Bug 25097 - mono stack-buffer-overflow on latest build
Summary: mono stack-buffer-overflow on latest build
Status: NEW
Alias: None
Product: Runtime
Classification: Mono
Component: JIT
Version: unspecified
Hardware: PC Linux
: --- normal
Target Milestone: ---
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2014-12-05 06:52 UTC by Joshua Rogers
Modified: 2015-04-14 11:09 UTC

See Also:
Tags:
Is this bug a regression?: ---
Last known good build:

Description Joshua Rogers 2014-12-05 06:52:07 UTC
Using the latest source, mono-3.10.0, and building with ASAN, ASAN detects a buffer overflow when compiling:

=================================================================
==63069==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffe09b300 at pc 0x137a750 bp 0x7ffffe09b0a0 sp 0x7ffffe09b098
READ of size 8 at 0x7ffffe09b300 thread T0
    #0 0x137a74f in conservatively_pin_objects_from /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1200
    #1 0x137a74f in scan_thread_data /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3778
    #2 0x137a74f in pin_from_roots /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1259
    #3 0x138bb35 in collect_nursery /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:2298
    #4 0x138ed60 in collect_nursery /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3241
    #5 0x138ed60 in sgen_perform_collection /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3196
    #6 0x149c45b in mono_gc_alloc_obj_nolock /root/srcs/mono-3.10.0/mono/metadata/sgen-alloc.c:315
    #7 0x149fcf9 in mono_gc_alloc_vector /root/srcs/mono-3.10.0/mono/metadata/sgen-alloc.c:521
    #8 0x4141c95d (+0x795d)

Address 0x7ffffe09b300 is located in stack of thread T0 at offset 528 in frame
    #0 0x13786e7 in pin_from_roots /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1242

  This frame has 7 object(s):
    [32, 40) '_zzq_result'
    [96, 104) '_zzq_result'
    [160, 168) '_zzq_result'
    [224, 240) 'data'
    [288, 336) '_zzq_args'
    [384, 432) '_zzq_args'
    [480, 528) '_zzq_args' <== Memory access at offset 528 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported) 
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1200 conservatively_pin_objects_from
Shadow bytes around the buggy address:
  0x10007fc0b610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fc0b620: f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x10007fc0b630: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x10007fc0b640: f2 f2 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00
  0x10007fc0b650: 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
=>0x10007fc0b660:[f4]f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fc0b670: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 00 00
  0x10007fc0b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fc0b690: f1 f1 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x10007fc0b6a0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10007fc0b6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Line 1200 of sgen-gc.c is:
                if (*start >= start_nursery && *start < end_nursery) {
Thanks,
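The report above comes from sgen's conservative stack scan: conservatively_pin_objects_from walks every word of the thread stack, including the bytes between the locals of pin_from_roots, and ASAN marks those bytes as redzones, so the deliberate read one past '_zzq_args' is reported as a stack-buffer-overflow (the "custom stack unwind mechanism" case the HINT line refers to). Whether that is the whole story for this particular build is not settled by the report alone. The following is an added illustration of the mechanism and of the usual remedy, written for this bug page and not taken from Mono's sources: it assumes GCC or Clang (for the no_sanitize_address and noinline attributes), uses a constructed static array as a stand-in for the nursery, and reuses sgen's function name for the check at sgen-gc.c:1200 while the other names (scan_from_here, scan_thread_stack, scan_demo, pin_constructed_words) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the sgen nursery: any stack word that points into
 * [nursery, nursery + sizeof nursery) counts as a reference to a live object. */
static char nursery[4096];

/* The scanner must read every word of foreign stack frames, including the
 * ASAN redzones between locals, so it is excluded from instrumentation.
 * noinline keeps it (and the frame-holding helpers) out of their callers. */
#if defined(__GNUC__) || defined(__clang__)
#define SCANNER_ATTRS __attribute__((no_sanitize_address, noinline))
#define NOINLINE __attribute__((noinline))
#else
#define SCANNER_ATTRS
#define NOINLINE
#endif

/* Same test as sgen-gc.c:1200: count the words in [start, end) that point
 * into the nursery. Bounds are char* so the comparison is plain C. */
SCANNER_ATTRS
static size_t conservatively_pin_objects_from(void **start, void **end,
                                              char *start_nursery, char *end_nursery)
{
    size_t pinned = 0;
    for (; start < end; start++) {
        char *p = (char *)*start;
        if (p >= start_nursery && p < end_nursery)
            pinned++;
    }
    return pinned;
}

/* Scans the live stack between this frame and stack_bottom (recorded by a
 * caller), word-aligning both ends and accepting either growth direction. */
NOINLINE
static size_t scan_from_here(void *stack_bottom)
{
    char marker; /* approximates the current stack pointer */
    uintptr_t a = (uintptr_t)&marker & ~(uintptr_t)(sizeof(void *) - 1);
    uintptr_t b = (uintptr_t)stack_bottom & ~(uintptr_t)(sizeof(void *) - 1);
    void **lo = (void **)(a < b ? a : b);
    void **hi = (void **)(a < b ? b : a);
    return conservatively_pin_objects_from(lo, hi, nursery, nursery + sizeof nursery);
}

/* Keeps one nursery pointer in a stack slot (volatile forces the store) while
 * a deeper frame scans; the scan must find at least that pointer. */
NOINLINE
static size_t scan_thread_stack(void *stack_bottom)
{
    char *volatile held = nursery + 128;
    size_t n = scan_from_here(stack_bottom);
    (void)held;
    return n;
}

/* Entry point: records the stack bottom in its own frame, the way a thread's
 * registered stack end is used by the real collector. */
size_t scan_demo(void)
{
    char bottom;
    return scan_thread_stack(&bottom);
}

/* Deterministic check of the pinning test on a constructed word array:
 * NULL, the array's own address and the one-past-the-end pointer are not
 * nursery references; the two interior pointers are. */
size_t pin_constructed_words(void)
{
    void *words[5];
    words[0] = NULL;
    words[1] = nursery + 8;
    words[2] = (void *)words;
    words[3] = nursery + sizeof nursery;       /* exclusive end, not pinned */
    words[4] = nursery + sizeof nursery - 1;   /* last byte, pinned */
    return conservatively_pin_objects_from(words, words + 5,
                                           nursery, nursery + sizeof nursery);
}

int main(void)
{
    printf("constructed words pinned: %zu\n", pin_constructed_words());
    printf("live stack words pinned:  %zu\n", scan_demo());
    return 0;
}
```

Built with -fsanitize=address, removing no_sanitize_address from the scanner makes the walk through scan_thread_stack's frame read its redzones and ASAN emits a stack-buffer-overflow report of the same shape as the one above; with the attribute in place the scan is uninstrumented and the report disappears, which is the check to apply when triaging this kind of finding in a conservative collector: confirm the faulting read comes from the scanner's intended sweep over another frame rather than from an out-of-bounds index on an object of its own.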
