heap-buffer-overflow on startup

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
5 years ago
5 years ago

People

(Reporter: me.himansu, Unassigned)

Tracking

20 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [asan])

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 (Beta/Release)
Build ID: 20130329030832

Steps to reproduce:

I have build firefox using address-sanitizer on my x64 Ubuntu machine. Now as soon as I try to run the build, i m getting a crash as below: 

https://gist.github.com/anonymous/a5c4137fda8c7fe350c8

himanshu@simulator:~/Desktop/mozilla-beta/objdir-ff-asan/dist/bin$ ./firefox
=================================================================
==29854==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e1f0 at pc 0x7f1dddffbc4c bp 0x7fff332e2000 sp 0x7fff332e1ff8
READ of size 4 at 0x60200000e1f0 thread T0
    #0 0x7f1dddffbc4b (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x59f5c4b)
    #1 0x7f1dde002901 (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x59fc901)
    #2 0x7f1dda12bad8 (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x1b25ad8)
    #3 0x7f1dda12b553 (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x1b25553)
    #4 0x7f1dda111679 (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x1b0b679)
    #5 0x7f1dda11f76f (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x1b1976f)
    #6 0x7f1dda120404 (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/libxul.so+0x1b1a404)
    #7 0x459d3f (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/firefox+0x459d3f)
    #8 0x7f1dea30076c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
    #9 0x458ecc (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/firefox+0x458ecc)
0x60200000e1f0 is located 0 bytes inside of 4-byte region [0x60200000e1f0,0x60200000e1f4)
allocated by thread T0 here:
    #0 0x44615b (/home/himanshu/Desktop/mozilla-beta/objdir-ff-asan/dist/bin/firefox+0x44615b)
    #1 0x7f1deb4da364 (/lib64/ld-linux-x86-64.so.2+0x1364)
Shadow bytes around the buggy address:
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
  0x0c047fff9c40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9c60: fa fa 00 07 fa fa 05 fa fa fa 05 fa fa fa 00 07
  0x0c047fff9c70: fa fa 05 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff9c80: fa fa 01 fa fa fa 06 fa fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==29854==ABORTING
himanshu@simulator:~/Desktop/mozilla-beta/objdir-ff-asan/dist/bin$ 



Actual results:

I got a buffer overflow on console.


Expected results:

the firefox build must have executed.
Can you symbolize the output, please?

We regularly run ASAN builds, so it is odd that you are experiencing a problem right at startup.
Summary: firefox build with address-sanitizer crashes → heap-buffer-overflow on startup
Whiteboard: [asan]
Please also provide the version (revision) of LLVM/Clang/Asan you are using.

If it's a recent clang, then it might be a duplicate of bug 895845. If your symbolized trace matches that, please try the patch in that bug (we did not backport this).
Thanks for filing Himanshu, it would be great to get your details re: comment 2 to help us figure out the right action here.
Flags: needinfo?(me.himansu)
(Reporter)

Comment 4

5 years ago
Sorry for replying back late.

I did follow the Manual Build steps from https://developer.mozilla.org/en-US/docs/Building_Firefox_with_Address_Sanitizer so i am assuming that i must have used the latest vesion of LLVM. By the way, how do i check for the version of asan on my system?
Flags: needinfo?(me.himansu)
The version of ASan is the revision of the compiler-rt repository inside your LLVM root.

Can you please

1) retry with LLVM/Clang/ASan r185949
2) provide a symbolized trace
3) if the trace matches, try the patch of the bug mentioned in comment 2?


Thanks!
Component: Untriaged → General
Product: Firefox → Core
I'm going to assume this is just a dupe of the other ASAN startup bug that has been fixed, and ended up just being an ASAN problem.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.