
Fix fast parser small-buffer padding #608

Open
ahtcx wants to merge 1 commit into liquidaty:main from ahtcx:ahtcx/fix-small-buffer-padding

Conversation

@ahtcx ahtcx commented Apr 28, 2026

The v1.4.1 regression described in #603 still happens in v1.4.2 for me. I'm not very familiar with C or the codebase, so I got AI to write this MR. I hope it's relevant; if not, feel free to close the MR. Thanks!

@liquidaty (Owner) commented

Much appreciated, thank you

@iamazeem (Collaborator) commented Apr 29, 2026

@ahtcx: Are you, by any chance, using ASan for this?
There's no mention of ASan in #603.
What's your compilation command and environment like?

I'm able to reproduce this with ASan with v1.4.2:

=================================================================
==3787669==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffe8fa9cbd2 at pc 0x7fe189cabf01 bp 0x7ffe8fa9cb70 sp 0x7ffe8fa9c318
READ of size 3 at 0x7ffe8fa9cbd2 thread T0
    #0 0x7fe189cabf00 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
    #1 0x7fe189cac466 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
    #2 0x7fe189cac466 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
    #3 0x5596a7cf9903 in cell_eq /home/azeem/Downloads/zsv-603/zsv-603-repro.c:11
    #4 0x5596a7cf9ebc in on_row /home/azeem/Downloads/zsv-603/zsv-603-repro.c:34
    #5 0x5596a7d013a1 in zsv_finish (/home/azeem/Downloads/zsv-603/zsv-603-repro+0xa3a1)
    #6 0x5596a7cfa2b3 in main /home/azeem/Downloads/zsv-603/zsv-603-repro.c:71
    #7 0x7fe1899fcd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7fe1899fce3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x5596a7cf96f4 in _start (/home/azeem/Downloads/zsv-603/zsv-603-repro+0x26f4)

Address 0x7ffe8fa9cbd2 is located in stack of thread T0 at offset 18 in frame
    #0 0x5596a7cf97c8 in cell_eq /home/azeem/Downloads/zsv-603/zsv-603-repro.c:9

  This frame has 1 object(s):
    [32, 56) 'c' (line 9) <== Memory access at offset 18 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
  0x100051f4b920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100051f4b970: 00 00 00 00 00 00 00 00 f1 f1[f1]f1 00 00 00 f3
  0x100051f4b980: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b990: 00 00 00 00 f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3
  0x100051f4b9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100051f4b9b0: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00
  0x100051f4b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3787669==ABORTING

@ahtcx (Author) commented Apr 29, 2026

@iamazeem No, sorry, I should have mentioned before, but I'm compiling zsv with the Swift C interoperability language features.

@liquidaty (Owner) commented

I'd like to include a test for this, which should fail (or perhaps seg fault) without this change, and should succeed with this change. @ahtcx any suggestions on the simplest way to come up with that?

@liquidaty liquidaty mentioned this pull request May 6, 2026