Bug: realloc of globalnames by addstr results in heap-use-after-free #47
Labels
Comments
|
FYI: The follow patch does NOT fix this problem .. it only "kicks the can down the road" far enough for calc/regeess.cal (i.e., make chk) to not trigger the reallocation of globalnames bug: diff --git a/str.c b/str.c #define STR_TABLECHUNK 100 /* how often to reallocate string table / We will likely increate the STR_CHUNK size away in a future release. Nevertheless this bug needs to be fixed. |
|
FYI: We are using the following lines in Makefile.local to invoke clang AddressSanitizer on macOS 12.1: CFLAGS+= -fsanitize=address -fno-omit-frame-pointer |
|
You might want to try some of the other sanitizers too. For example: |
|
We found that gcc version 4.8.5 with libasan-4.8.5-4, only this was supported:
On macOS 12.1 with clang version 13.0.0 (clang-1300.0.29.30), only this was supported:
We didn't find (yet) an instance where -fsanitize=memory was supported. Thanks for the suggestions: We added some to the Makefile.local at the top of the master branch. |
|
We recommend debugging the realloc problem with the following patch: The issue can be triggered faster by lowering the value of both STR_TABLECHUNK and STR_CHUNK |
|
You may not be able to run |
|
Thanks |
lcn2
changed the title
lcn2
changed the title
|
When the following patch: is applied to the top of the calc master bench (for what will be calc version 2.14.1.4) The output of: make check > debug.out.txt 2>&1is attached here: |
STATUS UPDATE for RHEL 9.2 calc v2.15.0.1Under RHEL 9.2 with calc v2.15.0.1 source with clang version 15.0.7 (Red Hat 15.0.7-2.el9), adding these lines to CFLAGS+= -fsanitize=address
LDFLAGS+= -fsanitize=addressdoing a Under RHEL 9.2 with calc v2.15.0.1 source with clang version 15.0.7 (Red Hat 15.0.7-2.el9), adding these lines to CFLAGS+= -fsanitize=address -fno-omit-frame-pointer
LDFLAGS+= -fsanitize=address -fno-omit-frame-pointerdoing a |
|
BTW, side note: for your own sanity, you might want to use https://gist.github.com/ for storing long blobs of text like that for future reference. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When compiling calc with clang on macOS AND with the following in Makefile.local:
Running 'make chk' results calc reporting:
AddressSanitizer: heap-use-after-free
See issue.txt for details.
The problem here is that when addglobal() (see addglobal symbol.c:122):
and then addstr() does a realloc (see addstr str.c:115):
pointers into that global block become BOGUS. Normally symbols are located within globalnames by an offset, which is correct. Something in calc is doing the wrong thing and is retaining a pointer into globalnames when it should use an offset instead.
Realloc is allowed to move the memory block, so global symbol lookup should use an OFFSET into globalnames, NOT pointers!
This bug is triggered when lots of global symbols are defined. This happens, for example, when the cal/regress.cal code is run. Because of the extensive script use, enough global symbols are defined that the initial global symbol block is filled and realloc() can move it.
Triggering this bug is highly dependent on the libc allocator, so your kilometer-age may vary. :-)
Nevertheless, the issue of realloc in calc should be carefully examined when it goes to larger blocks such as that for globalnames.
While this bug was first observed in v2.14.0.14, it appears this bug goes way back to pre-1999. Thanks to clang, we have identified this flaw and intend to correct it.
Comments, and bug fix patches are welcome!
The text was updated successfully, but these errors were encountered: