NetBSD-Bugs archive
bin/52716: nvi dies with address sanitizer
>Number: 52716
>Category: bin
>Synopsis: nvi dies with address sanitizer
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 10 13:20:00 +0000 2017
>Originator: coypu
>Release: nvi from -current as of nov 11 2017
>Organization:
>Environment:
NetBSD localhost 8.0_BETA NetBSD 8.0_BETA (GENERIC.201711061200Z) amd64
>Description:
cd /usr/src/external/*/nvi
make USETOOLS=no CFLAGS="-g -ggdb3 -Og -fsanitize=address -fsanitize=undefined -fPIC" LDFLAGS="-lubsan -lasan" -j20
echo "123" > testcase
env LD_PRELOAD=/usr/lib/libasan.so ./usr.bin/nvi/vi testcase
=================================================================
==25727==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001db0 at pc 0x7f7ff6c23bad bp 0x7f7fffffd8f0 sp 0x7f7fffffd0a0
READ of size 1024 at 0x619000001db0 thread T0
#0 0x7f7ff6c23bac (/usr/lib/libasan.so+0x23bac)
#1 0x52b1b8 in db_get /usr/src/external/bsd/nvi/dist/common/vi_db1.c:187
#2 0x47b2c3 in file_cinit /usr/src/external/bsd/nvi/dist/common/exf.c:594
#3 0x4802d0 in file_init /usr/src/external/bsd/nvi/dist/common/exf.c:415
#4 0x48bb9b in editor /usr/src/external/bsd/nvi/dist/common/main.c:392
#5 0x40f0a2 in main /usr/src/external/bsd/nvi/dist/cl/cl_main.c:134
#6 0x404c6a in ___start (/usr/src/external/bsd/nvi/usr.bin/nvi/vi+0x404c6a)
0x619000001db0 is located 0 bytes to the right of 1072-byte region [0x619000001980,0x619000001db0)
allocated by thread T0 here:
#0 0x7f7ff6c16036 in calloc (/usr/lib/libasan.so+0x16036)
#1 0x7f7ff4f16284 (/usr/lib/libc.so.12+0x116284)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c327fff8360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff83b0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==25727==ABORTING
>How-To-Repeat:
>Fix:
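
Added example, not part of the original report and not nvi or NetBSD code: a small triage script that reads the ASan lines above, checks that the region bounds agree with the stated size, maps the faulting address to its shadow byte and compares that with the bracketed cell in the shadow dump, and picks the first symbolized frame. The shadow offset 0x7fff8000, the function name triage and the dictionary keys are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the report above (stack and shadow dump trimmed).
REPORT = """\
==25727==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001db0 at pc 0x7f7ff6c23bad bp 0x7f7fffffd8f0 sp 0x7f7fffffd0a0
READ of size 1024 at 0x619000001db0 thread T0
#0 0x7f7ff6c23bac (/usr/lib/libasan.so+0x23bac)
#1 0x52b1b8 in db_get /usr/src/external/bsd/nvi/dist/common/vi_db1.c:187
0x619000001db0 is located 0 bytes to the right of 1072-byte region [0x619000001980,0x619000001db0)
=>0x0c327fff83b0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
"""

SHADOW_SCALE = 3            # one shadow byte covers 8 application bytes (see the legend)
SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan's usual x86_64 offset, checked against the dump

def triage(report):
    """Pull the triage facts out of an ASan heap report and cross-check them."""
    err = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"(READ|WRITE) of size (\d+)", report)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    row = re.search(r"=>(0x[0-9a-f]+):(.*)", report)
    # First symbolized frame with file:line, skipping the interceptor frame in libasan.
    frm = re.search(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", report)
    if not all((err, acc, reg, row, frm)):
        raise ValueError("not a complete ASan heap report")

    addr = int(err.group(2), 16)
    lo, hi = int(reg.group(2), 16), int(reg.group(3), 16)
    cells = row.group(2)
    # The bracketed cell is the shadow byte for the faulting address.
    index = len(re.findall(r"[0-9a-f]{2}", cells[:cells.index("[")]))
    marked_addr = int(row.group(1), 16) + index
    return {
        "kind": err.group(1),
        "access": (acc.group(1), int(acc.group(2))),
        "region_size_consistent": hi - lo == int(reg.group(1)),
        "bytes_past_end": addr - hi,  # 0 means the first bad byte directly follows the chunk
        "shadow_addr": (addr >> SHADOW_SCALE) + SHADOW_OFFSET,
        "marked_shadow_addr": marked_addr,
        "marked_shadow_byte": cells[cells.index("[") + 1:cells.index("]")],
        "frame": (frm.group(1), frm.group(2), int(frm.group(3))),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

When shadow_addr equals marked_shadow_addr the offset assumption holds for this build, and the frame entry names db_get at vi_db1.c:187 as the first place to read.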