Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix memory read overflow on a local variable
The function 'CreateFrame' is copying 2 objects of type RawBattOrSample.
But, there is only one instance in frame_header (line 794).
This issue was found with llvm ASAN.
=================================================================
==17892==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x002eeb34 at pc 0x00fd0559 bp 0x002eea84 sp 0x002eea
74
READ of size 8 at 0x002eeb34 thread T0
==17892==*** WARNING: Failed to initialize DbgHelp! ***
==17892==*** Most likely this means that the app is already ***
==17892==*** using DbgHelp, possibly with incompatible flags. ***
==17892==*** Due to technical reasons, symbolization might crash ***
==17892==*** or produce wrong results. ***
#0 0xfd0573 in __asan_memcpy d:\src\llvm\llvm\projects\compiler-rt\lib\asan\asan_interceptors.cc:413
chromium#1 0xafdf7f in battor::`anonymous namespace'::CreateFrame+0x132 (D:\src\chromium\src\out\ninja\battor_agent_unittest
s.exe+0x40df7f)
chromium#2 0xb0a92a in battor::BattOrAgentTest_StopTracingFailsIfDataFrameMissingByte_Test::TestBody D:\src\chromium\src\too
ls\battor_agent\battor_agent_unittest.cc:799
chromium#3 0xd302e3 in testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void>+0xec (D:\src\chromium\src\
out\ninja\battor_agent_unittests.exe+0x6402e3)
chromium#4 0xd2fec9 in testing::Test::Run D:\src\chromium\src\testing\gtest\src\gtest.cc:2474
chromium#5 0xd318e3 in testing::TestInfo::Run D:\src\chromium\src\testing\gtest\src\gtest.cc:2656
chromium#6 0xd3296c in testing::TestCase::Run D:\src\chromium\src\testing\gtest\src\gtest.cc:2774
chromium#7 0xd43548 in testing::internal::UnitTestImpl::RunAllTests+0x80a (D:\src\chromium\src\out\ninja\battor_agent_unitte
sts.exe+0x653548)
chromium#8 0xd42cac in testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,bool>+0xec (D:
\src\chromium\src\out\ninja\battor_agent_unittests.exe+0x652cac)
chromium#9 0xd429b2 in testing::UnitTest::Run+0x1c8 (D:\src\chromium\src\out\ninja\battor_agent_unittests.exe+0x6529b2)
chromium#10 0xddab3d in base::TestSuite::Run D:\src\chromium\src\base\test\test_suite.cc:266
chromium#11 0xddc695 in base::`anonymous namespace'::LaunchUnitTestsInternal D:\src\chromium\src\base\test\launcher\unit_tes
t_launcher.cc:209
chromium#12 0xddc3a6 in base::LaunchUnitTests D:\src\chromium\src\base\test\launcher\unit_test_launcher.cc:453
chromium#13 0xdda7b9 in main D:\src\chromium\src\base\test\run_all_unittests.cc:12
chromium#14 0xfefdf8 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
chromium#15 0x749b3369 in BaseThreadInitThunk+0x11 (C:\Windows\syswow64\kernel32.dll+0x7dd73369)
chromium#16 0x76f49901 in RtlInitializeExceptionChain+0x62 (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
chromium#17 0x76f498d4 in RtlInitializeExceptionChain+0x35 (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)
Address 0x002eeb34 is located in stack of thread T0 at offset 116 in frame
#0 0xb0a73f in battor::BattOrAgentTest_StopTracingFailsIfDataFrameMissingByte_Test::TestBody D:\src\chromium\src\too
ls\battor_agent\battor_agent_unittest.cc:784
This frame has 16 object(s):
[16, 22) 'cal_frame_header'
[48, 52) 'cal_frame'
[64, 68) 'ref.tmp'
[80, 86) 'frame_header'
[112, 116) 'frame' <== Memory access at offset 116 overflows this variable
[128, 132) 'frame_bytes'
[144, 148) 'ref.tmp2'
[160, 168) 'gtest_ar_'
[192, 196) 'ref.tmp12'
[208, 212) 'temp.lvalue'
[224, 248) 'ref.tmp14'
[288, 296) 'gtest_ar'
[320, 324) 'ref.tmp17'
[336, 340) 'ref.tmp19'
[352, 356) 'ref.tmp21'
[368, 372) 'temp.lvalue23'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow d:\src\llvm\llvm\projects\compiler-rt\lib\asan\asan_interceptors.cc:413
in __asan_memcpy
Shadow bytes around the buggy address:
0x3005dd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3005dd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3005dd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3005dd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3005dd50: 00 00 00 00 00 00 00 00 f1 f1 06 f2 f2 f2 04 f2
=>0x3005dd60: 04 f2 06 f2 f2 f2[04]f2 04 f2 04 f2 00 f2 f2 f2
0x3005dd70: 04 f2 04 f2 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2
0x3005dd80: 04 f2 04 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
0x3005dd90: 00 00 00 00 00 00 00 00 f1 f1 04 f3 00 00 00 00
0x3005dda0: 00 00 00 00 00 00 00 00 f1 f1 04 f2 04 f2 04 f3
0x3005ddb0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17892==ABORTING
[1/1] BattOrAgentTest.StopTracingFailsIfDataFrameMissingByte (CRASHED)
1 test crashed:
BattOrAgentTest.StopTracingFailsIfDataFrameMissingByte (../../tools/battor_agent/battor_agent_unittest.cc:784)
Tests took 0 seconds.
R=nednguyen@google.com, chrisha@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2575993002
Cr-Commit-Position: refs/heads/master@{#442594}- Loading branch information
