~lattis/muon#19: global-buffer-overflow in set_builtin_options

ASan is not happy with muon's set_builtin_options when run with the wlroots project (haven't tested anything else):

../src/data/bucket_array.c:67:2: runtime error: null pointer passed as argument 2, which is declared to never be null
=================================================================
==60666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55cbe89d6d77 at pc 0x7f12b935f72b bp 0x7ffce97d6100 sp 0x7ffce97d58a8
READ of size 5144 at 0x55cbe89d6d77 thread T0
    #0 0x7f12b935f72a in __interceptor_strlen /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389
    #1 0x55cbe8900a8a in eval_str ../src/lang/eval.c:153
    #2 0x55cbe88ea02a in set_builtin_options ../src/functions/default/options.c:584
    #3 0x55cbe8901441 in eval_project ../src/lang/eval.c:88
    #4 0x55cbe88eadb9 in do_setup ../src/functions/default/setup.c:20
    #5 0x55cbe8954f9e in cmd_setup ../src/main.c:466
    #6 0x55cbe888bd3d in cmd_main ../src/main.c:582
    #7 0x55cbe888bd3d in main ../src/main.c:597
    #8 0x7f12b8696b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #9 0x55cbe888c15d in _start (/home/simon/src/muon/build/muon+0x10515d)

0x55cbe89d6d77 is located 41 bytes to the left of global variable 'embedded_len' defined in 'src/embedded_files.h:1:10' (0x55cbe89d6da0) of size 4
0x55cbe89d6d77 is located 0 bytes to the right of global variable '__compound_literal.0' defined in 'src/embedded_files.h:65:52' (0x55cbe89d5960) of size 5143
SUMMARY: AddressSanitizer: global-buffer-overflow /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:389 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0ab9fd132d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9fd132d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9fd132d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9fd132d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9fd132d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab9fd132da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[07]f9
  0x0ab9fd132db0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x0ab9fd132dc0: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ab9fd132dd0: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab9fd132de0: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0ab9fd132df0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==60666==ABORTING
Status: RESOLVED FIXED
Submitter: ~emersion
Assigned to: No-one
Submitted: 2 months ago
Updated: 2 months ago
Labels: No labels applied.
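The report above says everything needed to understand the bug class: strlen() performed a READ of size 5144 on a 5143-byte compound literal from embedded_files.h, i.e. it walked the whole embedded file and one byte into the global redzone looking for a terminator that was never there. The following is an added example, not muon's code: a hypothetical reconstruction of that pattern (names `embedded_data`, `has_terminator`, `embedded_to_cstring` are assumptions; `embedded_len` mirrors the global named in the report) with a bounded check and a safe conversion instead of handing the raw array to a C-string API.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction, not muon's own code: a file embedded at
 * build time as a bare byte array, with its length kept in a separate
 * global. Nothing here appends a terminating NUL, so passing
 * embedded_data to strlen() (as eval_str did through an API that expects
 * a C string) reads past the array until it happens to meet a zero byte. */
static const char embedded_data[] = {
	/* constructed sample content, 13 bytes, deliberately no '\0' */
	'p', 'r', 'o', 'j', 'e', 'c', 't', '(', '\'', 'x', '\'', ')', '\n'
};
static const unsigned int embedded_len = sizeof(embedded_data);

/* Check, within bounds, whether a buffer carries a NUL terminator at all.
 * memchr() stops at len, so this is safe even on an unterminated array. */
int has_terminator(const char *data, size_t len)
{
	return memchr(data, '\0', len) != NULL;
}

/* Produce a NUL-terminated copy that C-string APIs can consume safely.
 * The caller frees the result; returns NULL on allocation failure. */
char *embedded_to_cstring(const char *data, size_t len)
{
	char *s = malloc(len + 1);
	if (!s)
		return NULL;
	memcpy(s, data, len);
	s[len] = '\0';
	return s;
}

/* Wrappers over the sample globals so the behaviour can be exercised. */
int sample_is_terminated(void)
{
	return has_terminator(embedded_data, embedded_len);
}

size_t sample_cstring_len(void)
{
	char *s = embedded_to_cstring(embedded_data, embedded_len);
	size_t n = s ? strlen(s) : 0;
	free(s);
	return n;
}
```

Building with -fsanitize=address is what turns the silent over-read into the report shown above; on platforms without ASan, the has_terminator() check is the cheap assertion to keep at the boundary where embedded bytes become strings.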

~lattis REPORTED FIXED 2 months ago

Thanks for this. It (and a few other things I saw) should be fixed. There may be other lurking bugs but unfortunately I do most of my development on alpine, and as far as I can tell musl doesn't support these sanitizers. I debugged this in a builds.sr.ht vm.

~emersion 2 months ago

When ASan isn't available, it's possible to use Valgrind to check for this kind of issue.

~lattis 2 months ago

Strangely, valgrind wasn't catching this.
