Tk Source Code

View Ticket
Login
Ticket UUID: b1534b438bc711e848ad7ade3642ce0a6323fe8e
Title: Out of bounds read access in function Write / tclIO.c
Type: Bug Version: 8.6.4
Submitter: hanno Created on: 2015-06-30 19:56:05
Subsystem: None Assigned To: dgp
Priority: 5 Medium Severity: Minor
Status: Closed Last Modified: 2016-08-22 08:34:09
Resolution: Fixed Closed By: dkf
    Closed on: 2016-08-22 08:34:09
Description:
When compiling tcl with address sanitizer the test chanio.test will report an out of bounds error. I'll attach the address sanitizer output below. To reproduce run:

./configure CFLAGS="-fsanitize=address -g"; make; make test

The access happens in the file tclIO.c in line 4326. This is the code in question:
	    if (saved == 0 || src[-1]	 != '\n') {

Seems like it's trying to access the "-1" index of src without verifying that there is a previous index.

This is the address sanitizer error message:
==18913==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f751e8da91f at pc 0x7f751e773ef7 bp 0x7ffe51019900 sp 0x7ffe510198f0
READ of size 1 at 0x7f751e8da91f thread T0
    #0 0x7f751e773ef6 in Write /mnt/ram/tcl8.6.4/generic/tclIO.c:4326
    #1 0x7f751e770d84 in Tcl_Close /mnt/ram/tcl8.6.4/generic/tclIO.c:3353
    #2 0x7f751e7716b2 in Tcl_UnregisterChannel /mnt/ram/tcl8.6.4/generic/tclIO.c:1247
    #3 0x7f751e782b9b in Tcl_CloseObjCmd /mnt/ram/tcl8.6.4/generic/tclIOCmd.c:726
    #4 0x7f751e52ba1b in TclNRRunCallbacks /mnt/ram/tcl8.6.4/generic/tclBasic.c:4392
    #5 0x7f751e5320b1 in TclEvalEx /mnt/ram/tcl8.6.4/generic/tclBasic.c:5261
    #6 0x7f751e79d7ee in Tcl_FSEvalFileEx /mnt/ram/tcl8.6.4/generic/tclIOUtil.c:1815
    #7 0x7f751e7b091c in Tcl_MainEx /mnt/ram/tcl8.6.4/generic/tclMain.c:417
    #8 0x401713 in main /mnt/ram/tcl8.6.4/unix/tclAppInit.c:84
    #9 0x7f751d7abf9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #10 0x401866 (/mnt/ram/tcl8.6.4/unix/tcltest+0x401866)

0x7f751e8da91f is located 1 bytes to the left of global variable '*.LC89' from '/mnt/ram/tcl8.6.4/generic/tclIO.c' (0x7f751e8da920) of size 1
  '*.LC89' is ascii string ''
0x7f751e8da91f is located 54 bytes to the right of global variable '*.LC88' from '/mnt/ram/tcl8.6.4/generic/tclIO.c' (0x7f751e8da8e0) of size 9
  '*.LC88' is ascii string '-eofchar'
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/tcl8.6.4/generic/tclIO.c:4326 Write
Shadow bytes around the buggy address:
  0x0fef23d134d0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9
  0x0fef23d134e0: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0fef23d134f0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0fef23d13500: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 02 f9 f9
  0x0fef23d13510: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
=>0x0fef23d13520: f9 f9 f9[f9]01 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9
  0x0fef23d13530: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0fef23d13540: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0fef23d13550: f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x0fef23d13560: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0fef23d13570: f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 00 00 00 01
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18913==ABORTING
User Comments: dgp added on 2015-07-15 17:19:30:
Fixed for Tcl 8.5.19 and 8.6.5.

Please confirm.

dgp added on 2015-07-15 14:59:26:
...and this is a Tcl matter, not Tk.

dgp added on 2015-07-15 14:57:58:
Looks like test io-1.9 triggers the matter.