Buffer Overflow

[Leandros]

Description

It seems to me that there is a buffer overflow in the signal handling routine.
Are you doing shenanigans in there? The only C++ legal thing to do in a signal handler is setting a volatile sigatomic_t, anything else is UB.
(POSIX has a different opinion on that, and is saying that pretty much all the syscalls are fine. C or C++ stdlib is still off-limits, though)

Steps to reproduce

• Compile with ASan enabled
• Trigger an error in a catch TEST_CASE

Report

=================================================================
==21739==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001ed0efc at pc 0x0000004abab2 bp 0x000001ed0e70 sp 0x000001ed0620
READ of size 1 at 0x000001ed0efc thread T0
    #0 0x4abab1 in fwrite /root/tmp/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1051
    #1 0x7fcf91b2c58d in std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x10d58d)
    #2 0x7fcf91b2c827 in std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x10d827)
    #3 0x686dd1 in Catch::(anonymous namespace)::PosixColourImpl::setColour(char const*) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6763:27
    #4 0x686ac2 in Catch::(anonymous namespace)::PosixColourImpl::use(Catch::Colour::Code) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6748:52
    #5 0x6372a5 in Catch::Colour::use(Catch::Colour::Code) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6819:15
    #6 0x6371cc in Catch::Colour::Colour(Catch::Colour::Code) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6804:42
    #7 0x68974d in Catch::(anonymous namespace)::AssertionPrinter::printSourceInfo() const /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11110:16
    #8 0x66be0f in Catch::(anonymous namespace)::AssertionPrinter::print() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11041:9
    #9 0x66b6e2 in Catch::CompactReporter::assertionEnded(Catch::AssertionStats const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11226:21
    #10 0x64c2e1 in Catch::RunContext::assertionEnded(Catch::AssertionResult const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8466:39
    #11 0x64e3f3 in Catch::RunContext::handleFatalErrorCondition(Catch::StringRef) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8565:9
    #12 0x638ff8 in (anonymous namespace)::reportFatal(char const*) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:7127:56
    #13 0x638d3d in Catch::FatalConditionHandler::handleSignal(int) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:7235:9
    #14 0x7fcf916b302f  (/lib/x86_64-linux-gnu/libc.so.6+0x3302f)
    #15 0x56531b in a::atomic::detail::load_relaxed(a::atomic::detail::uint128_atomic const*) /root/p4/depot/_out/../liba/include/a/bits/atomic_gcc.hxx:659:5
    #16 0x5651d7 in a::atomic::detail::uint128_atomic::Type a::atomic::LoadSeqCst<a::atomic::detail::uint128_atomic>(a::atomic::detail::uint128_atomic const*) /root/p4/depot/_out/../liba/include/a/bits/atomic.hxx:73:28
    #17 0x564d0a in a::atomic::detail::uint128_atomic::Type a::atomic::Load<a::atomic::detail::uint128_atomic>(a::atomic::detail::uint128_atomic const*, a::atomic::MemoryOrder) /root/p4/depot/_out/../liba/include/a/bits/atomic.hxx:91:16
    #18 0x5622ee in a::Atomic128::Load(a::MemoryOrder) const /root/p4/depot/_out/../liba/include/a/atomic.hxx:303:16
    #19 0x55acec in ____C_A_T_C_H____T_E_S_T____25() /root/p4/depot/_out/../liba/tests/atomic.cxx:188:30
    #20 0x65d6ba in Catch::TestInvokerAsFunction::invoke() const /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9870:9
    #21 0x64f625 in Catch::TestCase::invoke() const /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9771:15
    #22 0x64f46a in Catch::RunContext::invokeActiveTestCase() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8655:27
    #23 0x64b403 in Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8630:17
    #24 0x648eeb in Catch::RunContext::runTest(Catch::TestCase const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8419:13
    #25 0x6559f9 in Catch::(anonymous namespace)::runTests(std::shared_ptr<Catch::Config> const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8967:39
    #26 0x6542b3 in Catch::Session::runInternal() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9151:63
    #27 0x653d0d in Catch::Session::run() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9108:24
    #28 0x6862f6 in main /root/p4/depot/_out/../liba/tests/driver.cxx:36:20
    #29 0x7fcf916a02b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #30 0x42ed49 in _start (/root/p4/depot/_out/tests/a+0x42ed49)

0x000001ed0efc is located 36 bytes to the left of global variable 'Catch::FatalConditionHandler::altStackMem' defined in '../extern/lib/catch2/single_include/catch.hpp:7274:33' (0x1ed0f20) of size 8192
0x000001ed0efc is located 204 bytes to the right of global variable 'Catch::FatalConditionHandler::oldSigActions' defined in '../extern/lib/catch2/single_include/catch.hpp:7272:45' (0x1ed0aa0) of size 912
SUMMARY: AddressSanitizer: global-buffer-overflow /root/tmp/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1051 in fwrite
Shadow bytes around the buggy address:
  0x0000803d2180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d2190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d21a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d21b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d21c0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0000803d21d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]
  0x0000803d21e0: f9 f9 f9 f9 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x0000803d21f0: f2 f2 f2 f2 f8 f8 f2 f2 f8 f8 f3 f3 00 00 00 00
  0x0000803d2200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d2210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803d2220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21739==ABORTING

Extra information

• Catch version: v2.1.0
• Operating System: Linux arvid.io 4.9.0-3-amd64 Memory leak in ResultInfo::operator =() #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux
• Compiler+version: clang 5.0.1

[Leandros]

There is more:

=================================================================
==2961==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000005950 at pc 0x0000006382da bp 0x000001feb0d0 sp 0x000001feb0c8
READ of size 8 at 0x604000005950 thread T0
    #0 0x6382d9 in Catch::Colour::use(Catch::Colour::Code) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6819:15
    #1 0x638241 in Catch::Colour::Colour(Catch::Colour::Code) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6804:42
    #2 0x68c556 in Catch::(anonymous namespace)::AssertionPrinter::printExpressionWas() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11132:24
    #3 0x66dc10 in Catch::(anonymous namespace)::AssertionPrinter::print() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11075:13
    #4 0x66cbe2 in Catch::CompactReporter::assertionEnded(Catch::AssertionStats const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:11226:21
    #5 0x64d4a0 in Catch::RunContext::assertionEnded(Catch::AssertionResult const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8466:39
    #6 0x64f5c3 in Catch::RunContext::handleFatalErrorCondition(Catch::StringRef) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8565:9
    #7 0x63a0b8 in (anonymous namespace)::reportFatal(char const*) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:7127:56
    #8 0x639df2 in Catch::FatalConditionHandler::handleSignal(int) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:7235:9
    #9 0x7f169df2e02f  (/lib/x86_64-linux-gnu/libc.so.6+0x3302f)
    #10 0x564b9b in a::atomic::detail::load_relaxed(a::atomic::detail::uint128_atomic const*) /root/p4/depot/_out/../liba/include/a/bits/atomic_gcc.hxx:659:5
    #11 0x564a57 in a::atomic::detail::uint128_atomic::Type a::atomic::LoadSeqCst<a::atomic::detail::uint128_atomic>(a::atomic::detail::uint128_atomic const*) /root/p4/depot/_out/../liba/include/a/bits/atomic.hxx:73:28
    #12 0x56458a in a::atomic::detail::uint128_atomic::Type a::atomic::Load<a::atomic::detail::uint128_atomic>(a::atomic::detail::uint128_atomic const*, a::atomic::MemoryOrder) /root/p4/depot/_out/../liba/include/a/bits/atomic.hxx:91:16
    #13 0x561e2e in a::Atomic128::Load(a::MemoryOrder) const /root/p4/depot/_out/../liba/include/a/atomic.hxx:303:16
    #14 0x55b59a in ____C_A_T_C_H____T_E_S_T____25() /root/p4/depot/_out/../liba/tests/atomic.cxx:199:30
    #15 0x65e9ba in Catch::TestInvokerAsFunction::invoke() const /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9870:9
    #16 0x6507f5 in Catch::TestCase::invoke() const /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9771:15
    #17 0x65063a in Catch::RunContext::invokeActiveTestCase() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8655:27
    #18 0x64c5b7 in Catch::RunContext::runCurrentTest(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8630:17
    #19 0x64a08b in Catch::RunContext::runTest(Catch::TestCase const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8419:13
    #20 0x656c79 in Catch::(anonymous namespace)::runTests(std::shared_ptr<Catch::Config> const&) /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:8967:39
    #21 0x655527 in Catch::Session::runInternal() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9151:63
    #22 0x654f62 in Catch::Session::run() /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:9108:24
    #23 0x6878f6 in main /root/p4/depot/_out/../liba/tests/driver.cxx:36:20
    #24 0x7f169df1b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #25 0x42ed89 in _start (/root/p4/depot/_out/tests/a+0x42ed89)

0x604000005950 is located 0 bytes inside of 36-byte region [0x604000005950,0x604000005974)
freed by thread T0 here:
    #0 0x523d70 in operator delete(void*) /root/tmp/llvm/compiler-rt/lib/asan/asan_new_delete.cc:137

previously allocated by thread T0 here:
    #0 0x522ff8 in operator new(unsigned long) /root/tmp/llvm/compiler-rt/lib/asan/asan_new_delete.cc:92

SUMMARY: AddressSanitizer: heap-use-after-free /root/p4/depot/_out/../extern/lib/catch2/single_include/catch.hpp:6819:15 in Catch::Colour::use(Catch::Colour::Code)
Shadow bytes around the buggy address:
  0x0c087fff8ad0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8ae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8af0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff8b00: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c087fff8b10: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
=>0x0c087fff8b20: fa fa 00 00 00 00 00 fa fa fa[fd]fd fd fd fd fa
  0x0c087fff8b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8b70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

[Leandros]

Potentially false positives, due to not having instrumented the standard library. Take with a grain of salt, and re-test with an instrumented libcxx.