Ticket UUID: b1534b438bc711e848ad7ade3642ce0a6323fe8e
Title: Out of bounds read access in function Write / tclIO.c
Type: Bug
Version: 8.6.4
Submitter: hanno
Created on: 2015-06-30 19:56:05
Subsystem: None
Assigned To: dgp
Priority: 5 Medium
Severity: Minor
Status: Closed
Last Modified: 2016-08-22 08:34:09
Resolution: Fixed
Closed By: dkf
Closed on: 2016-08-22 08:34:09

Description:
When compiling tcl with address sanitizer the test chanio.test will report an out of bounds error. I'll attach the address sanitizer output below.

To reproduce run:

    ./configure CFLAGS="-fsanitize=address -g"; make; make test

The access happens in the file tclIO.c in line 4326. This is the code in question:

    if (saved == 0 || src[-1] != '\n') {

Seems like it's trying to access the "-1" index of src without verifying that there is a previous index.

This is the address sanitizer error message:

    ==18913==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f751e8da91f at pc 0x7f751e773ef7 bp 0x7ffe51019900 sp 0x7ffe510198f0
    READ of size 1 at 0x7f751e8da91f thread T0
        #0 0x7f751e773ef6 in Write /mnt/ram/tcl8.6.4/generic/tclIO.c:4326
        #1 0x7f751e770d84 in Tcl_Close /mnt/ram/tcl8.6.4/generic/tclIO.c:3353
        #2 0x7f751e7716b2 in Tcl_UnregisterChannel /mnt/ram/tcl8.6.4/generic/tclIO.c:1247
        #3 0x7f751e782b9b in Tcl_CloseObjCmd /mnt/ram/tcl8.6.4/generic/tclIOCmd.c:726
        #4 0x7f751e52ba1b in TclNRRunCallbacks /mnt/ram/tcl8.6.4/generic/tclBasic.c:4392
        #5 0x7f751e5320b1 in TclEvalEx /mnt/ram/tcl8.6.4/generic/tclBasic.c:5261
        #6 0x7f751e79d7ee in Tcl_FSEvalFileEx /mnt/ram/tcl8.6.4/generic/tclIOUtil.c:1815
        #7 0x7f751e7b091c in Tcl_MainEx /mnt/ram/tcl8.6.4/generic/tclMain.c:417
        #8 0x401713 in main /mnt/ram/tcl8.6.4/unix/tclAppInit.c:84
        #9 0x7f751d7abf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
        #10 0x401866 (/mnt/ram/tcl8.6.4/unix/tcltest+0x401866)

    0x7f751e8da91f is located 1 bytes to the left of global variable '*.LC89' from '/mnt/ram/tcl8.6.4/generic/tclIO.c' (0x7f751e8da920) of size 1
      '*.LC89' is ascii string ''
    0x7f751e8da91f is located 54 bytes to the right of global variable '*.LC88' from '/mnt/ram/tcl8.6.4/generic/tclIO.c' (0x7f751e8da8e0) of size 9
      '*.LC88' is ascii string '-eofchar'
    SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/tcl8.6.4/generic/tclIO.c:4326 Write
    Shadow bytes around the buggy address:
      0x0fef23d134d0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9
      0x0fef23d134e0: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
      0x0fef23d134f0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
      0x0fef23d13500: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 02 f9 f9
      0x0fef23d13510: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
    =>0x0fef23d13520: f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
      0x0fef23d13530: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
      0x0fef23d13540: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
      0x0fef23d13550: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
      0x0fef23d13560: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
      0x0fef23d13570: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 00 01
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Contiguous container OOB:fc
      ASan internal:           fe
    ==18913==ABORTING
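Editor's added example (not the reporter's code, not Tcl's tclIO.c, and not the fix dgp shipped in 8.5.19/8.6.5): the report points at a `src[-1]` check that is only valid when the buffer has been advanced past at least one byte. The ASan trace shows the read coming from Tcl_Close, i.e. from the empty final write a close performs, where the faulting address sits one byte before an empty string literal. The constructed LF-to-CRLF writer below reproduces that shape with a stand-in `Sink` type (an assumption, not Tcl's Channel structures): the unsafe variant peeks behind `src` unconditionally, the safe variant only does so when this call actually consumed a byte and otherwise uses state carried across calls.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a channel's output buffer (assumption: not Tcl's
   Channel/ChannelState). lastWasNewline is the state the safe variant
   carries across calls instead of peeking behind the caller's buffer. */
typedef struct {
    char buf[512];
    size_t len;
    int lastWasNewline;
} Sink;

static void sink_init(Sink *s)
{
    s->len = 0;
    s->buf[0] = '\0';
    s->lastWasNewline = 1;   /* nothing written yet: treat as at line start */
}

static void sink_put(Sink *s, char c)
{
    if (s->len < sizeof s->buf - 1) {
        s->buf[s->len++] = c;
        s->buf[s->len] = '\0';
    }
    s->lastWasNewline = (c == '\n');
}

/* Writes srcLen bytes, translating LF to CRLF, and reports whether the chunk
   ended a line. UNSAFE: when srcLen == 0 the loop never runs, src is never
   advanced, and src[-1] is the byte before the caller's buffer. Called with
   an empty string literal under ASan this yields a one-byte
   global-buffer-overflow read of the same class as the ticket's. Never call
   it with srcLen == 0. */
static int write_translated_unsafe(Sink *s, const char *src, size_t srcLen)
{
    const char *end = src + srcLen;
    while (src < end) {
        if (*src == '\n') {
            sink_put(s, '\r');
        }
        sink_put(s, *src++);
    }
    return src[-1] == '\n';   /* out of bounds when nothing was consumed */
}

/* SAFE: look behind src only if this call consumed at least one byte of this
   buffer; otherwise answer from state carried across calls. */
static int write_translated_safe(Sink *s, const char *src, size_t srcLen)
{
    const char *start = src, *end = src + srcLen;
    while (src < end) {
        if (*src == '\n') {
            sink_put(s, '\r');
        }
        sink_put(s, *src++);
    }
    if (src > start) {
        return src[-1] == '\n';
    }
    return s->lastWasNewline;
}

/* Close path: flush with an empty final write (the call shape in the ticket's
   stack, Tcl_Close -> Write) and terminate the last line if it is still open.
   Returns the final output length. */
static size_t close_sink(Sink *s, int (*writer)(Sink *, const char *, size_t))
{
    if (!writer(s, "", 0)) {
        sink_put(s, '\r');
        sink_put(s, '\n');
    }
    return s->len;
}

int main(void)
{
    Sink s;
    sink_init(&s);
    write_translated_safe(&s, "line one\nline two", 17);
    close_sink(&s, write_translated_safe);
    printf("%zu bytes: %s", s.len, s.buf);   /* "line one\r\nline two\r\n" */
    return 0;
}
```

Swapping `write_translated_safe` for `write_translated_unsafe` in `close_sink` and building with `-fsanitize=address -g`, as the report does, is the quickest way to see the difference: the unsafe variant's `src[-1]` lands in the redzone before the `""` literal exactly like the `'*.LC89' is ascii string ''` line in the trace. The general lesson is that "what was the previous byte" is per-stream state and belongs in the stream object, not in memory reached by indexing behind a caller-supplied pointer.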
User Comments:

dgp added on 2015-07-15 17:19:30:
Fixed for Tcl 8.5.19 and 8.6.5. Please confirm.

dgp added on 2015-07-15 14:59:26:
...and this is a Tcl matter, not Tk.

dgp added on 2015-07-15 14:57:58:
Looks like test io-1.9 triggers the matter.