Bug #11484

asan wild memory access suspected

Added by David Schaefer about 2 years ago. Updated about 2 years ago.

Status:
Fixed
Priority:
Low
Assignee:
-
Category:
-
Target version:
Start date:
01/29/2017
Due date:
% Done:

100%

Affected Version:
git master branch
System:
Ubuntu
bitness:
64-bit
hardware architecture:
amd64/x86

Description

david@UX32VD ~> env LC_ALL=C ~/unstable/darktable-asan/bin/darktable

(darktable:14152): Gtk-WARNING **: Allocating size to GtkDialog 0x6290003e0310 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?

(darktable:14152): Gtk-WARNING **: Allocating size to GtkDialog 0x6290003e0310 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?

(darktable:14152): Gtk-WARNING **: Allocating size to GtkDialog 0x6290003e0310 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?

(darktable:14152): Gtk-CRITICAL **: gtk_list_store_append: assertion 'GTK_IS_LIST_STORE (list_store)' failed

(darktable:14152): Gtk-CRITICAL **: gtk_list_store_set_valist: assertion 'GTK_IS_LIST_STORE (list_store)' failed
=================================================================
==14152==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x61400023cc40 in thread T0
#0 0x7f5ac8225b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6b50)
#1 0x7f5ac438daa2 in gp_file_free (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x11aa2)
#2 0x7f5ac438db0f in gp_file_unref (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x11b0f)
#3 0x7f5ac438f2d1 (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x132d1)
#4 0x7f5ac438f53d (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x1353d)
#5 0x7f5ac438f5e2 (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x135e2)
#6 0x7f5ac438f5d7 (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x135d7)
#7 0x7f5ac439022a in gp_filesystem_reset (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x1422a)
#8 0x7f5ac4384967 in gp_camera_exit (/usr/lib/x86_64-linux-gnu/libgphoto2.so.6+0x8967)
#9 0x7f5ac7d43353 in dt_camctl_camera_destroy /home/david/workspace/darktable.git/src/common/camera_control.c:613
#10 0x7f5ac7d43cab in dt_camctl_destroy /home/david/workspace/darktable.git/src/common/camera_control.c:636
#11 0x7f5ac7b1115f in dt_cleanup /home/david/workspace/darktable.git/src/common/darktable.c:1062
#12 0x7f5ac7cefc2b in dt_gui_gtk_run /home/david/workspace/darktable.git/src/gui/gtk.c:1030
#13 0x55f7b5672a0b in main /home/david/workspace/darktable.git/src/main.c:25
#14 0x7f5ac74373f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
#15 0x55f7b5672a59 in _start (/home/david/unstable/darktable-asan/bin/darktable+0xa59)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6b50) in __interceptor_free
==14152==ABORTING

Associated revisions

Revision 6e15b9cc
Added by David Schaefer about 2 years ago

Fixes #11484

- Replaced redundant function (_string_get_next_variable) with simplified _string_get_next_variable
- Completely rewritten _string_get_next_variable fixes the former segmentation fault

How to trigger the former segmentation fault:
1) Have an SD card in the card reader with DCIM structure and images
2) Open dt
3) Click on Import > Import from camera
4) In the UI "Import images from camera" select any image and click on import -> Segmentation fault
SUMMARY: AddressSanitizer: heap-buffer-overflow src/common/variables.c:79 in _string_get_next_variable

Revision dfc8c6ab
Added by Roman Lebedev about 2 years ago

Merge remote-tracking branch 'upstream/pr/1438'

  • upstream/pr/1438:
    Fixes #11484

Revision 6e3d855f
Added by David Schaefer about 2 years ago

Fixes #11484

- Replaced redundant function (_string_get_next_variable) with simplified _string_get_next_variable
- Completely rewritten _string_get_next_variable fixes the former segmentation fault

How to trigger the former segmentation fault:
1) Have an SD card in the card reader with DCIM structure and images
2) Open dt
3) Click on Import > Import from camera
4) In the UI "Import images from camera" select any image and click on import -> Segmentation fault
SUMMARY: AddressSanitizer: heap-buffer-overflow src/common/variables.c:79 in _string_get_next_variable

(cherry picked from commit 6e15b9cc7fcd5b2b7b1a813a8756d2df7453a52e)

History

#1 Updated by Roman Lebedev about 2 years ago

you may want to export these, it helps:

export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

export G_DEBUG=gc-friendly,resident-modules
export G_SLICE=always-malloc,debug-blocks

I don't think anyone currently uses/works on this area of code, so patches are welcome.

#2 Updated by David Schaefer about 2 years ago

david@UX32VD ~> env LC_ALL=C MALLOC_CHECK_=3 MALLOC_PERTURB_=(random) G_DEBUG=gc-friendly,resident-modules G_SLICE=always-malloc,debug-blocks ~/unstable/darktable-asan/bin/darktable
=================================================================
==3767==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060003da8d4 at pc 0x7f8fb2c5c8db bp 0x7f8f9aa5c2e0 sp 0x7f8f9aa5c2d0
READ of size 1 at 0x6060003da8d4 thread T4
#0 0x7f8fb2c5c8da in _string_get_next_variable /home/david/workspace/darktable.git/src/common/variables.c:79
#1 0x7f8fb2c5dfd2 in dt_variables_expand /home/david/workspace/darktable.git/src/common/variables.c:382
#2 0x7f8fb2c2246e in dt_import_session_filename /home/david/workspace/darktable.git/src/common/import_session.c:251
#3 0x7f8fb2df61c4 in _camera_request_image_filename /home/david/workspace/darktable.git/src/control/jobs/camera_jobs.c:304
#4 0x7f8fb2df1029 in _dispatch_request_image_filename /home/david/workspace/darktable.git/src/common/camera_control.c:1566
#5 0x7f8fb2df3e46 in dt_camctl_import /home/david/workspace/darktable.git/src/common/camera_control.c:922
#6 0x7f8fb2df5fe7 in dt_camera_import_job_run /home/david/workspace/darktable.git/src/control/jobs/camera_jobs.c:350
#7 0x7f8fb2c82798 in dt_control_job_execute /home/david/workspace/darktable.git/src/control/jobs.c:298
#8 0x7f8fb2c83b0f in dt_control_run_job /home/david/workspace/darktable.git/src/control/jobs.c:317
#9 0x7f8fb2c83b0f in dt_control_work /home/david/workspace/darktable.git/src/control/jobs.c:555
#10 0x7f8fb28906c9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76c9)
#11 0x7f8fb25ca0ae in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x1080ae)

0x6060003da8d4 is located 0 bytes to the right of 52-byte region [0x6060003da8a0,0x6060003da8d4)
allocated by thread T4 here:
#0 0x7f8fb32d0eb0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6eb0)
#1 0x7f8fb18d1de8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4fde8)

Thread T4 created by T0 here:
#0 0x7f8fb323b4e8 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x314e8)
#1 0x7f8fb2bc7cdd in dt_pthread_create /home/david/workspace/darktable.git/src/common/dtpthread.c:63
#2 0x7f8fb2c84143 in dt_control_jobs_init /home/david/workspace/darktable.git/src/control/jobs.c:611
#3 0x7f8fb2c79e2d in dt_control_init /home/david/workspace/darktable.git/src/control/control.c:72
#4 0x7f8fb2bbafcd in dt_init /home/david/workspace/darktable.git/src/common/darktable.c:831
#5 0x5643d876c9d5 in main /home/david/workspace/darktable.git/src/main.c:24
#6 0x7f8fb24e23f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/david/workspace/darktable.git/src/common/variables.c:79 in _string_get_next_variable
Shadow bytes around the buggy address:
0x0c0c800734c0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c800734d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c800734e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800734f0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c80073500: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c80073510: fa fa fa fa 00 00 00 00 00 00[04]fa fa fa fa fa
0x0c0c80073520: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
0x0c0c80073530: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80073540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80073550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80073560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3767==ABORTING

#3 Updated by Roman Lebedev about 2 years ago

and which pattern string are you using?
please copy-paste it here, without changing anything

#4 Updated by David Schaefer about 2 years ago

david@Tower ~/w/darktable.git> ~/unstable/darktable/bin/darktable

(darktable:9841): IBUS-WARNING **: Unable to connect to ibus: Could not connect: Connection refused

(darktable:9841): Gtk-WARNING **: Allocating size to GtkDialog 0x6170000f36f0 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?

(darktable:9841): Gtk-WARNING **: Allocating size to GtkDialog 0x6170000f36f0 without calling gtk_widget_get_preferred_width/height(). How does the code know the size to allocate?
=================================================================
==9841==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600055d814 at pc 0x7fc025eb4b0b bp 0x7fc00bd3d2e0 sp 0x7fc00bd3d2d0
READ of size 1 at 0x60600055d814 thread T8
#0 0x7fc025eb4b0a in _string_get_next_variable /home/david/workspace/darktable.git/src/common/variables.c:79
#1 0x7fc025eb6202 in dt_variables_expand /home/david/workspace/darktable.git/src/common/variables.c:382
#2 0x7fc025e7a65e in dt_import_session_filename /home/david/workspace/darktable.git/src/common/import_session.c:251
#3 0x7fc02604e6d4 in _camera_request_image_filename /home/david/workspace/darktable.git/src/control/jobs/camera_jobs.c:304
#4 0x7fc026049539 in _dispatch_request_image_filename /home/david/workspace/darktable.git/src/common/camera_control.c:1566
#5 0x7fc02604c356 in dt_camctl_import /home/david/workspace/darktable.git/src/common/camera_control.c:922
#6 0x7fc02604e4f7 in dt_camera_import_job_run /home/david/workspace/darktable.git/src/control/jobs/camera_jobs.c:350
#7 0x7fc025eda9b8 in dt_control_job_execute /home/david/workspace/darktable.git/src/control/jobs.c:298
#8 0x7fc025edbd2f in dt_control_run_job /home/david/workspace/darktable.git/src/control/jobs.c:317
#9 0x7fc025edbd2f in dt_control_work /home/david/workspace/darktable.git/src/control/jobs.c:555
#10 0x7fc025ae86c9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76c9)
#11 0x7fc0258220ae in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x1080ae)

0x60600055d814 is located 0 bytes to the right of 52-byte region [0x60600055d7e0,0x60600055d814)
allocated by thread T8 here:
#0 0x7fc026529eb0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6eb0)
#1 0x7fc024b29de8 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4fde8)

Thread T8 created by T0 here:
#0 0x7fc0264944e8 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x314e8)
#1 0x7fc025e1fe8d in dt_pthread_create /home/david/workspace/darktable.git/src/common/dtpthread.c:63
#2 0x7fc025edc363 in dt_control_jobs_init /home/david/workspace/darktable.git/src/control/jobs.c:611
#3 0x7fc025ed204d in dt_control_init /home/david/workspace/darktable.git/src/control/control.c:72
#4 0x7fc025e1312d in dt_init /home/david/workspace/darktable.git/src/common/darktable.c:831
#5 0x5570344aa9d5 in main /home/david/workspace/darktable.git/src/main.c:24
#6 0x7fc02573a3f0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/david/workspace/darktable.git/src/common/variables.c:79 in _string_get_next_variable
Shadow bytes around the buggy address:
0x0c0c800a3ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3af0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c0c800a3b00: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3b20: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c0c800a3b30: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800a3b50: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9841==ABORTING

MALLOC_CHECK_=3
MALLOC_PERTURB_=2394
G_DEBUG=gc-friendly,resident-modules
G_SLICE=always-malloc,debug-blocks

#5 Updated by David Schaefer about 2 years ago

Moved to individual case #11503

#6 Updated by David Schaefer about 2 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

#7 Updated by Roman Lebedev about 2 years ago

  • Target version set to 2.4.0
