NetBSD Problem Report #54491
From www@netbsd.org Tue Aug 27 05:29:43 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 6EBDF7A1A1
for <gnats-bugs@gnats.NetBSD.org>; Tue, 27 Aug 2019 05:29:43 +0000 (UTC)
Message-Id: <20190827052942.7ACA57A1BB@mollari.NetBSD.org>
Date: Tue, 27 Aug 2019 05:29:42 +0000 (UTC)
From: n54@gmx.com
Reply-To: n54@gmx.com
To: gnats-bugs@NetBSD.org
Subject: sysinst is not LLVM ASan clean
X-Send-Pr-Version: www-1.0
>Number: 54491
>Category: install
>Synopsis: sysinst is not LLVM ASan clean
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Aug 27 05:30:00 +0000 2019
>Last-Modified: Tue Aug 27 14:55:01 +0000 2019
>Originator: Kamil Rytarowski
>Release: NetBSD 9.99.10
>Organization:
TNF
>Environment:
NetBSD 9.99.10 NetBSD 9.99.10 (GENERIC) #0: Tue Aug 27 05:56:51 CEST 2019 kamill@chieftec:/public/netbsd.asan/sys/arch/amd64/compile/GENERIC amd64
>Description:
sysinst errors after unpacking sets
=================================================================
==18==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7ff7a9b478 at pc 0x7f7ff786fb22 bp 0x7f7fffffd590 sp 0x7f7fffffd588
READ of size 8 at 0x7f7ff7a9b478 thread T0
#0 0x7f7ff786fb21 in doupdate (/usr/lib/libcurses.so.8+0x6fb21) // /usr/src/lib/libcurses/refresh.c:2013
#1 0x7f7ff7865c19 in wrefresh (/usr/lib/libcurses.so.8+0x65c19) // /usr/src/lib/libcurses/refresh.c:481
#2 0x38ff0c in do_configmenu (/usr/sbin/sysinst+0x18ff0c) // /usr/src/usr.sbin/sysinst/arch/amd64/../../configmenu.c:460
#3 0x364cce in do_install (/usr/sbin/sysinst+0x164cce) // /usr/src/usr.sbin/sysinst/arch/amd64/../../install.c:211
#4 0x35d76e in opt_act_2_0 (/usr/sbin/sysinst+0x15d76e) // /public/netbsd.asan/usr.sbin/sysinst/arch/amd64/menu_defs.c:254
#5 0x35ae43 in process_menu (/usr/sbin/sysinst+0x15ae43) // /public/netbsd.asan/usr.sbin/sysinst/arch/amd64/menu_defs.c:3208
#6 0x364281 in main (/usr/sbin/sysinst+0x164281) // /usr/src/usr.sbin/sysinst/arch/amd64/../../main.c:277
#7 0x262e1c in ___start (/usr/sbin/sysinst+0x62e1c)
0x7f7ff7a9b478 is located 40 bytes to the left of global variable 'buf' defined in '/usr/src/lib/libcurses/refresh.c:1465:16' (0x7f7ff7a9b4a0) of size 2048
0x7f7ff7a9b478 is located 8 bytes to the right of global variable 'blank' defined in '/usr/src/lib/libcurses/refresh.c:1119:17' (0x7f7ff7a9b460) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/libcurses.so.8+0x6fb21) in doupdate
Shadow bytes around the buggy address:
0x4feffef53630: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x4feffef53640: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x4feffef53650: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x4feffef53660: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 04 f9 f9 f9
0x4feffef53670: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x4feffef53680: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]
0x4feffef53690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x4feffef536a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4feffef536b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4feffef536c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x4feffef536d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==18==ABORTING
>How-To-Repeat:
1. ./build.sh -C /public/extras -j8 -N0 -U -u -V MAKECONF=/dev/null -V MKDEBUGLIB=yes -V MKDEBUG=yes -V MKSANITIZER=yes -V MKLLVM=yes -V MKGCC=no -V HAVE_LLVM=yes -O /public/netbsd.asan distribution
2. Build release
3. Build iso-image
4. Try to install in qemu.
>Fix:
N/A
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: install-manager->lib-bug-people
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Tue, 27 Aug 2019 06:44:13 +0000
Responsible-Changed-Why:
Sounds like a libcurses bug to me
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: install/54491: sysinst is not LLVM ASan clean
Date: Tue, 27 Aug 2019 11:29:39 +0200
This seems to depend on the terminal type, i.e. I can not reproduce it
with "xterm".
Did you use qemu with graphical display (so your $TERM would have been
wsvt25)?
Martin
From: Kamil Rytarowski <n54@gmx.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: install/54491: sysinst is not LLVM ASan clean
Date: Tue, 27 Aug 2019 16:29:57 +0200
On 27.08.2019 11:30, Martin Husemann wrote:
> The following reply was made to PR install/54491; it has been noted by GNATS.
>
> From: Martin Husemann <martin@duskware.de>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: install/54491: sysinst is not LLVM ASan clean
> Date: Tue, 27 Aug 2019 11:29:39 +0200
>
> This seems to depend on the terminal type, i.e. I can not reproduce it
> with "xterm".
>
> Did you use qemu with graphical display (so your $TERM would have been
> wsvt25)?
>
> Martin
>
>
# echo $TERM
wsvt25
I use qemu with -curses.
>Unformatted:
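
Added example, not part of the original PR or of NetBSD's code: a triage helper that maps the addresses in the ASan report above onto its shadow-byte dump, showing that the 8-byte read lands in the global redzone between 'blank' and 'buf'. The addresses and the two shadow rows are copied from the report; the shadow offset is not printed by ASan and is derived here from the bracketed byte, and the legend is reduced to the values that occur in these rows.

```python
import re

# Two rows copied from the "Shadow bytes around the buggy address" dump above.
SHADOW_DUMP = """\
=>0x4feffef53680: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]
  0x4feffef53690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
"""
FAULT_ADDR = 0x7F7FF7A9B478   # address of the READ of size 8
BLANK = (0x7F7FF7A9B460, 16)  # global 'blank' (start, size) per the report
BUF = (0x7F7FF7A9B4A0, 2048)  # global 'buf' (start, size) per the report
LEGEND = {0x00: "addressable", 0xF9: "global redzone"}  # subset of the legend
GRANULE_SHIFT = 3             # one shadow byte covers 8 application bytes


def parse_shadow(dump):
    """Return ({shadow_addr: byte}, shadow address of the [xx]-marked byte)."""
    shadow, marked = {}, None
    for m in re.finditer(r"0x([0-9a-f]+):(.*)", dump):
        base = int(m.group(1), 16)
        for i, tok in enumerate(re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))):
            if tok.startswith("["):
                marked = base + i
            shadow[base + i] = int(tok.strip("[]"), 16)
    return shadow, marked


def state(shadow, offset, addr):
    """Legend label for the 8-byte granule containing application address addr."""
    byte = shadow[(addr >> GRANULE_SHIFT) + offset]
    if 0 < byte < 8:
        return f"first {byte} bytes addressable"
    return LEGEND.get(byte, f"poisoned (0x{byte:02x})")


def triage():
    shadow, marked = parse_shadow(SHADOW_DUMP)
    offset = marked - (FAULT_ADDR >> GRANULE_SHIFT)  # derived, not printed by ASan
    def granules(start, size):
        return [state(shadow, offset, a) for a in range(start, start + size, 8)]
    return {
        "offset": hex(offset),
        "fault": state(shadow, offset, FAULT_ADDR),
        "blank": granules(*BLANK),
        "gap": granules(BLANK[0] + BLANK[1], BUF[0] - BLANK[0] - BLANK[1]),
    }


if __name__ == "__main__":
    print(triage())
```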