AddressSanitizerFoundBugs

Alexander Potapenko edited this page Sep 5, 2018 · 25 revisions

Chromium, WebKit Safari, iTunes

Chromium's asan bot: http://build.chromium.org/p/chromium.memory/console

Mozilla

See also http://blog.mozilla.com/decoder/2012/01/27/trying-new-code-analysis-techniques/#more-14

Opera

DNA-15927

vlc

https://trac.videolan.org/vlc/query?status=assigned&status=closed&status=new&status=reopened&reporter=mikispag&order=priority

ffmpeg

Some (but not all) bugs found in ffmpeg:

ffmpeg's asan bot: http://fate.libav.org/x86_64-linux-clang-asan

FreeType

bash

https://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html

webrtc

perl

libcurl

php

parrot (http://www.parrot.org/)

libreoffice

MySQL

RocksDB

PostgreSQL

http://postgresql.1045698.n5.nabble.com/pgsql-Avoid-potential-buffer-overflow-crash-td5779963.html

Hypertable

https://github.com/hypertable/hypertable/commit/237f170de93ceda11560f87970c4494a8790e0d9

vim

http://www.mail-archive.com/vim_dev@googlegroups.com/msg15549.html

Phusion Passenger (https://www.phusionpassenger.com/)

Percona Server with XtraDB (http://www.percona.com/software/percona-server)

libpango

LLVM

GCC

Go

Tor

Impala

GNU Coreutils

Tizen

http://injoit.org/index.php/j1/article/viewFile/231/184

This paper describes our experience in integration of ASan
technology into large-scale software products: the Tizen
distribution and the Linux kernel. The tool has already found
around a hundred serious memory bugs in various Tizen
applications and in the mainline Linux kernel.

Unsorted

Spec CPU 2006

Use-after-free in 400.perlbench (a pointer is used after it is passed to realloc).

READ of size 1 at 0x00000000023b7413 thread T0 (bad: 0x00002000008edd04; shadow: 0x0000100000476e82)
    #0 0x66490a in Perl_sv_setpvn sv.c:4127
    #1 0x45766c in Perl_magic_get mg.c:772
    #2 0x453bcb in Perl_mg_get mg.c:169
    #3 0x669fb8 in Perl_sv_setsv_flags sv.c:3796
    #4 0x684c3f in Perl_sv_mortalcopy sv.c:6748
    #5 0x56fedd in Perl_pp_leaveeval pp_ctl.c:3486
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0
    #10 0x403519 in _start ??:0
0x00000000023b7413 is located 3 bytes inside of 5-byte region [0x00000000023b7410,0x00000000023b7415)
freed by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x66c3f5 in Perl_sv_setsv_flags sv.c:4012
    #4 0x5735e8 in Perl_pp_sassign pp_hot.c:122
    #5 0x635d44 in Perl_runops_standard run.c:37
    #6 0x4d2ad6 in S_run_body perl.c:2017
    #7 0x4f9077 in main perlmain.c:100
    #8 0x7fa3900e2c4d in __libc_start_main ??:0
previously allocated by thread T0 here:
    #0 0x7bc852 in realloc _asan_rtl_
    #1 0x733e2e in Perl_safesysrealloc util.c:132
    #2 0x650a82 in Perl_sv_grow sv.c:1620
    #3 0x6745f5 in Perl_sv_catpvn_flags sv.c:4376
    #4 0x675027 in Perl_sv_catsv_flags sv.c:4460
    #5 0x5402a3 in Perl_pp_substcont pp_ctl.c:190
    #6 0x635d44 in Perl_runops_standard run.c:37
    #7 0x4d2ad6 in S_run_body perl.c:2017
    #8 0x4f9077 in main perlmain.c:100
    #9 0x7fa3900e2c4d in __libc_start_main ??:0

global-buffer-overflow in memcmp("perlio", "unix", 6) (comparing 6 bytes reads one byte past the 5-byte string literal "unix"):

==17858== ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006af025 at pc 0x426478 bp 0x7fffb37ffe40 sp 0x7fffb37ffe18
READ of size 6 at 0x0000006af025 thread T0
    #0 0x426477 in __interceptor_memcmp _asan_rtl_
    #1 0x4bf792 in PerlIO_find_layer perlio.c:751
    #2 0x4c0ab2 in PerlIO_default_buffer perlio.c:1015
    #3 0x4c1171 in PerlIO_default_layers perlio.c:1113
    #4 0x4c255d in PerlIO_resolve_layers perlio.c:1433
    #5 0x4c3289 in PerlIO_openn perlio.c:1519
    #6 0x4c1410 in PerlIO_fdopen perlio.c:4745
    #7 0x4cfca1 in Perl_PerlIO_stdin perlio.c:4686
    #8 0x4b57df in S_open_script perl.c:3348
    #9 0x4d13f7 in main perlmain.c:96
    #10 0x7fcab450876c in __libc_start_main libc-start.c:226
    #11 0x4359b4 in _start ??:0
0x0000006af025 is located 59 bytes to the left of global variable '.str39 (perlio.c)' (0x6af060) of size 3
  '.str39 (perlio.c)' is ascii string 'r+'
0x0000006af025 is located 0 bytes to the right of global variable '.str38 (perlio.c)' (0x6af020) of size 5
  '.str38 (perlio.c)' is ascii string 'unix'
Shadow bytes around the buggy address:

Stack buffer overflow in 464.h264ref:

int k, satd = 0, m[16], dd, d[16];
...
for (dd=d[k=0]; k<16; dd=d[++k])
                         ^^^^^^
// On the last iteration, d[++k] reads d[16], one element after the array boundary.

READ of size 4 mem: 0x00007fff516bd140 thread T0
#0 0x506211 in SATD mv-search.c:1093
#1 0x509524 in SubPelBlockMotionSearch mv-search.c:1398
#2 0x527300 in BlockMotionSearch mv-search.c:2672
#3 0x53091e in PartitionMotionSearch mv-search.c:3272
...
Address 0x00007fff516bd140 is inside T0's stack

See also: http://www.spec.org/cpu2006/Docs/faq.html#Run.05
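The off-by-one above, reproduced as an added example (not code from 464.h264ref or from this wiki): the original loop shape loads d[++k] in the increment expression before the k<16 test runs, so the last iteration touches d[16]. Element loads go through a hypothetical read_elem() that records out-of-range indices instead of dereferencing them, so the program runs cleanly without ASan while still showing which index the buggy loop asks for; the loop body is a simplified stand-in for the real SATD computation.

```c
#include <stdio.h>
#include <stdlib.h>

#define N 16

static int g_oob_reads;   /* out-of-range loads attempted by the most recent call */

/* Hypothetical bounds-checked accessor: counts an out-of-range index instead of
 * performing the read that AddressSanitizer reported as a stack-buffer-overflow. */
static int read_elem(const int *d, int idx)
{
    if (idx < 0 || idx >= N) {
        g_oob_reads++;
        return 0;
    }
    return d[idx];
}

/* Same loop shape as mv-search.c: `for (dd=d[k=0]; k<16; dd=d[++k])`.
 * The increment loads d[++k] before `k < N` is evaluated, so k == 16 is read. */
int satd_buggy(const int d[N])
{
    int k, dd, satd = 0;
    g_oob_reads = 0;
    for (dd = read_elem(d, k = 0); k < N; dd = read_elem(d, ++k))
        satd += abs(dd);
    return satd;
}

/* Corrected loop: the index is tested before the element is loaded. */
int satd_fixed(const int d[N])
{
    int k, satd = 0;
    g_oob_reads = 0;
    for (k = 0; k < N; k++)
        satd += abs(read_elem(d, k));
    return satd;
}

int oob_reads_in_last_call(void) { return g_oob_reads; }

/* Constructed sample input: 0, -1, 2, -3, ... so the absolute sum is 120. */
void fill_sample(int d[N]) { for (int i = 0; i < N; i++) d[i] = (i % 2) ? -i : i; }

int main(void)
{
    int d[N];
    fill_sample(d);
    int b = satd_buggy(d); int b_oob = oob_reads_in_last_call();
    int f = satd_fixed(d); int f_oob = oob_reads_in_last_call();
    printf("buggy: satd=%d oob_loads=%d\nfixed: satd=%d oob_loads=%d\n", b, b_oob, f, f_oob);
    return 0;
}
```

Both loops produce the same result on this input, which is why the bug survived in the benchmark: the stray load at d[16] never influenced the sum, only the memory access pattern that ASan flagged.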

Global buffer overflow in 464.h264ref:

context_ini.c:222:
BIARI_CTX_INIT2 (NUM_BLOCK_TYPES, NUM_BCBP_CTX, tc->bcbp_contexts,    INIT_BCBP,      img->model_number);

READ of size 4 at 0x00000000005ec1c0 thread T0
    #0 0x4139cf in biari_init_context biariencode.c:334
    #1 0x43f8f3 in init_contexts context_ini.c:222
    #2 0x5a6f33 in start_slice slice.c:118
    #3 0x5a93b7 in encode_one_slice slice.c:223
    #4 0x466d7a in code_a_picture image.c:236
    #5 0x4728c0 in frame_picture image.c:800
    #6 0x4696ef in encode_one_frame image.c:411
    #7 0x48167d in main lencod.c:413
0x00000000005ec1c0 is located 0 bytes to the right of global variable 'INIT_BCBP_I' (0x5ec0c0) of size 256
