GNOME Bugzilla – Bug 758572
ASAN crash in make check
Last modified: 2017-03-16 16:31:00 UTC
Running make check after configuring as below reports an ASan crash.

./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"

This is the latest release version, 2.9.3. Please check.

Total 9 tests, no errors
Testing HTMLparser : 32 of 38 functions ...
=================================================================
==15451== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000047b199 at pc 0x2ab7ce0b1c5d bp 0x7fff53e13400 sp 0x7fff53e133f8
READ of size 1 at 0x00000047b199 thread T0
    #0 0x2ab7ce0b1c5c (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x24ec5c)
    #1 0x2ab7cdf9c91e (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x13991e)
    #2 0x2ab7cdff059c (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x18d59c)
    #3 0x41d1c2 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41d1c2)
    #4 0x41fbe2 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41fbe2)
    #5 0x41caa4 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41caa4)
    #6 0x41b1ec (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41b1ec)
    #7 0x2ab7ce510ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #8 0x41a868 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41a868)
0x00000047b199 is located 7 bytes to the left of global variable '*.LC14 (testapi.c)' (0x47b1a0) of size 10
  '*.LC14 (testapi.c)' is ascii string 'test/ent2'
0x00000047b199 is located 50 bytes to the right of global variable '*.LC13 (testapi.c)' (0x47b160) of size 7
  '*.LC13 (testapi.c)' is ascii string '<foo/>'
Shadow bytes around the buggy address:
  0x0000800875e0: 00 00 00 00 00 00 00 01 f9 f9 f9 f9 00 00 00 00
  0x0000800875f0: 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080087600: 00 04 f9 f9 f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9
  0x000080087610: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 06 f9 f9 f9
  0x000080087620: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
=>0x000080087630: f9 f9 f9[f9]00 02 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x000080087640: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x000080087650: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x000080087660: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x000080087670: 02 f9 f9 f9 f9 f9 f9 f9 00 00 02 f9 f9 f9 f9 f9
  0x000080087680: 00 00 01 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==15451== ABORTING
make: *** [runtests] Error 1
Total 9 tests, no errors
Testing HTMLparser : 32 of 38 functions ...
=================================================================
==38860== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000047b199 at pc 0x2b1caf0b9c7d bp 0x7fff570fa6f0 sp 0x7fff570fa6e8
READ of size 1 at 0x00000047b199 thread T0
    #0 0x2b1caf0b9c7c (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x24ec7c) /home4/libxml2-2.9.3/buf.c:908
    #1 0x2b1caefa493e (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x13993e) /home4/libxml2-2.9.3/xmlIO.c:3038
    #2 0x2b1caeff85bc (/home4/libxml2-2.9.3/.libs/libxml2.so.2.9.3+0x18d5bc) /home4/libxml2-2.9.3/HTMLparser.c:4978
    #3 0x41d1c2 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41d1c2) /home4/libxml2-2.9.3/testapi.c:1484
    #4 0x41fbe2 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41fbe2) /home4/libxml2-2.9.3/testapi.c:2784
    #5 0x41caa4 (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41caa4) /home4/libxml2-2.9.3/testapi.c:1249
    #6 0x41b1ec (/home4/libxml2-2.9.3/.libs/lt-testapi+0x41b1ec) /home4/libxml2-2.9.3/testapi.c:154
This is a false positive because the test code is passing nonsensical string lengths into parsing APIs, so global-buffer-overflow reads are expected. The test code needs to be fixed to pass in actual string lengths to the API. Unfortunately, the file looks like it was generated, so there are something like 20-50 different locations where the correct string length needs to be passed in.

This is the first crash I see on Mac OS X 10.11.2 with libxml v2.9.3:

Application Specific Information:
================================================================
==5338==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000107e30084 at pc 0x00010833ca7c bp 0x7fff57e5b7b0 sp 0x7fff57e5af68
READ of size 122 at 0x000107e30084 thread T0
    #0 0x10833ca7b in __asan_memmove (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x39a7b)
    #1 0x10803a64a in xmlBufAdd buf.c:908
    #2 0x107f3e9aa in xmlParserInputBufferCreateMem xmlIO.c:3038
    #3 0x107f818b6 in htmlCreateMemoryParserCtxt HTMLparser.c:4978
    #4 0x107da624b in test_HTMLparser testapi.c:1484
    #5 0x107da576e in testlibxml2 testapi.c:1249
    #6 0x107da51a4 in main testapi.c:154
    #7 0x7fff941c25ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #8 0x0 (<unknown module>)

0x000107e30084 is located 60 bytes to the left of global variable '<string literal>' defined in 'testapi.c:397:37' (0x107e300c0) of size 7
  '<string literal>' is ascii string '<foo/>'
0x000107e30084 is located 0 bytes to the right of global variable '<string literal>' defined in 'testapi.c:396:37' (0x107e30080) of size 4
  '<string literal>' is ascii string 'foo'
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x100020fc5fc0: 00 03 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
  0x100020fc5fd0: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x100020fc5fe0: 00 02 f9 f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
  0x100020fc5ff0: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x100020fc6000: f9 f9 f9 f9 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9
=>0x100020fc6010:[04]f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x100020fc6020: 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
  0x100020fc6030: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x100020fc6040: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x100020fc6050: 00 00 06 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x100020fc6060: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 00 05 f9 f9
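The mechanism described in the comment above (a generated harness pairing a canned string with a canned int, so htmlCreateMemoryParserCtxt is asked to read 122 bytes from the 4-byte literal "foo"), shown as an added, self-contained example. This is not code from the bug report, from testapi.c, or from the libxml2 fix: the argument tables, copy_would_be_in_bounds and gen_len_for are constructed stand-ins (the strings and the size 122 are taken from the reports above), and the copy is modelled as a bounds check rather than performed, since the real over-read is undefined behaviour that only ASan makes visible.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the canned argument tables a generated harness
 * like testapi.c draws from (assumption: the real generators are equivalent
 * value tables; the strings and 122 are taken from the ASan reports). */
static const char *const kBuffers[] = { "foo", "<foo/>", "test/ent2" };
static const int kInts[] = { 0, 1, -1, 122 };

#define NBUF (sizeof(kBuffers) / sizeof(kBuffers[0]))
#define NINT (sizeof(kInts) / sizeof(kInts[0]))

/* Models the read a memory-based entry point such as
 * htmlCreateMemoryParserCtxt(buffer, size) performs: xmlBufAdd memmoves
 * `size` bytes out of `buffer`.  The copy itself is not done here; instead
 * we report whether it would stay inside the bytes the caller really owns.
 * Sizes <= 0 are treated as rejected by the API before any read happens. */
static int copy_would_be_in_bounds(const char *buffer, int size)
{
    if (buffer == NULL || size <= 0)
        return 1;
    return (size_t)size <= strlen(buffer);
}

/* The pairing that produced the reports above: every buffer is combined
 * with every canned int, so "foo" (3 bytes) is handed size 122. */
static int count_naive_oob(void)
{
    int oob = 0;
    for (size_t b = 0; b < NBUF; b++)
        for (size_t i = 0; i < NINT; i++)
            if (!copy_would_be_in_bounds(kBuffers[b], kInts[i]))
                oob++;
    return oob;
}

/* Returns the first size the naive pairing would over-read with, or 0. */
static int first_naive_oob_size(void)
{
    for (size_t b = 0; b < NBUF; b++)
        for (size_t i = 0; i < NINT; i++)
            if (!copy_would_be_in_bounds(kBuffers[b], kInts[i]))
                return kInts[i];
    return 0;
}

/* Hypothetical fixed generator: a length argument is derived from the
 * buffer it describes.  Candidates still cover the empty prefix, a partial
 * prefix, the whole string and the API's error path (-1), but never exceed
 * what the buffer actually holds. */
static int gen_len_for(const char *buffer, int no)
{
    int len = buffer ? (int)strlen(buffer) : 0;
    switch (no) {
    case 0:  return 0;
    case 1:  return len / 2;
    case 2:  return len;
    default: return -1;
    }
}

/* Same sweep as count_naive_oob, but with lengths tied to their buffer. */
static int count_fixed_oob(void)
{
    int oob = 0;
    for (size_t b = 0; b < NBUF; b++)
        for (int no = 0; no < 4; no++)
            if (!copy_would_be_in_bounds(kBuffers[b], gen_len_for(kBuffers[b], no)))
                oob++;
    return oob;
}

int main(void)
{
    printf("naive pairing: %d over-reading calls (first bad size %d)\n",
           count_naive_oob(), first_naive_oob_size());
    printf("length-from-buffer pairing: %d over-reading calls\n",
           count_fixed_oob());
    return 0;
}
```

The check is deliberately stricter than ASan (it refuses to count the terminating NUL as readable payload), which is the right default for a harness: a size that is only "in bounds" because it lands on the terminator tells you nothing about the parser.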
(In reply to David Kilzer from comment #2)
> This is the first crash I see on Mac OS X 10.11.2 with libxml v2.9.3:
>
> Application Specific Information:
> ================================================================
> ==5338==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x000107e30084 at pc 0x00010833ca7c bp 0x7fff57e5b7b0 sp 0x7fff57e5af68
> READ of size 122 at 0x000107e30084 thread T0

Oops! This is the first crash when running "make tests". The crash in Comment #0 is closer to what I see when running "make check" on OS X 10.11.2.
Created attachment 323350
Proposed Patch v1

Fix all the ASan out-of-bounds reads.
This was fixed in e6b97476a0bcc023f6fc05bddcbc140001f9832f. <https://git.gnome.org/browse/libxml2/commit/?id=e6b97476a0bcc023f6fc05bddcbc140001f9832f>