bug-bison

out of bounds read in function strspn on make check


From: Hanno Böck
Subject: out of bounds read in function strspn on make check
Date: Fri, 30 Oct 2015 15:11:50 +0100

Hi,

Compiling bison with clang and address sanitizer and subsequently
running the test suite will expose an out of bounds read access.
This only shows up with gcc, I'm not sure why that's the case (gcc is
usually a bit behind in address sanitizer features, but this doesn't
look like a very unusual bug).


To reproduce:
./configure CFLAGS="-fsanitize=address" CC=clang
make
make check


Error message from Address Sanitizer:
==22406==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x00000065d6bf at pc 0x000000467cd1 bp 0x7ffd3639e1b0 sp 0x7ffd3639d960
READ of size 64 at 0x00000065d6bf thread T0
    #0 0x467cd0 in strspn (/tmp/bison-3.0.4/src/bison+0x467cd0)
    #1 0x569cb8 in add_param (/tmp/bison-3.0.4/src/bison+0x569cb8)
    #2 0x562f9d in gram_parse (/tmp/bison-3.0.4/src/bison+0x562f9d)
    #3 0x57c6e7 in reader (/tmp/bison-3.0.4/src/bison+0x57c6e7)
    #4 0x51a44e in main (/tmp/bison-3.0.4/src/bison+0x51a44e)
    #5 0x7fd923fcff9f in __libc_start_main 
/var/tmp/portage/sys-libs/glibc-2.20-r2/work/glibc-2.20/csu/libc-start.c:289
    #6 0x418ff5 in _start (/tmp/bison-3.0.4/src/bison+0x418ff5)

0x00000065d6bf is located 33 bytes to the left of global variable '<string 
literal>' defined in 'src/parse-gram.y:811:32' (0x65d6e0) of size 44
  '<string literal>' is ascii string 'missing identifier in parameter 
declaration'
0x00000065d6bf is located 0 bytes to the right of global variable 'alphanum' 
defined in 'src/parse-gram.y:783:21' (0x65d680) of size 63
SUMMARY: AddressSanitizer: global-buffer-overflow 
(/tmp/bison-3.0.4/src/bison+0x467cd0) in strspn
Shadow bytes around the buggy address:
  0x0000800c3a80: 03 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
  0x0000800c3a90: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 02 f9 f9
  0x0000800c3aa0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x0000800c3ab0: 00 00 00 00 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800c3ac0: 00 00 00 04 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
=>0x0000800c3ad0: 00 00 00 00 00 00 00[07]f9 f9 f9 f9 00 00 00 00
  0x0000800c3ae0: 00 04 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x0000800c3af0: 00 04 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
  0x0000800c3b00: 00 00 00 06 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x0000800c3b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c3b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: address@hidden
GPG: BBB51E42

Attachment: pgpIKxMiSqd0N.pgp
Description: OpenPGP digital signature
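The ASan report above points at a char array ('alphanum', 63 bytes, defined in src/parse-gram.y) that is handed to strspn() as the accept set, with the read running off its end into the next global. The example below is an added illustration, not part of this report and not bison's code: it models the same pattern, an array sized exactly to its string literal so the terminating NUL is silently dropped, shows a cheap check that catches an unterminated accept set before strspn() ever sees it, and shows a length-bounded strspn variant that is safe even when the set has no terminator. The names alphanum_unterminated, alphanum_terminated, accept_set_ok, bounded_spn and ident_prefix_len are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (hypothetical names), modelling the report above.
 * 26 + 26 + 10 + 1 = 63 characters stored in an array of exactly 63 bytes:
 * C permits this, and the literal's NUL terminator simply does not fit.
 * Passing this array to strspn() reads past its end, which is what ASan
 * flags as a global-buffer-overflow. */
static const char alphanum_unterminated[63] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_";

/* Same contents, size left to the compiler: 64 bytes including the NUL. */
static const char alphanum_terminated[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_";

/* Returns 1 if a NUL byte exists within the first `size` bytes of `set`,
 * i.e. the array is safe to pass to a NUL-terminated string function. */
int accept_set_ok(const char *set, size_t size)
{
    return memchr(set, '\0', size) != NULL;
}

/* strspn() variant with an explicit length for the accept set, so it never
 * reads beyond `accept_len` bytes even when the set is not NUL-terminated. */
size_t bounded_spn(const char *s, const char *accept, size_t accept_len)
{
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        if (memchr(accept, (unsigned char)s[n], accept_len) == NULL)
            break;
    }
    return n;
}

/* Length of the identifier-like prefix of `s`, using the terminated set. */
size_t ident_prefix_len(const char *s)
{
    return strspn(s, alphanum_terminated);
}

int main(void)
{
    printf("unterminated set safe for strspn: %d\n",
           accept_set_ok(alphanum_unterminated, sizeof alphanum_unterminated));
    printf("terminated set safe for strspn:   %d\n",
           accept_set_ok(alphanum_terminated, sizeof alphanum_terminated));
    printf("prefix of \"foo_bar1 rest\": %zu\n", ident_prefix_len("foo_bar1 rest"));
    printf("bounded_spn(\"abc!\"): %zu\n",
           bounded_spn("abc!", alphanum_unterminated, sizeof alphanum_unterminated));
    return 0;
}
```

Building with -fsanitize=address and replacing the strspn() call with one on alphanum_unterminated reproduces the class of report shown above; the memchr check is the kind of assertion that catches the mistake in a unit test without relying on the sanitizer.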

