Thanks to visit codestin.com
Credit goes to github.com

Skip to content

<xstring>: ASAN report container-overflow in a legal case #3955

New issue
New issue
Closed
#3956
Closed
<xstring>: ASAN report container-overflow in a legal case#3955
#3956
Labels
ASanAddress SanitizerbugSomething isn't workingfixedSomething works now, yay!
@zlsun

Description

@zlsun
zlsun
opened on Aug 12, 2023

Describe the bug

ASAN report container-overflow in a legal case.

Command-line test case

C:\Temp>type repro.cpp
#include <iostream>
#include <string>

int main()
{
    std::string fontName = "ui/font/test.ttf";
    int nFindPos = (int)fontName.rfind("/");
    fontName = &fontName[nFindPos + 1];
}

C:\Temp>cl /EHsc /W4 /WX /std:c++latest /fsanitize=address /Zi .\repro.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.37.32822 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

/std:c++latest is provided as a preview of language features from the latest C++
working draft, and we're eager to hear about bugs and suggestions for improvements.
However, note that these features are provided as-is without support, and subject
to changes or removal as the working draft evolves. See
https://go.microsoft.com/fwlink/?linkid=2045807 for details.

repro.cpp
Microsoft (R) Incremental Linker Version 14.37.32822.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:repro.exe
/InferAsanLibs
/debug
repro.obj

C:\Temp>.\repro.exe
=================================================================
==11212==ERROR: AddressSanitizer: container-overflow on address 0x124a920a0949 at pc 0x7ffcdc4714bb bp 0x00939796f490 sp 0x00939796ec20
READ of size 8 at 0x124a920a0949 thread T0
    #0 0x7ffcdc4714ba in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
    #1 0x7ff7a0835936 in std::_Char_traits<char, int>::move(char *const, char const *const, unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:119
    #2 0x7ff7a0834e2b in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::assign(char const *const, unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:3380
    #3 0x7ff7a0834bd1 in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::assign(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:3395
    #4 0x7ff7a083311c in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::operator=(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:3204
    #5 0x7ff7a0831133 in main D:\tmp\asan\repro.cpp:8
    #6 0x7ff7a08388bb in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #7 0x7ff7a08388bb in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #8 0x7ffd47457613  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
    #9 0x7ffd48c826b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

0x124a920a0949 is located 9 bytes inside of 32-byte region [0x124a920a0940,0x124a920a0960)
allocated by thread T0 here:
    #0 0x7ff7a08382e5 in operator new(unsigned __int64) D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_win_new_scalar_thunk.cpp:40
    #1 0x7ff7a0833712 in std::_Default_allocate_traits::_Allocate(unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xmemory:87
    #2 0x7ff7a08311fd in std::_Allocate<16, struct std::_Default_allocate_traits, 0>(unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xmemory:245
    #3 0x7ff7a08349bf in std::allocator<char>::allocate(unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xmemory:974
    #4 0x7ff7a08316e2 in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::_Construct<1, char const *>(char const *const, unsigned __int64) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:2652
    #5 0x7ff7a0832b2b in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\xstring:2540
    #6 0x7ff7a08310ee in main D:\tmp\asan\repro.cpp:6
    #7 0x7ff7a08388bb in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #8 0x7ff7a08388bb in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #9 0x7ffd47457613  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017613)
    #10 0x7ffd48c826b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840 in __asan_wrap_memcpy
Shadow bytes around the buggy address:
  0x048de44940d0: 06 fa fa fa 00 00 00 01 fa fa 00 00 00 03 fa fa
  0x048de44940e0: 00 00 07 fa fa fa 00 00 00 03 fa fa 00 00 00 01
  0x048de44940f0: fa fa 00 00 00 03 fa fa 00 00 00 fa fa fa 00 00
  0x048de4494100: 07 fa fa fa 00 00 01 fa fa fa 00 00 02 fa fa fa
  0x048de4494110: 00 00 00 00 fa fa 00 00 02 fa fa fa 00 00 05 fa
=>0x048de4494120: fa fa 00 00 00 06 fa fa 00[01]fc fc fa fa fd fd
  0x048de4494130: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x048de4494140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x048de4494150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x048de4494160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x048de4494170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11212==ABORTING

Expected behavior

ASAN should not report container-overflow in this case.

STL version

  Microsoft Visual Studio Community 2022
  Version 17.7.0

Additional context

Cause

fontName = &fontName[nFindPos + 1]; call assign method in <xstring>

STL/stl/inc/xstring

Lines 3370 to 3381 in 8674b3d

_CONSTEXPR20 basic_string& assign(
_In_reads_(_Count) const _Elem* const _Ptr, _CRT_GUARDOVERFLOW const size_type _Count) {
// assign [_Ptr, _Ptr + _Count)
if (_Count <= _Mypair._Myval2._Myres) {
_ASAN_STRING_MODIFY(*this, _Mypair._Myval2._Mysize, _Count);
_Elem* const _Old_ptr = _Mypair._Myval2._Myptr();
_Mypair._Myval2._Mysize = _Count;
_Traits::move(_Old_ptr, _Ptr, _Count);
_Traits::assign(_Old_ptr[_Count], _Elem());
return *this;
}

_ASAN_STRING_MODIFY shrink the valid range of string fontName

Then _Traits::move copy chars from invalid range.

This code is introduced in #3164

Original source code

The example code is copy from https://github.com/cocos2d/cocos2d-x/blob/76903dee64046c7bfdba50790be283484b4be271/cocos/platform/win32/CCDevice-win32.cpp#L115-L119

This is VSO-1854245 / AB#1854245.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ASanAddress SanitizerbugSomething isn't workingfixedSomething works now, yay!

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions