heap-buffer-overflow in OciUtilsTest.TestGetMountpointsUnder test
Issue description

Looks like a new test that Luis added recently? Can you take a look?

Log: https://build.chromium.org/p/chromiumos.chromium/builders/amd64-generic-tot-asan-informational/builds/14362/steps/UnitTest/logs/stdio

run_oci-0.0.1-r344: [ RUN ] OciUtilsTest.TestGetMountpointsUnder
run_oci-0.0.1-r344: Error: /var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest: failed with exit code 1
run_oci-0.0.1-r344: * ERROR: chromeos-base/run_oci-0.0.1-r344::chromiumos failed (test phase):
run_oci-0.0.1-r344: * (no error message)
run_oci-0.0.1-r344: *
run_oci-0.0.1-r344: * Call stack:
run_oci-0.0.1-r344: * ebuild.sh, line 93: Called src_test
run_oci-0.0.1-r344: * environment, line 3588: Called platform_src_test
run_oci-0.0.1-r344: * environment, line 3188: Called platform_pkg_test
run_oci-0.0.1-r344: * environment, line 3170: Called platform_test 'run' '/build/amd64-generic/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest'
run_oci-0.0.1-r344: * environment, line 3221: Called die
run_oci-0.0.1-r344: * The specific snippet of code:
run_oci-0.0.1-r344: * "${cmd[@]}" || die
run_oci-0.0.1-r344: *
run_oci-0.0.1-r344: * If you need support, post the output of `emerge --info '=chromeos-base/run_oci-0.0.1-r344::chromiumos'`,
run_oci-0.0.1-r344: * the complete build log and the output of `emerge -pqv '=chromeos-base/run_oci-0.0.1-r344::chromiumos'`.
run_oci-0.0.1-r344:
run_oci-0.0.1-r344: * ASAN error detected:
run_oci-0.0.1-r344: * =================================================================
run_oci-0.0.1-r344: * ==17==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000003ba at pc 0x7f40b4c2c907 bp 0x7ffe7e78a9f0 sp 0x7ffe7e78a178
run_oci-0.0.1-r344: * READ of size 37 at 0x6030000003ba thread T0
run_oci-0.0.1-r344: * #0 0x7f40b4c2c906 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0x3c906)
run_oci-0.0.1-r344: * #1 0x7f40b4ce2cd8 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xf2cd8)
run_oci-0.0.1-r344: * #2 0x7f40b4cdf5b2 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xef5b2)
run_oci-0.0.1-r344: * #3 0x7f40b4bc532a (/usr/lib64/libgtest.so.0+0x4732a)
run_oci-0.0.1-r344: * #4 0x7f40b4ba4d26 (/usr/lib64/libgtest.so.0+0x26d26)
run_oci-0.0.1-r344: * #5 0x7f40b4ba6218 (/usr/lib64/libgtest.so.0+0x28218)
run_oci-0.0.1-r344: * #6 0x7f40b4ba6a36 (/usr/lib64/libgtest.so.0+0x28a36)
run_oci-0.0.1-r344: * #7 0x7f40b4bb0bf6 (/usr/lib64/libgtest.so.0+0x32bf6)
run_oci-0.0.1-r344: * #8 0x7f40b4bc609a (/usr/lib64/libgtest.so.0+0x4809a)
run_oci-0.0.1-r344: * #9 0x7f40b4bb0881 (/usr/lib64/libgtest.so.0+0x32881)
run_oci-0.0.1-r344: * #10 0x7f40b4ce54e5 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xf54e5)
run_oci-0.0.1-r344: * #11 0x7f40b39fc735 (/lib64/libc.so.6+0x20735)
run_oci-0.0.1-r344: * #12 0x7f40b4c11ab8 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0x21ab8)
run_oci-0.0.1-r344: *
run_oci-0.0.1-r344: * 0x6030000003ba is located 0 bytes to the right of 26-byte region [0x6030000003a0,0x6030000003ba)
run_oci-0.0.1-r344: * allocated by thread T0 here:
run_oci-0.0.1-r344: * #0 0x7f40b4cdc0e2 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xec0e2)
run_oci-0.0.1-r344: * #1 0x7f40b455d888 (/usr/lib64/libstdc++.so.6+0xc4888)
run_oci-0.0.1-r344: * #2 0x7f40b4cdf5b2 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xef5b2)
run_oci-0.0.1-r344: * #3 0x7f40b4bc532a (/usr/lib64/libgtest.so.0+0x4732a)
run_oci-0.0.1-r344: * #4 0x7f40b4ba4d26 (/usr/lib64/libgtest.so.0+0x26d26)
run_oci-0.0.1-r344: * #5 0x7f40b4ba6218 (/usr/lib64/libgtest.so.0+0x28218)
run_oci-0.0.1-r344: * #6 0x7f40b4ba6a36 (/usr/lib64/libgtest.so.0+0x28a36)
run_oci-0.0.1-r344: * #7 0x7f40b4bb0bf6 (/usr/lib64/libgtest.so.0+0x32bf6)
run_oci-0.0.1-r344: * #8 0x7f40b4bc609a (/usr/lib64/libgtest.so.0+0x4809a)
run_oci-0.0.1-r344: * #9 0x7f40b4bb0881 (/usr/lib64/libgtest.so.0+0x32881)
run_oci-0.0.1-r344: * #10 0x7f40b4ce54e5 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0xf54e5)
run_oci-0.0.1-r344: * #11 0x7f40b39fc735 (/lib64/libc.so.6+0x20735)
run_oci-0.0.1-r344: * #12 0x7f40b4c11ab8 (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0x21ab8)
run_oci-0.0.1-r344: *
run_oci-0.0.1-r344: * SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/cache/portage/chromeos-base/run_oci/out/Default/run_oci_unittest+0x3c906)
run_oci-0.0.1-r344: * Shadow bytes around the buggy address:
run_oci-0.0.1-r344: * 0x0c067fff8020: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
run_oci-0.0.1-r344: * 0x0c067fff8030: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
run_oci-0.0.1-r344: * 0x0c067fff8040: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
run_oci-0.0.1-r344: * 0x0c067fff8050: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
run_oci-0.0.1-r344: * 0x0c067fff8060: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
run_oci-0.0.1-r344: * =>0x0c067fff8070: fd fd fa fa 00 00 00[02]fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * 0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * 0x0c067fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * 0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * 0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * 0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
run_oci-0.0.1-r344: * Shadow byte legend (one shadow byte represents 8 application bytes):
run_oci-0.0.1-r344: * Addressable: 00
run_oci-0.0.1-r344: * Partially addressable: 01 02 03 04 05 06 07
run_oci-0.0.1-r344: * Heap left redzone: fa
run_oci-0.0.1-r344: * Freed heap region: fd
run_oci-0.0.1-r344: * Stack left redzone: f1
run_oci-0.0.1-r344: * Stack mid redzone: f2
run_oci-0.0.1-r344: * Stack right redzone: f3
run_oci-0.0.1-r344: * Stack after return: f5
run_oci-0.0.1-r344: * Stack use after scope: f8
run_oci-0.0.1-r344: * Global redzone: f9
run_oci-0.0.1-r344: * Global init order: f6
run_oci-0.0.1-r344: * Poisoned by user: f7
run_oci-0.0.1-r344: * Container overflow: fc
run_oci-0.0.1-r344: * Array cookie: ac
run_oci-0.0.1-r344: * Intra object redzone: bb
run_oci-0.0.1-r344: * ASan internal: fe
run_oci-0.0.1-r344: * Left alloca redzone: ca
run_oci-0.0.1-r344: * Right alloca redzone: cb
run_oci-0.0.1-r344: * ==17==ABORTING
Sep 15 2017
Sep 15 2017
Should be fixed by https://chromium-review.googlesource.com/c/chromiumos/platform2/+/669282
Sep 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/0a97ace7f1fe4c398c555286cf38a0952b49d33b

commit 0a97ace7f1fe4c398c555286cf38a0952b49d33b
Author: Luis Hector Chavez <lhchavez@google.com>
Date: Sat Sep 16 04:25:42 2017

run_oci: Fix GetMountpointsUnder

It was reading beyond the length of |mountpoint| if |root.value()| was larger. This change uses std::string::compare instead of std::equals.

BUG= chromium:765662
TEST=cros_workon_make --board=${BOARD} --test run_oci (with USE=asan)

Change-Id: I02f7381cdff9e8dfbf8f5a58ce86d3c6e5378da4
Reviewed-on: https://chromium-review.googlesource.com/669282
Commit-Ready: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Reviewed-by: Mitsuru Oshima <oshima@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/0a97ace7f1fe4c398c555286cf38a0952b49d33b/run_oci/run_oci_utils.cc
Sep 16 2017
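
The bug class described in the commit message above, shown as an added example that is not taken from run_oci_utils.cc: a prefix check that walks the root string and reads the same number of bytes from a shorter mountpoint, next to a length-safe check built on std::string::compare. The function names and sample paths are assumptions made for illustration.

```cpp
// Added illustration; names and sample paths are assumptions, not run_oci code.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Unsafe pattern: three-iterator std::equal walks all of |root| and reads the
// same number of bytes from |mountpoint| without checking its length. When
// |mountpoint| is shorter than |root| this reads past the end of its buffer.
bool HasPrefixUnsafe(const std::string& root, const std::string& mountpoint) {
  return std::equal(root.begin(), root.end(), mountpoint.begin());
}

// Length-safe form: compare() clamps the range to mountpoint.size(), so a
// |mountpoint| shorter than |root| compares unequal with no out-of-bounds read.
bool HasPrefixSafe(const std::string& root, const std::string& mountpoint) {
  return mountpoint.compare(0, root.size(), root) == 0;
}

// Returns the entries of |mountpoints| that start with |root|.
std::vector<std::string> MountpointsUnder(
    const std::string& root, const std::vector<std::string>& mountpoints) {
  std::vector<std::string> found;
  for (const std::string& mp : mountpoints) {
    if (HasPrefixSafe(root, mp)) found.push_back(mp);
  }
  return found;
}

// Constructed sample: "/proc" and "/run" are shorter than the root, which is
// the case that overflows with the unsafe comparison.
std::vector<std::string> SampleMountpointsUnderRoot() {
  const std::string root = "/run/containers/sample/root";
  return MountpointsUnder(root, {"/proc", "/run", root + "/proc",
                                 root + "/dev/pts", "/home/chronos"});
}

int main() {
  for (const std::string& mp : SampleMountpointsUnderRoot())
    std::cout << mp << "\n";
  return 0;
}
```

Building a test that calls HasPrefixUnsafe with a mountpoint shorter than the root under -fsanitize=address produces the same class of heap-buffer-overflow READ report as the log in the issue description.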
Comment 1 by xiy...@chromium.org, Sep 15 2017