Buffer overflow with -CF -8 options and 0x00 0xFF input
#628
Comments
|
That sounds familiar but it will take a minute to trace it and be sure.
ASAN evaluates crash logs, right? So this is a real crash rather than a
linter warning?
…On Sun, Feb 25, 2024, 08:52 Szabolcs Horvát ***@***.***> wrote:
AddressSanitizer detect a global buffer overflow in all our scanners (five
different ones) when compiled with the -CF -8 options and fed with a
two-byte input of 0x00 0xFF.
An example of one of the simpler scanners is
https://github.com/igraph/igraph/blob/58e01aa8594b98c198118b507f29186854cdbc3b/src/io/ncol-lexer.l
The crash happens on the first line within a for loop like this:
for ( yy_c = YY_SC_TO_UI(*yy_cp);
(yy_trans_info = &yy_current_state[yy_c])->
yy_verify == yy_c;
yy_c = YY_SC_TO_UI(*++yy_cp) )
yy_current_state += yy_trans_info->yy_nxt;
}
Before investigating further, and putting in the time to produce a minimal
example, I wanted to ask if similar issues are known.
—
Reply to this email directly, view it on GitHub
<#628>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVJXIJ4ZEEQBBFWAY4OGQLYVM6Z3AVCNFSM6AAAAABDY4L2OKVHI2DSMVQWIX3LMV43ASLTON2WKOZSGE2TENZXGU3TQOI>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
|
Yes, correct. |
|
This wasn't what I thought. It was more interesting. I think everything is fine. Here's what I see happening and why I think ASAN is mad. With your example scanner and using the A couple of lines later it's re-assigned to point into the 2D transition table Then without further re-assignment, we hit the block on which ASAN halted: I think the second assignment sets ASAN's assumption about I don't think there's really an out-of-bounds access here. I think we just broke the Address Sanitizer by feeding it conflicting type information. Please post an ASAN log if you can. I'm curious what it thinks is happening and curious whether we can give it better hints. BREAK BREAK Something you might see in the future, and this is a fun one: In Fullspeed mode, flex routinely accesses |
Sure, the full log is at the end. This issue, as well as #627, came up while using OSS-fuzz, a fuzz testing service for open-source projects. With one of the new fuzz targets we started to get timeouts, and it turned out that the Flex scanner was surprisingly slow on some edge cases that the fuzzer tended to hit. Using either ASan is not supposed to have false positives, but it could of course have bugs. I was using Clang 17.0.6 on macOS for this test, and I believe OSS-fuzz is currently using Clang 15. These ASan logs are from this program with a 2-byte input of 0x00 0xFF, but this program is probably not something you should try to work with directly on your end. "located 0 bytes after global variable 'yy_transition'" seems a bit strange in the logs below. If I understand this right, we should be hitting inside |
|
Regarding your question on StackOverflow, Piotr Siupa has the right idea. Declare your own string accumulator, then append to it in an action for Still thinking about the ASAN log. That's odd stuff. |
|
Two requests:
ASAN is really good. It has no false positives in the sense that it never reports a memory access that didn't happen. It builds its shadow map based on compile-time information, though. I suspect we mess them up, but I haven't dug in deeply yet. |
|
It seems I can reproduce this with the simple example from the manual: https://westes.github.io/flex/manual/Simple-Examples.html#Simple-Examples Find a way to create a file Run |
No, not so far. |
|
Thanks for the example! I'll check as soon as I can. In case it matters, are you using clang, gcc, or something else? |
|
I tried both with Clang v15 and v17 (macOS on ARM) and GCC v14 (Fedora in Docker on ARM). Here's the GCC ASan output for the minimal example: |
|
It's maybe interesting to mention that if I run without ASan, on macOS I get: This doesn't look right, does it? On Fedora, I get the expected output (regardless of whether compiling with GCC and Clang): The Flex output is not of the same size on the two platforms, even through I used flex 2.6.4 on both. On macOS I see 1739 lines in https://github.com/macports/macports-ports/tree/master/devel/flex/files |
|
Thank you both for the very careful and thorough investigation on this issue. That we're handling a specific instance of crashing is awesome. As a sanity check, would you confirm what version of flex you're using for this? (I didn't see it in my skim of the comments.) Unless otherwise stated, we work on the tip of the master branch. |
|
Version 2.6.4 on all systems. A few days ago I tried to compile flex from the master branch, following these instructions, and installing all requirements listed there, but did not succeed. Some generated C headers appear to contain unevaluated code (m4 code? autoconf? I'm not very familiar with these). Any chance of a bugfix release this year? It's been 7 years since the last one, meaning 2.6.4 is old enough to be learning to write in school now ;-) |
Yes, it's my top priority for flex at the moment. (There's just all the other things happening, so I'm not promising a specific date yet.) |
I should get back to this today or tomorrow. By macOS on ARM, are we talking about m1, m2, etc.? I don't own one of those to debug on, but it's looking like I should. |
I don't think it should matter, but it's an M2. Could you not reproduce it on Intel? The same happened on the OSS-fuzz infrastructure which is x86_64 on Linux. Unfortunately I won't have direct access to Intel hardware for perhaps two more weeks.
Resolving this is not urgent for me, but I hope the report will be useful for the long term improvement of Flex. |
|
Just making sure I have all the info I need in case I can't reproduce. Otherwise I'll bash my head against it all weekend. Your trouble building the main branch has me worried. We had an issue recently where main won't bootstrap on m2. I've built it on ARM though, so I don't know why. It's been really hard to debug using GHActions runners. |
|
Quick update. I've been able to reproduce the ASAN reports on ubuntu 20.04 from the HEAD of the main branch. Our line numbers are off by 8, so I'm no longer concerned that it's an architecture flag thing in the build script. More hunting to follow. |
|
I found a solution, but proving I've solved the right problem will take some extraordinary evidence. Looks like we've been making the Fullspeed table too big for the last 30+ years, but it almost never causes a problem. I'm getting a PR together so folks can check my patch against their scanners. I'm having a hard time believing myself on this. |
Correct fullspeed table size computation from 'tblend + numecs + 1' to 'tblend + 2 + 1' to avoid allocating extra space that is never initialized. Refs: westes#628
|
@szhorvat did the PR fix the issue for you? My mac mini is late arriving. |
|
I'm travelling this week, I'll try again when I'm back. However, last time I tried, I wasn't able to build flex from the master branch, as some headers were mis-generated ... Can you please check that the prerequisites mentioned in the installation document are correct and complete? |
|
The prerequisites list is complete and up to date. However, I've noticed quirks with packages on some distros. In particular, I have to install My mac arrives next Tuesday. If we need to debug the build system we can do it then. |
I've moved this over to #632, and I have partial solutions now. |
AddressSanitizer detect a global buffer overflow in all our scanners (five different ones) when compiled with the
-CF -8options and fed with a two-byte input of 0x00 0xFF.An example of one of the simpler scanners is https://github.com/igraph/igraph/blob/58e01aa8594b98c198118b507f29186854cdbc3b/src/io/ncol-lexer.l
The crash happens on the first line within a for loop like this:
Before investigating further, and putting in the time to produce a minimal example, I wanted to ask if similar issues are known.
The text was updated successfully, but these errors were encountered: