Bram Moolenaar wrote:
> Yegappan Lakshmanan wrote:
>
>> Running the message_test executable with address sanitizer
>> enabled and the following test code in message_test.c:
>>
>> trunc_string((char_u *)"a text that fits", buf, 34, 40);
>>
>> produces a buffer overflow in utf_head_off():
>>
>> AddressSanitizer: global-buffer-overflow mbyte.c:3740 in utf_head_off
>
> I ran the test with valgrind but it did not report a problem.
> Do you have more information?
Valgrind does not detect overflows in global and stack variables.
Asan detects them.
I can reproduce the bug detected by asan with vim-7.4.2067:
$ diff --git a/src/message_test.c b/src/message_test.c
index 41b8875..d894677 100644
--- a/src/message_test.c
+++ b/src/message_test.c
@@ -59,6 +59,8 @@ test_trunc_string(void)
trunc_string((char_u *)"a text that nott fits", buf, 20, 40);
assert(STRCMP(buf, "a text t...nott fits") == 0);
+
+ trunc_string((char_u *)"a text that fits", buf, 34, 40);
}
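Review bot: the new trunc_string() call at the end of test_trunc_string() is not followed by an assert() on buf, unlike the call just above it, so once utf_head_off() no longer overflows this case would pass without checking what trunc_string() actually produced; add an `assert(STRCMP(buf, ...) == 0)` with the expected contents (the input is described as a text that fits, so presumably the unchanged string) so the reproducer doubles as a regression test.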
$ make run_message_test
gcc -c -I. -Iproto -DHAVE_CONFIG_H -g -O0 -Wall -Wextra -Wshadow
-Wmissing-prototypes -Wunreachable-code -U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=1 -g -O0 -fsanitize=address -fno-omit-frame-pointer
-DEXITFREE -o objects/message_test.o message_test.c
gcc -c -I. -Iproto -DHAVE_CONFIG_H -g -O0 -Wall -Wextra -Wshadow
-Wmissing-prototypes -Wunreachable-code -U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=1 -g -O0 -fsanitize=address -fno-omit-frame-pointer
-DEXITFREE version.c -o objects/version.o
link.sh: $LINK_AS_NEEDED set to 'yes': invoking linker directly.
gcc -L/usr/local/lib -Wl,--as-needed -o message_test
objects/arabic.o objects/buffer.o objects/blowfish.o objects/charset.o
objects/crypt.o objects/crypt_zip.o objects/dict.o objects/diff.o
objects/digraph.o objects/edit.o objects/eval.o objects/evalfunc.o
objects/ex_cmds.o objects/ex_cmds2.o objects/ex_docmd.o
objects/ex_eval.o objects/ex_getln.o objects/farsi.o objects/fileio.o
objects/fold.o objects/getchar.o objects/hardcopy.o objects/hashtab.o
objects/if_cscope.o objects/if_xcmdsrv.o objects/list.o objects/mark.o
objects/memline.o objects/menu.o objects/misc1.o objects/misc2.o
objects/move.o objects/mbyte.o objects/normal.o objects/ops.o
objects/option.o objects/os_unix.o objects/pathdef.o
objects/popupmnu.o objects/quickfix.o objects/regexp.o
objects/screen.o objects/search.o objects/sha256.o objects/spell.o
objects/syntax.o objects/tag.o objects/term.o objects/ui.o
objects/undo.o objects/userfunc.o objects/version.o objects/window.o
objects/netbeans.o objects/channel.o objects/json.o
objects/memfile.o objects/message_test.o -lSM -lICE -lXpm -lXt
-lX11 -lXdmcp -lSM -lICE -lm -ltinfo -lnsl -lselinux -lacl -lattr
-lgpm -ldl -g -O0 -fsanitize=address -fno-omit-frame-pointer
link.sh: Linked fine
./message_test
=================================================================
==12311==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000009878ff at pc 0x000000656c25 bp 0x7fff79da7820 sp
0x7fff79da7810
READ of size 1 at 0x0000009878ff thread T0
#0 0x656c24 in utf_head_off /home/dope/sb/vim/src/mbyte.c:3740
#1 0x8d3d11 in trunc_string /home/dope/sb/vim/src/message.c:300
#2 0x8e0107 in test_trunc_string /home/dope/sb/vim/src/message_test.c:63
#3 0x8e0258 in main /home/dope/sb/vim/src/message_test.c:77
#4 0x7f48b066dabf in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
#5 0x406168 in _start (/home/dope/sb/vim/src/message_test+0x406168)
0x0000009878ff is located 34 bytes to the right of global variable
'*.LC114' defined in 'message_test.c' (0x9878a0) of size 61
'*.LC114' is ascii string 'strcmp((char *)(buf), (char *)("a text
t...nott fits")) == 0'
0x0000009878ff is located 1 bytes to the left of global variable
'*.LC115' defined in 'message_test.c' (0x987900) of size 17
'*.LC115' is ascii string 'a text that fits'
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/dope/sb/vim/src/mbyte.c:3740 utf_head_off
Shadow bytes around the buggy address:
0x000080128ec0: 05 f9 f9 f9 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
0x000080128ed0: 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9 00 05 f9 f9
0x000080128ee0: f9 f9 f9 f9 00 00 00 00 00 00 05 f9 f9 f9 f9 f9
0x000080128ef0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 05
0x000080128f00: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 05 f9
=>0x000080128f10: f9 f9 f9 f9 00 00 00 00 00 00 00 05 f9 f9 f9[f9]
0x000080128f20: 00 00 01 f9 f9 f9 f9 f9 00 00 00 00 07 f9 f9 f9
0x000080128f30: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 02 f9
0x000080128f40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x000080128f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080128f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==12311==ABORTING
Makefile:2002: recipe for target 'run_message_test' failed
make: *** [run_message_test] Aborted
--
You received this message from the "vim_dev" maillist.
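To illustrate the point made in the reply about Valgrind versus ASan, here is an added example that is not code from this thread or from Vim: a hypothetical backward scan over a global string (modelled loosely on "find the head byte of the current character") that reads one byte before the buffer when the string begins with a UTF-8 continuation byte, next to a bounded version that takes the buffer start. Built with `-fsanitize=address`, the unbounded call aborts with a global-buffer-overflow, READ of size 1, located 1 byte to the left of the global, the same shape as the report above; under Valgrind's memcheck the same read is not reported because the byte lives in the data segment, not in a tracked heap block. The function names, the sample strings and the scan itself are assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample inputs (global, NUL-terminated). ASan surrounds every
 * global with redzones (shadow byte f9 in the report above), so touching
 * the byte just before or after one is flagged. Valgrind's memcheck only
 * tracks heap blocks, so the same read of a static byte goes unreported. */
const char ascii_sample[]     = "a text that fits";
const char utf8_sample[]      = "caf\xC3\xA9!";   /* "café!", é is C3 A9 */
const char malformed_sample[] = "\xA9xyz";         /* starts with a stray continuation byte */

/* A UTF-8 continuation byte has the bit pattern 10xxxxxx. */
static int is_continuation(unsigned char c)
{
    return (c & 0xC0) == 0x80;
}

/* Hypothetical defective scan: step backwards from p while the current
 * byte is a continuation byte, to find the head of the character p lies
 * in. It never learns where the buffer starts, so for an input whose first
 * byte is a continuation byte it reads the byte below the buffer: a 1-byte
 * READ to the left of the global. */
size_t head_off_unbounded(const char *p)
{
    const char *q = p;
    while (is_continuation((unsigned char)*q))
        --q;                       /* can walk past the buffer start */
    return (size_t)(p - q);
}

/* Hardened scan: the caller passes the buffer start and the loop never
 * dereferences below it. A malformed leading continuation byte simply
 * yields offset 0 instead of an out-of-bounds read. */
size_t head_off_bounded(const char *base, const char *p)
{
    const char *q = p;
    while (q > base && is_continuation((unsigned char)*q))
        --q;
    return (size_t)(p - q);
}

int main(void)
{
    /* Bounded version: the continuation byte at index 4 of utf8_sample
     * belongs to the head byte at index 3, so the offset is 1. */
    printf("bounded offset in utf8_sample at +4: %zu\n",
           head_off_bounded(utf8_sample, utf8_sample + 4));
    printf("bounded offset in malformed_sample at +0: %zu\n",
           head_off_bounded(malformed_sample, malformed_sample));

    /* Unbounded version on the malformed input. Build with
     *   gcc -g -O0 -fsanitize=address -fno-omit-frame-pointer demo.c
     * and ASan aborts here: global-buffer-overflow, READ of size 1,
     * "1 bytes to the left of global variable 'malformed_sample'".
     * A plain build silently reads whatever byte precedes the array, and
     * valgrind ./a.out prints no error for it either. */
    printf("unbounded offset in malformed_sample: %zu\n",
           head_off_unbounded(malformed_sample));
    return 0;
}
```

The hardened variant is the usual shape of the fix for this family of bugs: the scan is given the buffer start as an explicit parameter and the bound check comes before the dereference in the loop condition, so the last in-bounds byte is the last one ever read.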