unofficial mirror of notmuch@notmuchmail.org
* [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address
@ 2015-01-17 15:51 Todd
  2015-01-17 15:51 ` [PATCH v1 1/2] lib: Fix potential invalid read past an empty string Todd
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Todd @ 2015-01-17 15:51 UTC (permalink / raw)
  To: notmuch

I built a copy of notmuch with gcc 4.8's new -fsanitize=address
feature and ran the test bench. It pointed out these two issues.


Todd (2):
  lib: Fix potential invalid read past an empty string
  lib: Fix use after free

 lib/thread.cc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--
1.9.1


* [PATCH v1 1/2] lib: Fix potential invalid read past an empty string
  2015-01-17 15:51 [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address Todd
@ 2015-01-17 15:51 ` Todd
  2015-01-17 15:51 ` [PATCH v1 2/2] lib: Fix use after free Todd
  2015-01-19  7:37 ` [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address David Bremner
  2 siblings, 0 replies; 4+ messages in thread
From: Todd @ 2015-01-17 15:51 UTC (permalink / raw)
  To: notmuch

==22884== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x601600008291 at pc 0x7ff6295680e5 bp 0x7fff4ab9aa40 sp 0x7fff4ab9aa08
READ of size 1 at 0x601600008291 thread T0
    #0 0x7ff6295680e4 in __interceptor_strcmp ??:?
    #1 0x44763b in _thread_add_message /home/todd/.apps/notmuch/lib/thread.cc:255
    #2 0x4459e8 in notmuch_threads_get /home/todd/.apps/notmuch/lib/query.cc:496
    #3 0x41e2a7 in do_search_threads /home/todd/.apps/notmuch/notmuch-search.c:131
    #4 0x40a408 in main /home/todd/.apps/notmuch/notmuch.c:345
    #5 0x7ff627cb9ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #6 0x40abf3 in _start ??:?
0x601600008291 is located 0 bytes to the right of 97-byte region [0x601600008230,0x601600008291)
allocated by thread T0 here:
    #0 0x7ff62956e41a in malloc ??:?
    #1 0x7ff628b8ab5d in talloc_strdup ??:?
---
 lib/thread.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/thread.cc b/lib/thread.cc
index 4542505..4c49f98 100644
--- a/lib/thread.cc
+++ b/lib/thread.cc
@@ -251,8 +251,8 @@ _thread_add_message (notmuch_thread_t *thread,
 		 term != NULL;
 		 term = term->next)
 	    {
-		/* We ignore initial 'K'. */
-		if (strcmp(tag, (term->string + 1)) == 0) {
+		/* Check for an empty string, and then ignore initial 'K'. */
+		if (*(term->string) && strcmp(tag, (term->string + 1)) == 0) {
 		    message_excluded = TRUE;
 		    break;
 		}
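Review bot: the new guard in `if (*(term->string) && strcmp(tag, (term->string + 1)) == 0)` only tests that the term is non-empty, while the comment still says the initial 'K' is skipped unconditionally. Consider checking the prefix explicitly, e.g. `term->string[0] == 'K' && strcmp (tag, term->string + 1) == 0`: that covers the empty-string case AddressSanitizer reported (the one-byte read just past the 97-byte talloc_strdup region in the trace above) and also stops a term that does not begin with 'K' from being compared against the tag with its first character dropped. The comment should then describe both conditions.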
-- 
1.9.1


* [PATCH v1 2/2] lib: Fix use after free
  2015-01-17 15:51 [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address Todd
  2015-01-17 15:51 ` [PATCH v1 1/2] lib: Fix potential invalid read past an empty string Todd
@ 2015-01-17 15:51 ` Todd
  2015-01-19  7:37 ` [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address David Bremner
  2 siblings, 0 replies; 4+ messages in thread
From: Todd @ 2015-01-17 15:51 UTC (permalink / raw)
  To: notmuch

_thread_set_subject_from_message sometimes replaces the subject, making
cur_subject point to freed memory.

==6550== ERROR: AddressSanitizer: heap-use-after-free on address 0x601a0000bec0 at pc 0x4464a4 bp 0x7fffa40be910 sp 0x7fffa40be908
READ of size 1 at 0x601a0000bec0 thread T0
    #0 0x4464a3 in _thread_add_matched_message /home/todd/.apps/notmuch/lib/thread.cc:369
    #1 0x443c2c in notmuch_threads_get /home/todd/.apps/notmuch/lib/query.cc:496
    #2 0x41d947 in do_search_threads /home/todd/.apps/notmuch/notmuch-search.c:131
    #3 0x40a3fe in main /home/todd/.apps/notmuch/notmuch.c:345
    #4 0x7f4e535b4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #5 0x40abe6 in _start ??:?
0x601a0000bec0 is located 96 bytes inside of 134-byte region [0x601a0000be60,0x601a0000bee6)
freed by thread T0 here:
    #0 0x7f4e54e6933a in __interceptor_free ??:?
    #1 0x7f4e54482fab in _talloc_free ??:?
previously allocated by thread T0 here:
    #0 0x7f4e54e6941a in malloc ??:?
    #1 0x7f4e54485b5d in talloc_strdup ??:?
---
 lib/thread.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/thread.cc b/lib/thread.cc
index 4c49f98..9847cf8 100644
--- a/lib/thread.cc
+++ b/lib/thread.cc
@@ -353,10 +353,8 @@ _thread_add_matched_message (notmuch_thread_t *thread,
 {
     time_t date;
     notmuch_message_t *hashed_message;
-    const char *cur_subject;
 
     date = notmuch_message_get_date (message);
-    cur_subject = notmuch_thread_get_subject(thread);
 
     if (date < thread->oldest || ! thread->matched_messages) {
 	thread->oldest = date;
@@ -366,6 +364,7 @@ _thread_add_matched_message (notmuch_thread_t *thread,
 
     if (date > thread->newest || ! thread->matched_messages) {
 	thread->newest = date;
+	const char *cur_subject = notmuch_thread_get_subject(thread);
 	if (sort != NOTMUCH_SORT_OLDEST_FIRST || EMPTY_STRING(cur_subject))
 	    _thread_set_subject_from_message (thread, message);
     }
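Review bot: fetching `cur_subject` immediately before its use is the right fix for the stale pointer, since the earlier `notmuch_thread_get_subject(thread)` call removed in the previous hunk could be followed by `_thread_set_subject_from_message` replacing and freeing the old subject (the trace shows the read at thread.cc:369 landing 96 bytes into a freed talloc_strdup region). Two style points on the new line `const char *cur_subject = notmuch_thread_get_subject(thread);`: the function declares its locals at the top (`time_t date;`, `notmuch_message_t *hashed_message;` in the previous hunk), so keeping the declaration there and only moving the assignment next to the `EMPTY_STRING(cur_subject)` test would match the surrounding code; and the call omits the space before the parenthesis that `notmuch_message_get_date (message)` and `_thread_set_subject_from_message (thread, message)` use.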
-- 
1.9.1


* Re: [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address
  2015-01-17 15:51 [PATCH v1 0/2] Fixes for issues discovered with -fsanitize=address Todd
  2015-01-17 15:51 ` [PATCH v1 1/2] lib: Fix potential invalid read past an empty string Todd
  2015-01-17 15:51 ` [PATCH v1 2/2] lib: Fix use after free Todd
@ 2015-01-19  7:37 ` David Bremner
  2 siblings, 0 replies; 4+ messages in thread
From: David Bremner @ 2015-01-19  7:37 UTC (permalink / raw)
  To: Todd, notmuch

Todd <todd@electricoding.com> writes:

> I built a copy of notmuch with gcc 4.8's new -fsanitize=address
> feature and ran the test bench. It pointed out these two issues.

Series pushed. Thanks!

d

