GNU bug report logs - #64316: ASAN failures in dir.c
Reported by: Gisle Vanem <gvanem <at> yahoo.no>
Date: Tue, 27 Jun 2023 13:06:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#64316: ASAN failures in dir.c
which was filed against the diffutils package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 64316 <at> debbugs.gnu.org.
--
64316: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=64316
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
[Message part 3 (text/plain, inline)]
Thanks for reporting that bug, which I recently introduced. I installed
the attached to fix it.
[0001-diff-fix-xpalloc-typo.patch (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
Hello list.
For some time now, building diff.exe with ASAN (on Windows-10)
causes it to trigger on illegal use of memcpy().
For example:
==3752==ERROR: AddressSanitizer: heap-use-after-free on address 0x121647e20772 at
pc 0x7ffc6e93727e bp 0x00d589efdba0 sp 0x00d589efd330
WRITE of size 17 at 0x121647e20772 thread T0
#0 0x7ffc6e93727d in __asan_memcpy
D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\li\asan\asan_interceptors_memintrinsics.cpp:22
#1 0x7ff604834af1 in dir_read F:\MinGW32\src\gnu\GNU-diff\src\dir.c:101
#2 0x7ff604832ec7 in diff_dirs F:\MinGW32\src\gnu\GNU-diff\src\dir.c:214
#3 0x7ff60482dc37 in compare_files F:\MinGW32\src\gnu\GNU-diff\src\diff.c:1369
#4 0x7ff604833b1b in diff_dirs F:\MinGW32\src\gnu\GNU-diff\src\dir.c:289
#5 0x7ff60482dc37 in compare_files F:\MinGW32\src\gnu\GNU-diff\src\diff.c:1369
#6 0x7ff60483270e in main F:\MinGW32\src\gnu\GNU-diff\src\diff.c:862
...
-----------------------
This causes Heap Corruption all over the place.
I'm not sure this is an issue with Gnulib or diff. But reverting this
patch:
diff --git a/src/dir.c b/src/dir.c
index ba9403b..773afeb 100644
--- a/src/dir.c
+++ b/src/dir.c
@@ -95,13 +95,9 @@ dir_read (struct file_data const *dir, struct dirdata *dirdata)
if (excluded_file_name (excluded, d_name))
continue;
- while (data_alloc - data_used < d_size)
- {
- if (IDX_MAX / 2 <= data_alloc)
- xalloc_die ();
- dirdata->data = data = xirealloc (data, data_alloc *= 2);
- }
-
+ if (data_alloc - data_used < d_size)
+ dirdata->data = xpalloc (dirdata->data, &data_alloc,
+ d_size - (data_alloc - data_used), -1, 1);
memcpy (data + data_used, d_name, d_size);
data_used += d_size;
nnames++;
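Review bot: in the added lines the pointer returned by xpalloc is stored only in dirdata->data, while the unchanged memcpy (data + data_used, d_name, d_size) just below still writes through the local variable data. The removed loop kept the two in step with dirdata->data = data = xirealloc (...). If xpalloc moves the block, data is left pointing at freed memory, which is consistent with the heap-use-after-free WRITE that ASAN reports in dir_read above. Suggest assigning both, for example dirdata->data = data = xpalloc (data, &data_alloc, ...), so the local alias is refreshed before the memcpy.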
--------
it works with ASAN too (although much slower).
--
--gv