AddressSanitizer
Andrew Bartlett
abartlet at samba.org
Sun Sep 7 17:26:20 MDT 2014
This tool was pointed out to me last week, and I understand Matthieu
Patou also looked at it a few months ago.
Either way, this tool is mean, and I have a branch with 12 patches found by it already.
The issues (in this case, reading .data that was not part of a variable,
something valgrind can't find) show up like this:
=================================================================
==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
READ of size 1 at 0x7f90e6d4e527 thread T0
#0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
#1 0x7f90e3eb7197 in smb_raw_write ../source4/libcli/raw/rawreadwrite.c:343
#2 0x7f90df8ee2eb in smbcli_write ../source4/libcli/clireadwrite.c:118
#3 0x7f90e6883c22 in test_chained ../source4/torture/raw/open.c:1373
#4 0x7f90e6852f09 in wrap_simple_1smb_test ../source4/torture/util_smb.c:819
#5 0x7f90e0053643 in internal_torture_run_test ../lib/torture/torture.c:442
#6 0x7f90e0053b39 in torture_run_tcase_restricted ../lib/torture/torture.c:506
#7 0x7f90e0053fea in torture_run_suite_restricted ../lib/torture/torture.c:357
#8 0x7f90e00541a5 in torture_run_suite ../lib/torture/torture.c:339
#9 0x7f90e694a299 in run_matching ../source4/torture/smbtorture.c:93
#10 0x7f90e694a2b6 in run_matching ../source4/torture/smbtorture.c:95
#11 0x7f90e694b072 in torture_run_named_tests ../source4/torture/smbtorture.c:143
#12 0x7f90e694cecc in main ../source4/torture/smbtorture.c:665
#13 0x7f90d92a7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#14 0x7f90e6840b08 (/data/samba/git/samba/bin/default/source4/torture/smbtorture+0x2dfb08)
0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
'*.LC83' is ascii string '../source4/torture/raw/open.c:1447'
0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
'*.LC82' is ascii string 'test'
SUMMARY: AddressSanitizer: global-buffer-overflow ../source4/libcli/raw/rawreadwrite.c:273 smb_raw_write_send
Shadow bytes around the buggy address:
0x0ff29cda1c50: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
0x0ff29cda1c60: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff29cda1c70: 00 00 00 07 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
0x0ff29cda1c80: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff29cda1c90: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9
=>0x0ff29cda1ca0: f9 f9 f9 f9[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff29cda1cb0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
0x0ff29cda1cc0: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
0x0ff29cda1cd0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
0x0ff29cda1ce0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0ff29cda1cf0: 00 00 00 07 f9 f9 f9 f9 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==566==ABORTING
UNEXPECTED(error): samba4.raw.open.chained-openx (subunit.RemotedTestCase)(dc)
REASON: _StringException: _StringException: was started but never finished!
command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=$SMB_CONF_PATH --maximum-runtime=$SELFTEST_MAXTIME --basedir=$SELFTEST_TMPDIR --format=subunit --option=torture:progress=no --target=samba4 //$SERVER/tmp -U$USERNAME%$PASSWORD --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
expanded command: /data/samba/git/samba/bin/smbtorture $LISTOPT --configfile=/data/samba/git/samba/st/client/client.conf --maximum-runtime=1200 --basedir=/data/samba/git/samba/st/tmp --format=subunit --option=torture:progress=no --target=samba4 //localdc/tmp -UAdministrator%locDCpass1 --option=torture:sharedelay=10000 --option=torture:oplocktimeout=3 --option=torture:writetimeupdatedelay=50000 raw.open $LOADLIST 2>&1 | /data/samba/git/samba/selftest/filter-subunit $LISTOPT --fail-on-empty --prefix="samba4.raw.open." --suffix="(dc)"
ERROR: Testsuite[samba4.raw.open(dc)]
REASON: Exit code was 1
errors[1]
To run, use gcc 4.8 or 4.9 and compile with:
LDFLAGS="-fsanitize=address" CFLAGS="-fno-omit-frame-pointer -O1 -fsanitize=address" ~/samba/config.abartlet && make -j
Run with:
SMBD_MAXTIME=15000 LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.1 make test
I used gcc 4.9 on debian testing.
Use the patches in
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/asan otherwise the nss_wrapper and uid_wrapper issues will prevent it from operating pending a fix for those upstream.
I'll reply to this mail with the patches for master.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
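The report quoted above can be triaged mechanically. The Python below is an added example, not code from the mail or from Samba: it parses the key lines of that report (the sample is a trimmed copy of the output above), names the global the read ran off, checks that ASan's "N bytes to the left/right" arithmetic matches the faulting address, and confirms the shadow byte is consistent with the access. It assumes the report layout emitted by the gcc 4.9-era libasan shown here; other versions may word lines slightly differently.

```python
import re
# Sample input: the lines this parser reads, copied from the ASan report quoted in the mail.
SAMPLE_REPORT = """\
==566==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f90e6d4e527 at pc 0x7f90e3eb65fa bp 0x7fffdbed9890 sp 0x7fffdbed9888
READ of size 1 at 0x7f90e6d4e527 thread T0
    #0 0x7f90e3eb65f9 in smb_raw_write_send ../source4/libcli/raw/rawreadwrite.c:273
0x7f90e6d4e527 is located 57 bytes to the left of global variable '*.LC83' from '../source4/torture/raw/open.c' (0x7f90e6d4e560) of size 35
0x7f90e6d4e527 is located 2 bytes to the right of global variable '*.LC82' from '../source4/torture/raw/open.c' (0x7f90e6d4e520) of size 5
=>0x0ff29cda1ca0: f9 f9 f9 f9[05]f9 f9 f9 f9 f9 f9 f9 00 00 00 00
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x")
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)")
GLOBAL_RE = re.compile(r"located (\d+) bytes to the (left|right) of global variable "
                       r"'([^']+)' from '([^']+)' \(0x([0-9a-f]+)\) of size (\d+)")
SHADOW_RE = re.compile(r"^=>.*\[([0-9a-f]{2})\]")  # shadow byte of the faulting granule

def parse_report(text):
    """Pull the fields a triager needs out of one AddressSanitizer report."""
    rep = {"globals": []}
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep["kind"], rep["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
        elif m := FRAME0_RE.match(line):
            rep["function"], rep["location"] = m.group(1), m.group(2)
        elif m := GLOBAL_RE.search(line):
            rep["globals"].append({"distance": int(m.group(1)), "side": m.group(2),
                                   "name": m.group(3), "file": m.group(4),
                                   "start": int(m.group(5), 16), "size": int(m.group(6))})
        elif m := SHADOW_RE.match(line):
            rep["shadow"] = int(m.group(1), 16)
    return rep

def overrun_global(rep):
    """Return the global the access ran off (the nearer neighbour), after checking that
    ASan's 'N bytes to the left/right' arithmetic really lands on the faulting address."""
    g = min(rep["globals"], key=lambda x: x["distance"])
    end = g["start"] + g["size"]  # one past the last valid byte of the global
    expected = end + g["distance"] if g["side"] == "right" else g["start"] - g["distance"]
    if expected != rep["addr"]:
        raise ValueError("ASan distances do not match the faulting address")
    return g

def shadow_confirms(rep):
    """Shadow 01..07: only that many leading bytes of the 8-byte granule are addressable,
    so the access offset within the granule must be >= that; f9 etc.: all redzone."""
    k, off = rep["shadow"], rep["addr"] & 7
    return k > 7 or (0 < k <= off)
```

For this report it resolves the read to two bytes past the five-byte literal '*.LC82' ('test' plus its NUL), and the [05] shadow byte at granule offset 7 agrees with that.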