Re: CVS commit: src/lib/librumpuser

To: Robert Elz <kre%munnari.OZ.AU@localhost>
Subject: Re: CVS commit: src/lib/librumpuser
From: Kamil Rytarowski <n54%gmx.com@localhost>
Date: Wed, 1 Apr 2020 15:54:15 +0200

On 24.03.2020 19:37, Kamil Rytarowski wrote:
> On 24.03.2020 15:41, Robert Elz wrote:
>>     Date:        Tue, 24 Mar 2020 13:27:45 +0100
>>     From:        Kamil Rytarowski <n54%gmx.com@localhost>
>>     Message-ID:  <5ec1195a-f1c8-cd46-6a14-ea29da109f17%gmx.com@localhost>
>>
>>   | I patched it myself only when I reproduced the problems myself.
>>
>> I have no doubt that there's a bug that needs fixing - it is the fix
>> proposed that is wrong.   My guess is that most probably it is simply
>> doing nothing useful (no harm, no good either) but I need to confirm
>> that.   If it is, the correct fix is simply to delete the line (both
>> times it was changed).   If not, there's a more serious problem elsewhere
>> that needs fixing elsewhere (after which the line can be deleted!)
>>
>>   | OK. I will do it and please fix it in a better way.
>>
>> Working on it now.
>>
>
> Thanks.
>
>> I haven't seen the revert yet, when I do I will commit the fix (or a fix,
>> this one is somewhat debatble what is correct, though what is there now
>> is obviously wrong ... but just like the one in question, while wrong, it
>> is, in practice, harmless, at least in any normal use of librump).
>>
>> The fix for this issue needs to wait until the real problem the offending
>> line is there to deal with (if any, which I suspect is not the case) is
>> found.
>>
>
> ASan detects not a hypothetical, but factual momory corruption.
>
> I'm attaching a report from ASan.
>
> =================================================================
> ==11092==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000101e at pc 0x7f7ff6a10419 bp 0x7f7fe942fcb0 sp 0x7f7fe942fca8
> WRITE of size 1 at 0x60200000101e thread T30
>     #0 0x7f7ff6a10418 in handlereq
> /usr/src/lib/librumpuser/rumpuser_sp.c:984:18
>     #1 0x7f7ff6a10418 in spserver
> /usr/src/lib/librumpuser/rumpuser_sp.c:1280:7
>     #2 0x7f7ff660cf36 in pthread__create_tramp
> /usr/src/lib/libpthread/pthread.c:587:11
>
> 0x60200000101e is located 0 bytes to the right of 14-byte region
> [0x602000001010,0x60200000101e)
> allocated by thread T30 here:
>     #0 0x311793 in malloc (/usr/bin/rump_server+0x111793)
>     #1 0x7f7ff6a0e5bb in readframe
> /usr/src/lib/librumpuser/sp_common.c:505:18
>     #2 0x7f7ff6a0e5bb in spserver
> /usr/src/lib/librumpuser/rumpuser_sp.c:1268:13
>     #3 0x7f7ff660cf36 in pthread__create_tramp
> /usr/src/lib/libpthread/pthread.c:587:11
>
> Thread T30 created by T0 here:
>     #0 0x2e054d in pthread_create (/usr/bin/rump_server+0xe054d)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow
> /usr/src/lib/librumpuser/rumpuser_sp.c:984:18 in handlereq
> Shadow bytes around the buggy address:
>   0x4c04000001b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c04000001c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c04000001d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c04000001e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c04000001f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x4c0400000200: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c0400000210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c0400000220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c0400000230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c0400000240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x4c0400000250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==11092==ABORTING
>
> Getting now more debug info is too time consuming (build times are
> excessive in my setup).
>

Ping? This still breaks.

References:
- Re: CVS commit: src/lib/librumpuser
  - From: Kamil Rytarowski
- Re: CVS commit: src/lib/librumpuser
  - From: Kamil Rytarowski
- Re: CVS commit: src/lib/librumpuser
  - From: Robert Elz
- Re: CVS commit: src/lib/librumpuser
  - From: Robert Elz
- Re: CVS commit: src/lib/librumpuser
  - From: Robert Elz
- Re: CVS commit: src/lib/librumpuser
  - From: Kamil Rytarowski

Prev by Date: Re: CVS commit: src/sys/modules/examples/fopsmapper
Next by Date: Re: CVS commit: src/sys/modules/examples/fopsmapper
Previous by Thread: Re: CVS commit: src/lib/librumpuser
Next by Thread: Re: CVS commit: src/lib/librumpuser
Indexes:

Home | Main Index | Thread Index | Old Index