Skip to content

AddressSanitizerFoundBugs

Kostya Serebryany edited this page Oct 15, 2015 · 25 revisions

Chromium, WebKit Safari, iTunes

Chromium's asan bot: http://build.chromium.org/p/chromium.memory/console

Mozilla

See also http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14

Opera

DNA-15927

vlc

https://trac.videolan.org/vlc/query?status=assigned&status=closed&status=new&status=reopened&reporter=mikispag&order=priority

ffmpeg

Some (but not all) bugs found in ffmpeg:

ffmpeg's asan bot: http://fate.libav.org/x86_64-linux-clang-asan

FreeType

bash

https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

webrtc

perl

libcurl

php

libreoffice

MySQL

RocksDB

PostgreSQL

http://postgresql.1045698.n5.nabble.com/pgsql-Avoid-potential-buffer-overflow-crash-td5779963.html

Hypertable

https://github.com/hypertable/hypertable/commit/237f170de93ceda11560f87970c4494a8790e0d9

vim

http://www.mail-archive.com/[email protected]/msg15549.html

libpango

LLVM

GCC

Go

Tor

Impala

GNU Coreutils

Unsorted

Spec CPU 2006

Use-after-free in 400.perlbench (a pointer is used after it is passed to realloc).

READ of size 1 at 0x00000000023b7413 thread T0 (bad: 0x00002000008edd04; shadow: 0x0000100000476e82)
    #0 0x66490a in Perl_sv_setpvn sv.c:4127
    #1 0x45766c in Perl_magic_get mg.c:772
    #2 0x453bcb in Perl_mg_get mg.c:169
    #3 0x669fb8 in Perl_sv_setsv_flags sv.c:3796
    #4 0x684c3f in Perl_sv_mortalcopy sv.c:6748
    #5 0x56fedd in Perl_pp_leaveeval pp_ctl.c:3486
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
    #10 0x403519 in _start ??:0
0x00000000023b7413 is located 3 bytes inside of 5-byte region [0x00000000023b7410,0x00000000023b7415)
freed by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x66c3f5 in Perl_sv_setsv_flags sv.c:4012
    #4 0x5735e8 in Perl_pp_sassign pp_hot.c:122
    #5 0x635d44 in Perl_runops_standard run.c:37
    #6 0x4d2ad6 in S_run_body perl.c:2017
    #7 0x4f9077 in main perlmain.c:100
    #8 0x7fa3900e2c4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x6745f5 in Perl_sv_catpvn_flags sv.c:4376
    #4 0x675027 in Perl_sv_catsv_flags sv.c:4460
    #5 0x5402a3 in Perl_pp_substcont pp_ctl.c:190
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0

global-buffer-overflow in memcmp("perlio", "unix", 6):

==17858== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006af025 at pc 0x426478 bp 0x7fffb37ffe40 sp 0x7fffb37ffe18
READ of size 6 at 0x0000006af025 thread T0
    #0 0x426477 in __interceptor_memcmp _asan_rtl_
    #1 0x4bf792 in PerlIO_find_layer perlio.c:751
    #2 0x4c0ab2 in PerlIO_default_buffer perlio.c:1015
    #3 0x4c1171 in PerlIO_default_layers perlio.c:1113
    #4 0x4c255d in PerlIO_resolve_layers perlio.c:1433
    #5 0x4c3289 in PerlIO_openn perlio.c:1519
    #6 0x4c1410 in PerlIO_fdopen perlio.c:4745
    #7 0x4cfca1 in Perl_PerlIO_stdin perlio.c:4686
    #8 0x4b57df in S_open_script perl.c:3348
    #9 0x4d13f7 in main perlmain.c:96
    #10 0x7fcab450876c in __libc_start_main libc-start.c:226
    #11 0x4359b4 in _start ??:0
0x0000006af025 is located 59 bytes to the left of global variable '.str39 (perlio.c)' (0x6af060) of size 3
  '.str39 (perlio.c)' is ascii string 'r+'
0x0000006af025 is located 0 bytes to the right of global variable '.str38 (perlio.c)' (0x6af020) of size 5
  '.str38 (perlio.c)' is ascii string 'unix'
Shadow bytes around the buggy address:

Stack buffer overflow in 464.h264ref:

int k, satd = 0, m[16], dd, d[16];
...
for (dd=d[k=0]; k<16; dd=d[++k])
                         ^^^^^^
// On the last iteration, d[++k] reads d[16], one element after the array boundary.

READ of size 4 mem: 0x00007fff516bd140 thread T0
#0 0x506211 in SATD mv-search.c:1093
#1 0x509524 in SubPelBlockMotionSearch mv-search.c:1398
#2 0x527300 in BlockMotionSearch mv-search.c:2672
#3 0x53091e in PartitionMotionSearch mv-search.c:3272
...
Address 0x00007fff516bd140 is inside T0's stack

See also: http://www.spec.org/cpu2006/Docs/faq.html#Run.05

Global buffer overflow in 464.h264ref:

context_ini.c:222:
BIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_BCBP_CTX, tc->bcbp_contexts,    INIT_BCBP,      img->model_number);

READ of size 4 at 0x00000000005ec1c0 thread T0
    #0 0x4139cf in biari_init_context biariencode.c:334
    #1 0x43f8f3 in init_contexts context_ini.c:222
    #2 0x5a6f33 in start_slice slice.c:118
    #3 0x5a93b7 in encode_one_slice slice.c:223
    #4 0x466d7a in code_a_picture image.c:236
    #5 0x4728c0 in frame_picture image.c:800
    #6 0x4696ef in encode_one_frame image.c:411
    #7 0x48167d in main lencod.c:413
0x00000000005ec1c0 is located 0 bytes to the right of global variable 'INIT_BCBP_I' (0x5ec0c0) of size 256

Clone this wiki locally