asan errors in midis
Issue description

I am getting ASan errors after I instrumented alsa-lib with sanitizers. Steps:

* ASAN error detected:
* =================================================================
* ==17==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000a74 at pc 0x7f8a6d7034a6 bp 0x7ffdff7d8200 sp 0x7ffdff7d81f8
* WRITE of size 1 at 0x602000000a74 thread T0
*     #0 0x7f8a6d7034a5 in snd_midi_event_encode_byte /build/amd64-generic/tmp/portage/media-libs/alsa-lib-1.1.5/work/alsa-lib-1.1.5-abi_x86_64.amd64/src/seq/../../../alsa-lib-1.1.5/src/seq/seq_midi_event.c:425:26
*     #1 0x56189c3ba2aa in midis::SeqHandler::EncodeMidiBytes(int, _snd_seq*, unsigned char const*, unsigned long, snd_midi_event*) /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../tmp/portage/chromeos-base/midis-0.0.1-r852/work/midis-0.0.1/platform2/midis/seq_handler.cc:351:18
*     #2 0x56189c29b181 in midis::SeqHandlerTest_TestEncodeBytes_Test::TestBody() /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../tmp/portage/chromeos-base/midis-0.0.1-r852/work/midis-0.0.1/platform2/midis/tests/seq_handler_test.cc:94:3
*     #3 0x7f8a6f2a25f3 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (/usr/lib64/libgtest.so.0+0x465f3)
*     #4 0x7f8a6f2861a0 in testing::Test::Run() (/usr/lib64/libgtest.so.0+0x2a1a0)
*     #5 0x7f8a6f2872ff in testing::TestInfo::Run() (/usr/lib64/libgtest.so.0+0x2b2ff)
*     #6 0x7f8a6f2879f6 in testing::TestCase::Run() (/usr/lib64/libgtest.so.0+0x2b9f6)
*     #7 0x7f8a6f2909a6 in testing::internal::UnitTestImpl::RunAllTests() (/usr/lib64/libgtest.so.0+0x349a6)
*     #8 0x7f8a6f2a33c3 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (/usr/lib64/libgtest.so.0+0x473c3)
*     #9 0x7f8a6f29055e in testing::UnitTest::Run() (/usr/lib64/libgtest.so.0+0x3455e)
*     #10 0x56189c355924 in RUN_ALL_TESTS() /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../usr/include/gtest/gtest.h:2233:46
*     #11 0x56189c355924 in main /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../tmp/portage/chromeos-base/midis-0.0.1-r852/work/midis-0.0.1/platform2/common-mk/testrunner.cc:16
*     #12 0x7f8a6c96d735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
*     #13 0x56189c18c188 in _start (/var/cache/portage/chromeos-base/midis/out/Default/midis_testrunner+0x32188)
*
* 0x602000000a74 is located 0 bytes to the right of 4-byte region [0x602000000a70,0x602000000a74)
* allocated by thread T0 here:
*     #0 0x56189c232bf3 in __interceptor_malloc (/var/cache/portage/chromeos-base/midis/out/Default/midis_testrunner+0xd8bf3)
*     #1 0x7f8a6d7027b8 in snd_midi_event_new /build/amd64-generic/tmp/portage/media-libs/alsa-lib-1.1.5/work/alsa-lib-1.1.5-abi_x86_64.amd64/src/seq/../../../alsa-lib-1.1.5/src/seq/seq_midi_event.c:159:14
*     #2 0x56189c29ae23 in midis::SeqHandlerTest_TestEncodeBytes_Test::TestBody() /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../tmp/portage/chromeos-base/midis-0.0.1-r852/work/midis-0.0.1/platform2/midis/tests/seq_handler_test.cc:93:3
*     #3 0x7f8a6f2a25f3 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (/usr/lib64/libgtest.so.0+0x465f3)
*     #4 0x7f8a6f2861a0 in testing::Test::Run() (/usr/lib64/libgtest.so.0+0x2a1a0)
*     #5 0x7f8a6f2872ff in testing::TestInfo::Run() (/usr/lib64/libgtest.so.0+0x2b2ff)
*     #6 0x7f8a6f2879f6 in testing::TestCase::Run() (/usr/lib64/libgtest.so.0+0x2b9f6)
*     #7 0x7f8a6f2909a6 in testing::internal::UnitTestImpl::RunAllTests() (/usr/lib64/libgtest.so.0+0x349a6)
*     #8 0x7f8a6f2a33c3 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) (/usr/lib64/libgtest.so.0+0x473c3)
*     #9 0x7f8a6f29055e in testing::UnitTest::Run() (/usr/lib64/libgtest.so.0+0x3455e)
*     #10 0x56189c355924 in RUN_ALL_TESTS() /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../usr/include/gtest/gtest.h:2233:46
*     #11 0x56189c355924 in main /build/amd64-generic/var/cache/portage/chromeos-base/midis/out/Default/../../../../../../../tmp/portage/chromeos-base/midis-0.0.1-r852/work/midis-0.0.1/platform2/common-mk/testrunner.cc:16
*     #12 0x7f8a6c96d735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r18/work/glibc-2.23/csu/../csu/libc-start.c:289
*     #13 0x56189c18c188 in _start (/var/cache/portage/chromeos-base/midis/out/Default/midis_testrunner+0x32188)
*
* SUMMARY: AddressSanitizer: heap-buffer-overflow /build/amd64-generic/tmp/portage/media-libs/alsa-lib-1.1.5/work/alsa-lib-1.1.5-abi_x86_64.amd64/src/seq/../../../alsa-lib-1.1.5/src/seq/seq_midi_event.c:425:26 in snd_midi_event_encode_byte
* Shadow bytes around the buggy address:
May 17 2018
This looks like an overflow in the alsa-lib itself. Let me look at the call-stack. Might be a good opportunity to fix upstream alsa-lib!
May 17 2018
Can you share the input buffer which causes this error? I would like to inspect it, since I think snd_midi_event_encode_byte is not handling it correctly.
May 17 2018
Sorry, no idea about the input buffer, I found this when running midis unit tests. Btw, the stack trace points to the location platform2/midis/tests/seq_handler_test.cc:94:3
May 17 2018
Wait, so this is not a fuzzer error? Seems odd that you would run the unit tests with ASAN as well.
May 17 2018
We actually have a builder for ASan testing that runs unit tests and VM tests with ASan images: https://uberchromegw.corp.google.com/i/chromiumos/builders/amd64-generic-asan But its testing is shallow since most libraries are not built with ASan. (And when building the full system with instrumentation, the portage env can't handle the instrumented libraries, so I had to disable unit tests on the fuzzer builder.)
Jul 7
pmalani@ Are you looking at it? To repro:
$ ./setup_board --board=amd64-generic --skip_chroot_upgrade --profile=fuzzer
$ ./build_packages --board=amd64-generic --skip_chroot_upgrade --nousepkg midis
$ FEATURES=test emerge-amd64-generic midis
Aug 7
Aug 21
Just looked at this now. There seems to be a bug in the alsa-lib function we are using. I've sent an email to the alsa-devel mailing list regarding next steps.
Aug 23
Just to update the bug:
- Reported the bug and explanation to the ALSA LIB maintainer. The maintainer asked me to verify a patch which he/she provided, which I confirmed fixes the issue.
- The maintainer has included the patch in the upstream ALSA git tree.
Next steps:
- I have pinged vapier@ to include the patch in the upstream portage ebuild for alsa-lib.
- pmalani@ to add the patch to the alsa-lib ebuild in portage-stable.
Aug 30
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c63919d7c78f57739bd9bc509c75b5de107d8aad

commit c63919d7c78f57739bd9bc509c75b5de107d8aad
Author: Hsin-Yu Chao <hychao@chromium.org>
Date: Thu Aug 30 16:52:52 2018

alsa-lib: Apply upstream patches

This change copies alsa-lib-1.1.6 from portage-stable and applies the patches below from upstream.

7c5c0500 seq: Fix signedness in MIDI encoder/decoder
a8491636 control_hw: Fix issue when applying seccomp policy

BUG=chromium:870321, chromium:843791
TEST=emerge and deploy alsa-lib, apply seccomp policy file for adhd to verify ioctl doesn't get blocked. Run midis unit tests with fuzzer and asan.

Change-Id: Ide0fcf97a3c4c3f20cde52d9964cb75a87d3fc13
Reviewed-on: https://chromium-review.googlesource.com/1175652
Commit-Ready: Hsinyu Chao <hychao@chromium.org>
Tested-by: Hsinyu Chao <hychao@chromium.org>
Reviewed-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/alsa-lib-1.1.6-r2.ebuild
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/0001-control_hw-Fix-issue-when-applying-seccomp-policy.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/alsa-lib-1.1.6-missing_files.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/files/0002-seq-Fix-signedness-in-MIDI-encoder-decoder.patch
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/Manifest
[add] https://crrev.com/c63919d7c78f57739bd9bc509c75b5de107d8aad/media-libs/alsa-lib/metadata.xml
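As an added illustration for this thread (not alsa-lib's code, and not a reproduction of the actual defect the upstream patch fixed), here is a minimal byte-at-a-time MIDI encoder in the shape of the snd_midi_event_new()/snd_midi_event_encode_byte() pair visible in the report's stack: every write into the heap buffer is checked against the buffer size, and the incoming byte is masked to 0..255 so a value that arrived through a signed char is still classified as a status byte. All names, the struct layout and the data-length rule are assumptions of this example.

```c
#include <stdlib.h>
/* Constructed, simplified model of a byte-at-a-time MIDI encoder, shaped like
 * the snd_midi_event_new(bufsize)/snd_midi_event_encode_byte() pair driven by
 * the test in the report.  Illustration for this issue, not alsa-lib's code. */
typedef struct {
    unsigned char *buf;  /* heap buffer of bufsize bytes (4 in the report) */
    size_t bufsize;
    size_t read;         /* bytes already stored in buf */
    size_t qlen;         /* data bytes still needed to finish the message */
} midi_enc_t;

midi_enc_t *midi_enc_new(size_t bufsize)
{
    midi_enc_t *dev = calloc(1, sizeof(*dev));
    if (dev && !(dev->buf = malloc(bufsize))) { free(dev); dev = NULL; }
    if (dev) dev->bufsize = bufsize;
    return dev;
}

void midi_enc_free(midi_enc_t *dev)
{
    if (dev) { free(dev->buf); free(dev); }
}

/* Feed one byte.  Returns 1 when a complete message sits in dev->buf, 0 when
 * more bytes are needed, -1 when the byte is rejected.  The byte is masked to
 * 0..255 first, so a value arriving through a signed char (0x90 as -112)
 * still classifies as a status byte instead of falling through as data. */
int midi_enc_byte(midi_enc_t *dev, int c)
{
    c &= 0xff;
    if (c & 0x80) {                          /* status byte: new message */
        if (c >= 0xf0 || dev->bufsize == 0)  /* system messages not modelled */
            return -1;
        dev->buf[0] = (unsigned char)c;
        dev->read = 1;
        /* 0xCn/0xDn carry one data byte, other channel-voice messages two */
        dev->qlen = ((c & 0xf0) == 0xc0 || (c & 0xf0) == 0xd0) ? 1 : 2;
        return 0;
    }
    if (dev->qlen == 0)                      /* data byte with no status */
        return -1;
    if (dev->read >= dev->bufsize) {         /* would write past the end */
        dev->read = dev->qlen = 0;           /* drop the message, keep memory */
        return -1;
    }
    dev->buf[dev->read++] = (unsigned char)c;
    return (--dev->qlen == 0) ? 1 : 0;
}
```

With a 2-byte buffer the third byte of a note-on is refused instead of being written one past the allocation, which is exactly the condition ASan flagged above for the 4-byte region.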
Aug 30
This should no longer be occurring. Please re-open if this particular failure is still being seen on the fuzzer.
Comment 1 by manojgupta@chromium.org, May 16 2018