
Unexpected asan error when call malloc and then free #1790

Closed
prime-zeng opened this issue Sep 5, 2017 · 15 comments
@prime-zeng (Contributor)

My platform config:

    CFG_CORE_SANITIZE_KADDRESS ?= y

and in the start code:

    void *p = malloc(1024);
    memset(p, 0x5a, 1024);
    free(p);

then I get the following error message:

    ERROR:   [0x0] TEE-CORE: Panic at core/kernel/asan.c:177 <check_access>
    ERROR:   [0x0] TEE-CORE: pc  0x7e00f269
    ....

Is there anything wrong with the bget lib when the asan is enabled? Can anyone help to explain?
Thank you.

@jenswi-linaro (Contributor)

If it was malloc() that triggered this I guess you need to double check the compiler flags for lib/libutils/isoc/bget_malloc.c. Else there's something wrong with updating the tags during memory allocation.

@prime-zeng (Contributor, Author)

I found it was free() that triggered the error, but I don't know how the asan is implemented, so it is hard to debug.
@jenswi-linaro could you help take a look into it? It is easy to reproduce the error.

@jenswi-linaro (Contributor)

I can take a look at the patch at least. Is it reproducible on QEMU?

@prime-zeng (Contributor, Author)

I just tried the same code on QEMU, but I can't reproduce it.

@jenswi-linaro (Contributor)

Perhaps it's the shadow area that is the problem.

@prime-zeng (Contributor, Author)

I can help to test and verify if you have any clue. @jenswi-linaro

@jenswi-linaro (Contributor)

The compiler adds code to check all loads and stores. Once asan_start() is called all accesses in instrumented code will be checked (some code is excluded like malloc() and friends).

In this case you need to find out which line of code is actually calling panic() and perhaps the stack trace too and it shouldn't be too hard to tell what's wrong.

@prime-zeng (Contributor, Author)

The stack trace was expected to tell which line of code is wrong, but it seems that there is no useful stack trace info in my case.

@prime-zeng (Contributor, Author)

@jenswi-linaro I found it. The following lines cause the problem; I enabled the memset for debug use.

    #ifdef FreeWipe
        V memset(((char *) b) + sizeof(struct bfhead), 0x55,
                 (MemSize) (len - sizeof(struct bfhead)));
    #endif

@jenswi-linaro (Contributor)

There you have it, memset() is still instrumented. FreeWipe isn't needed with asan so I never bothered to do something about that.
It would be a bit friendlier to have a compile error there if CFG_CORE_SANITIZE_KADDRESS=y.

@prime-zeng (Contributor, Author)

prime-zeng commented Sep 7, 2017

@jenswi-linaro Disabling FreeWipe when CFG_CORE_SANITIZE_KADDRESS=y is a good idea, but one more question about the problem: why can't I get the line of code which triggers the problem directly from the panic information?

@prime-zeng (Contributor, Author)

prime-zeng commented Sep 8, 2017

@jenswi-linaro I dug into the following code:

    void print_kernel_stack(int level)
    {
        struct unwind_state_arm32 state;
        uaddr_t exidx = (vaddr_t)__exidx_start;
        size_t exidx_sz = (vaddr_t)__exidx_end - (vaddr_t)__exidx_start;

        memset(state.registers, 0, sizeof(state.registers));
        ...

I found that memset will trigger the panic in asan.c, and that is why I can't get the line of code which triggered the asan check error.

        ...
        e = va_to_shadow(end);
        for (a = va_to_shadow(begin); a != e; a++)
            if (*a < 0)
                panic();
        ...

I haven't seen any clue about the stack in asan; could you help with this problem?
Thank you.
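
To make the mechanism behind the two points above concrete (the instrumented memset() in the FreeWipe path, and the shadow loop quoted from asan.c), here is a small stand-alone model written for this thread. It is not OP-TEE's code: the arena, the 8-byte shadow granule, and the function names other than va_to_shadow() and check_access() are assumptions chosen to mirror the quoted loop. The allocator itself is left uninstrumented, as the thread says malloc() and friends are, while memset() is modelled as instrumented, so a wipe performed after the block has been tagged freed trips the check exactly as reported, whereas a plain (uninstrumented) wipe does not.

```c
/* Added example, not OP-TEE's code: a minimal shadow-memory model in the
 * style of core/kernel/asan.c. Granule size, arena and helper names are
 * assumptions; va_to_shadow()/check_access() mirror the loop quoted above. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define SHADOW_GRANULE 8	/* assumed: one shadow byte per 8 heap bytes */

static uint8_t arena[ARENA_SIZE];	/* the modelled heap */
static int8_t shadow[ARENA_SIZE / SHADOW_GRANULE];
static int asan_started;		/* set by asan_start(), as in the thread */

/* Map an arena address to its shadow byte (what va_to_shadow() does for VAs). */
static int8_t *va_to_shadow(const void *va)
{
	size_t off = (size_t)((const uint8_t *)va - arena);
	return &shadow[off / SHADOW_GRANULE];
}

static void tag_range(const void *begin, size_t len, int8_t tag)
{
	int8_t *e = va_to_shadow((const uint8_t *)begin + len);
	for (int8_t *a = va_to_shadow(begin); a != e; a++)
		*a = tag;
}

/* Negative shadow byte == no access allowed. Returns 0 when the access is
 * fine and -1 where the real check_access() would call panic(). */
static int check_access(const void *begin, size_t len)
{
	if (!asan_started)
		return 0;
	int8_t *e = va_to_shadow((const uint8_t *)begin + len);
	for (int8_t *a = va_to_shadow(begin); a != e; a++)
		if (*a < 0)
			return -1;
	return 0;
}

/* What compiler instrumentation turns a memset() into: check, then store. */
static int instrumented_memset(void *p, int c, size_t len)
{
	if (check_access(p, len))
		return -1;
	memset(p, c, len);
	return 0;
}

static void asan_start(void) { asan_started = 1; }

/* Allocator model (excluded from instrumentation): malloc() tags the block
 * accessible; a single block at the start of the arena is enough here. */
static void *model_malloc(size_t len)
{
	tag_range(arena, len, 0);
	return arena;
}

/* FreeWipe as in the thread: the block is tagged freed by the allocator and
 * then wiped through an instrumented memset() -> the check fails. */
static int free_wipe_after_poison(void *p, size_t len)
{
	tag_range(p, len, -1);
	return instrumented_memset(p, 0x55, len);
}

/* Same wipe through the uninstrumented libc memset() the allocator is
 * allowed to use: no false positive, and the block stays poisoned. */
static int free_wipe_uninstrumented(void *p, size_t len)
{
	tag_range(p, len, -1);
	memset(p, 0x55, len);
	return 0;
}

/* A later access from instrumented code is still caught on the poisoned block. */
static int touch_after_free(void *p, size_t len)
{
	return instrumented_memset(p, 0x5a, len);
}

int main(void)
{
	asan_start();
	void *p = model_malloc(1024);
	printf("FreeWipe after poison: %d\n", free_wipe_after_poison(p, 1024));
	p = model_malloc(1024);
	printf("uninstrumented wipe:   %d\n", free_wipe_uninstrumented(p, 1024));
	printf("use after free:        %d\n", touch_after_free(p, 1024));
	return 0;
}
```

The point the model makes is that the shadow tag, not the pointer itself, decides whether an access is reported: any store reaching the freed block through instrumented code, including a debug wipe inside the allocator, is indistinguishable to check_access() from a real use-after-free. That is why the thread's resolution is to keep FreeWipe out of the CFG_CORE_SANITIZE_KADDRESS=y build rather than to weaken the check.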

@jenswi-linaro (Contributor)

Please test with #1799, it hopefully fixes the problem.

@prime-zeng (Contributor, Author)

OK, I will test it later, thank you.

prime-zeng mentioned this issue Sep 9, 2017

@prime-zeng (Contributor, Author)

@jenswi-linaro it fixes the problem, thank you, I will close the issue.
