
Heap buffer overflow detected by ASan #59

Closed
Randl opened this issue Jan 11, 2018 · 1 comment
Closed

Labels
category:Refactoring Related to code refactoring

Comments

@Randl (Contributor) commented Jan 11, 2018

==26577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6080000040f4 at pc 0x00000058ebfc bp 0x7ffd8fecbc20 sp 0x7ffd8fecb3d0
READ of size 53 at 0x6080000040f4 thread T0
    #0 0x58ebfb in __interceptor_strndup.part.278 (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x58ebfb)
    #1 0x7fb49177f60e  (/usr/lib/x86_64-linux-gnu/libxkbcommon-x11.so.0+0x460e)
    #2 0x7fb49177ec61 in xkb_x11_keymap_new_from_device (/usr/lib/x86_64-linux-gnu/libxkbcommon-x11.so.0+0x3c61)
    #3 0x7fb49ad1a1fc  (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x421fc)
    #4 0x7fb49ad1b28c  (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x4328c)
    #5 0x7fb49ad15a1a in QXcbConnection::QXcbConnection(QXcbNativeInterface*, bool, unsigned int, char const*) (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x3da1a)
    #6 0x7fb49ad19019 in QXcbIntegration::QXcbIntegration(QStringList const&, int&, char**) (/usr/lib/x86_64-linux-gnu/libQt5XcbQpa.so.5+0x41019)
    #7 0x7fb49afdb2aa in _init (/usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so+0x12aa)
    #8 0x7fb4b9cc2f8c in QPlatformIntegrationFactory::create(QString const&, QStringList const&, int&, char**, QString const&) (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xe8f8c)
    #9 0x7fb4b9cd3349 in QGuiApplicationPrivate::createPlatformIntegration() (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xf9349)
    #10 0x7fb4b9cd3e3c in QGuiApplicationPrivate::createEventDispatcher() (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xf9e3c)
    #11 0x7fb4b9721b84 in QCoreApplicationPrivate::init() (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x290b84)
    #12 0x7fb4b9cd58ce in QGuiApplicationPrivate::init() (/usr/lib/x86_64-linux-gnu/libQt5Gui.so.5+0xfb8ce)
    #13 0x7fb4be005288 in QApplicationPrivate::init() (/usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5+0x159288)
    #14 0x28ff1ad in Application::Application(int&, char**) /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:75:52
    #15 0x2974fc8 in main /home/vista/dev/tdesktop/Telegram/SourceFiles/main.cpp:48:15
    #16 0x7fb4b83b61c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #17 0x500389 in _start (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x500389)

0x6080000040f4 is located 0 bytes to the right of 84-byte region [0x6080000040a0,0x6080000040f4)
allocated by thread T1 (QXcbEventReader) here:
    #0 0x5bfd80 in __interceptor_malloc (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x5bfd80)
    #1 0x7fb4ae09ae2b  (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xde2b)

Thread T1 (QXcbEventReader) created by T0 here:
    #0 0x519400 in pthread_create (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x519400)
    #1 0x7fb4b953c795 in QThread::start(QThread::Priority) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xab795)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x58ebfb) in __interceptor_strndup.part.278
Shadow bytes around the buggy address:
  0x0c107fff87c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff87e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff87f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8800: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fff8810: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[04]fa
  0x0c107fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
QApplication: invalid style override passed, ignoring it.
=================================================================
==26577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000d4bff at pc 0x0000005992fb bp 0x7ffd8fec5d90 sp 0x7ffd8fec5540
READ of size 7 at 0x6040000d4bff thread T0
    #0 0x5992fa in __interceptor_memcmp.part.282 (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x5992fa)
    #1 0x6c84b7 in Lang::GetKeyIndex(QLatin1String) /home/vista/dev/tdesktop/cmake-build-debug/Telegram/lang_auto.cpp:13610:20
    #2 0x1c431f6 in LangKey Lang::Instance::ParseKeyValue<std::vector<QString, std::allocator<QString> > >(QByteArray const&, QByteArray const&, std::vector<QString, std::allocator<QString> >&) /home/vista/dev/tdesktop/Telegram/SourceFiles/lang/lang_instance.cpp:453:18
    #3 0x1c37bbb in Lang::Instance::applyValue(QByteArray const&, QByteArray const&) /home/vista/dev/tdesktop/Telegram/SourceFiles/lang/lang_instance.cpp:469:15
    #4 0x1c3762a in Lang::Instance::fillFromSerialized(QByteArray const&) /home/vista/dev/tdesktop/Telegram/SourceFiles/lang/lang_instance.cpp:319:3
    #5 0x222ac02 in Local::readLangPack() /home/vista/dev/tdesktop/Telegram/SourceFiles/storage/localstorage.cpp:3947:19
    #6 0x2217667 in Local::start() /home/vista/dev/tdesktop/Telegram/SourceFiles/storage/localstorage.cpp:2335:2
    #7 0x2b46bbf in Messenger::startLocalStorage() /home/vista/dev/tdesktop/Telegram/SourceFiles/messenger.cpp:477:2
    #8 0x2b452cc in Messenger::Messenger() /home/vista/dev/tdesktop/Telegram/SourceFiles/messenger.cpp:91:2
    #9 0x290b4a7 in std::_MakeUniq<Messenger>::__single_object std::make_unique<Messenger>() /usr/bin/../lib/gcc/x86_64-linux-gnu/7.2.0/../../../../include/c++/7.2.0/bits/unique_ptr.h:825:34
    #10 0x2908c75 in Application::createMessenger() /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:302:23
    #11 0x2904c71 in Sandbox::launch() /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:410:17
    #12 0x2900196 in Application::singleInstanceChecked() /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:209:4
    #13 0x29036f1 in Application::socketError(QLocalSocket::LocalSocketError) /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:182:2
    #14 0x2cb706d in Application::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram_autogen/T6Y2NIRYHF/moc_application.cpp:116:21
    #15 0x7fb4b97498e4 in QMetaObject::activate(QObject*, int, int, void**) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0x2b88e4)
    #16 0x7fb4bdc08950 in QLocalSocket::error(QLocalSocket::LocalSocketError) (/usr/lib/x86_64-linux-gnu/libQt5Network.so.5+0xe7950)
    #17 0x7fb4bdc16d89  (/usr/lib/x86_64-linux-gnu/libQt5Network.so.5+0xf5d89)
    #18 0x7fb4bdc17631  (/usr/lib/x86_64-linux-gnu/libQt5Network.so.5+0xf6631)
    #19 0x7fb4bdc1780b in QLocalSocket::connectToServer(QFlags<QIODevice::OpenModeFlag>) (/usr/lib/x86_64-linux-gnu/libQt5Network.so.5+0xf680b)
    #20 0x28ffce4 in Application::Application(int&, char**) /home/vista/dev/tdesktop/Telegram/SourceFiles/application.cpp:101:16
    #21 0x2974fc8 in main /home/vista/dev/tdesktop/Telegram/SourceFiles/main.cpp:48:15
    #22 0x7fb4b83b61c0 in __libc_start_main /build/glibc-CxtIbX/glibc-2.26/csu/../csu/libc-start.c:308
    #23 0x500389 in _start (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x500389)

0x6040000d4bff is located 0 bytes to the right of 47-byte region [0x6040000d4bd0,0x6040000d4bff)
allocated by thread T0 here:
    #0 0x5bfd80 in __interceptor_malloc (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x5bfd80)
    #1 0x7fb4b953e9f1 in QArrayData::allocate(unsigned long, unsigned long, unsigned long, QFlags<QArrayData::AllocationOption>) (/usr/lib/x86_64-linux-gnu/libQt5Core.so.5+0xad9f1)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/vista/dev/tdesktop/cmake-build-debug/Telegram/Telegram+0x5992fa) in __interceptor_memcmp.part.282
Shadow bytes around the buggy address:
  0x0c0880012920: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 00 04
  0x0c0880012930: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 02
  0x0c0880012940: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 01 fa
  0x0c0880012950: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 04 fa
  0x0c0880012960: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 02
=>0x0c0880012970: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 00[07]
  0x0c0880012980: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 07 fa
  0x0c0880012990: fa fa 00 00 00 00 00 06 fa fa 00 00 00 00 00 07
  0x0c08800129a0: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 07 fa
  0x0c08800129b0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 01
  0x0c08800129c0: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  OpenType support missing for script 11
  OpenType support missing for script 11

=================================================================

Seemingly each of those is connected to a corresponding error message (QApplication: invalid style override passed, ignoring it. and OpenType support missing for script 11)

@Randl (Contributor, Author) commented Jun 6, 2018

Randl@db869f4
This hotfixes the second one. Note this appears not to be the proper fix. There is some problem with size checks in codegen/lang/generator.cpp; however, the logic is not that easy to understand.
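Added illustration (not code from tdesktop or the commit above) of the length-gated lookup the second report points at: the real Lang::GetKeyIndex is generated and takes a QLatin1String, so this stand-in uses std::string_view and a constructed four-entry key table, and the unchecked variant is only an assumption about how a memcmp overread of this shape arises, not the project's actual generated code.

```cpp
#include <cassert>
#include <cstring>
#include <string>
#include <string_view>

// Hypothetical stand-in for a generated key table such as lang_auto.cpp's:
// constructed sample keys, with longer entries deliberately sharing a
// prefix with shorter ones so that the length gate matters.
struct KeyEntry { const char *name; int index; };
static const KeyEntry kKeys[] = {
    {"lng_about",         0},
    {"lng_about_version", 1},
    {"lng_cancel",        2},
    {"lng_cancel_all",    3},
};
static const int kKeyCount = sizeof(kKeys) / sizeof(kKeys[0]);

// Assumed anti-pattern consistent with the report: memcmp is told to compare
// strlen(entry) bytes before anything checks that `key` holds that many, so
// a short key compared against a longer table entry reads past the end of
// the key's heap block (an overread of the kind ASan flagged in GetKeyIndex).
// Never called here; kept only to contrast with the checked version.
[[maybe_unused]] static int GetKeyIndexUnchecked(std::string_view key) {
    for (int i = 0; i < kKeyCount; ++i) {
        const size_t n = std::strlen(kKeys[i].name);
        if (std::memcmp(key.data(), kKeys[i].name, n) == 0 && key.size() == n)
            return kKeys[i].index;
    }
    return -1;
}

// Hardened lookup: the size comparison is the gate, so memcmp only ever
// touches key.size() bytes, all of which belong to the caller's buffer.
static int GetKeyIndex(std::string_view key) {
    for (int i = 0; i < kKeyCount; ++i) {
        const size_t n = std::strlen(kKeys[i].name);
        if (key.size() != n) continue;
        if (std::memcmp(key.data(), kKeys[i].name, n) == 0) return kKeys[i].index;
    }
    return -1;
}

int main() {
    // A heap-backed key, like the QByteArray in the trace, that is a strict
    // prefix of a longer table entry: the checked lookup handles it safely.
    std::string key = "lng_about";
    assert(GetKeyIndex(key) == 0);
    assert(GetKeyIndex("lng_abou") == -1);   // shorter than every entry
    assert(GetKeyIndex("lng_about_version") == 1);
    return 0;
}
```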

Development

No branches or pull requests

2 participants