Attachment 13162 Details for Bug 12748 – address sanitizer stack trace

address sanitizer stack trace

samba-cleanupdb-buffer-overread-asan.txt (text/plain), 3.43 KB, created by Hanno Böck on 2017-04-19 09:02:40 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Hanno Böck

Created: 2017-04-19 09:02:40 UTC

Size: 3.43 KB

patch

obsolete

>=================================================================
>==19205==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc4680b404 at pc 0x7f5be49269df bp 0x7ffc4680b0e0 sp 0x7ffc4680a890
>READ of size 8 at 0x7ffc4680b404 thread T0
>    #0 0x7f5be49269de  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x5d9de)
>    #1 0x7f5bd9270053 in tdb_write ../common/io.c:184
>    #2 0x7f5bd9265dab in _tdb_storev ../common/tdb.c:617
>    #3 0x7f5bd926686b in _tdb_store ../common/tdb.c:643
>    #4 0x7f5bd926686b in tdb_store ../common/tdb.c:667
>    #5 0x7f5be155331f in cleanupdb_store_child ../source3/lib/cleanupdb.c:72
>    #6 0x562faaadea66 in remove_child_pid ../source3/smbd/server.c:836
>    #7 0x562faaadea66 in smbd_sig_chld_handler ../source3/smbd/server.c:916
>    #8 0x7f5bdf9747d0 in tevent_common_check_signal ../tevent_signal.c:417
>    #9 0x7f5bdf97a80b in epoll_event_loop ../tevent_epoll.c:647
>    #10 0x7f5bdf97a80b in epoll_event_loop_once ../tevent_epoll.c:930
>    #11 0x7f5bdf974cbe in std_event_loop_once ../tevent_standard.c:114
>    #12 0x7f5bdf968d3d in _tevent_loop_once ../tevent.c:721
>    #13 0x7f5bdf96948a in tevent_common_loop_wait ../tevent.c:844
>    #14 0x7f5bdf974baa in std_event_loop_wait ../tevent_standard.c:145
>    #15 0x562faaad880e in smbd_parent_loop ../source3/smbd/server.c:1384
>    #16 0x562faaad880e in main ../source3/smbd/server.c:2038
>    #17 0x7f5bdf5e81e0 in __libc_start_main (/lib64/libc.so.6+0x201e0)
>    #18 0x562faaad9049 in _start (/usr/sbin/smbd+0x13049)
>
>Address 0x7ffc4680b404 is located in stack of thread T0 at offset 36 in frame
>    #0 0x7f5be155327f in cleanupdb_store_child ../source3/lib/cleanupdb.c:59
>
>  This frame has 1 object(s):
>    [32, 36) 'key' <== Memory access at offset 36 overflows this variable
>HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>      (longjmp and C++ exceptions *are* supported)
>SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x5d9de) 
>Shadow bytes around the buggy address:
>  0x100008cf9630: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4
>  0x100008cf9640: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
>  0x100008cf9650: 00 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
>  0x100008cf9660: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f4 f4 f3 f3
>  0x100008cf9670: f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>=>0x100008cf9680:[04]f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>  0x100008cf9690: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4
>  0x100008cf96a0: f2 f2 f2 f2 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00
>  0x100008cf96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x100008cf96c0: 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2
>  0x100008cf96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07 
>  Heap left redzone:       fa
>  Heap right redzone:      fb
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack partial redzone:   f4
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
>==19205==ABORTING

Actions: View

Attachments on bug 12748: 13161 | 13162 | 13163 | 13164