GNOME Bugzilla – Bug 752919
AddressSanitizer: heap-buffer-overflow on address 0x606000d96320
Last modified: 2015-08-12 12:06:25 UTC
I compiled evolution with an address sanitizer on and it cannot be run due to an issue in the below code. My packages are: gnome-keyring-3.16.0-1.fc22.x86_64 p11-kit-0.23.1-1.fc22.x86_64

==29167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000d96320 at pc 0x7f7348af22b8 bp 0x7ffdbbd477f0 sp 0x7ffdbbd46f98
READ of size 32 at 0x606000d96320 thread T0
    #0 0x7f7348af22b7 in __asan_memmove (/lib64/libasan.so.2+0x8d2b7)
    #1 0x7f72e4586d11 (/usr/lib64/pkcs11/gnome-keyring-pkcs11.so+0xcd11)
    #2 0x7f72e45846e5 (/usr/lib64/pkcs11/gnome-keyring-pkcs11.so+0xa6e5)
    #3 0x336b222a0e (/lib64/libp11-kit.so.0+0x336b222a0e)
    #4 0x336b2397d0 (/lib64/libp11-kit.so.0+0x336b2397d0)
    #5 0x334fa05b9e in ffi_closure_unix64_inner (/lib64/libffi.so.6+0x334fa05b9e)
    #6 0x334fa05f17 in ffi_closure_unix64 (/lib64/libffi.so.6+0x334fa05f17)
    #7 0x36a26546b8 (/lib64/libnss3.so+0x36a26546b8)
    #8 0x36a265515a (/lib64/libnss3.so+0x36a265515a)
    #9 0x36a265569c (/lib64/libnss3.so+0x36a265569c)
    #10 0x36a263f5de (/lib64/libnss3.so+0x36a263f5de)
    #11 0x36a264b0da in SECMOD_LoadModule (/lib64/libnss3.so+0x36a264b0da)
    #12 0x36a264b1df in SECMOD_LoadModule (/lib64/libnss3.so+0x36a264b1df)
    #13 0x36a261a39a (/lib64/libnss3.so+0x36a261a39a)
    #14 0x36a261ab57 in NSS_InitWithMerge (/lib64/libnss3.so+0x36a261ab57)
    #15 0x7f7343b9dc3a in camel_init /data/develop/local/evolution-data-server/camel/camel.c:161
    #16 0x7f733432a9a9 in initialize_nss /data/develop/local/evolution/smime/lib/e-cert-db.c:482
    #17 0x7f733432b097 in e_cert_db_class_init /data/develop/local/evolution/smime/lib/e-cert-db.c:598
    #18 0x7f733432952a in e_cert_db_class_intern_init /data/develop/local/evolution/smime/lib/e-cert-db.c:90
    #19 0x334fe2f43c in g_type_class_ref (/lib64/libgobject-2.0.so.0+0x334fe2f43c)
    #20 0x334fe16b3c in g_object_newv (/lib64/libgobject-2.0.so.0+0x334fe16b3c)
    #21 0x334fe172c3 in g_object_new (/lib64/libgobject-2.0.so.0+0x334fe172c3)
    #22 0x7f733432b28c in e_cert_db_peek /data/develop/local/evolution/smime/lib/e-cert-db.c:646
    #23 0x7f73345772c8 in smime_component_init /data/develop/local/evolution/smime/gui/component.c:129
    #24 0x7f72e9a3764b in book_shell_backend_constructed /data/develop/local/evolution/modules/addressbook/e-book-shell-backend.c:451
    #25 0x334fe14fa3 (/lib64/libgobject-2.0.so.0+0x334fe14fa3)
    #26 0x334fe16f44 in g_object_new_valist (/lib64/libgobject-2.0.so.0+0x334fe16f44)
    #27 0x334fe172b0 in g_object_new (/lib64/libgobject-2.0.so.0+0x334fe172b0)
    #28 0x7f73452a4f3d in extensible_load_extension /data/develop/local/evolution-data-server/libedataserver/e-extensible.c:99
    #29 0x7f734535a979 in e_type_traverse /data/develop/local/evolution-data-server/libedataserver/e-data-server-util.c:2756
    #30 0x7f734535a944 in e_type_traverse /data/develop/local/evolution-data-server/libedataserver/e-data-server-util.c:2750
    #31 0x7f73452a514d in e_extensible_load_extensions /data/develop/local/evolution-data-server/libedataserver/e-extensible.c:144
    #32 0x7f73452a536f in e_extensible_list_extensions /data/develop/local/evolution-data-server/libedataserver/e-extensible.c:186
    #33 0x7f7348791a1f in e_shell_load_modules /data/develop/local/evolution/shell/e-shell.c:1919
    #34 0x40557d in main /data/develop/local/evolution/shell/main.c:618
    #35 0x7f73443c46ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #36 0x4043e8 in _start (/build/local/bin/evolution+0x4043e8)

0x606000d96320 is located 0 bytes to the right of 64-byte region [0x606000d962e0,0x606000d96320)
allocated by thread T0 here:
    #0 0x7f7348afda0a in malloc (/lib64/libasan.so.2+0x98a0a)
    #1 0x36a221667c in PORT_Alloc_Util (/lib64/libnssutil3.so+0x36a221667c)
    #2 0x98b19cb7e2976dff (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x0c0c801aac10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c801aac20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c801aac30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c801aac40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c801aac50: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c801aac60: 00 00 00 00[fa]fa fa fa 00 00 00 00 00 00 03 fa
  0x0c0c801aac70: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c801aac80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c801aac90: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 05
  0x0c0c801aaca0: fa fa fa fa 00 00 00 00 00 00 00 05 fa fa fa fa
  0x0c0c801aacb0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29167==ABORTING

The backtrace is:
Trace 235299
Thread 1 (Thread 0x7f7349b84ac0 (LWP 29167))
Created attachment 308846: proposed patch for gnome-keyring

A read of one item more than the array was allocated for was being done. This patch fixes the issue.
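The one-past-the-end read described in the comment above, as an added C example that is not the gnome-keyring patch or any of its code: a constructed 32-byte record type (so a 64-byte array holds exactly two, matching the report's 64-byte region and READ of size 32), the buggy inclusive loop beside a bounded copy. The names item_t, copy_items_buggy, copy_items and demo are all hypothetical.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a PKCS#11-style record: 32 bytes, so a
 * 64-byte allocation holds exactly two of them, as in the ASan report. */
typedef struct {
    uint32_t type;
    uint32_t len;
    uint8_t  value[24];
} item_t;

#define ITEM_SIZE sizeof(item_t)   /* 32 bytes */

/* Buggy form: the loop bound is inclusive, so with count == 2 the third
 * memmove reads ITEM_SIZE bytes starting exactly at the end of a 64-byte
 * array. ASan reports that as "READ of size 32 ... 0 bytes to the right
 * of 64-byte region". Shown for comparison only; nothing below calls it. */
size_t copy_items_buggy(item_t *dst, const item_t *src, size_t count)
{
    size_t n = 0;
    for (size_t i = 0; i <= count; i++)   /* off by one: must be i < count */
        memmove(&dst[n++], &src[i], ITEM_SIZE);
    return n;
}

/* Fixed form: iterate strictly below count, and never write more items
 * than the destination was sized for. Returns the number copied. */
size_t copy_items(item_t *dst, size_t dst_cap, const item_t *src, size_t count)
{
    if (count > dst_cap)
        count = dst_cap;
    for (size_t i = 0; i < count; i++)
        memmove(&dst[i], &src[i], ITEM_SIZE);
    return count;
}

/* Constructed input: two records in a 64-byte array, copied with the
 * bounded routine. True when exactly two items were read and copied. */
bool demo(void)
{
    item_t src[2] = {{1, 3, {'a', 'b', 'c'}}, {2, 1, {'z'}}};
    item_t dst[2];
    size_t n = copy_items(dst, 2, src, 2);
    return n == 2 && dst[0].type == 1 && dst[1].type == 2 && dst[1].value[0] == 'z';
}
```

Building the buggy variant with -fsanitize=address and calling it on a two-element array reproduces the same class of report as the one above.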
Thanks! Merged.