
ASAN: heap-buffer-overflow in stack_put_watermark with small stack size #9026

Closed
nshy opened this issue Aug 24, 2023 · 0 comments · Fixed by #9039
Assignees: nshy
Labels: 2.10 (Target is 2.10 and all newer release/master branches), bug (Something isn't working)

Comments

@nshy (Contributor) commented Aug 24, 2023

Found in 3.0.0-alpha1-16-g0e5a3cc21.

Exposed by the fiber_stack.c unit test with the patch below and ASAN-friendly allocators (WIP PR #8901).

--- a/test/unit/fiber_stack.c
+++ b/test/unit/fiber_stack.c
@@ -93,7 +93,7 @@ main_f(va_list ap)
        fiber_attr_delete(fiber_attr);
        fiber_attr = fiber_attr_new();
        fiber_attr->flags |= FIBER_CUSTOM_STACK;
-       fiber_attr->stack_size = 64 << 10;
+       fiber_attr->stack_size = (64 << 10) - 128;
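Review bot: `(64 << 10) - 128` reads as a magic number; add a one-line comment stating that the size is chosen to fall below the watermark threshold (FIBER_STACK_SIZE_WATERMARK, per the fix commit) so the test exercises the custom-stack path at the boundary that matters, and consider keeping the original `64 << 10` case alongside it so both sides of the boundary stay covered. Note also that this hunk is a reproducer rather than a fix: on its own it turns the unit test into the ASAN abort shown below (the write lands 56 bytes before the 65536-byte slab allocated in fiber_stack_create), so it should land together with the flag-ordering fix in fiber_new_ex rather than by itself.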

==259759==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310000147c8 at pc 0x556206458633 bp 0x7ff11497f210 sp 0x7ff11497f208
WRITE of size 8 at 0x6310000147c8 thread T0
    #0 0x556206458632 in stack_put_watermark /home/shiny/dev/tarantool/src/lib/core/fiber.c:1126:8
    #1 0x55620645dfff in fiber_stack_watermark_create /home/shiny/dev/tarantool/src/lib/core/fiber.c:1213:2
    #2 0x55620643e82a in fiber_stack_create /home/shiny/dev/tarantool/src/lib/core/fiber.c:1319:2
    #3 0x55620643b0dc in fiber_new_ex /home/shiny/dev/tarantool/src/lib/core/fiber.c:1373:7
    #4 0x556206405965 in main_f /home/shiny/dev/tarantool/test/unit/fiber_stack.c:102:10
    #5 0x556206403c96 in fiber_c_invoke /home/shiny/dev/tarantool/src/lib/core/fiber.h:1151:9
    #6 0x55620643ee0e in fiber_loop /home/shiny/dev/tarantool/src/lib/core/fiber.c:1013:18
    #7 0x5562065481f8 in coro_init /home/shiny/dev/tarantool/third_party/coro/coro.c:108:3

0x6310000147c8 is located 56 bytes to the left of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x5562063bb239 in malloc (/home/shiny/dev/tarantool/build-asan-debug/test/unit/fiber_stack.test+0x1a1239) (BuildId: 3726deb8a4e6c608e3705b7bf6332d76685089b6)
    #1 0x55620645aaf0 in slab_get /home/shiny/dev/tarantool/src/lib/small/include/small/slab_cache_malloc.h:108:37
    #2 0x55620643d927 in fiber_stack_create /home/shiny/dev/tarantool/src/lib/core/fiber.c:1273:22
    #3 0x55620643b0dc in fiber_new_ex /home/shiny/dev/tarantool/src/lib/core/fiber.c:1373:7
    #4 0x556206405965 in main_f /home/shiny/dev/tarantool/test/unit/fiber_stack.c:102:10
    #5 0x556206403c96 in fiber_c_invoke /home/shiny/dev/tarantool/src/lib/core/fiber.h:1151:9
    #6 0x55620643ee0e in fiber_loop /home/shiny/dev/tarantool/src/lib/core/fiber.c:1013:18
    #7 0x5562065481f8 in coro_init /home/shiny/dev/tarantool/third_party/coro/coro.c:108:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/shiny/dev/tarantool/src/lib/core/fiber.c:1126:8 in stack_put_watermark
Shadow bytes around the buggy address:
  0x0c627fffa8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c627fffa8f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c627fffa900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==259759==ABORTING
@nshy nshy added the bug Something isn't working label Aug 24, 2023
@nshy nshy self-assigned this Aug 24, 2023
nshy added a commit to nshy/tarantool that referenced this issue Aug 25, 2023
Fiber flags are initialized after fiber stack creation. As a result,
the check for a custom stack in fiber_stack_watermark_create currently
does not work. This leads to a heap-buffer-overflow when putting the
watermark if the custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close tarantool#9026

NO_DOC=bugfix
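The mechanism the commit message describes, as an added example that is not Tarantool's code: a stripped-down C model of a fiber stack with a watermark, created once in the buggy order (stack before flags) and once in the fixed order (flags before stack). Every identifier (struct fib, FLAG_CUSTOM_STACK, STACK_SIZE_WATERMARK, DEFAULT_STACK_SIZE, run_scenario, placed_offset) and the 64 KiB / 256 KiB sizes are assumptions chosen to mirror the issue, not Tarantool's definitions; the watermark writer here also carries a bounds check that the real code did not have, so the overflow path reports WM_OUT_OF_BOUNDS instead of corrupting the heap.

```c
/* Added example, not Tarantool's code; every name, constant and size here is
 * a hypothetical stand-in for the ones in the issue. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAG_CUSTOM_STACK    (1u << 0)
#define STACK_SIZE_WATERMARK ((size_t)64 * 1024)   /* hypothetical threshold */
#define DEFAULT_STACK_SIZE   ((size_t)256 * 1024)  /* hypothetical default */
#define WATERMARK_MAGIC      0xdeadbeefcafef00dULL

struct fib_attr { unsigned flags; size_t stack_size; };
/* stack is the lowest address of the allocation; the stack grows down from
 * stack + stack_size. watermark stays NULL when none was placed. */
struct fib { unsigned flags; uint8_t *stack; size_t stack_size; uint64_t *watermark; };
enum wm_result { WM_PLACED, WM_SKIPPED, WM_OUT_OF_BOUNDS };

/* Bounds-checked write; the original wrote unconditionally (the WRITE of size 8). */
static enum wm_result stack_put_watermark(struct fib *f, ptrdiff_t off)
{
    if (off < 0 || (size_t)off + sizeof(uint64_t) > f->stack_size)
        return WM_OUT_OF_BOUNDS;
    f->watermark = (uint64_t *)(f->stack + off);
    *f->watermark = WATERMARK_MAGIC;
    return WM_PLACED;
}

static enum wm_result fiber_stack_watermark_create(struct fib *f)
{
    if (f->flags & FLAG_CUSTOM_STACK)   /* only effective if flags are set already */
        return WM_SKIPPED;
    /* Signed arithmetic: a too-small stack yields a negative offset, not a wrapped size_t. */
    ptrdiff_t off = (ptrdiff_t)f->stack_size - (ptrdiff_t)STACK_SIZE_WATERMARK;
    return stack_put_watermark(f, off);
}

static enum wm_result fiber_stack_create(struct fib *f, const struct fib_attr *a)
{
    f->stack_size = a->stack_size;
    f->stack = malloc(f->stack_size);
    if (f->stack == NULL) abort();
    f->watermark = NULL;
    return fiber_stack_watermark_create(f);
}

/* Buggy order, as in the issue: create the stack first, copy the flags after. */
static enum wm_result fiber_new_buggy(struct fib *f, const struct fib_attr *a)
{
    memset(f, 0, sizeof(*f));
    enum wm_result r = fiber_stack_create(f, a);
    f->flags = a->flags;                /* too late: the check has already run */
    return r;
}

/* Fixed order: flags first, so fiber_stack_watermark_create can see them. */
static enum wm_result fiber_new_fixed(struct fib *f, const struct fib_attr *a)
{
    memset(f, 0, sizeof(*f));
    f->flags = a->flags;
    return fiber_stack_create(f, a);
}

/* Runs one creation path and returns its outcome; *off_out receives the byte
 * offset of a placed watermark, or -1 when none was placed. */
static enum wm_result run_scenario(bool fixed_order, unsigned flags,
                                   size_t stack_size, ptrdiff_t *off_out)
{
    struct fib_attr a = { .flags = flags, .stack_size = stack_size };
    struct fib f;
    enum wm_result r = fixed_order ? fiber_new_fixed(&f, &a) : fiber_new_buggy(&f, &a);
    if (r == WM_PLACED && *f.watermark != WATERMARK_MAGIC)
        abort();                        /* the pattern we just wrote must survive */
    if (off_out != NULL)
        *off_out = f.watermark != NULL ? (uint8_t *)f.watermark - f.stack : -1;
    free(f.stack);
    return r;
}

static ptrdiff_t placed_offset(bool fixed_order, unsigned flags, size_t stack_size)
{
    ptrdiff_t off = -1;
    run_scenario(fixed_order, flags, stack_size, &off);
    return off;
}

int main(void)
{
    static const char *const name[] = { "placed", "skipped", "OUT OF BOUNDS" };
    size_t small = (64 << 10) - 128;    /* the size from the test patch above */
    printf("buggy order, custom %zu-byte stack: watermark %s\n", small,
           name[run_scenario(false, FLAG_CUSTOM_STACK, small, NULL)]);
    printf("fixed order, custom %zu-byte stack: watermark %s\n", small,
           name[run_scenario(true, FLAG_CUSTOM_STACK, small, NULL)]);
    printf("fixed order, default stack: watermark at offset %td\n",
           placed_offset(true, 0, DEFAULT_STACK_SIZE));
    return 0;
}
```

Reordering the flag copy is what removes the crash for custom stacks, but the signed offset plus the range check in stack_put_watermark is the defence worth keeping as well: with it, a stack smaller than the threshold on any path reports WM_OUT_OF_BOUNDS instead of writing before the allocation, which is exactly the condition ASAN had to catch at runtime here.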
locker pushed a commit that referenced this issue Aug 28, 2023
Fiber flags are initialized after fiber stack creation. As a result,
the check for a custom stack in fiber_stack_watermark_create currently
does not work. This leads to a heap-buffer-overflow when putting the
watermark if the custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close #9026

NO_DOC=bugfix
locker pushed a commit that referenced this issue Aug 28, 2023
Fiber flags are initialized after fiber stack creation. As a result,
the check for a custom stack in fiber_stack_watermark_create currently
does not work. This leads to a heap-buffer-overflow when putting the
watermark if the custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close #9026

NO_DOC=bugfix

(cherry picked from commit 750e489)
locker pushed a commit that referenced this issue Aug 28, 2023
Fiber flags are initialized after fiber stack creation. As a result,
the check for a custom stack in fiber_stack_watermark_create currently
does not work. This leads to a heap-buffer-overflow when putting the
watermark if the custom stack size is less than FIBER_STACK_SIZE_WATERMARK.

Close #9026

NO_DOC=bugfix

(cherry picked from commit 750e489)
@locker locker added the 2.10 Target is 2.10 and all newer release/master branches label Aug 28, 2023
2 participants