WinASan reports OOB read in crashpad getopt implementation on startup
Issue description

Splitting from issue 635715

To reproduce, build chrome with these gn args:

is_clang = true
is_component_build = false
target_cpu = "x86"
is_debug = false
is_asan = true

Run chrome, but pipe stderr to a file so it makes it past the sandbox:

C:\src\chromium\src\out\asan>.\chrome.exe 2>cr_err.txt

You should get a report like this:

C:\src\chromium\src\out\asan>type cr_err.txt
=================================================================
==17396==ERROR: AddressSanitizer: global-buffer-overflow on address 0x01e73ecb at pc 0x01c84fe8 bp 0x0098e768 sp 0x0098e754
READ of size 13 at 0x01e73ecb thread T0
#0 0x1c85002 in __asan_wrap_memcmp e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:629
#1 0xae99c0 in crashpad::getopt_internal C:\src\chromium\src\third_party\crashpad\crashpad\third_party\getopt\getopt.cc:262
#2 0xaea1ba in crashpad::getopt_long C:\src\chromium\src\third_party\crashpad\crashpad\third_party\getopt\getopt.cc:410
#3 0xf505fc in crashpad::HandlerMain C:\src\chromium\src\third_party\crashpad\crashpad\handler\handler_main.cc:198
#4 0xe46670 in crash_reporter::RunAsCrashpadHandler C:\src\chromium\src\components\crash\content\app\run_as_crashpad_handler_win.cc:41
#5 0xaa6300 in main C:\src\chromium\src\chrome\app\chrome_exe_main_win.cc:228
#6 0x1ca63fd in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:255
#7 0x76ac38f3 in BaseThreadInitThunk+0x23 (C:\Windows\SYSTEM32\KERNEL32.DLL+0x6b8138f3)
#8 0x76f95de2 in RtlUnicodeStringToInteger+0x252 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e5de2)
#9 0x76f95dad in RtlUnicodeStringToInteger+0x21d (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e5dad)
0x01e73ecb is located 53 bytes to the left of global variable '<string literal>' defined in '../../third_party/crashpad/crashpad/handler/handler_main.cc:175:8' (0x1e73f00) of size 9
'<string literal>' is ascii string 'database'
0x01e73ecb is located 0 bytes to the right of global variable '<string literal>' defined in '../../third_party/crashpad/crashpad/handler/handler_main.cc:174:8' (0x1e73ec0) of size 11
'<string literal>' is ascii string 'annotation'

This suggests that getopt is doing memcmp when it should be using strncmp, or something like that.
Aug 9 2016
scottmg: do you have #409963 locally?
Aug 9 2016
When I build in almost this config, I get lots of these from Chrome tools
[20962->9459/30454 ~33] ACTION //third_party/ffmpeg:ffmpeg_yasm_action(//build/toolchain/win:clang_x86)
=================================================================
==4188==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x00b64b48 in thread T0
#0 0x108d18a in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:45
#1 0x74470ba1 in ltoa+0x1a1 (C:\WINDOWS\System32\ucrtbase.dll+0x10030ba1)
#2 0x774a9db2 in RtlProcessFlsData+0x122 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2a9db2)
#3 0x774aa032 in LdrShutdownProcess+0x82 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2aa032)
#4 0x774a9c75 in RtlExitUserProcess+0x95 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2a9c75)
#5 0x73feadc2 in ExitProcess+0x12 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b82adc2)
#6 0x10bf19e in exit_or_terminate_process d:\th\minkernel\crts\ucrt\src\appcrt\startup\exit.cpp:129
#7 0x10bf134 in common_exit d:\th\minkernel\crts\ucrt\src\appcrt\startup\exit.cpp:269
#8 0x10bf2fa in exit d:\th\minkernel\crts\ucrt\src\appcrt\startup\exit.cpp:282
#9 0x10a8c56 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:264
#10 0x73fd62c3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b8162c3)
#11 0x774e0608 in RtlSubscribeWnfStateChangeNotification+0x438 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e0608)
#12 0x774e05d3 in RtlSubscribeWnfStateChangeNotification+0x403 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e05d3)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:45 in free
One (only?) config difference is symbol_level=2, maybe why?
Aug 9 2016
This report suggests that our attempt to intercept malloc from ucrtbase.dll somehow failed. Can you run with ASAN_OPTIONS=verbosity=2 and pastebin that? Most of it will be gibberish.
Aug 9 2016
ucrtbase is part of your system, so even if you use the pre-canned chrome MSVC toolchain, there may be some difference in ucrtbase.dll.
Aug 9 2016
OK, I'll see if I get any more with verbosity=2. I'm on win10 w/ anniversary update, as far as ucrtbase goes.
Aug 9 2016
Here's one with verbosity=2 https://gist.github.com/sgraham/4513af69ec2961e671d9d34deb2c58d8
Aug 9 2016
Well, that's not it. I was expecting to see "Failed to intercept ucrtbase.dll import HeapAlloc" in there, and then this would all make sense.
Aug 9 2016
It looks like it's failing on all the alloc functions, but succeeding free so it thinks they're imbalanced?
Aug 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6b8d382bcb17358f00a8fd0142e5074393a7c049

commit 6b8d382bcb17358f00a8fd0142e5074393a7c049
Author: scottmg <scottmg@chromium.org>
Date: Thu Aug 11 04:09:18 2016

Update Crashpad to 56b14bceefcec03fc11b3222c435522922f65640

c281e30f931a mac: Update the dyld_all_image_infos structure for 10.12
6dbf9526782d mac: Interpret the size returned by _NSGetExecutablePath() correctly
89835b30f8e6 posix: Correctly show the expected exit status in multiprocess tests
3887d99e4801 mac: Handle EXC_RESOURCE RESOURCE_TYPE_IO
335ef494677f mac: dyld fatal errors appear as exit(1) on 10.12
7b8de8a40474 Adapt dyld_images.proctype to running changes in 10.12
7c807242e0b1 mac: dyld fatal errors appear as abort() on 10.12
6f6242865d85 win: Handle the case when GetBytesBuffer returns error in HTTPTransportWin
26c9d3fa6d9b Update mini_chromium to 9c5463b4d4b3
18a839c81000 Update GYP to 93cc6e2c23e4
56b14bceefce win getopt: memcmp() -> strncmp() for ASan

BUG=635990

Review-Url: https://codereview.chromium.org/2236493004
Cr-Commit-Position: refs/heads/master@{#411261}

[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/README.chromium
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/AUTHORS
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/DEPS
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/compat/mac/AvailabilityMacros.h
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/compat/mac/kern/exc_resource.h
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/mach_o_image_annotations_reader_test.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_reader.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_reader_test.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types.h
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types/custom.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types/dyld_images.proctype
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types/loader.proctype
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types/traits.h
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/snapshot/mac/process_types_test.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/test/multiprocess_posix.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/test/paths_mac.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/third_party/getopt/README.crashpad
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/third_party/getopt/getopt.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/util/mach/exception_types.cc
[modify] https://crrev.com/6b8d382bcb17358f00a8fd0142e5074393a7c049/third_party/crashpad/crashpad/util/net/http_transport_win.cc
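What the issue description's reading of the report and the fix commit's "win getopt: memcmp() -> strncmp()" line come down to, shown as an added example in C that is not Crashpad's getopt code: a minimal long-option matcher written both ways. memcmp() is told to compare as many bytes as the user-supplied option name has, so when that name is longer than a table literal the compare reads past the literal's terminating NUL (the report's 13-byte read over the 11-byte "annotation" literal); strncmp() stops at the first NUL in either string. The option table, the argv strings and the helper names (option_name_len, match_memcmp, match_strncmp, memcmp_overread) are constructed for illustration and are not taken from getopt.cc.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed long-option table. The literals are the two the ASan report
 * named: "annotation" is 11 bytes including its NUL, "database" is 9. */
struct long_option {
    const char *name;
    int id;
};

static const struct long_option kOptions[] = {
    {"annotation", 1},
    {"database", 2},
    {NULL, 0},
};

/* Length of the option name in "--name" or "--name=value", without the
 * leading "--". Returns 0 for anything that is not a long option. */
static size_t option_name_len(const char *arg) {
    if (strncmp(arg, "--", 2) != 0)
        return 0;
    return strcspn(arg + 2, "=");
}

/* Buggy matcher, shaped like the pre-fix behaviour: memcmp() compares
 * exactly 'len' bytes, so when the user-supplied name is longer than a table
 * entry it reads beyond that entry's NUL into whatever global data follows.
 * Under ASan's default strict memcmp checking that is a
 * global-buffer-overflow read; without ASan it silently reads neighbouring
 * read-only data. Do not call this on an oversized name under ASan. */
static int match_memcmp(const char *arg) {
    size_t len = option_name_len(arg);
    if (len == 0)
        return -1;
    for (const struct long_option *o = kOptions; o->name; ++o) {
        if (memcmp(arg + 2, o->name, len) == 0 && o->name[len] == '\0')
            return o->id;
    }
    return -1;
}

/* Fixed matcher: strncmp() stops at the first NUL in either string, so the
 * compare never reads past the end of the table literal, whatever 'len' is. */
static int match_strncmp(const char *arg) {
    size_t len = option_name_len(arg);
    if (len == 0)
        return -1;
    for (const struct long_option *o = kOptions; o->name; ++o) {
        if (strncmp(arg + 2, o->name, len) == 0 && o->name[len] == '\0')
            return o->id;
    }
    return -1;
}

/* Bytes a memcmp() of option_name_len(arg) bytes would read past the end of
 * 'table_name' (its characters plus the NUL); 0 when the compare stays in
 * bounds. For "--annotationxyz" against "annotation" this is 13 - 11 = 2,
 * the same arithmetic as the report's READ of size 13 over a size-11 global. */
static size_t memcmp_overread(const char *arg, const char *table_name) {
    size_t len = option_name_len(arg);
    size_t object = strlen(table_name) + 1;
    return len > object ? len - object : 0;
}

int main(void) {
    /* Constructed argv-style inputs: exact, with a value, and oversized. */
    const char *samples[] = {"--database", "--annotation=k=v", "--annotationxyz"};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        printf("%-18s -> id %d, memcmp over-read of \"annotation\": %zu bytes\n",
               samples[i], match_strncmp(samples[i]),
               memcmp_overread(samples[i], "annotation"));
    }
    return 0;
}
```

Built with -fsanitize=address, calling match_memcmp("--annotationxyz") reproduces the shape of the report: a 13-byte memcmp() interceptor check over the 11-byte literal, with the reported address 0 bytes past its end. match_strncmp() returns the same ids for in-bounds input and simply fails to match the oversized name.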
Comment 1 by r...@chromium.org, Aug 9 2016