region [0x604000000010,0x604000000031)
> [001] +allocated by thread T0 here:
> [001] +    #0 0x4cace3 in malloc (/tnt/test/unit/msgpack.test+0x4cace3)
> [001] +    #1 0x4fa5db in test_mp_print /tarantool/src/lib/msgpuck/test/msgpuck.c:945:18
> [001] +    #2 0x509024 in main /tarantool/src/lib/msgpuck/test/msgpuck.c:1331:2
> [001] +    #3 0x7f3658fd909a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
> [001] +
> [001] +SUMMARY: AddressSanitizer: heap-buffer-overflow /tarantool/src/lib/msgpuck/msgpuck.h:258:1 in mp_store_u8
> [001] +Shadow bytes around the buggy address:
> [001] +  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [001] +=>0x0c087fff8000: fa fa 00 00 00 00[01]fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> [001] +Shadow byte legend (one shadow byte represents 8 application bytes):
> [001] +  Addressable:           00
> [001] +  Partially addressable: 01 02 03 04 05 06 07
> [001] +  Heap left redzone:       fa
> [001] +  Freed heap region:       fd
> [001] +  Stack left redzone:      f1
> [001] +  Stack mid redzone:       f2
> [001] +  Stack right redzone:     f3
> [001] +  Stack after return:      f5
> [001] +  Stack use after scope:   f8
> [001] +  Global redzone:          f9
> [001] +  Global init order:       f6
> [001] +  Poisoned by user:        f7
> [001] +  Container overflow:      fc
> [001] +  Array cookie:            ac
> [001] +  Intra object redzone:    bb
> [001] +  ASan internal:           fe
> [001] +  Left alloca redzone:     ca
> 
> Investigated the buffer size that was allocated was 33 bytes, but
> it needed 34. The fix was to increase this buffer for another
> mp_encode_array(1).
> 
> Part of https://github.com/tarantool/tarantool/issues/4360
> 
> Reviewed-by: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>

I've checked your patch into 2.5 and master.

--
Regards, Kirill Yukhin