Test issue #1
Assignees
Labels
Comments
athoik
added a commit
that referenced
this issue
Dec 25, 2020
This commit fixes a heap-buffer-overflow found using ASAN.
Same issue also seens to occur on readyErrRead, so fix it there as well.
In order to verify that console is not breaking after this commit
a random file was written to stdout using cat.
The file was written to another file and hashes where same on input
file and on output file. That seems enough as a test schenario.
Input file can be created using command: dd if=/dev/urandom of=/tmp/in.dat bs=1 count=1024
def yellow(self):
self.container = eConsoleAppContainer()
self.container.appClosed.append(self.finish)
self.container.stdoutAvail.append(self.write)
self.container.setBufferSize(1024)
catargs = ['/bin/cat', '/tmp/in.dat']
self.container.execute('/bin/cat', *catargs)
def finish(self, retval=None):
self.container.kill()
def write(self, data):
file = open('/tmp/out.dat', 'ab')
file.write(data)
file.close()
The full error from ASAN follows:
=================================================================
==1014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x9e176400 at pc 0x00093b98 bp 0xbe9ca384 sp 0xbe9ca37c
WRITE of size 1 at 0x9e176400 thread T0
#0 0x93b94 in eConsoleAppContainer::readyRead(int) ../../git/lib/base/console.cpp:242
#1 0x9d1f8 in sigc::bound_mem_functor1<void, eConsoleAppContainer, int>::operator()(int const&) const /usr/include/sigc++-2.0/sigc++/functors/mem_fun.h:2066
OpenPLi#2 0x9bafc in sigc::adaptor_functor<sigc::bound_mem_functor1<void, eConsoleAppContainer, int> >::deduce_result_type<int const&, void, void, void, void, void, void>::type sigc::adaptor_functor<sigc::bound_mem_functor1<void, eConsoleAppContainer, int> >::operator()<int const&>(int const&) const /usr/include/sigc++-2.0/sigc++/adaptors/adaptor_trait.h:89
OpenPLi#3 0x99878 in sigc::internal::slot_call<sigc::bound_mem_functor1<void, eConsoleAppContainer, int>, void, int>::call_it(sigc::internal::slot_rep*, int const&) /usr/include/sigc++-2.0/sigc++/functors/slot.h:451
OpenPLi#4 0x9ae0c in sigc::internal::signal_emit1<void, int, sigc::nil>::emit(sigc::internal::signal_impl*, int const&) /usr/include/sigc++-2.0/sigc++/signal.h:1041
OpenPLi#5 0x98f68 in sigc::signal1<void, int, sigc::nil>::emit(int const&) const /usr/include/sigc++-2.0/sigc++/signal.h:2951
OpenPLi#6 0x97854 in sigc::signal1<void, int, sigc::nil>::operator()(int const&) const /usr/include/sigc++-2.0/sigc++/signal.h:2967
OpenPLi#7 0x95cac in PSignal1<void, int>::operator()(int) ../../git/lib/python/connections.h:67
OpenPLi#8 0xaaef4 in eSocketNotifier::activate(int) ../../git/lib/base/ebase.h:157
OpenPLi#9 0xaf070 in eMainloop::processOneEvent(long, _object**, ePyObject) ../../git/lib/base/ebase.cpp:273
OpenPLi#10 0xafeb8 in eMainloop::iterate(unsigned int, _object**, ePyObject) ../../git/lib/base/ebase.cpp:352
OpenPLi#11 0xb0400 in eMainloop::poll(ePyObject, ePyObject) ../../git/lib/base/ebase.cpp:379
OpenPLi#12 0x7446d4 in _wrap_eMainloop_poll python/enigma_python.cpp:5964
0x9e176400 is located 0 bytes to the right of 32768-byte region [0x9e16e400,0x9e176400)
allocated by thread T0 here:
#0 0xb6a290a0 in operator new(unsigned int) (/usr/lib/libasan.so.5+0x1030a0)
#1 0x63560 in __gnu_cxx::new_allocator<char>::allocate(unsigned int, void const*) /usr/include/c++/9.2.0/ext/new_allocator.h:114
OpenPLi#2 0x624c0 in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned int) /usr/include/c++/9.2.0/bits/alloc_traits.h:444
OpenPLi#3 0x63ce4 in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned int) /usr/include/c++/9.2.0/bits/stl_vector.h:343
OpenPLi#4 0x62d38 in std::vector<char, std::allocator<char> >::_M_default_append(unsigned int) /usr/include/c++/9.2.0/bits/vector.tcc:635
OpenPLi#5 0x619e8 in std::vector<char, std::allocator<char> >::resize(unsigned int) /usr/include/c++/9.2.0/bits/stl_vector.h:937
OpenPLi#6 0x91bbc in eConsoleAppContainer::setBufferSize(int) ../../git/lib/base/console.cpp:90
OpenPLi#7 0x73d040 in eConsolePy_setBufferSize python/enigma_python.cpp:4913
OpenPLi#8 0xb603b728 in PyEval_EvalFrameEx (/usr/lib/libpython2.7.so.1.0+0xd9728)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../git/lib/base/console.cpp:242 in eConsoleAppContainer::readyRead(int)
Shadow bytes around the buggy address:
0x33c2ec30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x33c2ec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x33c2ec50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x33c2ec60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x33c2ec70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x33c2ec80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33c2ec90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33c2eca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33c2ecb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33c2ecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x33c2ecd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1014==ABORTING
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Testing 1
The text was updated successfully, but these errors were encountered: