AddressSanitizer

Andrew Bartlett abartlet at samba.org
Sun Sep 7 17:26:20 MDT 2014


This tool was pointed out to me last week, and I understand Matthieu
Patou also looked at it a few months ago.

Either way, this tool is mean, and I have a branch with 12 patches found by it already.

The issues (in this case, reading .data that was not part of a variable,
something valgrind can't find) show up like this:

=================================================================
==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
READ of size 1 at 0x7f90e6d4e527 thread T0
    #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
    #1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
    #2 0x7f90df8ee2eb in smbcli_write ../source4/libcli/clireadwrite.c:118
    #3 0x7f90e6883c22 in test_chained ../source4/torture/raw/open.c:1373
    #4 0x7f90e6852f09 in wrap_simple_1smb_test ../source4/torture/util_smb.c:819
    #5 0x7f90e0053643 in internal_torture_run_test ../lib/torture/torture.c:442
    #6 0x7f90e0053b39 in torture_run_tcase_restricted ../lib/torture/torture.c:506
    #7 0x7f90e0053fea in torture_run_suite_restricted ../lib/torture/torture.c:357
    #8 0x7f90e00541a5 in torture_run_suite ../lib/torture/torture.c:339
    #9 0x7f90e694a299 in run_matching ../source4/torture/smbtorture.c:93
    #10 0x7f90e694a2b6 in run_matching ../source4/torture/smbtorture.c:95
    #11 0x7f90e694b072 in torture_run_named_tests ../source4/torture/smbtorture.c:143
    #12 0x7f90e694cecc in main ../source4/torture/smbtorture.c:665
    #13 0x7f90d92a7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #14 0x7f90e6840b08 (/data/samba/git/samba/bin/default/source4/torture/smbtorture+0x2dfb08)

0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
  '*.LC83' is ascii string '../source4/torture/raw/open.c:1447'
0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
  '*.LC82' is ascii string 'test'
SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
Shadow bytes around the buggy address:
  0x0ff29cda1c50: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
  0x0ff29cda1c60: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff29cda1c70: 00 00 00 07 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x0ff29cda1c80: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff29cda1c90: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9
=>0x0ff29cda1ca0: f9 f9 f9 f9[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff29cda1cb0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
  0x0ff29cda1cc0: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
  0x0ff29cda1cd0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
  0x0ff29cda1ce0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff29cda1cf0: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==566==ABORTING
UNEXPECTED(error): samba4.raw.open.chained-openx (subunit.RemotedTestCase)(dc)
REASON: _StringException: _StringException: was started but never finished!
command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=$SMB_CONF_PATH --maximum-runtime=$SELFTEST_MAXTIME --basedir=$SELFTEST_TMPDIR --format=subunit --option=torture:progress=no --target=samba4 //$SERVER/tmp -U$USERNAME%$PASSWORD --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
expanded command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=/data/samba/git/samba/st/client/client.conf --maximum-runtime=1200 --basedir=/data/samba/git/samba/st/tmp --format=subunit --option=torture:progress=no --target=samba4 //localdc/tmp -UAdministrator%locDCpass1 --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
ERROR: Testsuite[samba4.raw.open(dc)]
REASON: Exit code was 1

 errors[1]
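As an added example (not Samba code and not from the mail), here is the pattern the report above describes in miniature: a send path that trusts a caller-supplied byte count and so reads past a 5-byte string literal into the adjacent global redzone, next to a checked variant that rejects the count before any byte is read. The struct, function names and literals are constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the two adjacent .rodata literals in the report:
 * ASan puts a redzone (shadow byte f9) between them; valgrind tracks neither. */
static const char LC82[] = "test";                  /* 5 bytes incl. NUL */
static const char LC83[] = "../source4/torture/raw/open.c:1447";

/* Hypothetical request shape: the caller hands over a buffer and a byte count,
 * and the send path has no independent knowledge of the buffer's real size. */
struct write_req { const uint8_t *data; size_t count; };

/* Vulnerable pattern: reads exactly req->count bytes. With count = 7 on LC82
 * the loop walks into the redzone; built with -fsanitize=address this is the
 * "global-buffer-overflow ... READ of size 1" report shown above. */
uint32_t unchecked_checksum(const struct write_req *req) {
    uint32_t sum = 0;
    for (size_t i = 0; i < req->count; i++)
        sum = sum * 31 + req->data[i];
    return sum;
}

/* Hardened: the caller states the real buffer size and the count is validated
 * against it before the read loop runs. Returns 0 on success, -1 on rejection. */
int checked_checksum(const uint8_t *buf, size_t buflen, size_t count, uint32_t *out) {
    if (buf == NULL || out == NULL || count > buflen)
        return -1;
    struct write_req req = { buf, count };
    *out = unchecked_checksum(&req);
    return 0;
}

int main(void) {
    uint32_t sum = 0;
    /* In bounds: the 4 visible bytes of "test". */
    if (checked_checksum((const uint8_t *)LC82, sizeof(LC82), 4, &sum) == 0)
        printf("ok: checksum %u\n", sum);
    /* Over-long count is rejected instead of reading LC82's redzone / LC83. */
    if (checked_checksum((const uint8_t *)LC82, sizeof(LC82), 7, &sum) != 0)
        printf("rejected: count 7 > buffer size %zu\n", sizeof(LC82));
    (void)LC83;
    return 0;
}
```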

To run, use gcc 4.8 or 4.9 and compile with:

LDFLAGS="-fsanitize=address" CFLAGS="-fno-omit-frame-pointer -O1 -fsanitize=address" ~/samba/config.abartlet && make -j

Run with:
SMBD_MAXTIME=15000 LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.1 make test

I used gcc 4.9 on debian testing.

Use the patches in
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/asan otherwise the nss_wrapper and uid_wrapper issues will prevent it from operating pending a fix for those upstream.

I'll reply to this mail with the patches for master.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
More information about the samba-technical mailing list