Closed
Description
This test appears to intentionally corrupt memory:
```rust
#[test]
fn two() {
    let src = b"hi\0";
    let mut dest = [0u8; 2]; // no space for null terminator
    let result = unsafe { strcpy(dest.as_mut_ptr(), src.as_ptr()) };
    assert_eq!(unsafe { core::slice::from_raw_parts(result, 2) }, b"hi");
}
```
https://asan.saethlin.dev/ub?crate=tinyrlibc&version=0.3.0
```
test strcpy::test::two ... =================================================================
==12736==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffb5f9f7eb2 at pc 0x559635b472fc bp 0x7ffba02f4830 sp 0x7ffba02f4828
WRITE of size 1 at 0x7ffb5f9f7eb2 thread T29
    #0 0x559635b472fb in strcpy /build/src/strcpy.rs:13:3
    #1 0x559635b4b057 in tinyrlibc::strcpy::test::two::h743566c6ea54f540 /build/src/strcpy.rs:42:25
    #2 0x559635b4af02 in tinyrlibc::strcpy::test::two::_$u7b$$u7b$closure$u7d$$u7d$::hd19b72cfcca7882c /build/src/strcpy.rs:39:10
Address 0x7ffb5f9f7eb2 is located in stack of thread T29 at offset 178 in frame
    #0 0x559635b4af2f in tinyrlibc::strcpy::test::two::h743566c6ea54f540 /build/src/strcpy.rs:39
  This frame has 4 object(s):
    [32, 80) '_17' (line 43)
    [112, 128) '_11' (line 43)
    [144, 160) '_9' (line 43)
    [176, 178) 'dest' (line 41) <== Memory access at offset 178 overflows this variable
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/src/strcpy.rs:13:3 in strcpy
```
==12736==ABORTING
Fix: Don't write tests that intentionally trigger undefined behavior.
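An added example, not part of the original issue and not tinyrlibc's code: one way to test `strcpy` at the exact-fit boundary without undefined behavior is to place the destination window inside a larger array filled with canary bytes and check that nothing outside the copied string changed. The `strcpy` stand-in, `copy_with_canaries`, `GUARD` and `CANARY` are hypothetical names assumed for this sketch.

```rust
// Stand-in with C strcpy semantics (assumption: not tinyrlibc's implementation).
unsafe fn strcpy(dest: *mut u8, src: *const u8) -> *mut u8 {
    let mut i = 0;
    loop {
        // SAFETY: caller guarantees src is NUL-terminated and dest has room for it.
        let b = unsafe { *src.add(i) };
        unsafe { *dest.add(i) = b };
        if b == 0 {
            return dest;
        }
        i += 1;
    }
}

const GUARD: usize = 8; // canary bytes on each side of the destination window
const CANARY: u8 = 0xAA;

/// Copies `src` into a `cap`-byte window surrounded by canaries.
/// Returns None when `src` has no NUL or needs more than `cap` bytes,
/// otherwise (bytes copied including the NUL, whether every other byte is untouched).
fn copy_with_canaries(src: &[u8], cap: usize) -> Option<(Vec<u8>, bool)> {
    let needed = src.iter().position(|&b| b == 0)? + 1; // strlen + terminator
    if needed > cap {
        return None; // refuse up front instead of overflowing the window
    }
    let mut backing = vec![CANARY; cap + 2 * GUARD];
    // SAFETY: GUARD < backing.len(), and needed <= cap bytes fit after the offset.
    let dest = unsafe { backing.as_mut_ptr().add(GUARD) };
    let ret = unsafe { strcpy(dest, src.as_ptr()) };
    assert_eq!(ret, dest); // strcpy returns its destination pointer
    // Everything before the window and after the terminator must still be canary.
    let intact = backing[..GUARD]
        .iter()
        .chain(&backing[GUARD + needed..])
        .all(|&b| b == CANARY);
    Some((backing[GUARD..GUARD + needed].to_vec(), intact))
}

fn main() {
    // Constructed inputs: the issue's source string with a 3-byte and a 2-byte window.
    println!("{:?}", copy_with_canaries(b"hi\0", 3));
    println!("{:?}", copy_with_canaries(b"hi\0", 2));
}
```

Because the backing array is always large enough, the test stays sound under Miri and AddressSanitizer while still checking that exactly `strlen + 1` bytes are written.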