Bug 1219520

Summary:	ASAN crypt_r interceptor uses wrong sizeof(struct crypt_data)
Product:	[openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5	Reporter:	Markus Mäkelä <markus.makela>
Component:	Basesystem	Assignee:	Richard Biener <rguenther>
Status:	IN_PROGRESS ---	QA Contact:
Severity:	Normal
Priority:	P5 - None	CC:	meissner, rguenther, schwab
Version:	unspecified
Target Milestone:	---
Hardware:	x86-64
OS:	SLES 15
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Markus Mäkelä 2024-02-03 15:02:05 UTC

I tested this on the opensuse/leap:latest docker image (image hash: ec3c3c09f741) so it should be easy to reproduce. I can confirm that it also happens on SLES 15.5. I verified that it does not happen with GCC 13.2.1 from Fedora 38 which suggests it's not a bug in GCC but something in the build environment on SLES 15.

The following program demonstrates the problem. 

>#include <crypt.h>
>#include <iostream>
>#include <cstring>
> 
>int main(int argc, char** argv)
>{
>  struct crypt_data data;
>  memset(&data, 0, sizeof(data));
>  std::cout << crypt_r(argv[1], argv[2], &data) << std::endl;
>  return 0;
>}

Compiling it with GCC 13 causes the problem.

>sudo zypper -n install gcc13 gcc13-c++
>/usr/bin/g++-13 -g -fsanitize=address -lcrypt test.cc
>./a.out 'hello' '$1$world'
>=================================================================
>==59107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f55f8208020 at pc 0x7f55fa287061 bp 0x7ffc95a4f3d0 sp 0x7ffc95a4eb90
>WRITE of size 131232 at 0x7f55f8208020 thread T0
>    #0 0x7f55fa287060 in __interceptor_crypt_r ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:10214
>    #1 0x400c47 in main /build/test.cc:9
>    #2 0x7f55f9c3e24c in __libc_start_main (/lib64/libc.so.6+0x3524c) (BuildId: f732026552f6adff988b338e92d466bc81a01c37)
>    #3 0x400a49 in _start ../sysdeps/x86_64/start.S:120
>Address 0x7f55f8208020 is located in stack of thread T0 at offset 32800 in frame
>    #0 0x400b05 in main /build/test.cc:6
>  This frame has 1 object(s):
>    [32, 32800) 'data' (line 7) <== Memory access at offset 32800 overflows this variable
>HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>      (longjmp and C++ exceptions *are* supported)
>SUMMARY: AddressSanitizer: stack-buffer-overflow ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:10214 in __interceptor_crypt_r
>Shadow bytes around the buggy address:
>  0x7f55f8207d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8207e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8207e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8207f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8207f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>=>0x7f55f8208000: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
>  0x7f55f8208080: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
>  0x7f55f8208100: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8208180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8208200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x7f55f8208280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07 
>  Heap left redzone:       fa
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  Intra object redzone:    bb
>  ASan internal:           fe
>  Left alloca redzone:     ca
>  Right alloca redzone:    cb
>==59107==ABORTING

Compiling with GCC 9 does not cause it.

>sudo zypper -n install gcc9 gcc9-c++
>/usr/bin/g++-9 -g -fsanitize=address -lcrypt test.cc
>./a.out 'hello' '$1$world'
>$1$world$9570e6rgzRsa0dGF.W93f.


On line 10214 in sanitizer_common_interceptors.inc we have this:
>    COMMON_INTERCEPTOR_WRITE_RANGE(ctx, data,
>                                   __sanitizer::struct_crypt_data_sz);

And struct_crypt_data_sz is defined in sanitizer_platform_limits_posix.cpp. There we see that it's correctly set to the size of the struct:
>#if SANITIZER_INTERCEPT_CRYPT_R
>  unsigned struct_crypt_data_sz = sizeof(struct crypt_data);
>#endif 

From /usr/include/crypt.h:
>/* These sizes are chosen to make sizeof (struct crypt_data) add up to
>   exactly 32768 bytes.  */
>#define CRYPT_DATA_RESERVED_SIZE 767
>#define CRYPT_DATA_INTERNAL_SIZE 30720

Here's the disassembly of libasan for the variable where the size of the struct is stored.
>0000000000166ce0 <__sanitizer::struct_crypt_data_sz>:
>  166ce0:       a0 00 02 00     movabs 0x1000000070000200,%al
>  166ce7:         
If I'm reading that correctly, that's 131232 in base 10 which is exactly the size of the write that ASAN reports and not what the crypt.h header uses. Maybe there's something weird about the libasan build environment that makes the size of the struct different?

I also tested Valgrind which confirms that it's indeed a problem in ASAN and not in the library itself.
>valgrind ./a.out 'hello' '$1$world'
>==58481== Memcheck, a memory error detector
>==58481== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
>==58481== Using Valgrind-3.20.0 and LibVEX; rerun with -h for copyright info
>==58481== Command: ./a.out hello $1$world
>==58481== 
>$1$world$9570e6rgzRsa0dGF.W93f.
>==58481== 
>==58481== HEAP SUMMARY:
>==58481==     in use at exit: 0 bytes in 0 blocks
>==58481==   total heap usage: 2 allocs, 2 frees, 74,752 bytes allocated
>==58481== 
>==58481== All heap blocks were freed -- no leaks are possible
>==58481== 
>==58481== For lists of detected and suppressed errors, rerun with: -s
>==58481== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Comment 1 Richard Biener 2024-02-08 08:01:38 UTC

Confirmed.  I checked that a locally built libasan works fine.  It looks like upstream dropped intercepting of crypt_r, so it will be gone with GCC 14.

GCC 13 from Leap/SLE build against glibc from SLE15 GA.

The crypt.h I have installed on SLE15 SP5 is from libxcrypt which has a
smaller size:

/* These sizes are chosen to make sizeof (struct crypt_data) add up to
   exactly 32768 bytes.  */
#define CRYPT_DATA_RESERVED_SIZE 767
#define CRYPT_DATA_INTERNAL_SIZE 30720

compared to what glibc has:

#ifdef __USE_GNU
   
/* This structure provides scratch and output buffers for 'crypt_r'.
   Its contents should not be accessed directly.  */
struct crypt_data     
  {  
    char keysched[16 * 8];
    char sb0[32768];
    char sb1[32768];
    char sb2[32768];
    char sb3[32768];
    /* end-of-aligment-critical-data */
    char crypt_3_buf[14];
    char current_salt[2];
    long int current_saltbits;
    int  direction, initialized;
  };

libxcrypt was added in SLE15 SP3 as "ABI compatible replacement for libcypt from glibc" when glibc was updated to version 2.31 and its internal crypt was
disabled.

Comment 2 Richard Biener 2024-02-08 08:05:47 UTC

The crypt interception was removed with

https://github.com/llvm/llvm-project/commit/d7bead833631486e337e541e692d9b4a1ca14edd

and I'm considering to simply backport this.

Comment 3 OBSbugzilla Bot 2024-02-08 09:25:03 UTC

This is an autogenerated message for OBS integration:
This bug (1219520) was mentioned in
https://build.opensuse.org/request/show/1145076 Factory / gcc13

Comment 4 OBSbugzilla Bot 2024-02-08 15:25:02 UTC

This is an autogenerated message for OBS integration:
This bug (1219520) was mentioned in
https://build.opensuse.org/request/show/1145209 Factory / gcc13

Comment 5 Richard Biener 2024-02-12 10:06:06 UTC

Now also pushed to ALP.  For SLE12/15 it has to wait for the usual update we do when 13.3 is out (or when something more urgent shows up).

Comment 7 Maintenance Automation 2024-04-12 08:30:09 UTC

SUSE-RU-2024:1253-1: An update that has nine fixes can now be installed.

Category: recommended (moderate)
Bug References: 1210959, 1214934, 1217450, 1217667, 1218492, 1219031, 1219520, 1220724, 1221239
Maintenance Incident: [SUSE:Maintenance:33128](https://smelt.suse.de/incident/33128/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
openSUSE Leap Micro 5.4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
openSUSE Leap 15.5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Manager Server 4.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Desktop 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Manager Retail Branch Server 4.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Manager Proxy 4.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Desktop 15 SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro 5.3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro 5.4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro 5.5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
Basesystem Module 15-SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
Development Tools Module 15-SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Package Hub 15 15-SP5 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Enterprise Storage 7.1 (src):
 gcc13-13.2.1+git8285-150000.1.9.1, cross-nvptx-gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro 5.1 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro 5.2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 gcc13-13.2.1+git8285-150000.1.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2024-06-19 12:30:11 UTC

SUSE-RU-2024:2087-1: An update that has 10 fixes can now be installed.

Category: recommended (moderate)
Bug References: 1188441, 1210959, 1214934, 1217450, 1217667, 1218492, 1219031, 1219520, 1220724, 1221239
Maintenance Incident: [SUSE:Maintenance:34272](https://smelt.suse.de/incident/34272/)
Sources used:
Toolchain Module 12 (src):
 cross-nvptx-gcc13-13.3.0+git8781-1.13.1, gcc13-13.3.0+git8781-1.13.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 gcc13-13.3.0+git8781-1.13.1
SUSE Linux Enterprise Server 12 SP5 (src):
 gcc13-13.3.0+git8781-1.13.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 gcc13-13.3.0+git8781-1.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.