Bug 794056 - Migration test failure
Status: RESOLVED FIXED
Product: epiphany
Classification: Core
Component: Build
Version: 3.27.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Epiphany Maintainers
Depends on:
Blocks:
Reported: 2018-03-05 02:10 UTC by Jeremy Bicha
Modified: 2018-03-05 18:56 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
profile-utils: Fix off-by-two buffer overflow (1.07 KB, patch), 2018-03-05 18:48 UTC, Michael Catanzaro, committed

Description Jeremy Bicha 2018-03-05 02:10:51 UTC
epiphany 3.27.92
webkit2gtk 2.19.91
Debian

Build log excerpt
=================

6/9 Migration test			    FAIL     0.29 s
7/9 SQLite test 			    OK	     0.07 s
8/9 String test 			    OK	     0.12 s
9/9 URI helpers test			    OK	     0.11 s

OK:	    8
FAIL:	    1
SKIP:	    0
TIMEOUT:    0


The output from the failed tests:

6/9 Migration test			    FAIL     0.29 s

--- command ---
G_TEST_SRCDIR='/<<PKGBUILDDIR>>/tests'
G_TEST_BUILDDIR='/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/tests'
GSETTINGS_SCHEMA_DIR='/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/data'
GSETTINGS_BACKEND='memory'
/<<PKGBUILDDIR>>/obj-x86_64-linux-gnu/tests/test-ephy-migration
--- stdout ---
/lib/ephy-profile-utils/do_migration_simple: OK
/lib/ephy-profile-utils/do_migration_invalid: 
--- stderr ---
*** stack smashing detected ***: <unknown> terminated
-------
Comment 1 Michael Catanzaro 2018-03-05 17:47:55 UTC
The difficulty here is that I can't reproduce it on its own.

I tried valgrind, but I forgot that valgrind doesn't work anymore, due to Gigacage. valgrind tries to shadow the entire address space, meaning it needs to allocate one byte for every byte of virtual memory allocated by WebKit. valgrind basically has no chance. It's exactly the same trace as https://bugs.webkit.org/show_bug.cgi?id=183329, actually, except in this case it's totally expected for valgrind to fail.

I can't reproduce in gdb, either.

I will try asan next.
Comment 2 Michael Catanzaro 2018-03-05 18:14:43 UTC
asan is great:

--- command ---
G_TEST_SRCDIR='/buildstream/build/tests' G_TEST_BUILDDIR='/buildstream/build/_builddir/tests' GSETTINGS_SCHEMA_DIR='/buildstream/build/_builddir/data' GSETTINGS_BACKEND='memory' /buildstream/build/_builddir/tests/test-ephy-migration
--- stdout ---
/lib/ephy-profile-utils/do_migration_simple: OK
/lib/ephy-profile-utils/do_migration_invalid: 
--- stderr ---
Gtk-Message: 17:50:39.895: Failed to load module "pk-gtk-module"
Gtk-Message: 17:50:39.895: Failed to load module "canberra-gtk-module"
Gtk-Message: 17:50:39.897: Failed to load module "pk-gtk-module"
Gtk-Message: 17:50:39.897: Failed to load module "canberra-gtk-module"
=================================================================
==1619==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffafa09700 at pc 0x7f035542357a bp 0x7fffafa095f0 sp 0x7fffafa095e8
WRITE of size 8 at 0x7fffafa09700 thread T0
    #0 0x7f0355423579 in ephy_profile_utils_do_migration ../lib/ephy-profile-utils.c:133
    #1 0x55d54a7b8c2f in test_do_migration_invalid ../tests/ephy-migration-test.c:75
    #2 0x7f0354eeb9c9 in test_case_run /buildstream/build/glib/gtestutils.c:2255
    #3 0x7f0354eeb9c9 in g_test_run_suite_internal /buildstream/build/glib/gtestutils.c:2339
    #4 0x7f0354eeb8fa in g_test_run_suite_internal /buildstream/build/glib/gtestutils.c:2351
    #5 0x7f0354eeb8fa in g_test_run_suite_internal /buildstream/build/glib/gtestutils.c:2351
    #6 0x7f0354eebb91 in g_test_run_suite /buildstream/build/glib/gtestutils.c:2426
    #7 0x7f0354eebbb0 in g_test_run /buildstream/build/glib/gtestutils.c:1692
    #8 0x55d54a7b8d08 in main ../tests/ephy-migration-test.c:101
    #9 0x7f03541f2f29 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20f29)
    #10 0x55d54a7b8049 in _start (/buildstream/build/_builddir/tests/test-ephy-migration+0x6049)

Address 0x7fffafa09700 is located in stack of thread T0 at offset 208 in frame
    #0 0x7f0355423175 in ephy_profile_utils_do_migration ../lib/ephy-profile-utils.c:101

  This frame has 3 object(s):
    [32, 36) 'status'
    [96, 104) 'error'
    [160, 208) 'argv' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ../lib/ephy-profile-utils.c:133 in ephy_profile_utils_do_migration
Shadow bytes around the buggy address:
  0x100075f39290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f392a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f392b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f392c0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
  0x100075f392d0: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
=>0x100075f392e0:[f2]f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x100075f392f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f39300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f39310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f39320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100075f39330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1619==ABORTING
Comment 3 Michael Catanzaro 2018-03-05 18:48:37 UTC
The following fix has been pushed:
0ad97ba profile-utils: Fix off-by-two buffer overflow
Comment 4 Michael Catanzaro 2018-03-05 18:48:42 UTC
Created attachment 369362
profile-utils: Fix off-by-two buffer overflow

Ubuntu gets bonus points for discovering this by running our tests.

I'm used to seeing off-by-one errors. Off by two is more unusual, but that's what we have here.
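The ASan frame dump in comment 2 and the "off-by-two" remark in comment 4 describe the same class of defect: a fixed-size stack array of argument pointers written past its end. The frame object 'argv' spans [160, 208), 48 bytes, i.e. six 8-byte pointers on x86_64, and the faulting 8-byte write lands at offset 208, a seventh pointer stored into a six-slot array. The following C program is an added illustration of that class and of the defensive pattern, not code from Epiphany or from the attached patch (which this page does not show); the array capacity, the argument strings and the function names (argv_slots_required, build_argv, try_fit) are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example. An argv-style array handed to a spawn function needs
 * one slot per argument PLUS one for the terminating NULL. Counting the
 * terminator up front and refusing to write when the fixed array is too
 * small turns a miscount into a checkable error instead of a smashed stack
 * (which is what the "*** stack smashing detected ***" abort and the ASan
 * stack-buffer-overflow report in this bug are about). */

#define ARGV_SLOTS 6  /* constructed: same capacity as the 48-byte array in the report */

/* Slots needed to hold nargs arguments and the NULL terminator. */
size_t argv_slots_required(size_t nargs)
{
    return nargs + 1;
}

/* Copy nargs pointers from args into dst and NULL-terminate it.
 * Returns 0 on success, -1 (without touching dst) if dst is too small. */
int build_argv(const char *dst[], size_t slots, const char *const args[], size_t nargs)
{
    if (argv_slots_required(nargs) > slots)
        return -1;
    for (size_t i = 0; i < nargs; i++)
        dst[i] = args[i];
    dst[nargs] = NULL;
    return 0;
}

/* Try to fit the first nargs constructed arguments into an ARGV_SLOTS-sized
 * stack array, returning build_argv's result code. */
int try_fit(size_t nargs)
{
    static const char *const pool[] = {
        "migrator", "--profile-dir", "/tmp/profile", "--cache-dir",
        "/tmp/cache", "--version", "7", "--extra"
    };
    const char *argv[ARGV_SLOTS];

    if (nargs > sizeof pool / sizeof pool[0])
        return -1;
    return build_argv(argv, ARGV_SLOTS, pool, nargs);
}

int main(void)
{
    /* Five arguments fit: five pointers plus NULL is exactly six slots. */
    printf("5 args: %d\n", try_fit(5));
    /* Six arguments do not: the NULL terminator would be the seventh pointer
     * (one past the end, the classic off-by-one). */
    printf("6 args: %d\n", try_fit(6));
    /* Seven arguments need eight slots: two writes past the end, the
     * off-by-two shape described in comment 4. */
    printf("7 args: %d\n", try_fit(7));
    return 0;
}
```

Both sanitizers and the stack protector only catch the overflow once it happens at run time, as the build log here shows; sizing the array from the argument count (or returning an error when it cannot fit) removes the write in the first place.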
Comment 5 Jeremy Bicha 2018-03-05 18:56:58 UTC
Thanks, I confirm that the test passes now here.