From: Mark Millard <marklmi@yahoo.com>
Subject: Re: The kyua in ASAN-built-world reports: the 65 __asan_report_{load4|store8|load8}_noabort examples
Date: Wed, 12 Jan 2022 16:16:51 -0800
To: freebsd-current
In-Reply-To: <604B4A79-EF86-49A9-9AF0-13716EE8D7EB@yahoo.com>
Message-Id: <1A24051A-7259-4A99-8F98-AD03431C6569@yahoo.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
On 2022-Jan-12, at 14:59, Mark Millard wrote:

> # kyua report --verbose | grep _noabort
>     #7 0x1111227 in __asan_report_load4_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:122:1
>     #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
> . . .
>     #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
> . . .
>
> (The others are examples of the same 3 routines. In fact there is
> only that one _load4_ example in the list. The rest are _load8_ or
> _store8_ examples.)
>
> But when I look, I find that all of these fail to actually report the
> load* or store* information, instead running into another problem while
> trying to do that. It is this other problem that ends up being reported.
> It is the same problem for all of them.
>
> Picking an example:
>
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=102427)
>     #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>     #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>     #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>     #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>     #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>     #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>     #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>     #7 0x1111227 in __asan_report_load4_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:122:1
> . . .
>
> In each case, __asan::AsanThread::GetStackFrameAccessByAddr attempts to CHECK
> ptr[0] == kCurrentStackFrameMagic and the CHECK fails --so that is what ends
> up being reported.
>
> My first guess would be that the load* and store* reports are for
> misaligned stack accesses. But it is just a guess from my lack of
> managing to think of anything else it would be checking where the
> only context-usage apparently involved is: load or store with a size
> in Bytes.
>

There are 4 other examples of ptr[0] == kCurrentStackFrameMagic reports,
ones that do not involve __asan_report_{load4|store8|load8}_noabort in
the backtraces.

3 examples are during memcpy used by handle_signal. An example is:

AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=210226)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
    #10 0x7fffffffe8a2 ([vdso]+0x2d2)
    #11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
    #12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
    #13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
    #14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
    #15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
    #16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
    #17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
    #18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

The other type of example is the one associated with sigaltstack:

AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=102471)
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x110154f in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #8 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #9 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #10 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #11 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #12 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #13 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #14 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #15 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #18 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

This last is interesting in that it is the only example of sigaltstack
being involved in this type of failure, despite:

# kyua report --verbose | grep " sigaltstack /usr" | wc
     665    3325   94430

Many/most of the other 664 seem to look similar to:

==80233==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa458 at pc 0x00000110152e bp 0x7fffffffa430 sp 0x7fffffff9bf8
WRITE of size 24 at 0x7fffffffa458 thread T0
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x1140639 in evalpipe /usr/main-src/bin/sh/eval.c:607:4
    #6 0x1140639 in evaltree /usr/main-src/bin/sh/eval.c:285:4
    #7 0x1146ef6 in evalbackcmd /usr/main-src/bin/sh/eval.c:699:4
    #8 0x1151bfc in expbackq /usr/main-src/bin/sh/expand.c:476:2
    #9 0x1151bfc in argstr /usr/main-src/bin/sh/expand.c:323:4
    #10 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
    #11 0x11427c8 in evalcommand /usr/main-src/bin/sh/eval.c:857:4
    #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #13 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #14 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
    #15 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
    #16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #18 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
    #19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #21 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #22 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #23 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
    #24 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3

There is one example of a READ of size 8 instead of a WRITE of size 24.
It looks like:

==82352==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc780 at pc 0x00080148845e bp 0x7fffffffc6d0 sp 0x7fffffffc6c8
READ of size 8 at 0x7fffffffc780 thread T0
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
    #6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

Address 0x7fffffffce58 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
    #6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
Shadow bytes around the buggy address:
  0x4ffffffff970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff9c0: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
  0x4ffffffff9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa10: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Address 0x7fffffffce58 is located in stack of thread T0
==82357==ABORTING

There are various examples that look similar to:

. . .
==80232==ABORTING
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x1140639 in evalpipe /usr/main-src/bin/sh/eval.c:607:4
    #6 0x1140639 in evaltree /usr/main-src/bin/sh/eval.c:285:4
    #7 0x1146ef6 in evalbackcmd /usr/main-src/bin/sh/eval.c:699:4
    #8 0x1151bfc in expbackq /usr/main-src/bin/sh/expand.c:476:2
    #9 0x1151bfc in argstr /usr/main-src/bin/sh/expand.c:323:4
    #10 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
    #11 0x11427c8 in evalcommand /usr/main-src/bin/sh/eval.c:857:4
    #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #13 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #14 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
    #15 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
    #16 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #17 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #18 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
    #19 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #20 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #21 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
    #22 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #23 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
    #24 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3

Address 0x7fffffffa458 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
Shadow bytes around the buggy address:
  0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff480: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
  0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4a0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

===
Mark Millard
marklmi at yahoo.com
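The message above sorts the kyua output by hand: it separates the runtime's own CHECK failures from real "ERROR: AddressSanitizer" reports, reads the masked access kind off the __asan_report_{load4|store8|load8}_noabort frame, and groups the rest by the first frame outside compiler-rt (memcpy under handle_signal, sigaltstack under __asan_handle_no_return). The script below is an added example of doing that triage mechanically; it is not code from the mail, from FreeBSD, or from LLVM. The log it parses (SAMPLE_LOG) is constructed for the example with shortened paths and a placeholder frame (example_func in /constructed/example.c); Report, parse_reports, triage and first_app_frame are names of this example, not of any real tool.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# One ASan report = a header line (CHECK failure or ==pid==ERROR), an optional
# access line, then one numbered stack.  The SUMMARY section re-lists the stack
# from #0; parse_reports() keeps only frames in strictly increasing order.
CHECK_RE = re.compile(r'^AddressSanitizer: CHECK failed: (\S+) "(.*)"')
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(\S.*?)\s+(\S+)\s*$")
NOSYM_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+(\S+)\s*$")  # e.g. ([vdso]+0x2d2)
ABORT_RE = re.compile(r"^==\d+==ABORTING")
MASKED_RE = re.compile(r"^__asan_report_(load|store)(\d+)")

@dataclass
class Report:
    kind: str            # "CHECK failed" or the ASan error type, e.g. "stack-buffer-overflow"
    where: str           # CHECK site and condition, or the faulting address
    access: str = ""     # "WRITE of size 24" etc.; empty for a CHECK failure
    frames: list = field(default_factory=list)  # (number, pc, function, location)

    def masked_access(self):
        """For a CHECK failure: the (op, size) the runtime was about to report,
        recovered from the __asan_report_<op><size>_noabort frame, if present."""
        for _, _, func, _ in self.frames:
            if m := MASKED_RE.match(func):
                return m.group(1), int(m.group(2))
        return None

    def first_app_frame(self):
        """Innermost symbolized frame whose source is not the sanitizer runtime."""
        for _, _, func, loc in self.frames:
            if func != "?" and "compiler-rt/" not in loc:
                return func
        return None

def _add_frame(rep, num, pc, func, loc):
    # Accept only the next expected frame number: drops the SUMMARY re-listing.
    if num == len(rep.frames):
        rep.frames.append((num, pc, func, loc))

def parse_reports(text):
    reports, cur = [], None
    for line in text.splitlines():
        if m := CHECK_RE.match(line):
            cur = Report("CHECK failed", f"{m.group(1)} {m.group(2)}")
            reports.append(cur)
        elif m := ERROR_RE.match(line):
            cur = Report(m.group(1), m.group(2))
            reports.append(cur)
        elif cur is None:
            continue                      # text outside any report
        elif ABORT_RE.match(line):
            cur = None
        elif m := ACCESS_RE.match(line):
            cur.access = f"{m.group(1)} of size {m.group(2)}"
        elif m := FRAME_RE.match(line):
            _add_frame(cur, int(m.group(1)), m.group(2), m.group(3), m.group(4))
        elif m := NOSYM_RE.match(line):
            _add_frame(cur, int(m.group(1)), m.group(2), "?", m.group(3))
    return reports

def triage(text):
    """Count reports by kind, record which access each CHECK failure masked,
    and group reports by (kind, access, first non-runtime frame)."""
    reports = parse_reports(text)
    summary = {"by_kind": Counter(), "masked": Counter(), "by_origin": Counter()}
    for r in reports:
        summary["by_kind"][r.kind] += 1
        if r.kind == "CHECK failed":
            acc = r.masked_access()
            summary["masked"]["%s%d" % acc if acc else "none"] += 1
        summary["by_origin"][(r.kind, r.access, r.first_app_frame())] += 1
    return reports, summary

# Constructed sample in the shape of the reports quoted in the mail (paths shortened).
SAMPLE_LOG = """\
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=102427)
    #0 0x1112b31 in __asan::CheckUnwind() /src/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /src/compiler-rt/lib/asan/asan_thread.cpp
    #2 0x1111227 in __asan_report_load4_noabort /src/compiler-rt/lib/asan/asan_rtl.cpp:122:1
    #3 0x1230000 in example_func /constructed/example.c:42:3
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=210226)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x10ca344 in memcpy /src/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #1 0x80147c861 in handle_signal /src/lib/libthr/thread/thr_sig.c:313:2
    #2 0x7fffffffe8a2 ([vdso]+0x2d2)
==80233==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa458 at pc 0x00000110152e bp 0x7fffffffa430 sp 0x7fffffff9bf8
WRITE of size 24 at 0x7fffffffa458 thread T0
    #0 0x110152d in sigaltstack /src/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /src/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /src/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /src/bin/sh/eval.c:1151:3
Address 0x7fffffffa458 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
    #0 0x110152d in sigaltstack /src/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
==80233==ABORTING
==82352==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc780 at pc 0x00080148845e bp 0x7fffffffc6d0 sp 0x7fffffffc6c8
READ of size 8 at 0x7fffffffc780 thread T0
    #0 0x110152d in sigaltstack /src/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x1146099 in evalcommand /src/bin/sh/eval.c:1151:3
==82352==ABORTING
"""

if __name__ == "__main__":
    _, s = triage(SAMPLE_LOG)
    for key, counter in s.items():
        print(key, dict(counter))
```

Run against a real `kyua report --verbose` dump, the "masked" counter is the number of reports whose load/store details were lost to the kCurrentStackFrameMagic CHECK, and "by_origin" is the list the mail builds by hand: which interceptor or program function each report class comes from.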