AddressSanitizer: stack-buffer-underflow in doh unit test
The doh unit test failed the GCC ASAN CI job on main (!4680 (merged)):
[==========] Running 8 test(s).
[ RUN ] mock_doh_uv_tcp_bind
[ OK ] mock_doh_uv_tcp_bind
[ RUN ] doh_parse_GET_query_string
[ OK ] doh_parse_GET_query_string
[ RUN ] doh_base64url_to_base64
[ OK ] doh_base64url_to_base64
[ RUN ] doh_base64_to_base64url
[ OK ] doh_base64_to_base64url
[ RUN ] doh_noop_POST
[ OK ] doh_noop_POST
[ RUN ] doh_noop_GET
[ OK ] doh_noop_GET
[ RUN ] doh_noresponse_POST
=================================================================
==3435==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f9fa3a733e0 at pc 0x7f9fab1a28ae bp 0x7f9fa3a730c0 sp 0x7f9fa3a72870
READ of size 152 at 0x7f9fa3a733e0 thread T7
#0 0x7f9fab1a28ad in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x378ad)
#1 0x7f9faac89948 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40
#2 0x7f9faac89948 in isc___nmhandle_get netmgr/netmgr.c:1404
#3 0x556d0cb6cd3c in failed_httpstream_read_cb ../netmgr/http.c:2204
#4 0x556d0cb75262 in failed_read_cb ../netmgr/http.c:2237
#5 0x556d0cb76057 in https_readcb ../netmgr/http.c:696
#6 0x7f9faac979fb in isc__nm_async_readcb netmgr/netmgr.c:1978
#7 0x7f9faac99bfc in process_netievent netmgr/netmgr.c:742
#8 0x7f9faac9a985 in process_queue netmgr/netmgr.c:765
#9 0x7f9faac9a985 in process_normal_queue netmgr/netmgr.c:651
#10 0x7f9faac9b708 in process_queues netmgr/netmgr.c:659
#11 0x7f9faac9b708 in async_cb netmgr/netmgr.c:617
#12 0x7f9faa995667 (/usr/lib/x86_64-linux-gnu/libuv.so.1+0x10667)
#13 0x7f9faa9a44af in uv__io_poll (/usr/lib/x86_64-linux-gnu/libuv.so.1+0x1f4af)
#14 0x7f9faa995f84 in uv_run (/usr/lib/x86_64-linux-gnu/libuv.so.1+0x10f84)
#15 0x7f9faac9b4a4 in nm_thread netmgr/netmgr.c:557
#16 0x7f9faa961fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
#17 0x7f9fa99ab4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
Address 0x7f9fa3a733e0 is located in stack of thread T7 at offset 0 in frame
#0 0x556d0cb7460e in failed_read_cb ../netmgr/http.c:2212
This frame has 1 object(s):
[32, 48) '<unknown>' <== Memory access at offset 0 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Thread T7 created by T0 here:
#0 0x7f9fab1bbdb0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x7f9faae11e1e in isc_thread_create pthreads/thread.c:73
#2 0x7f9faac83b1b in isc_nm_start netmgr/netmgr.c:290
#3 0x556d0cb6fa57 in nm_setup /builds/isc-projects/bind9/lib/isc/tests/doh_test.c:242
#4 0x7f9fab1631e2 (/usr/lib/x86_64-linux-gnu/libcmocka.so.0+0x51e2)
SUMMARY: AddressSanitizer: stack-buffer-underflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x378ad) in __interceptor_memmove
Shadow bytes around the buggy address:
0x0ff474746620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff474746630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff474746640: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2
0x0ff474746650: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff474746660: 00 00 00 00 00 00 00 f2 f3 f3 f3 f3 00 00 00 00
=>0x0ff474746670: 00 00 00 00 00 00 00 00 00 00 00 00[f1]f1 f1 f1
0x0ff474746680: 00 00 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x0ff474746690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x0ff4747466a0: f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f3 f3
0x0ff4747466b0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff4747466c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3435==ABORTING
Aborted (core dumped)
I:doh_test:Core dump found: ./core.3435
D:doh_test:backtrace from ./core.3435 start
[New LWP 4080]
[New LWP 3435]
[New LWP 4081]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/builds/isc-projects/bind9/lib/isc/tests/.libs/doh_test'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
[Current thread is 1 (Thread 0x7f9fa3a78700 (LWP 4080))]
Thread 3 (Thread 0x7f9fa43bc700 (LWP 4081)):
#0 0x00007f9fa99ab62e in __GI_epoll_pwait (epfd=9, events=0x7f9fa43b7b70, maxevents=1024, timeout=-1, set=0x0) at ../sysdeps/unix/sysv/linux/epoll_pwait.c:42
resultvar = 18446744073709551612
sc_cancel_oldtype = 0
sc_ret = <optimized out>
#1 0x00007f9faa9a4399 in uv.io_poll () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#2 0x00007f9faa995f85 in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#3 0x00007f9faac9b4a5 in nm_thread (worker0=0x61a000003c80) at netmgr/netmgr.c:557
r = <optimized out>
worker = 0x61a000003c80
mgr = <optimized out>
#4 0x00007f9faa961fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
ret = <optimized out>
pd = <optimized out>
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140323631908608, 5557245483701016146, 140731872626558, 140731872626559, 140323631908608, 106858786326352, -5611479476276521390, -5611458202648013230}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#5 0x00007f9fa99ab4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
Thread 2 (Thread 0x7f9fa72ef980 (LWP 3435)):
#0 0x00007f9fa9978720 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffeb146d470, remaining=remaining@entry=0x0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
resultvar = 18446744073709551100
sc_cancel_oldtype = 0
sc_ret = <optimized out>
#1 0x00007f9fa99a3874 in usleep (useconds=useconds@entry=10000) at ../sysdeps/posix/usleep.c:32
ts = {tv_sec = 0, tv_nsec = 10000000}
#2 0x00007f9faac86514 in isc_nm_destroy (mgr0=0x60300004d740) at netmgr/netmgr.c:488
mgr = 0x612000243340
counter = 21
references = <optimized out>
#3 0x0000556d0cb6f175 in nm_teardown (state=<optimized out>) at doh_test.c:259
i = 0
nm = 0x60300004d740
#4 0x00007f9fab16321e in ?? () from /usr/lib/x86_64-linux-gnu/libcmocka.so.0
No symbol table info available.
#5 0x00007f9fab163b88 in _cmocka_run_group_tests () from /usr/lib/x86_64-linux-gnu/libcmocka.so.0
No symbol table info available.
#6 0x0000556d0cb9737e in main () at doh_test.c:1754
tests_short = <optimized out>
tests_long = <optimized out>
Thread 1 (Thread 0x7f9fa3a78700 (LWP 4080)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
set = {__val = {0, 0, 0, 0, 0, 0, 0, 0, 3399988123389603631, 3399988123389603631, 140323569084922, 20, 140320876527616, 140323748018736, 140323622162800, 140320876527616}}
pid = <optimized out>
tid = <optimized out>
ret = <optimized out>
#1 0x00007f9fa98d4535 in __GI_abort () at abort.c:79
save_stage = 1
act = {__sigaction_handler = {sa_handler = 0x0, sa_sigaction = 0x0}, sa_mask = {__val = {0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 140323748030499, 140323622171616, 140323622171616, 152, 152, 0}}, sa_flags = -1549328384, sa_restorer = 0x7f9fabf306d8}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f9fab271e6b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#3 0x00007f9fab279ed8 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#4 0x00007f9fab25e97d in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#5 0x00007f9fab1a28d0 in memmove () from /usr/lib/x86_64-linux-gnu/libasan.so.5
No symbol table info available.
#6 0x00007f9faac89949 in memmove (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at netmgr/netmgr.c:1404
No locals.
#7 isc___nmhandle_get (sock=0x61c000010880, peer=<optimized out>, local=<optimized out>) at netmgr/netmgr.c:1404
handle = 0x61300002fec0
handlenum = <optimized out>
pos = <optimized out>
#8 0x0000556d0cb6cd3d in failed_httpstream_read_cb (sock=0x61c000010880, result=<optimized out>, session=0x6310000c8800) at ../netmgr/http.c:2204
handle = <optimized out>
addr = <optimized out>
#9 0x0000556d0cb75263 in failed_read_cb (result=<optimized out>, session=0x6310000c8800) at ../netmgr/http.c:2237
h2data = 0x61c000010958
#10 0x0000556d0cb76058 in https_readcb (handle=<optimized out>, result=20, region=0x7f9fa3a73550, data=0x6310000c8800) at ../netmgr/http.c:696
session = 0x6310000c8800
readlen = <optimized out>
#11 0x00007f9faac979fc in isc__nm_async_readcb (worker=worker@entry=0x61a000003680, ev0=ev0@entry=0x61300001c900) at netmgr/netmgr.c:1978
ievent = 0x61300001c900
sock = 0x61c000010080
uvreq = <optimized out>
eresult = 20
region = <optimized out>
#12 0x00007f9faac99bfd in process_netievent (worker=worker@entry=0x61a000003680, ievent=0x61300001c900) at netmgr/netmgr.c:742
No locals.
#13 0x00007f9faac9a986 in process_queue (queue=0x614000004280, worker=0x61a000003680) at netmgr/netmgr.c:765
ievent = <optimized out>
ievent = <optimized out>
#14 process_normal_queue (worker=worker@entry=0x61a000003680) at netmgr/netmgr.c:651
No locals.
#15 0x00007f9faac9b709 in process_queues (worker=0x61a000003680) at netmgr/netmgr.c:659
No locals.
#16 async_cb (handle=<optimized out>) at netmgr/netmgr.c:617
worker = 0x61a000003680
#17 0x00007f9faa995668 in ?? () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#18 0x00007f9faa9a44b0 in uv.io_poll () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#19 0x00007f9faa995f85 in uv_run () from /usr/lib/x86_64-linux-gnu/libuv.so.1
No symbol table info available.
#20 0x00007f9faac9b4a5 in nm_thread (worker0=0x61a000003680) at netmgr/netmgr.c:557
r = <optimized out>
worker = 0x61a000003680
mgr = <optimized out>
#21 0x00007f9faa961fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
ret = <optimized out>
pd = <optimized out>
now = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140323622192896, 5557245483701016146, 140731872626558, 140731872626559, 140323622192896, 106858786326800, -5611474019520571822, -5611458202648013230}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#22 0x00007f9fa99ab4cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.
D:doh_test:backtrace from ./core.3435 end
FAIL doh_test (exit status: 134)