[kbd] Invalid out of bounds memory read when running make check

Hanno Böck hanno at hboeck.de
Mon Mar 21 12:41:52 MSK 2016 

Hi,

When compiling kbd (latest version 2.0.3) with address sanitizer and
running the test suite (make check) it will show a global out of bounds
memory read. I have attached the address sanitizer error message at the
end of this mail.

I have not fully tracked down the bug, but the error happens in the
file ksyms.c in line 203.

The test that's causing this can be manually run with
./libkeymap-dumpkeys ./dumpkeys.ua-ws.map SEPARATE_LINE FALSE
in the tests dir.

This line from dumpkeys.ua-ws.map causes it:
altgr keycode   3 = 157

To reproduce:
./configure CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address"
make
make check


Here's the full asan error:

==19183==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000006473d8 at pc 0x417ce5 bp 0x7ffc88302d70 sp 0x7ffc88302d60
READ of size 8 at 0x0000006473d8 thread T0
    #0 0x417ce4 in codetoksym /mnt/ram/kbd/src/libkeymap/ksyms.c:203
    #1 0x418e82 in convert_code /mnt/ram/kbd/src/libkeymap/ksyms.c:415
    #2 0x40bc3f in yyparse /mnt/ram/kbd/src/libkeymap/parser.y:396
    #3 0x40ce98 in lk_parse_keymap /mnt/ram/kbd/src/libkeymap/parser.y:421
    #4 0x402167 in main /mnt/ram/kbd/tests/libkeymap-dumpkeys.c:32
    #5 0x7f9a0f87b62f in __libc_start_main (/lib64/libc.so.6+0x2062f)
    #6 0x401db8 in _start (/mnt/ram/kbd/tests/libkeymap-dumpkeys+0x401db8)

0x0000006473d8 is located 24 bytes to the right of global variable 'koi8_syms' from 'ksyms.c' (0x646bc0) of size 2048
0x0000006473d8 is located 40 bytes to the left of global variable 'latin1_syms' from 'ksyms.c' (0x647400) of size 1536
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/kbd/src/libkeymap/ksyms.c:203 codetoksym
Shadow bytes around the buggy address:
  0x0000800c0e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800c0e70: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
  0x0000800c0e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800c0ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19183==ABORTING


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.altlinux.org/pipermail/kbd/attachments/20160321/81e56c83/attachment.bin>

More information about the kbd mailing list