Clamscan (Cisco-Talos) wants a pull request of fast signature synthesis, functional analysis, local sandbox, + analysis CNS #1
Labels: good first issue (Good for newcomers), improve (New feature or request), todo (unimplemented (but advertised) part of the tool)
SwuduSusuwu changed the title from "Clamscan (Cisco-Talos) wants a pull request based off of this" to "Clamscan (Cisco-Talos) wants a pull request of fast signature synthesis, functional analysis, local sandbox, + analysis CNS" on May 5, 2024
SwuduSusuwu added a commit that referenced this issue on Jun 15, 2024:
Includes most of https://developers.redhat.com/blog/2021/05/05/memory-error-checking-in-c-and-c-comparing-sanitizers-and-valgrind https://clang.llvm.org/docs/MemorySanitizer.html , such as

```
CXX_FLAGS="-fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment"
export ASAN_OPTIONS=abort_on_error=1:fast_unwind_on_malloc=0:detect_leaks=0 UBSAN_OPTIONS=print_stacktrace=1
CXX_FLAGS+=" -fno-omit-frame-pointer" #/* from https://clang.llvm.org/docs/MemorySanitizer.html */
CXX_FLAGS+=" -g" #/* gives variables+linenums to stacktraces */
```

which produces stacktraces such as

```
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
cxx/VirusAnalysis.hxx: pass
AddressSanitizer:DEADLYSIGNAL
=================================================================
==355==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x007958880050 bp 0x007fed4ad6f0 sp 0x007fed4acee0 T0)
==355==The signal is caused by a READ memory access.
==355==Hint: address points to the zero page.
libunwind: unsupported .eh_frame_hdr version: 127 at 795cd30000
    #0 0x7958880050 in __strlen_aarch64 libc_init_dynamic.cpp
    #1 0x795a4be864 in strlen out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc
    #2 0x59a56172b0 in std::__ndk1::__constexpr_strlen[abi:v170000](char const*) /data/data/com.termux/files/usr/include/c++/v1/cstring:114:10
    #3 0x59a5617270 in std::__ndk1::char_traits<char>::length(char const*) /data/data/com.termux/files/usr/include/c++/v1/__string/char_traits.h:220:12
    #4 0x59a55e0c8c in std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>>::basic_string[abi:v170000]<std::nullptr_t>(char const*) /data/data/com.termux/files/usr/include/c++/v1/string:882:17
    #5 0x59a5639018 in Susuwu::questionsResponsesFromHosts(Susuwu::ResultList&, Susuwu::ResultList&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>>, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>>>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ConversationCns.cxx:54:68
    #6 0x59a5638870 in Susuwu::conversationCnsTestsThrows() /data/data/com.termux/files/home/SubStack/./cxx/ConversationCns.cxx:32:2
    #7 0x59a56431bc in Susuwu::testHarnesses() /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:21:5
    #8 0x59a56431f8 in main /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:28:9
    #9 0x795887ee18 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x56e18) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libc_init_dynamic.cpp in __strlen_aarch64
==355==ABORTING
Aborted
~/SubStack $
```

`GXX` -> `CXX` for compiler executable (more consistent)
@posts/VirusAnalysis.md "callgraphs" -> "stacktraces". Give comparisons of `-fsanitize` vs _static analysis_
SwuduSusuwu added a commit that referenced this issue on Jun 16, 2024:
Removes parameter _execves.executable_ (which was execve.pathname) because Android OS fails unless `&pathname == &argv[0]` (must not just match value, but must reuse address, thus there is not a purpose for function signature to ask for this).
`for(auto x : s)` -> `for(auto x = s.begin(); s.end() != x; ++x)` /* `-fsanitize=address` gives _stack-use-after-scope_ with `for(auto x : s)` */
Fixes #5
Closes https://github.com/SwuduSusuwu/SubStack/milestone/2

```
Welcome to Termux!
~/SubStack $ ./make.sh
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha1.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha224-256.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha384-512.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassSha2.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassResultList.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassCns.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//VirusAnalysis.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ConversationCns.cxx
./cxx//ConversationCns.cxx:106:74: warning: non-void function does not return a value [-Wreturn-type]
  106 | const FileBytecode conversationParseQuestion(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                          ^
./cxx//ConversationCns.cxx:107:88: warning: non-void function does not return a value [-Wreturn-type]
  107 | const std::vector<FileBytecode> conversationParseResponses(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                                        ^
2 warnings generated.
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//main.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g sha1.o sha224-256.o sha384-512.o ClassSha2.o ClassResultList.o ClassCns.o VirusAnalysis.o ConversationCns.o main.o
+ set +x
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): pass
execvex(): pass
virusAnalysisTestsThrows(): pass
conversationCnsTestsThrows(): --2024-06-15 18:22:01--  https://stackoverflow.com/robots.txt
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘robots.txt’

robots.txt              [ <=>                ]   1.99K  --.-KB/s    in 0.07s

2024-06-15 18:22:02 (27.4 KB/s) - ‘robots.txt’ saved [2036]

--2024-06-15 18:22:02--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.xhtml’

index.xhtml             [ <=>                ] 175.66K   136KB/s    in 1.3s

2024-06-15 18:22:03 (136 KB/s) - ‘index.xhtml’ saved [179877]

Trap
~/SubStack $
```

`conversationParseResponses()` is work-in-progress, `-fsanitize` Traps just before this, thus counts as `pass`.

If curious: `for(auto x : s)` gives

```
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): =================================================================
==18709==ERROR: AddressSanitizer: stack-use-after-scope on address 0x007ffc3d9511 at pc 0x007450ea2a78 bp 0x007ffc3d7e90 sp 0x007ffc3d7678
READ of size 1 at 0x007ffc3d9511 thread T0
    #0 0x7450ea2a74 in strncmp out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3
    #1 0x745388e200  (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x2200)
    #2 0x745388dd68 in execve (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x1d68)
    #3 0x63f79ca63c in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:34:2
    #4 0x63f7a3a7ac in Susuwu::testHarnesses() /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:21:7
    #5 0x63f7a3b1e0 in main /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:40:9
    #6 0x74524c9e18 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x56e18) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Address 0x007ffc3d9511 is located in stack of thread T0 at offset 241 in frame
    #0 0x63f79c9f14 in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:13

  This frame has 14 object(s):
    [32, 36) 'status' (line 17)
    [48, 72) 'argvSmutable' (line 22)
    [112, 136) 'argv' (line 23)
    [176, 184) '__begin1' (line 24)
    [208, 216) '__end1' (line 24)
    [240, 264) 'x' (line 24) <== Memory access at offset 241 is inside this variable
    [304, 312) 'ref.tmp' (line 25)
    [336, 344) 'ref.tmp26' (line 27)
    [368, 392) 'envpSmutable' (line 28)
    [432, 456) 'envp' (line 29)
    [496, 504) 'x44' (line 30)
    [528, 536) 'ref.tmp49' (line 30)
    [560, 568) 'ref.tmp56' (line 31)
    [592, 600) 'ref.tmp66' (line 33)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3 in strncmp
Shadow bytes around the buggy address:
  0x007ffc3d9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9400: 00 00 00 00 f1 f1 f1 f1 f8 f2 00 00 00 f2 f2 f2
  0x007ffc3d9480: f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
=>0x007ffc3d9500: f2 f2[f8]f8 f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x007ffc3d9580: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
  0x007ffc3d9600: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f3
  0x007ffc3d9680: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18709==ABORTING
```
SwuduSusuwu added a commit that referenced this issue on Jun 16, 2024:
Removes parameter _execves.executable_ (which was execve.pathname) because Android OS fails unless `&pathname == &argv[0]` (must not just match value, but must reuse address, thus there is not a purpose for function signature to ask for this).
`for(auto x : s)` -> `for(auto x = s.begin(); s.end() != x; ++x)` /* `-fsanitize=address` gives _stack-use-after-scope_ with `for(auto x : s)` */
Fixes #5
Closes https://github.com/SwuduSusuwu/SubStack/milestone/2
Precondition `std::ifstream(argv[0])` /* exists */ -> `-1 != access(argv[0], X_OK)` /* executable */

```
Welcome to Termux!
~/SubStack $ ./make.sh
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha1.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha224-256.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha384-512.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassSha2.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassResultList.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassCns.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//VirusAnalysis.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ConversationCns.cxx
./cxx//ConversationCns.cxx:106:74: warning: non-void function does not return a value [-Wreturn-type]
  106 | const FileBytecode conversationParseQuestion(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                          ^
./cxx//ConversationCns.cxx:107:88: warning: non-void function does not return a value [-Wreturn-type]
  107 | const std::vector<FileBytecode> conversationParseResponses(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                                        ^
2 warnings generated.
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//main.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g sha1.o sha224-256.o sha384-512.o ClassSha2.o ClassResultList.o ClassCns.o VirusAnalysis.o ConversationCns.o main.o
+ set +x
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): pass
execvex(): pass
virusAnalysisTestsThrows(): pass
conversationCnsTestsThrows(): --2024-06-15 18:22:01--  https://stackoverflow.com/robots.txt
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘robots.txt’

robots.txt              [ <=>                ]   1.99K  --.-KB/s    in 0.07s

2024-06-15 18:22:02 (27.4 KB/s) - ‘robots.txt’ saved [2036]

--2024-06-15 18:22:02--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.xhtml’

index.xhtml             [ <=>                ] 175.66K   136KB/s    in 1.3s

2024-06-15 18:22:03 (136 KB/s) - ‘index.xhtml’ saved [179877]

Trap
~/SubStack $
```

`conversationParseResponses()` is work-in-progress, `-fsanitize` Traps just before this, thus counts as `pass`.

If curious: `for(auto x : s)` gives

```
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): =================================================================
==18709==ERROR: AddressSanitizer: stack-use-after-scope on address 0x007ffc3d9511 at pc 0x007450ea2a78 bp 0x007ffc3d7e90 sp 0x007ffc3d7678
READ of size 1 at 0x007ffc3d9511 thread T0
    #0 0x7450ea2a74 in strncmp out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3
    #1 0x745388e200  (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x2200)
    #2 0x745388dd68 in execve (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x1d68)
    #3 0x63f79ca63c in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:34:2
    #4 0x63f7a3a7ac in Susuwu::testHarnesses() /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:21:7
    #5 0x63f7a3b1e0 in main /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:40:9
    #6 0x74524c9e18 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x56e18) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Address 0x007ffc3d9511 is located in stack of thread T0 at offset 241 in frame
    #0 0x63f79c9f14 in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:13

  This frame has 14 object(s):
    [32, 36) 'status' (line 17)
    [48, 72) 'argvSmutable' (line 22)
    [112, 136) 'argv' (line 23)
    [176, 184) '__begin1' (line 24)
    [208, 216) '__end1' (line 24)
    [240, 264) 'x' (line 24) <== Memory access at offset 241 is inside this variable
    [304, 312) 'ref.tmp' (line 25)
    [336, 344) 'ref.tmp26' (line 27)
    [368, 392) 'envpSmutable' (line 28)
    [432, 456) 'envp' (line 29)
    [496, 504) 'x44' (line 30)
    [528, 536) 'ref.tmp49' (line 30)
    [560, 568) 'ref.tmp56' (line 31)
    [592, 600) 'ref.tmp66' (line 33)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3 in strncmp
Shadow bytes around the buggy address:
  0x007ffc3d9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9400: 00 00 00 00 f1 f1 f1 f1 f8 f2 00 00 00 f2 f2 f2
  0x007ffc3d9480: f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
=>0x007ffc3d9500: f2 f2[f8]f8 f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x007ffc3d9580: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
  0x007ffc3d9600: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f3
  0x007ffc3d9680: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18709==ABORTING
```

@posts/VirusAnalysis /* new `execves` */
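Added example (editor's code, not SubStack's `execves()` in ClassCns.cxx) covering the two points the commit messages above make: the `for(auto x : s)` loop that AddressSanitizer flags as stack-use-after-scope when `x.c_str()` pointers are handed to `execve()`, and the `access(argv[0], X_OK)` precondition that replaces `std::ifstream(argv[0])`. The function names `toCArgv`, `isExecutable` and `runCommand` are assumptions, and the sample command `/bin/sh -c "exit 3"` is a constructed input that assumes a POSIX shell at `/bin/sh`.

```cpp
// Added example, not the SubStack project's own execves(): shows why
// `for (auto x : args)` dangles and how to build execve() arrays safely.
#include <cerrno>
#include <cstring>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Build a NULL-terminated char* array whose pointers alias the strings in `args`.
// `const auto &x` binds a reference, so x.c_str() points into storage owned by
// `args`, which stays valid for as long as the caller keeps `args` alive.
// With `for (auto x : args)` instead, x is a per-iteration copy: x.c_str() points
// at that copy's buffer (for short strings, the loop-local object's inline SSO
// buffer on the stack), which is destroyed at the end of each iteration. execve()
// then reads dead stack memory, which is exactly the stack-use-after-scope report
// quoted in the commit message ('x' (line 24) <== Memory access ... inside this variable).
std::vector<char *> toCArgv(const std::vector<std::string> &args) {
    std::vector<char *> out;
    out.reserve(args.size() + 1);
    for (const auto &x : args) {
        // execve() takes char *const[] for historical reasons and never writes through them
        out.push_back(const_cast<char *>(x.c_str()));
    }
    out.push_back(nullptr); // both argv and envp must be NULL-terminated
    return out;
}

// Precondition from the commit message: std::ifstream(path) only proves the file
// is readable; access(path, X_OK) proves this process may execute it.
bool isExecutable(const std::string &path) {
    return access(path.c_str(), X_OK) == 0;
}

// fork()+execve() with argv[0] reused as the pathname (same address, not just the
// same value, which the commit message reports Android requires).
// Returns the child's exit status, 127 when execve() fails in the child, or -1
// (errno set) when the precondition, fork() or waitpid() fails.
int runCommand(const std::vector<std::string> &argv, const std::vector<std::string> &envp) {
    if (argv.empty()) { errno = EINVAL; return -1; }
    if (!isExecutable(argv[0])) return -1; // errno left as set by access()
    // argv/envp outlive cArgv/cEnvp, so every pointer below stays valid through execve()
    std::vector<char *> cArgv = toCArgv(argv);
    std::vector<char *> cEnvp = toCArgv(envp);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(cArgv[0], cArgv.data(), cEnvp.data());
        _exit(127); // only reached if execve() failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed sample: run the shell and have it exit with a chosen status.
    return runCommand({"/bin/sh", "-c", "exit 3"}, {"PATH=/usr/bin:/bin"}) == 3 ? 0 : 1;
}
```

Under `-fsanitize=address` the reference form produces no report, because no pointer in `cArgv` ever refers to a loop-local object; the iterator form from the commit message (`x->c_str()` through `s.begin()`) is equivalent, since both address the vector's own elements.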
SwuduSusuwu
added a commit
that referenced
this issue
Jun 16, 2024
Removes parameter _execves.executable_ (which was execve.pathname) because Android OS fails unless `&pathname == &argv[0]` (must not just match value, but must reuse address, thus there is not a purpose for function signature to ask for this).

`for(auto x : s)` -> `for(auto x = s.begin(); s.end() != x; ++x)` /* `-fsanitize=address` gives _stack-use-after-scope_ with `for(auto x : s)` */

Fixes #5
Closes https://github.com/SwuduSusuwu/SubStack/milestone/2

Precondition `std::ifstream(argv[0])` /* exists */ -> `-1 != access(argv[0], X_OK)` /* executable */

```
Welcome to Termux!
~/SubStack $ ./make.sh
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha1.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha224-256.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha384-512.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassSha2.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassResultList.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassCns.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//VirusAnalysis.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ConversationCns.cxx
./cxx//ConversationCns.cxx:106:74: warning: non-void function does not return a value [-Wreturn-type]
  106 | const FileBytecode conversationParseQuestion(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                          ^
./cxx//ConversationCns.cxx:107:88: warning: non-void function does not return a value [-Wreturn-type]
  107 | const std::vector<FileBytecode> conversationParseResponses(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                                        ^
2 warnings generated.
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//main.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g sha1.o sha224-256.o sha384-512.o ClassSha2.o ClassResultList.o ClassCns.o VirusAnalysis.o ConversationCns.o main.o
+ set +x
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): pass
execvex(): pass
virusAnalysisTestsThrows(): pass
conversationCnsTestsThrows(): --2024-06-15 18:22:01--  https://stackoverflow.com/robots.txt
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘robots.txt’

robots.txt              [ <=>                ]   1.99K  --.-KB/s    in 0.07s

2024-06-15 18:22:02 (27.4 KB/s) - ‘robots.txt’ saved [2036]

--2024-06-15 18:22:02--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.xhtml’

index.xhtml             [ <=>                ] 175.66K   136KB/s    in 1.3s

2024-06-15 18:22:03 (136 KB/s) - ‘index.xhtml’ saved [179877]

Trap
~/SubStack $
```

`conversationParseResponses()` is work-in-progress, `-fsanitize` Traps just before this, thus counts as `pass`.

If curious: `for(auto x : s)` gives

```
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): =================================================================
==18709==ERROR: AddressSanitizer: stack-use-after-scope on address 0x007ffc3d9511 at pc 0x007450ea2a78 bp 0x007ffc3d7e90 sp 0x007ffc3d7678
READ of size 1 at 0x007ffc3d9511 thread T0
    #0 0x7450ea2a74 in strncmp out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3
    #1 0x745388e200  (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x2200)
    #2 0x745388dd68 in execve (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x1d68)
    #3 0x63f79ca63c in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:34:2
    #4 0x63f7a3a7ac in Susuwu::testHarnesses() /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:21:7
    #5 0x63f7a3b1e0 in main /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:40:9
    #6 0x74524c9e18 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x56e18) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Address 0x007ffc3d9511 is located in stack of thread T0 at offset 241 in frame
    #0 0x63f79c9f14 in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:13

  This frame has 14 object(s):
    [32, 36) 'status' (line 17)
    [48, 72) 'argvSmutable' (line 22)
    [112, 136) 'argv' (line 23)
    [176, 184) '__begin1' (line 24)
    [208, 216) '__end1' (line 24)
    [240, 264) 'x' (line 24) <== Memory access at offset 241 is inside this variable
    [304, 312) 'ref.tmp' (line 25)
    [336, 344) 'ref.tmp26' (line 27)
    [368, 392) 'envpSmutable' (line 28)
    [432, 456) 'envp' (line 29)
    [496, 504) 'x44' (line 30)
    [528, 536) 'ref.tmp49' (line 30)
    [560, 568) 'ref.tmp56' (line 31)
    [592, 600) 'ref.tmp66' (line 33)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3 in strncmp
Shadow bytes around the buggy address:
  0x007ffc3d9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9400: 00 00 00 00 f1 f1 f1 f1 f8 f2 00 00 00 f2 f2 f2
  0x007ffc3d9480: f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
=>0x007ffc3d9500: f2 f2[f8]f8 f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x007ffc3d9580: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
  0x007ffc3d9600: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f3
  0x007ffc3d9680: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18709==ABORTING
```

@posts/VirusAnalysis /* new `execves` */
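The pattern the commit message describes, written out as an added example that is not SubStack's own code: argv/envp are built from `std::vector<std::string>` by iterator so each pointer aims at the vector's own storage (a `for(auto x : s)` copy would die at the end of each iteration and leave the pointer dangling, which is the stack-use-after-scope ASan reports above), argv[0] doubles as the execve pathname, and `access(argv[0], X_OK)` is the precondition. The names `execves`, `argvFromStrings`, `argvAliasesSource` and `argvBuiltByIteratorAliasesSource` are hypothetical, and the example assumes a POSIX host with `/bin/sh`.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build a NULL-terminated `char *const argv[]` view over `strings`. Iterating by
 * iterator keeps every pointer aimed at the std::string that lives inside
 * `strings`. With `for(auto x : strings)`, `x` is a per-iteration copy and
 * `x.c_str()` dangles as soon as that iteration ends; execve() then reads the
 * dead copy (ASan: stack-use-after-scope inside strncmp, as in the commit). */
static std::vector<char *> argvFromStrings(const std::vector<std::string> &strings) {
	std::vector<char *> argv;
	argv.reserve(strings.size() + 1);
	for (auto x = strings.begin(); strings.end() != x; ++x) {
		/* execve() takes `char *const argv[]` but does not modify the strings */
		argv.push_back(const_cast<char *>(x->c_str()));
	}
	argv.push_back(nullptr);
	return argv;
}

/* True if `argv` is NULL-terminated and each entry points at the storage of the
 * matching element of `strings` (i.e. nothing was copied out of `strings`). */
static bool argvAliasesSource(const std::vector<char *> &argv, const std::vector<std::string> &strings) {
	if (argv.size() != strings.size() + 1 || argv.back() != nullptr) return false;
	for (std::size_t i = 0; i < strings.size(); ++i) {
		if (argv[i] != strings[i].c_str()) return false;
	}
	return true;
}

/* Self-check on constructed input. The second argument is longer than any SSO
 * buffer, so it lives on the heap: exactly the case where a per-iteration copy
 * would already have freed the buffer argv points into. */
static bool argvBuiltByIteratorAliasesSource() {
	std::vector<std::string> args;
	args.push_back("/bin/echo");
	args.push_back(std::string(64, 'a')); /* constructed sample argument */
	return argvAliasesSource(argvFromStrings(args), args);
}

/* fork() + execve(argv[0], argv, envp). argv[0] is the pathname, so there is no
 * separate `executable` parameter (the commit notes Android requires
 * `&pathname == &argv[0]`). Precondition: argv[0] is executable, not merely
 * openable; access(X_OK) is a convenience check, not a security boundary, since
 * the file can change between access() and execve(). Returns the child's exit
 * status (0..255), or -1 if the precondition, fork() or waitpid() fails. */
static int execves(const std::vector<std::string> &args, const std::vector<std::string> &envs) {
	if (args.empty() || -1 == access(args[0].c_str(), X_OK)) return -1;
	std::vector<char *> argv = argvFromStrings(args); /* alive until execves() returns */
	std::vector<char *> envp = argvFromStrings(envs);
	pid_t pid = fork();
	if (-1 == pid) return -1;
	if (0 == pid) {
		execve(argv[0], argv.data(), envp.data());
		_exit(127); /* only reached if execve() itself failed */
	}
	int status = 0;
	if (-1 == waitpid(pid, &status, 0)) return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
	std::printf("argv aliases source: %s\n", argvBuiltByIteratorAliasesSource() ? "pass" : "FAIL");
	std::vector<std::string> args = {"/bin/sh", "-c", "exit 7"}; /* constructed sample command */
	std::vector<std::string> envs = {"PATH=/bin:/usr/bin"};
	std::printf("execves() exit status: %d\n", execves(args, envs)); /* 7 */
	std::printf("execves() on non-executable: %d\n", execves({"/nonexistent/not-here"}, envs)); /* -1 */
	return 0;
}
```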
Cisco-Talos requires #6 ( |
SwuduSusuwu
added a commit
that referenced
this issue
Jun 17, 2024
SwuduSusuwu
added a commit
that referenced
this issue
Jun 17, 2024
SwuduSusuwu
added a commit
that referenced
this issue
Jun 18, 2024
SwuduSusuwu
added a commit
that referenced
this issue
Jun 23, 2024
Removes parameter _execves.executable_ (which was execve.pathname) because Android OS fails unless `&pathname == &argv[0]` (must not just match value, but must reuse address, thus there is no purpose for the function signature to ask for this).

`for(auto x : s)` -> `for(auto x = s.begin(); s.end() != x; ++x)` /* `-fsanitize=address` gives _stack-use-after-scope_ with `for(auto x : s)` */

Fixes #5
Closes https://github.com/SwuduSusuwu/SubStack/milestone/2

Precondition `std::ifstream(argv[0])` /* exists */ -> `-1 != access(argv[0], X_OK)` /* executable */

```
Welcome to Termux!
~/SubStack $ ./make.sh
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha1.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha224-256.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -x c -c ./cxx//../c/rfc6234/sha384-512.c
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassSha2.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassResultList.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ClassCns.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//VirusAnalysis.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//ConversationCns.cxx
./cxx//ConversationCns.cxx:106:74: warning: non-void function does not return a value [-Wreturn-type]
  106 | const FileBytecode conversationParseQuestion(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                          ^
./cxx//ConversationCns.cxx:107:88: warning: non-void function does not return a value [-Wreturn-type]
  107 | const std::vector<FileBytecode> conversationParseResponses(const FilePath &xhtmlFile) {} /* TODO */
      |                                                                                        ^
2 warnings generated.
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g -c ./cxx//main.cxx
+ clang++ -fsanitize=address -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer -g sha1.o sha224-256.o sha384-512.o ClassSha2.o ClassResultList.o ClassCns.o VirusAnalysis.o ConversationCns.o main.o
+ set +x
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): pass
execvex(): pass
virusAnalysisTestsThrows(): pass
conversationCnsTestsThrows(): --2024-06-15 18:22:01--  https://stackoverflow.com/robots.txt
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘robots.txt’

robots.txt              [ <=>                ]   1.99K  --.-KB/s    in 0.07s

2024-06-15 18:22:02 (27.4 KB/s) - ‘robots.txt’ saved [2036]

--2024-06-15 18:22:02--  https://stackoverflow.com/
Resolving stackoverflow.com (stackoverflow.com)... 172.64.155.249, 104.18.32.7
Connecting to stackoverflow.com (stackoverflow.com)|172.64.155.249|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.xhtml’

index.xhtml             [ <=>                ] 175.66K   136KB/s    in 1.3s

2024-06-15 18:22:03 (136 KB/s) - ‘index.xhtml’ saved [179877]

Trap
~/SubStack $
```

`conversationParseResponses()` is work-in-progress, `-fsanitize` Traps just before this, thus counts as `pass`.

If curious: `for(auto x : s)` gives

```
~/SubStack $ ./a.out
cxx/Macros.hxx: pass
execves(): =================================================================
==18709==ERROR: AddressSanitizer: stack-use-after-scope on address 0x007ffc3d9511 at pc 0x007450ea2a78 bp 0x007ffc3d7e90 sp 0x007ffc3d7678
READ of size 1 at 0x007ffc3d9511 thread T0
    #0 0x7450ea2a74 in strncmp out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3
    #1 0x745388e200  (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x2200)
    #2 0x745388dd68 in execve (/data/data/com.termux/files/usr/lib/libtermux-exec.so+0x1d68)
    #3 0x63f79ca63c in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:34:2
    #4 0x63f7a3a7ac in Susuwu::testHarnesses() /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:21:7
    #5 0x63f7a3b1e0 in main /data/data/com.termux/files/home/SubStack/./cxx/main.cxx:40:9
    #6 0x74524c9e18 in __libc_init (/apex/com.android.runtime/lib64/bionic/libc.so+0x56e18) (BuildId: 33ad5959e2b38fc822cda3c642e16c94)

Address 0x007ffc3d9511 is located in stack of thread T0 at offset 241 in frame
    #0 0x63f79c9f14 in Susuwu::execves(std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&, std::__ndk1::vector<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const, std::__ndk1::allocator<std::__ndk1::basic_string<char, std::__ndk1::char_traits<char>, std::__ndk1::allocator<char>> const>> const&) /data/data/com.termux/files/home/SubStack/./cxx/ClassCns.cxx:13

  This frame has 14 object(s):
    [32, 36) 'status' (line 17)
    [48, 72) 'argvSmutable' (line 22)
    [112, 136) 'argv' (line 23)
    [176, 184) '__begin1' (line 24)
    [208, 216) '__end1' (line 24)
    [240, 264) 'x' (line 24) <== Memory access at offset 241 is inside this variable
    [304, 312) 'ref.tmp' (line 25)
    [336, 344) 'ref.tmp26' (line 27)
    [368, 392) 'envpSmutable' (line 28)
    [432, 456) 'envp' (line 29)
    [496, 504) 'x44' (line 30)
    [528, 536) 'ref.tmp49' (line 30)
    [560, 568) 'ref.tmp56' (line 31)
    [592, 600) 'ref.tmp66' (line 33)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope out/lib/compiler-rt-aarch64/out/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:545:3 in strncmp
Shadow bytes around the buggy address:
  0x007ffc3d9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9400: 00 00 00 00 f1 f1 f1 f1 f8 f2 00 00 00 f2 f2 f2
  0x007ffc3d9480: f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
=>0x007ffc3d9500: f2 f2[f8]f8 f8 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f2
  0x007ffc3d9580: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
  0x007ffc3d9600: f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f3
  0x007ffc3d9680: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007ffc3d9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18709==ABORTING
```

@posts/VirusAnalysis /* new `execves` */
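The stack-use-after-scope above comes from a pattern worth seeing in isolation: `for(auto x : s)` makes `x` a per-iteration copy of each `std::string`, so any `x.c_str()` pointer stored into an `argv` array dangles the moment the iteration ends, and `execve()` (here via the termux-exec `strncmp` in the report) reads freed stack. The following is an added C++ example, not the SubStack project's `execves()`; it puts the dangling form beside the iterator form the commit switches to, and adds the `access(argv[0], X_OK)` precondition the commit adopts. `Args`, `argvDangling`, `argvStable`, `argvPointsIntoSource`, `canExecute` and `execvesExample` are names constructed for this example, and `std::vector<std::string>` stands in for the page's vector-of-const-strings:

```cpp
// Added example (not SubStack's own code): why `for (auto x : s)` yields dangling
// argv pointers for execve(), the iterator-based fix, and an X_OK precondition.
#include <cstring>
#include <string>
#include <vector>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

using Args = std::vector<std::string>;  // constructed alias for this example

// BUGGY: `x` is a copy of each element, destroyed at the end of its iteration,
// so every pointer pushed here refers to dead stack. ASan reports the later
// read inside execve() as "stack-use-after-scope" on `x`, as quoted above.
std::vector<char *> argvDangling(const Args &s) {
    std::vector<char *> argv;
    for (auto x : s) {
        argv.push_back(const_cast<char *>(x.c_str()));  // points into temporary `x`
    }
    argv.push_back(nullptr);
    return argv;
}

// FIXED: walk the vector's own elements, so each pointer refers to storage owned
// by `s`, which outlives the execve() call. (`for (const auto &x : s)` is equivalent.)
std::vector<char *> argvStable(const Args &s) {
    std::vector<char *> argv;
    argv.reserve(s.size() + 1);
    for (auto x = s.begin(); s.end() != x; ++x) {
        argv.push_back(const_cast<char *>(x->c_str()));  // points into `s`
    }
    argv.push_back(nullptr);  // execve() requires a NULL-terminated array
    return argv;
}

// Self-check: every argv entry must alias the matching string inside `s`.
bool argvPointsIntoSource(const Args &s) {
    std::vector<char *> argv = argvStable(s);
    if (argv.size() != s.size() + 1 || argv.back() != nullptr) return false;
    for (size_t i = 0; i < s.size(); ++i) {
        if (argv[i] != s[i].c_str()) return false;
    }
    return true;
}

// Precondition from the commit: argv[0] must be executable, not merely readable
// (std::ifstream(argv[0]) would accept a non-executable file).
bool canExecute(const std::string &path) {
    return -1 != access(path.c_str(), X_OK);
}

// fork + execve with the checks above. Returns the child's exit status, or -1 if
// the precondition, fork() or waitpid() fails. Hypothetical helper, not the project's.
int execvesExample(const Args &args, const Args &env) {
    if (args.empty() || !canExecute(args[0])) {
        return -1;  // refuse early rather than hand a bad path to execve()
    }
    std::vector<char *> argv = argvStable(args);
    std::vector<char *> envp = argvStable(env);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv.data(), envp.data());
        _exit(127);  // only reached when execve() itself failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    Args args{"/bin/sh", "-c", "exit 3"};   // constructed command for the demo
    Args env{"PATH=/usr/bin:/bin"};
    return execvesExample(args, env) == 3 ? 0 : 1;
}
```

Building this with `-fsanitize=address` and calling `argvDangling()` before an `execve()` reproduces the class of report shown in the commit message, while `argvStable()` passes because the pointers alias the caller's vector. Note that `argvDangling()` is compiled here only to show the shape of the defect; nothing dereferences its result.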
SwuduSusuwu
added a commit
that referenced
this issue
Nov 24, 2024
?`cxx/ClassSys.hxx`:
+`classSysKernelSetHook()`: usage is `classSysSetHook(func, callback);`, effect is `%s/function(...)/classSysKernelCallback(...)/` /* `virusAnalysisHook()` will use this */
+`classSysKernelCallback<Func, Callback>` /* returns `(callback(...) ? function(...) : decltype(function(...))())` */
?`cxx/VirusAnalysis.cxx`:
-`lambdaScan`, +`virusAnalysisImpl`: C++11 does not allow use of a lambda in new lambdas.
+`lambdaScanExecv`, +`lambdaScanCreateProcessA`: operating system specific lambdas.
?`virusAnalysisHook`: use `classSysKernelSetHook(*, lambdaScan*)` to scan files which you execute.
Is progress toward issues #1, #8 (both about `VirusAnalysis.cxx`).
Is followup to: commit a8c9f9b ("?virusAnalysisHook `s/[] (/auto lambdaScan = [] (/`)").
?`posts/VirusAnalysis.md`: include all this.
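The commit describes a wrapper whose result is `callback(...) ? function(...) : decltype(function(...))()`, i.e. a scan callback runs first and, when it vetoes, the wrapped launch function is never called and the caller receives the result type's default value. The following is an added C++11 example of that gating pattern, not SubStack's `classSysKernelCallback` or `classSysKernelSetHook`: it performs no `%s/function/.../` substitution or `execv` hooking, and `GatedCall`, `gate`, `scanAllows`, `launch`, `scanThenLaunch`, `launchesSoFar` and the `/quarantine/` prefix are constructed for illustration:

```cpp
// Added example (not SubStack's own code): a callback that gates a function call,
// in C++11 (no generic lambdas), as a scan-before-launch hook would.
#include <string>
#include <utility>

// Calls `callback(args...)` first; only if it returns true is `function(args...)`
// invoked. Otherwise the function's result type is value-initialised and returned,
// mirroring `(callback(...) ? function(...) : decltype(function(...))())`.
template <class Func, class Callback>
struct GatedCall {
    Func function;
    Callback callback;

    template <class... Args>
    auto operator()(Args &&... args)
        -> decltype(std::declval<Func &>()(std::forward<Args>(args)...)) {
        typedef decltype(std::declval<Func &>()(std::forward<Args>(args)...)) Result;
        if (!callback(args...)) {
            return Result();  // vetoed: the wrapped function never runs
        }
        return function(std::forward<Args>(args)...);
    }
};

// Deduction helper so call sites read `gate(func, callback)`.
template <class Func, class Callback>
GatedCall<Func, Callback> gate(Func function, Callback callback) {
    return GatedCall<Func, Callback>{function, callback};
}

// Constructed stand-in for a scan verdict: refuse anything under /quarantine/.
bool scanAllows(const std::string &path) {
    static const std::string quarantine = "/quarantine/";
    return path.compare(0, quarantine.size(), quarantine) != 0;
}

// Constructed stand-in for the "launch" function being hooked; counts real calls
// so a test can prove a vetoed launch never reached it.
static int g_launches = 0;
std::string launch(const std::string &path) {
    ++g_launches;
    return "launched:" + path;
}
int launchesSoFar() { return g_launches; }

// The hooked call site: scan, then launch only if the scan allows it.
std::string scanThenLaunch(const std::string &path) {
    auto hooked = gate(&launch, &scanAllows);
    return hooked(path);
}

int main() {
    return scanThenLaunch("/quarantine/sample.bin").empty() ? 0 : 1;
}
```

The vetoed path returns an empty `std::string` (the value-initialised `Result`), which is the "nothing happened" signal the commit's `decltype(function(...))()` produces; a caller that needs to distinguish "blocked" from "launched and returned empty" should wrap the result in a richer type rather than rely on that default.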
SwuduSusuwu
added this to the
Todo: auto scan downloads/launches, manual scan whole disk milestone
Nov 25, 2024
SwuduSusuwu
added
improve
New feature or request
good first issue
Good for newcomers
todo
unimplemented (but advertised) part of the tool
labels
Nov 25, 2024
SwuduSusuwu
modified the milestones:
Todo: auto scan downloads/launches, manual scan whole disk,
`cxx/VirusAnalysis.cxx`, `cxx/ClassSys.*xx`, `cxx/ClassPortableExecutable.*xx`: auto scan downloads/launches, manual scan whole disk
Nov 25, 2024
Should use cxx/ClassPortableExecutable.hxx, cxx/ClassSha2.hxx, cxx/ClassSha2.cxx, cxx/ClassCns.hxx, cxx/ClassCns.cxx, cxx/ClassResultList.hxx, cxx/VirusAnalysis.hxx, cxx/VirusAnalysis.cxx (from https://github.com/SwuduSusuwu/SubStack/tree/trunk/cxx) for this;
Cisco-Talos/clamav#1206 (comment)