AddressSanitizer

Matthieu Patou mat at samba.org
Sun Sep 7 19:43:02 MDT 2014


Hi Andrew,

I'm glad that you brought it up.
On 09/07/2014 04:26 PM, Andrew Bartlett wrote:
> This tool was pointed out to me last week, and I understand Matthieu
> Patou also looked at it a few months ago.
>
> Either way, this tool is mean, and I have a branch with 12 patches found by it already.
I do agree, I also think that we should have some kind of automation to 
run make test on it.
Please note that on Ubuntu it won't work because OpenLDAP is linked with 
system heimdal.
So we have a mix of system and built-in libraries, and there is nothing 
we can do because the system heimdal didn't come from waf misdetecting 
those libraries but from openldap that brings them.

For instance:
mat at mat-x240:/usr/local/src/samba [(iolab2013)]$ ldd bin/shared/libsmbconf.so.0 | grep heim
     libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f1161ef0000)
     libheimbase-samba4.so.1 => /usr/local/src/samba/bin/shared/private/libheimbase-samba4.so.1 (0x00007f115ff7a000)
     libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f115ec91000)

>
> The issues (in this case, reading .data that was not part of a variable,
> something valgrind can't find) show up like this:
That's interesting, I thought that ASAN would find at most what valgrind 
finds, but with a much smaller impact on performance.
One thing that's for sure is that ASAN won't find memory leaks (but 
there are extensions to the ASAN framework to add it).
> =================================================================
> ==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
> READ of size 1 at 0x7f90e6d4e527 thread T0
>      #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
>      #1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
>      #2 0x7f90df8ee2eb in smbcli_write ../source4/libcli/clireadwrite.c:118
>      #3 0x7f90e6883c22 in test_chained ../source4/torture/raw/open.c:1373
>      #4 0x7f90e6852f09 in wrap_simple_1smb_test ../source4/torture/util_smb.c:819
>      #5 0x7f90e0053643 in internal_torture_run_test ../lib/torture/torture.c:442
>      #6 0x7f90e0053b39 in torture_run_tcase_restricted ../lib/torture/torture.c:506
>      #7 0x7f90e0053fea in torture_run_suite_restricted ../lib/torture/torture.c:357
>      #8 0x7f90e00541a5 in torture_run_suite ../lib/torture/torture.c:339
>      #9 0x7f90e694a299 in run_matching ../source4/torture/smbtorture.c:93
>      #10 0x7f90e694a2b6 in run_matching ../source4/torture/smbtorture.c:95
>      #11 0x7f90e694b072 in torture_run_named_tests ../source4/torture/smbtorture.c:143
>      #12 0x7f90e694cecc in main ../source4/torture/smbtorture.c:665
>      #13 0x7f90d92a7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>      #14 0x7f90e6840b08 (/data/samba/git/samba/bin/default/source4/torture/smbtorture+0x2dfb08)
>
> 0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
>    '*.LC83' is ascii string '../source4/torture/raw/open.c:1447'
> 0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
>    '*.LC82' is ascii string 'test'
> SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
> Shadow bytes around the buggy address:
>    0x0ff29cda1c50: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
>    0x0ff29cda1c60: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>    0x0ff29cda1c70: 00 00 00 07 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
>    0x0ff29cda1c80: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>    0x0ff29cda1c90: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9
> =>0x0ff29cda1ca0: f9 f9 f9 f9[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>    0x0ff29cda1cb0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
>    0x0ff29cda1cc0: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
>    0x0ff29cda1cd0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
>    0x0ff29cda1ce0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
>    0x0ff29cda1cf0: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 04
> Shadow byte legend (one shadow byte represents 8 application bytes):
>    Addressable:           00
>    Partially addressable: 01 02 03 04 05 06 07
>    Heap left redzone:       fa
>    Heap right redzone:      fb
>    Freed heap region:       fd
>    Stack left redzone:      f1
>    Stack mid redzone:       f2
>    Stack right redzone:     f3
>    Stack partial redzone:   f4
>    Stack after return:      f5
>    Stack use after scope:   f8
>    Global redzone:          f9
>    Global init order:       f6
>    Poisoned by user:        f7
>    Contiguous container OOB:fc
>    ASan internal:           fe
> ==566==ABORTING
> UNEXPECTED(error): samba4.raw.open.chained-openx (subunit.RemotedTestCase)(dc)
> REASON: _StringException: _StringException: was started but never finished!
> command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=$SMB_CONF_PATH --maximum-runtime=$SELFTEST_MAXTIME --basedir=$SELFTEST_TMPDIR --format=subunit --option=torture:progress=no --target=samba4 //$SERVER/tmp -U$USERNAME%$PASSWORD --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
> expanded command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=/data/samba/git/samba/st/client/client.conf --maximum-runtime=1200 --basedir=/data/samba/git/samba/st/tmp --format=subunit --option=torture:progress=no --target=samba4 //localdc/tmp -UAdministrator%locDCpass1 --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
> ERROR: Testsuite[samba4.raw.open(dc)]
> REASON: Exit code was 1
>
>   errors[1]
>
> To run, use gcc 4.8 or 4.9 and compile with:
>
> LDFLAGS="-fsanitize=address" CFLAGS="-fno-omit-frame-pointer -O1
> -fsanitize=address" ~/samba/config.abartlet && make -j
Why not add an option to waf to enable it (if the compiler supports 
it)? I'm not so sure that -O1 is needed, is it? What about 
-fno-omit-frame-pointer?
>
> Run with:
> SMBD_MAXTIME=15000 LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.1 make test
Why do we need the preload? It seems that binaries and libraries are 
linked with asan:

mat at stable:~$ ldd /usr/local/src/samba/bin/shared/libsamba-policy.so.0 | grep asan
         libasan.so.1 => /usr/lib/x86_64-linux-gnu/libasan.so.1 (0x00007f5235df8000)


> I used gcc 4.9 on debian testing.
>
> Use the patches in
> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/asan otherwise the nss_wrapper and uid_wrapper issues will prevent it from operating pending a fix for those upstream.
>
> I'll reply to this mail with the patches for master.
>
Matthieu.

-- 
Matthieu Patou
Samba Team
http://samba.org
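A triage helper for ASan reports of the kind quoted above, added here as an example (it is not Samba code and not part of this thread): it pulls the error kind, the access, the stack frames and the two neighbouring globals out of the report text, then re-derives the printed distances to confirm that the faulting address sits in the global redzone between the two string literals, which is what "reading .data that was not part of a variable" means. The sample input is a constructed excerpt of the report quoted above.

```python
import re

# Constructed excerpt of the report quoted in the thread (heading, access,
# first two frames, the two neighbouring globals and the summary line).
SAMPLE_REPORT = """\
==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
READ of size 1 at 0x7f90e6d4e527 thread T0
    #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
    #1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (\S+)", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)
GLOBAL_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' from '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)", re.M)


def parse_asan_report(text):
    """Reduce an ASan report to the fields needed for triage."""
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    report = {
        "kind": err.group(1), "address": int(err.group(2), 16),
        "access": acc.group(1), "size": int(acc.group(2)), "thread": acc.group(3),
        "frames": [(m.group(2), m.group(3), int(m.group(4))) for m in FRAME_RE.finditer(text)],
        "neighbors": [],
    }
    for m in GLOBAL_RE.finditer(text):
        bad, dist, side, name, src, start, size = m.groups()
        bad, dist, start, size = int(bad, 16), int(dist), int(start, 16), int(size)
        # Re-derive the distance ASan printed: "left" means the bad address is
        # below the object's start, "right" that it is past the object's end.
        expected = start - bad if side == "left" else bad - (start + size)
        report["neighbors"].append({
            "name": name, "source": src, "start": start, "size": size,
            "side": side, "distance": dist, "consistent": expected == dist,
        })
    return report


def in_global_redzone(report):
    """True when the address lies between two globals, i.e. in f9 redzone padding."""
    sides = {n["side"] for n in report["neighbors"] if n["consistent"]}
    return sides == {"left", "right"}
```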
