On 11.11.2024 15:51, Prasad Pandit wrote:
> On Mon, 11 Nov 2024 at 17:41, Дмитрий Фролов <[email protected]> wrote:
>> Above loop dereferences the pointer env, which is pointing to
>> the memory area, which is not allowed to read.
>
> * Not allowed to read environment variables? Is it because
> Debian/clang does not support the '**envp' parameter? Is '**envp' set
> to NULL on Debian? If '**envp' is not supported, then the compiler
> should throw an error at build time, no?

Not allowed to read the exact memory area, because it is marked as freed.
I am pointing out 2 facts:
1. "env" is Microsoft's extension, not a standard
2. There is an exact example, where standards violation raises
undefined behavior: debian13/clang16

> * If this is about Debian not supporting '**envp' parameter, then
> it'll help if the commit message says "...Debian does not support this
> non-standard extension and crashes QEMU".

Since this is UB, it does not matter if a crash happens or not.
ASAN just helps to highlight the hidden problem.

> The asan error makes it sound like the patch fixes the use-after-free issue.

I didn't want to confuse anybody, but this is exactly
what is actually happening (see log below).

> What happens if the -lasan is not used? Does it still crash QEMU?
>
> Thank you.
> ---
> - Prasad

When sanitizers are disabled, qos-test passes successfully.
qos-test fails when qemu is built with enabled sanitizers
(--enable-asan --enable-ubsan)
==879133==ERROR: AddressSanitizer: heap-use-after-free on address 0x514000000040 at pc 0x55eae79b407c bp 0x7ffd028715d0 sp 0x7ffd028715c8
READ of size 8 at 0x514000000040 thread T0
    #0 0x55eae79b407b in main /home/df/projects/upstream/qemu/build/../tests/qtest/qos-test.c:339:33
    #1 0x7f9011760c89 (/lib/x86_64-linux-gnu/libc.so.6+0x27c89) (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)
    #2 0x7f9011760d44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27d44) (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)
    #3 0x55eae77a5c60 in _start (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x209c60) (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)

0x514000000040 is located 0 bytes inside of 416-byte region [0x514000000040,0x5140000001e0)
freed by thread T0 here:
    #0 0x55eae7840ce9 in __interceptor_realloc (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x2a4ce9) (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)
    #1 0x7f901177b596 (/lib/x86_64-linux-gnu/libc.so.6+0x42596) (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)

previously allocated by thread T0 here:
    #0 0x55eae7840ce9 in __interceptor_realloc (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x2a4ce9) (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)
    #1 0x7f901177b596 (/lib/x86_64-linux-gnu/libc.so.6+0x42596) (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)

SUMMARY: AddressSanitizer: heap-use-after-free /home/df/projects/upstream/qemu/build/../tests/qtest/qos-test.c:339:33 in main
Shadow bytes around the buggy address:
0x513ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x513ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x513ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x513fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x513fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x514000000000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
0x514000000080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x514000000100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x514000000180: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x514000000200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x514000000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==879133==ABORTING
Aborted
With best regards,
Dmitry.
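An added example, not code from this thread or from QEMU's qos-test.c, of the hazard discussed above: the `env`/`envp` argument of main() points into the C library's environment array, and setenv(3) may realloc() that array (the report shows exactly such a free from `__interceptor_realloc`), so walking the old pointer afterwards is a heap use-after-free. The safe patterns are to deep-copy the array before anything modifies the environment, or to read the live `environ` afterwards; it assumes a POSIX libc such as glibc, and the variable name QOS_EXAMPLE_VAR and all function names are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* declares setenv(), strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;   /* the live environment array, always current */

/* Number of "KEY=VALUE" entries in a NULL-terminated environment array. */
size_t env_count(char **env)
{
    size_t n = 0;
    while (env && env[n]) n++;
    return n;
}

/* Deep-copy an environment array. The copy stays valid even after the C
 * library realloc()s its own array, which is what the ASan report shows. */
char **env_snapshot(char **env)
{
    size_t n = env_count(env);
    char **copy = calloc(n + 1, sizeof(*copy));
    for (size_t i = 0; copy && i < n; i++) copy[i] = strdup(env[i]);
    return copy;
}

void env_snapshot_free(char **copy)
{
    for (size_t i = 0; copy && copy[i]; i++) free(copy[i]);
    free(copy);
}

/* Look up KEY in an environment array; returns its value or NULL. */
const char *env_lookup(char **env, const char *key)
{
    size_t klen = strlen(key);
    for (; env && *env; env++) {
        if (strncmp(*env, key, klen) == 0 && (*env)[klen] == '=') return *env + klen + 1;
    }
    return NULL;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc; (void)argv;
    char **snap = env_snapshot(envp);   /* copy BEFORE anything calls setenv() */
    setenv("QOS_EXAMPLE_VAR", "1", 1);  /* constructed name; may realloc environ, leaving envp stale */
    /* Walk the snapshot or the live environ here, never the old envp. */
    printf("before: %zu entries, after: %zu\n", env_count(snap), env_count(environ));
    env_snapshot_free(snap);
    return 0;
}
```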