[Toybox] asan is your friend

enh enh at google.com
Fri Jul 15 19:24:22 PDT 2022


I saw you complaining about memory errors on your blog, talking about
writing your own infrastructure... why not just `export ASAN=1`?

/tmp$ git clone https://github.com/landley/toybox.git toybox
Cloning into 'toybox'...
remote: Enumerating objects: 25806, done.
remote: Counting objects: 100% (2750/2750), done.
remote: Compressing objects: 100% (905/905), done.
remote: Total 25806 (delta 1933), reused 2165 (delta 1833), pack-reused 23056
Receiving objects: 100% (25806/25806), 11.12 MiB | 7.71 MiB/s, done.
Resolving deltas: 100% (18574/18574), done.
/tmp$ cd toybox/
/tmp/toybox$ vi .config
/tmp/toybox$ export ASAN=1
/tmp/toybox$ make
scripts/make.sh

warning: using unfinished code from toys/pending
generated/{flags.h}
Compile
toybox......................................................................................................................toys/pending/diff.c: In function 'do_diff':
toys/pending/diff.c:621:14: warning: variable 'b' set but not used [-Wunused-but-set-variable]
  621 |       long a,b;
      |              ^
......................toys/posix/grep.c: In function 'do_grep':
toys/posix/grep.c:208:26: warning: 'regexec0' accessing 8 bytes in a region of size 4 [-Wstringop-overflow=]
  208 |               shoe->rc = regexec0(&shoe->r, start, ulen-(start-line), 1,
      |                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  209 |                                   &shoe->m, start==line ? 0 : REG_NOTBOL);
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
toys/posix/grep.c:208:26: note: referencing argument 5 of type 'regmatch_t *'
In file included from ./toys.h:70,
                 from toys/posix/grep.c:68:
./lib/lib.h:272:5: note: in a call to function 'regexec0'
  272 | int regexec0(regex_t *preg, char *string, long len, int nmatch,
      |     ^~~~~~~~
.....toys/pending/diff.c: At top level:
cc1: note: unrecognized command-line option '-Wno-string-plus-int' may have been intended to silence earlier diagnostics
.........toys/posix/grep.c: At top level:
cc1: note: unrecognized command-line option '-Wno-string-plus-int' may have been intended to silence earlier diagnostics
............................
/tmp/toybox$ seq 1 100000 > one
/tmp/toybox$ seq 1 4 100000 > two
/tmp/toybox$ ./toybox diff -u one two > /dev/null
=================================================================
==2475581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000000f at pc 0x7fa9e6019ab7 bp 0x7fffa8f4a9b0 sp 0x7fffa8f4a160
READ of size 1 at 0x60200000000f thread T0
    #0 0x7fa9e6019ab6 in printf_common ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:553
    #1 0x7fa9e601a1ca in __interceptor_vprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1660
    #2 0x7fa9e601a2a6 in __interceptor_printf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1718
    #3 0x560bf7b183d7 in show_label toys/pending/diff.c:548

0x60200000000f is located 1 bytes to the left of 4-byte region [0x602000000010,0x602000000014)
allocated by thread T0 here:
    #0 0x7fa9e606c7cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x560bf7ad1bbb in xmalloc lib/xwrap.c:71
    #2 0x560bf7b182af in quote_filename toys/pending/diff.c:537
    #3 0x560bf7b183a4 in show_label toys/pending/diff.c:547
    #4 0x560bf7b190ed in do_diff toys/pending/diff.c:610
    #5 0x560bf7b1b258 in diff_main toys/pending/diff.c:837
    #6 0x560bf7ad68c0 in toy_exec_which /tmp/toybox/main.c:220
    #7 0x560bf7ad6ad6 in toybox_main /tmp/toybox/main.c:246
    #8 0x560bf7ad68c0 in toy_exec_which /tmp/toybox/main.c:220
    #9 0x560bf7ad6ad6 in toybox_main /tmp/toybox/main.c:246
    #10 0x560bf7abe776 in main /tmp/toybox/main.c:293
    #11 0x7fa9e5caa7fc in __libc_start_main ../csu/libc-start.c:332

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:553 in printf_common
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa[fa]04 fa fa fa 00 03 fa fa 00 03 fa fa fd fd
  0x0c047fff8010: fa fa 00 07 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2475581==ABORTING
/tmp/toybox$
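As an added example (not toybox's code, and not the actual defect in diff.c's quote_filename, which this message does not show), here is a constructed C analogue of the class of bug ASan flagged above: a read one byte to the left of a heap allocation, beside the bounds-checked version. The function names and inputs are made up for illustration. Build with `cc -fsanitize=address -g example.c` and ASan reports a heap-buffer-overflow on the empty-name case; built without the sanitizer, the stray read usually goes unnoticed, which is why the report above is worth having.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed analogue of the bug class in the ASan report above: a label
 * helper that peeks one byte before the start of a heap allocation.
 * Hypothetical code for illustration, not toybox's quote_filename(). */

/* Buggy: strips a trailing '/' by looking at name[len-1] without first
 * checking that len > 0. For an empty name that reads name[-1], one byte to
 * the left of the caller's heap buffer. With -fsanitize=address ASan reports
 * "heap-buffer-overflow ... located 1 bytes to the left of N-byte region". */
char *quote_filename_buggy(const char *name)
{
  size_t len = strlen(name);
  int quote = strchr(name, ' ') != NULL;   /* wrap names with spaces in quotes */
  char *out;

  if (name[len-1] == '/') len--;           /* BUG: reads name[-1] when len == 0 */
  out = malloc(len + 3);                   /* two quotes + NUL */
  if (!out) abort();
  snprintf(out, len + 3, "%s%.*s%s", quote ? "\"" : "", (int)len, name,
           quote ? "\"" : "");
  return out;
}

/* Fixed: check the length before indexing backwards from the end. */
char *quote_filename_fixed(const char *name)
{
  size_t len = strlen(name);
  int quote = strchr(name, ' ') != NULL;
  char *out;

  if (len && name[len-1] == '/') len--;    /* bounds check added */
  out = malloc(len + 3);
  if (!out) abort();
  snprintf(out, len + 3, "%s%.*s%s", quote ? "\"" : "", (int)len, name,
           quote ? "\"" : "");
  return out;
}

int main(void)
{
  /* Constructed inputs; the empty string is the one that trips the bug. */
  const char *inputs[] = { "one", "my file/", "" };
  size_t i;

  for (i = 0; i < sizeof(inputs)/sizeof(*inputs); i++) {
    /* heap copy so the stray read lands in a heap redzone ASan can see */
    char *name = strdup(inputs[i]);
    char *q;

    if (!name) abort();
    q = quote_filename_fixed(name);
    printf("fixed: [%s]\n", q);
    free(q);
    q = quote_filename_buggy(name);        /* ASan aborts here on the "" case */
    printf("buggy: [%s]\n", q);
    free(q);
    free(name);
  }
  return 0;
}
```

The only difference between the two functions is the `len &&` guard; everything else is identical, so a diff of the two is exactly the fix ASan's "1 bytes to the left" wording points at. Trailing-character trims, "skip the last separator" loops and `p[-1]` peeks are the usual sources of this report.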