On 11.11.2024 16:35, Дмитрий Фролов wrote:
>
>
> On 11.11.2024 15:51, Prasad Pandit wrote:
>> On Mon, 11 Nov 2024 at 17:41, Дмитрий Фролов <[email protected]> wrote:
>>> Above loop dereferences the pointer env, which is pointing to
>>> the memory area, which is not allowed to read.
>> * Not allowed to read environment variables? Is it because
>> Debian/clang does not support the '**envp' parameter? Is '**envp' set
>> to NULL on Debian? If '**envp' is not supported, then the compiler
>> should throw an error at build time, no?
> Not allowed to read the exact memory area, because it is marked as freed.
As far as I understand, heap-use-after-free means a situation when code
allocates memory, then frees it, and then accesses it.
Here the code just accesses invalid memory because of nonstandard main()
call convention.

If it is correct, the patch title could be "tests/qtest: make access to
environment variables portable"

--
Alexey

>>> I am pointing on 2 facts:
>>> 1. "env" is Microsoft's extension, not a standard
>>> 2. There is an exact example, where standards violation raises
>>> undefined behavior: debian13/clang16
>>>
>> * If this is about Debian not supporting '**envp' parameter, then
>> it'll help if the commit message says "...Debian does not support this
>> non-standard extension and crashes QEMU". 
> Since this is UB, it does not matter, if a crash happens or not.
> ASAN just helps to highlight the hidden problem.
>  
>> The asan error makes it
>> sound like the patch fixes the use-after-free issue. 
> I didn't want to confuse anybody, but this is exactly
> what is actually happening (see log below).
>
>> What happens if
>> the -lasan is not used? Does it still crash QEMU?
>>
>> Thank you.
>> ---
>>   - Prasad
>>
> When sanitizers are disabled, qos-test passes successfully.
> qos-test fails when qemu is built with sanitizers enabled
> (--enable-asan --enable-ubsan)
>
> ==879133==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x514000000040 at pc 0x55eae79b407c bp 0x7ffd028715d0 sp 0x7ffd028715c8
> READ of size 8 at 0x514000000040 thread T0
>     #0 0x55eae79b407b in main
> /home/df/projects/upstream/qemu/build/../tests/qtest/qos-test.c:339:33
>     #1 0x7f9011760c89  (/lib/x86_64-linux-gnu/libc.so.6+0x27c89)
> (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)
>     #2 0x7f9011760d44 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x27d44) (BuildId:
> 61cf5c68463ab7677fa14f071a036eda24d0cc38)
>     #3 0x55eae77a5c60 in _start
> (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x209c60)
> (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)
>
> 0x514000000040 is located 0 bytes inside of 416-byte region
> [0x514000000040,0x5140000001e0)
> freed by thread T0 here:
>     #0 0x55eae7840ce9 in __interceptor_realloc
> (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x2a4ce9)
> (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)
>     #1 0x7f901177b596  (/lib/x86_64-linux-gnu/libc.so.6+0x42596)
> (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)
>
> previously allocated by thread T0 here:
>     #0 0x55eae7840ce9 in __interceptor_realloc
> (/home/df/projects/upstream/qemu/build/tests/qtest/qos-test+0x2a4ce9)
> (BuildId: 2c9032193c32f574ceec39c89e10b1693e20d69e)
>     #1 0x7f901177b596  (/lib/x86_64-linux-gnu/libc.so.6+0x42596)
> (BuildId: 61cf5c68463ab7677fa14f071a036eda24d0cc38)
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> /home/df/projects/upstream/qemu/build/../tests/qtest/qos-test.c:339:33
> in main
> ==879133==ABORTING
> Aborted
>
>
> With best regards,
> Dmitry.
>
> _______________________________________________
> sdl.qemu mailing list
> [email protected]
> http://linuxtesting.org/cgi-bin/mailman/listinfo/sdl.qemu

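The portable pattern behind the proposed title, as an added example that is not QEMU's qos-test code: read the environment through POSIX `environ`, or through an owned copy, instead of a saved `envp` from the non-standard three-argument `main()`. The `env_snapshot()` / `env_find()` helpers and the `QOS_EXAMPLE_*` variables are assumptions made for this example; the `setenv()` loop stands in for whatever grew the environment (and so triggered the realloc seen in the ASan report) in the real test.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv(), strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char **environ;            /* POSIX: always the live environment array */

static void env_snapshot_free(char **snap)
{
    for (size_t i = 0; snap && snap[i]; i++) free(snap[i]);
    free(snap);                   /* free(NULL) is a no-op */
}

/* Deep-copy the current environment: the copy owns its strings, so it stays
 * valid after setenv() reallocates the array environ (or a saved envp) points at. */
static char **env_snapshot(void)
{
    size_t n = 0;
    while (environ && environ[n]) n++;
    char **copy = calloc(n + 1, sizeof *copy);
    if (!copy) return NULL;
    for (size_t i = 0; i < n; i++) {
        copy[i] = strdup(environ[i]);
        if (!copy[i]) { env_snapshot_free(copy); return NULL; }
    }
    return copy;
}

static int env_find(char **env, const char *name)  /* index of "NAME=..." or -1 */
{
    size_t len = strlen(name);
    for (int i = 0; env && env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=') return i;
    return -1;
}

int main(int argc, char **argv, char **envp)
{
    char **stale = envp;           /* non-standard third parameter (hypothetical use) */
    char **snap = env_snapshot();  /* portable alternative: an owned copy */
    for (int i = 0; i < 64; i++) { /* growing the array forces realloc() */
        char name[32];
        snprintf(name, sizeof name, "QOS_EXAMPLE_%d", i);
        setenv(name, "1", 1);
    }
    (void)stale;  /* walking `stale` now is the use-after-free ASan reported */
    printf("live=%d snapshot=%d\n", env_find(environ, "QOS_EXAMPLE_7") >= 0,
           env_find(snap, "QOS_EXAMPLE_7") >= 0);
    env_snapshot_free(snap);
    return 0;
}
```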