Bug 1479182 - [rpcdebug] AddressSanitizer: heap-buffer-overflow reported by ASAN
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nfs-utils
Version: 7.4-Alt
Hardware/OS: All Linux
Priority/Severity: unspecified / unspecified
Target Milestone: rc
Assigned To: Steve Dickson
QA Contact: Yongcheng Yang
Reported: 2017-08-08 02:34 EDT by ChunYu Wang
Modified: 2017-08-10 07:09 EDT
Description ChunYu Wang 2017-08-08 02:34:06 EDT
Description:

Running rpcdebug on KASAN/ASAN raised a heap-buffer-overflow problem. This issue had been detected by valgrind before [1], but the ASAN results are clearer for debugging:

[root@bootp-73-131-219 rpcdebug]# uname -r 
4.11.0-18.el7abz1477127_fail.x86_64
^^^^^^ A KASAN Enabled el7a kernel built by Stefano
[root@bootp-73-131-219 BUILD]# rpm -q libasan
libasan-4.8.5-16.el7.x86_64

[root@bootp-73-131-219 rpcdebug]# ./rpcdebug -h
=================================================================
==17897== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040000dff0 at pc 0x7fe5ca179ef1 bp 0x7fff84e2be70 sp 0x7fff84e2b618
WRITE of size 9 at 0x60040000dff0 thread T0
    #0 0x7fe5ca179ef0 (/usr/lib64/libasan.so.0.0.0+0xeef0)
    #1 0x400f31 (/root/rpmbuild/BUILD/nfs-utils-1.3.0/tools/rpcdebug/rpcdebug+0x400f31)
    #2 0x7fe5c9dc9c04 (/usr/lib64/libc-2.17.so+0x21c04)
    #3 0x401554 (/root/rpmbuild/BUILD/nfs-utils-1.3.0/tools/rpcdebug/rpcdebug+0x401554)
0x60040000dff8 is located 0 bytes to the right of 8-byte region [0x60040000dff0,0x60040000dff8)
allocated by thread T0 here:
    #0 0x7fe5ca181129 (/usr/lib64/libasan.so.0.0.0+0x16129)
    #1 0x400ef6 (/root/rpmbuild/BUILD/nfs-utils-1.3.0/tools/rpcdebug/rpcdebug+0x400ef6)
Shadow bytes around the buggy address:
  0x0c00ffff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c00ffff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[00]fa
  0x0c00ffff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c00ffff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==17897== ABORTING

Expected results:
No memory-related issues detected by valgrind / ASAN.

Additional info:

[1] https://patchwork.kernel.org/patch/9866401/

rpcdebug.c uses char *cdename to store the program name:

    cdename = malloc(strlen(basename(argv[0])));
    strcpy(cdename, basename(argv[0]));

It is better to free it before exit to avoid potential leaks.
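The quoted snippet allocates strlen() bytes but strcpy() writes strlen()+1, which is exactly the 9-byte WRITE into an 8-byte region ("rpcdebug" is eight characters) that ASan reports above. The following is an added example, not nfs-utils code, that puts the off-by-one next to a corrected copy; it uses a small strrchr()-based helper instead of basename() so the GNU/POSIX basename() variants do not matter.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Portable replacement for basename(): last path component, no copy. */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Bytes the buggy malloc(strlen(basename(argv[0]))) call reserves. */
size_t buggy_alloc_size(const char *argv0)
{
    return strlen(last_component(argv0));
}

/* Bytes strcpy() actually writes: the characters plus the terminating NUL. */
size_t bytes_written_by_strcpy(const char *argv0)
{
    return strlen(last_component(argv0)) + 1;
}

/* Corrected copy: reserve strlen()+1, check malloc(), copy the NUL too.
 * The caller owns the returned buffer and must free() it. */
char *copy_progname(const char *argv0)
{
    const char *name = last_component(argv0);
    size_t n = strlen(name) + 1;          /* room for the terminator */
    char *copy = malloc(n);
    if (copy == NULL)
        return NULL;
    memcpy(copy, name, n);                /* n includes the NUL byte */
    return copy;
}

int main(int argc, char **argv)
{
    /* Fallback name is a constructed value for running without arguments. */
    char *cdename = copy_progname(argc > 0 ? argv[0] : "rpcdebug");
    if (cdename == NULL)
        return 1;
    /* ... use cdename as the program name in messages ... */
    free(cdename);                        /* release before exit, as the report suggests */
    return 0;
}
```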
