AddressSanitizer

Andrew Bartlett abartlet at samba.org
Mon Sep 8 04:13:54 MDT 2014


On Sun, 2014-09-07 at 18:43 -0700, Matthieu Patou wrote:
> Hi Andrew,
> 
> I'm glad that you brought it up.
> On 09/07/2014 04:26 PM, Andrew Bartlett wrote:
> > This tool was pointed out to me last week, and I understand Matthieu
> > Patou also looked at it a few months ago.
> >
> > Either way, this tool is mean, and I have a branch with 12 patches found by it already.
> I do agree, I also think that we should have some kind of automation to 
> run make test on it.

I'm thinking a build farm host like the one we use for callcatcher and
lcov (perhaps even the same one, if that isn't an insane combination). 

> >
> > The issues (in this case, reading .data that was not part of a variable,
> > something valgrind can't find) shows up like this:
> That's interesting, I thought that ASAN will find at most what valgrind 
> finds but with a much smaller impact on performances.

Indeed.  I really enjoyed that it found a new class of errors. 

> One thing that's for sure is that ASAN won't find memory leaks (but 
> there are extensions to the ASAN framework to add it).
> > =================================================================
> > ==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
> > READ of size 1 at 0x7f90e6d4e527 thread T0
> >      #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
> >      #1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
> >      #2 0x7f90df8ee2eb in smbcli_write ../source4/libcli/clireadwrite.c:118
> >      #3 0x7f90e6883c22 in test_chained ../source4/torture/raw/open.c:1373
> >      #4 0x7f90e6852f09 in wrap_simple_1smb_test ../source4/torture/util_smb.c:819
> >      #5 0x7f90e0053643 in internal_torture_run_test ../lib/torture/torture.c:442
> >      #6 0x7f90e0053b39 in torture_run_tcase_restricted ../lib/torture/torture.c:506
> >      #7 0x7f90e0053fea in torture_run_suite_restricted ../lib/torture/torture.c:357
> >      #8 0x7f90e00541a5 in torture_run_suite ../lib/torture/torture.c:339
> >      #9 0x7f90e694a299 in run_matching ../source4/torture/smbtorture.c:93
> >      #10 0x7f90e694a2b6 in run_matching ../source4/torture/smbtorture.c:95
> >      #11 0x7f90e694b072 in torture_run_named_tests ../source4/torture/smbtorture.c:143
> >      #12 0x7f90e694cecc in main ../source4/torture/smbtorture.c:665
> >      #13 0x7f90d92a7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
> >      #14 0x7f90e6840b08 (/data/samba/git/samba/bin/default/source4/torture/smbtorture+0x2dfb08)
> >
> > 0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
> >    '*.LC83' is ascii string '../source4/torture/raw/open.c:1447'
> > 0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
> >    '*.LC82' is ascii string 'test'
> > SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
> > Shadow bytes around the buggy address:
> >    0x0ff29cda1c50: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
> >    0x0ff29cda1c60: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
> >    0x0ff29cda1c70: 00 00 00 07 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
> >    0x0ff29cda1c80: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
> >    0x0ff29cda1c90: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9
> > =>0x0ff29cda1ca0: f9 f9 f9 f9[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
> >    0x0ff29cda1cb0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
> >    0x0ff29cda1cc0: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
> >    0x0ff29cda1cd0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
> >    0x0ff29cda1ce0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
> >    0x0ff29cda1cf0: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 04
> > Shadow byte legend (one shadow byte represents 8 application bytes):
> >    Addressable:           00
> >    Partially addressable: 01 02 03 04 05 06 07
> >    Heap left redzone:       fa
> >    Heap right redzone:      fb
> >    Freed heap region:       fd
> >    Stack left redzone:      f1
> >    Stack mid redzone:       f2
> >    Stack right redzone:     f3
> >    Stack partial redzone:   f4
> >    Stack after return:      f5
> >    Stack use after scope:   f8
> >    Global redzone:          f9
> >    Global init order:       f6
> >    Poisoned by user:        f7
> >    Contiguous container OOB:fc
> >    ASan internal:           fe
> > ==566==ABORTING
> > UNEXPECTED(error): samba4.raw.open.chained-openx (subunit.RemotedTestCase)(dc)
> > REASON: _StringException: _StringException: was started but never finished!
> > command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=$SMB_CONF_PATH --maximum-runtime=$SELFTEST_MAXTIME --basedir=$SELFTEST_TMPDIR --format=subunit --option=torture:progress=no --target=samba4 //$SERVER/tmp -U$USERNAME%$PASSWORD --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
> > expanded command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=/data/samba/git/samba/st/client/client.conf --maximum-runtime=1200 --basedir=/data/samba/git/samba/st/tmp --format=subunit --option=torture:progress=no --target=samba4 //localdc/tmp -UAdministrator%locDCpass1 --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
> > ERROR: Testsuite[samba4.raw.open(dc)]
> > REASON: Exit code was 1
> >
> >   errors[1]
> >
> > To run, use gcc 4.8 or 4.9 and compile with:
> >
> > LDFLAGS="-fsanitize=address" CFLAGS="-fno-omit-frame-pointer -O1
> > -fsanitize=address" ~/samba/config.abartlet && make -j
> Why not add an option to waf to enable it (if the compiler supports 
> it)? I'm not so sure that -O1 is needed, is it? What about 
> -fno-omit-frame-pointer?

Both were recommended on the AddressSanitizer pages.

> >
> > Run with:
> > SMBD_MAXTIME=15000 LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.1 make test
> Why do we need the preload? It seems that binaries and libraries are 
> linked with asan:
> 
> mat at stable:~$ ldd /usr/local/src/samba/bin/shared/libsamba-policy.so.0 | grep asan
>          libasan.so.1 => /usr/lib/x86_64-linux-gnu/libasan.so.1 (0x00007f5235df8000)

It just caused segfaults without it.  That's why I posted my exact
directions, because it took a little work to find the right
configuration.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
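Added example, not code from the thread: a small parser for the report format quoted above, which is the kind of thing an automated make test run under ASan would have to digest, plus a consistency check that re-derives the "located N bytes to the left/right of global variable" lines from the addresses. The embedded excerpt is constructed from the report quoted in this message.

```python
import re

# Constructed excerpt of the ASan report quoted in the thread (values as quoted).
REPORT = """\
==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
READ of size 1 at 0x7f90e6d4e527 thread T0
    #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
    #1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", re.M)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)$", re.M)
GLOBAL_RE = re.compile(r"is located (\d+) bytes to the (left|right) of global variable "
                       r"'([^']+)' from '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)")

def parse_asan_report(text):
    """Pull the error kind, faulting access, symbolised frames and the
    neighbouring globals out of a textual AddressSanitizer report."""
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer error report")
    pid, kind, addr = m.groups()
    acc = ACCESS_RE.search(text)
    frames = [{"n": int(n), "func": fn, "file": path, "line": int(ln)}
              for n, fn, path, ln in FRAME_RE.findall(text)]
    neighbours = [{"dist": int(d), "side": side, "name": name, "file": f,
                   "addr": int(a, 16), "size": int(sz)}
                  for d, side, name, f, a, sz in GLOBAL_RE.findall(text)]
    return {"pid": int(pid), "kind": kind, "addr": int(addr, 16),
            "access": acc.group(1) if acc else None,
            "access_size": int(acc.group(2)) if acc else None,
            "frames": frames, "globals": neighbours}

def neighbours_consistent(report):
    """Re-derive each 'located N bytes to the left/right of' line from the
    addresses given: a cheap sanity check before trusting a parsed report."""
    a = report["addr"]
    for g in report["globals"]:
        if g["side"] == "right":          # access lies past the end of the global
            ok = g["addr"] + g["size"] + g["dist"] == a
        else:                             # access lies before the global starts
            ok = a + g["dist"] == g["addr"]
        if not ok:
            return False
    return True
```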
