Bug 25097 - mono stack-buffer-overflow on latest build
Summary: mono stack-buffer-overflow on latest build
Status: RESOLVED ANSWERED
Alias: None
Product: Runtime
Classification: Mono
Component: JIT
Version: unspecified
Hardware: PC Linux
Importance: --- normal
Target Milestone: ---
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2014-12-05 06:52 UTC by Joshua Rogers
Modified: 2018-02-28 22:35 UTC
4 users

Tags:
Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Description Joshua Rogers 2014-12-05 06:52:07 UTC
Using the latest source, mono-3.10.0, and building with ASAN, it detects a buffer overflow when compiling:

=================================================================
==63069==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffe09b300 at pc 0x137a750 bp 0x7ffffe09b0a0 sp 0x7ffffe09b098
READ of size 8 at 0x7ffffe09b300 thread T0
    #0 0x137a74f in conservatively_pin_objects_from /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1200
    #1 0x137a74f in scan_thread_data /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3778
    #2 0x137a74f in pin_from_roots /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1259
    #3 0x138bb35 in collect_nursery /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:2298
    #4 0x138ed60 in collect_nursery /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3241
    #5 0x138ed60 in sgen_perform_collection /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:3196
    #6 0x149c45b in mono_gc_alloc_obj_nolock /root/srcs/mono-3.10.0/mono/metadata/sgen-alloc.c:315
    #7 0x149fcf9 in mono_gc_alloc_vector /root/srcs/mono-3.10.0/mono/metadata/sgen-alloc.c:521
    #8 0x4141c95d (+0x795d)

Address 0x7ffffe09b300 is located in stack of thread T0 at offset 528 in frame
    #0 0x13786e7 in pin_from_roots /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1242

  This frame has 7 object(s):
    [32, 40) '_zzq_result'
    [96, 104) '_zzq_result'
    [160, 168) '_zzq_result'
    [224, 240) 'data'
    [288, 336) '_zzq_args'
    [384, 432) '_zzq_args'
    [480, 528) '_zzq_args' <== Memory access at offset 528 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported) 
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/srcs/mono-3.10.0/mono/metadata/sgen-gc.c:1200 conservatively_pin_objects_from
Shadow bytes around the buggy address:
  0x10007fc0b610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fc0b620: f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
  0x10007fc0b630: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x10007fc0b640: f2 f2 00 00 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00
  0x10007fc0b650: 00 00 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
=>0x10007fc0b660:[f4]f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fc0b670: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 00 00
  0x10007fc0b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fc0b690: f1 f1 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00
  0x10007fc0b6a0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10007fc0b6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Line 1200 of sgen-gc.c is:
                if (*start >= start_nursery && *start < end_nursery) {
Thanks,
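To show what the read at line 1200 is doing, here is a simplified model of SGen's conservative stack scan, added as an example and not Mono's own code: it walks a word range blindly and pins any word whose value lies inside the nursery, regardless of which local variable owns the bytes being read, which is exactly the per-variable bound that ASAN's stack redzones (the f1/f2/f4 shadow bytes above) enforce. The function and buffer names, the nursery size and the sample "stack" snapshot are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A conservative scanner deliberately reads bytes that ASAN treats as unaddressable
 * (redzones between stack locals), so a real GC exempts the scanner from
 * instrumentation. Assumption: GCC or Clang, which accept this attribute. */
#if defined(__GNUC__)
#define NO_ASAN __attribute__((no_sanitize_address))
#else
#define NO_ASAN
#endif

/* Walk [start, end) one word at a time and report every word whose value falls in
 * [start_nursery, end_nursery): the same test as sgen-gc.c line 1200. Returns the
 * number of candidate pointers; pinned[] (may be NULL) receives the word index of
 * each hit, up to max_pinned entries. Comparisons go through uintptr_t because
 * relational operators on pointers into different objects are undefined in C. */
NO_ASAN size_t
conservatively_pin_objects_from(void **start, void **end,
                                void *start_nursery, void *end_nursery,
                                size_t *pinned, size_t max_pinned)
{
    uintptr_t lo = (uintptr_t)start_nursery, hi = (uintptr_t)end_nursery;
    size_t found = 0;
    for (void **p = start; p < end; p++) {        /* raw words, no type info */
        uintptr_t v = (uintptr_t)*p;
        if (v >= lo && v < hi) {                  /* looks like a nursery pointer */
            if (pinned && found < max_pinned)
                pinned[found] = (size_t)(p - start);
            found++;
        }
    }
    return found;
}

/* Constructed input: a 64-byte "nursery" and an 8-word "stack" snapshot. The scanner
 * cannot tell a real reference from an integer that merely falls in range, which is
 * the price of conservative scanning. */
size_t demo_scan(size_t *pinned, size_t max_pinned)
{
    static char nursery[64];
    void *stack[8];
    memset(stack, 0, sizeof stack);
    stack[0] = nursery + 8;                 /* interior pointer: pinned */
    stack[1] = (void *)(uintptr_t)0x2a;     /* small integer: not in range */
    stack[2] = nursery + 64;                /* one past the end: excluded */
    stack[3] = nursery;                     /* first nursery byte: pinned */
    stack[5] = (void *)stack;               /* pointer to the stack: outside */
    return conservatively_pin_objects_from(stack, stack + 8, nursery, nursery + 64,
                                           pinned, max_pinned);
}
```

Under ASAN, scanning a real thread stack this way crosses the redzones between locals, so without the exemption the report above is what a correct scanner produces, which is why ASAN itself hints that it may be a false positive.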
Comment 1 Ludovic Henry 2018-02-28 22:35:41 UTC
We have had a few runs with ASAN and didn't find this issue again. Marking as fixed. If you still see it, please provide us with the ASAN version you are using as well as the Mono version. Thank you.