Re: The kyua in ASAN-built-world reports: the 65 __asan_report_{load4|store8|load8}_noabort examples
Date: Thu, 13 Jan 2022 00:16:51 UTC
On 2022-Jan-12, at 14:59, Mark Millard <marklmi@yahoo.com> wrote:
> # kyua report --verbose | grep _noabort
> #7 0x1111227 in __asan_report_load4_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:122:1
> #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
> . . .
> #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
> . . .
>
> (The others are examples of the same 3 routines. In fact there is
> only that one _load4_ example in the list. The rest are _load8_ or
> _store8_ examples.)
>
> But when I look, I find that all of these fail to actually report the
> load* or store* information, instead running into another problem while
> trying to do that. It is this other problem that ends up being reported.
> It is the same problem for all of them.
>
> Picking an example:
>
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=102427)
> #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
> #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termin
> ation.cpp:86:5
> #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
> #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202
> :11
> #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
> #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib
> /asan/asan_errors.cpp:390:7
> #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/a
> san/asan_report.cpp:475:16
> #7 0x1111227 in __asan_report_load4_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:122:1
> . . .
>
> In each case, __asan::AsanThread::GetStackFrameAccessByAddr attempts to CHECK
> ptr[0] == kCurrentStackFrameMagic and the CHECK fails --so that is what ends
> up being reported.
>
> My first guess would be that the load* and store* reports are for
> misaligned stack accesses. But it is just a guess from my lack of
> managing to think of anything else it would be checking where the
> only context-usage apparently involved is: load or store with a size
> in Bytes.
>
There are 4 other examples of ptr[0] == kCurrentStackFrameMagic reports,
ones that do not involve __asan_report_{load4|store8|load8}_noabort in
the backtraces.
3 examples are during memcpy used by handle_signal . An example is:
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=210226)
LLVMSymbolizer: error reading file: No such file or directory
#0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
#1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termin
ation.cpp:86:5
#2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
#3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202
:11
#4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
#5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib
/asan/asan_errors.cpp:390:7
#6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/a
san/asan_report.cpp:475:16
#7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
#8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
#9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
#10 0x7fffffffe8a2 ([vdso]+0x2d2)
#11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
#12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
#13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
#14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
#15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
#16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
#17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
#18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
#19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
The other type of example is the one associated with sigaltstack :
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=102471)
#0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
#1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termin
ation.cpp:86:5
#2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
#3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202
:11
#4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
#5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib
/asan/asan_errors.cpp:390:7
#6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/a
san/asan_report.cpp:475:16
#7 0x110154f in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
#8 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
#9 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
#10 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
#11 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#12 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
#13 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#14 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#15 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
#16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#18 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
#19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
#22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
This last is interesting in that it is the only example of
sigaltstack being involved in this type of failure, despite:
# kyua report --verbose | grep " sigaltstack /usr" | wc
665 3325 94430
Many/most of the other 664 seem to look similar to:
==80233==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa458 at pc 0x00000110152e bp 0x7fffffffa430 sp 0x7fffffff9bf8
WRITE of size 24 at 0x7fffffffa458 thread T0
#0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
#1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
#2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
#3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
#4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#5 0x1140639 in evalpipe /usr/main-src/bin/sh/eval.c:607:4
#6 0x1140639 in evaltree /usr/main-src/bin/sh/eval.c:285:4
#7 0x1146ef6 in evalbackcmd /usr/main-src/bin/sh/eval.c:699:4
#8 0x1151bfc in expbackq /usr/main-src/bin/sh/expand.c:476:2
#9 0x1151bfc in argstr /usr/main-src/bin/sh/expand.c:323:4
#10 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
#11 0x11427c8 in evalcommand /usr/main-src/bin/sh/eval.c:857:4
#12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#13 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
#14 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
#15 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
#16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#18 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
#19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#21 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#22 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#23 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
#24 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
There is one example of a READ of size 8 instead of a
WRITE of size 24. It looks like:
==82352==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc780 at pc 0x00080148845e bp 0x7fffffffc6d0 sp 0x7fffffffc6c8
READ of size 8 at 0x7fffffffc780 thread T0
#0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
#1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
#2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
#3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
#4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
#6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
#7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
Address 0x7fffffffce58 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
#0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
#1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
#2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
#3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
#4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
#6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
#7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
Shadow bytes around the buggy address:
0x4ffffffff970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff9c0: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
0x4ffffffff9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffffa10: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Address 0x7fffffffce58 is located in stack of thread T0
==82357==ABORTING
There are various examples that look similar to:
. . .
==80232==ABORTING
#0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
#1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
#2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
#3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
#4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#5 0x1140639 in evalpipe /usr/main-src/bin/sh/eval.c:607:4
#6 0x1140639 in evaltree /usr/main-src/bin/sh/eval.c:285:4
#7 0x1146ef6 in evalbackcmd /usr/main-src/bin/sh/eval.c:699:4
#8 0x1151bfc in expbackq /usr/main-src/bin/sh/expand.c:476:2
#9 0x1151bfc in argstr /usr/main-src/bin/sh/expand.c:323:4
#10 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
#11 0x11427c8 in evalcommand /usr/main-src/bin/sh/eval.c:857:4
#12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#13 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
#14 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
#15 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
#16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#18 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
#19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#21 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
#22 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
#23 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
#24 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
Address 0x7fffffffa458 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
Shadow bytes around the buggy address:
0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff480: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff4a0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4ffffffff4d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
===
Mark Millard
marklmi at yahoo.com