Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ASan reports pointer overflow #7229

Open
edeiana opened this issue Jan 28, 2025 · 2 comments
Open

ASan reports pointer overflow #7229

edeiana opened this issue Jan 28, 2025 · 2 comments
Labels
Bug-DRCrash Google-Affecting Tool-DrCov

Comments

@edeiana
Copy link
Contributor

edeiana commented Jan 28, 2025

Address Sanitizer reports pointer overflow when performing pointer arithmetic with final_pc.
This happens when final_pc is NULL, as adding to it is undefined behavior.
We cast final_pc (which is an app_pc aka unsigned char *) to unsigned integer to fix the issue.
@edeiana edeiana mentioned this issue Jan 28, 2025
Merged
@vitalybuka
Copy link
Contributor

Detected reports:

core/ir/instrlist.c:575:18: runtime error: applying non-zero offset 4 to null pointer
    #0 ir/instrlist.c:575:18
    #1 dynamorio::drmemtrace::add_encodings_to_memrefs drmemtrace/memref_gen.h:198:9

core/ir/aarch64/codec.c:1084:62: runtime error: applying non-zero offset 16 to null pointer
    #0 decode_opnd_adr_page core/ir/aarch64/codec.c:1084:62
    #1 decode_opnds_adr core/ir/aarch64/codec.c:9156:10
    #2 decoder_v80 arm/decode_gen_v80.h
    #3 decode_common core/ir/aarch64/codec.c:9581:10
    #4 decode_from_copy core/ir/aarch64/decode.c:100:12

core/ir/x86/encode.c:3024:67: runtime error: applying non-zero offset 6 to null pointer
    #0 encode_cti core/ir/x86/encode.c:3024:67
    #1 instr_encode_arch core/ir/x86/encode.c:3173:20
    #2 instr_encode_common core/ir/encode_shared.c:129:12
    #3 instr_encode_to_copy core/ir/encode_shared.c:153:12
    #4 instrlist_encode_to_copy core/ir/instrlist.c:572:20
    #5 dynamorio::drmemtrace::add_encodings_to_memrefs drmemtrace/memref_gen.h:198:9

clients/drcachesim/tracer/raw2trace_shared.cpp:290:78: runtime error: applying non-zero offset 4096 to null pointer
    #0 dynamorio::drmemtrace::module_mapper_t::read_and_map_modules() clients/drcachesim/tracer/raw2trace_shared.cpp:290:78
    #1 dynamorio::drmemtrace::module_mapper_t::get_loaded_modules() clients/drcachesim/tracer/raw2trace_shared.h:270:13

core/drlibc/drlibc_module_elf.c:201:55: runtime error: applying non-zero offset 126787216 to null pointer
    #0 module_vaddr_from_prog_header core/drlibc/drlibc_module_elf.c:201:55
    #1 elf_loader_map_phdrs core/drlibc/drlibc_module_elf.c:397:16
    #2 privload_map_and_relocate core/unix/loader.c:571:12
    #3 dr_map_executable_file core/lib/instrument.c:3997:12
    #4 dynamorio::drmemtrace::module_mapper_t::read_and_map_modules() clients/drcachesim/tracer/raw2trace_shared.cpp:333:21
    #5 dynamorio::drmemtrace::module_mapper_t::get_loaded_modules() clients/drcachesim/tracer/raw2trace_shared.h:270:13

drlibc/drlibc_module_elf.c:459:77: runtime error: applying non-zero offset 140355803590656 to null pointer
    #0 elf_loader_map_phdrs drlibc/drlibc_module_elf.c:459:77
    #1 privload_map_and_relocate unix/loader.c:571:12
    #2 dr_map_executable_file lib/instrument.c:3997:12
    #3 dynamorio::drmemtrace::module_mapper_t::read_and_map_modules() clients/drcachesim/tracer/raw2trace_shared.cpp:334:21
    #4 dynamorio::drmemtrace::module_mapper_t::get_loaded_modules() drmemtrace/raw2trace_shared.h:270:13

drlibc/drlibc_module_elf.c:525:58: runtime error: applying non-zero offset 126787216 to null pointer
    #0 0x5647d0371fdb in elf_loader_map_phdrs drlibc/drlibc_module_elf.c:525:58
    #1 0x5647d034d227 in privload_map_and_relocate unix/loader.c:571:12
    #2 0x5647d032692c in dr_map_executable_file lib/instrument.c:3997:12
    #3 0x7fd41a57cb0f in dynamorio::drmemtrace::module_mapper_t::read_and_map_modules() drcachesim/tracer/raw2trace_shared.cpp:334:21
    #4 0x7fd41a57e6e2 in dynamorio::drmemtrace::module_mapper_t::get_loaded_modules() drcachesim/tracer/raw2trace_shared.h:270:13

clients/drcachesim/tracer/raw2trace_shared.h:315:82: runtime error: applying non-zero offset 3 to null pointer
    #0 dynamorio::drmemtrace::module_mapper_t::get_orig_pc clients/drcachesim/tracer/raw2trace_shared.h:315:82
    #1 dynamorio::drmemtrace::raw2trace_t::append_bb_entries clients/drcachesim/tracer/raw2trace.cpp:1540:19
    #2 dynamorio::drmemtrace::raw2trace_t::process_offline_entry clients/drcachesim/tracer/raw2trace.cpp:420:14
    #3 dynamorio::drmemtrace::raw2trace_t::process_next_thread_buffer clients/drcachesim/tracer/raw2trace.cpp:997:24

ext/drcovlib/modules.c:470:75: runtime error: applying non-zero offset 1 to null pointer
    #0 module_read_entry_print ext/drcovlib/modules.c:470:75
    #1 drmodtrack_offline_write ext/drcovlib/modules.c:838:15
    #2 dynamorio::drmemtrace::module_mapper_t::write_module_data clients/drcachesim/tracer/raw2trace_shared.cpp:249:15

clients/drcachesim/tracer/raw2trace_shared.h:289:61: runtime error: applying non-zero offset 3 to null pointer
    #0 dynamorio::drmemtrace::module_mapper_t::get_orig_pc_from_map_pc clients/drcachesim/tracer/raw2trace_shared.h:289:61
    #1 dynamorio::drmemtrace::raw2trace_t::append_bb_entries clients/drcachesim/tracer/raw2trace.cpp:1568:36
    #2 dynamorio::drmemtrace::raw2trace_t::process_offline_entry clients/drcachesim/tracer/raw2trace.cpp:420:14
    #3 dynamorio::drmemtrace::raw2trace_t::process_next_thread_buffer clients/drcachesim/tracer/raw2trace.cpp:997:24

edeiana pushed a commit that referenced this issue Jan 28, 2025
@vitalybuka
i#7229: Fix --fsanitize=pointer-overflow reports (#7218)
ed508d6 
Adding to NULL is undefined behavior.

This fixes reports we detected on our internal tests
of tools depending on DynamoRIO.

Examples of reports are in #7229.

Many others are likely still undiscovered.

Issue: #7229
vitalybuka added a commit to vitalybuka/dynamorio that referenced this issue Jan 30, 2025
@vitalybuka
i#7229: Fix --fsanitize=pointer-overflow reports
022b16d 
Adding to NULL is undefined behavior.

Examples of reports are in DynamoRIO#7229.

Many others are likely still undiscovered.

Issue: DynamoRIO#7229
@vitalybuka vitalybuka mentioned this issue Jan 30, 2025
Open
@vitalybuka
Copy link
Contributor

More reports

core/unix/module_elf.c:394:51: runtime error: applying non-zero offset 94646340419584 to null pointer
    #0 module_walk_program_headers core/unix/module_elf.c:394:51
    #1 os_module_area_init core/unix/module.c:84:9
    #2 module_area_create core/module_list.c:126:5
    #3 module_list_add core/module_list.c:260:13
    #4 os_walk_address_space core/unix/os.c:10078:17
    #5 find_executable_vm_areas core/unix/os.c:10145:13
    #6 vm_areas_init core/vmareas.c:1675:13
    #7 dynamorio_app_init_part_two_finalize core/dynamo.c:683:13
    #8 dynamorio_app_init core/dynamo.c:395:12
    #9 dr_app_setup core/dynamo.c:2745:11

core/drlibc/drlibc_module_elf.c:525:58: runtime error: applying non-zero offset 136317360 to null pointer
    #0 elf_loader_map_phdrs core/drlibc/drlibc_module_elf.c:525:58
    #1 privload_map_and_relocate core/unix/loader.c:571:12
    #2 dr_map_executable_file core/lib/instrument.c:3997:12

clients/drcachesim/tracer/output.cpp:835:85: runtime error: applying non-zero offset 4096 to null pointer
    #0 dynamorio::drmemtrace::output_buffer clients/drcachesim/tracer/output.cpp:835:85

core/unix/signal.c:5075:78: runtime error: applying non-zero offset 18446744073709551614 to null pointer
    #0 record_pending_signal core/unix/signal.c:5075:78

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug-DRCrash Google-Affecting Tool-DrCov
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vitalybuka @edeiana