FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile

From: Mark Millard <marklmi_at_yahoo.com>
Date: Fri, 07 Jan 2022 11:39:03 UTC

Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
after finding what to control to allow the build, I installed
it in a directory tree for chroot use and have
"kyua test -k /usr/tests/Kyuafile" running.

I see evidence of one AddressSanitizer report. (kyua is still
running.) The context is:

# more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt 
Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
Executing command [ touch a ]
Executing command [ rm a ]
Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
Executing command [ rm a ]

# more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt 
=================================================================
==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
WRITE of size 8 at 0x7fffffffa948 thread T0
    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
    #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
    #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
    #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
    #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
    #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
    #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
    #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
    #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
    #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
    #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
    #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
    #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
    #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
    #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
    #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3

Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58

  This frame has 1 object(s):
    [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
Shadow bytes around the buggy address:
  0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
  0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
  0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
  0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
  0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14384==ABORTING
Files left in work directory after failure: mntpt, mounterr

===
Mark Millard
marklmi at yahoo.com