From 24b64c228bc6a46d3ced4b615d8e6eebd7c55de4 Mon Sep 17 00:00:00 2001 
From: lhchavez
Date: Fri, 1 Sep 2017 03:52:13 +0000
Subject: [PATCH] ASan: Fix stack overflow in system_unittest

This change fixes the following buffer overflow in system_unittest, found by running `make tests` with AddressSanitizer:

==30977==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffddc9c3055 at pc 0x7ff7ec00f2d5 bp 0x7ffddc9c2ca0 sp 0x7ffddc9c2448
READ of size 6 at 0x7ffddc9c3055 thread T0
    #0 0x7ff7ec00f2d4 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472d4)
    #1 0x44fa17 in write_pid_to_path_basic_Test::TestBody() system_unittest.cc:132

Address 0x7ffddc9c3055 is located in stack of thread T0 at offset 805 in frame
    #0 0x44ef6f in write_pid_to_path_basic_Test::TestBody() system_unittest.cc:121

  This frame has 7 object(s):
    [32, 40) 'path'
    [96, 104) 'fp'
    [160, 176) 'gtest_ar'
    [224, 256) ''
    [288, 320) ''
    [352, 744) 'ss'
    [800, 805) 'data' <== Memory access at offset 805 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address: 0x10003b9305b0: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 0x10003b9305c0: f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 0x10003b9305d0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003b9305e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003b9305f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10003b930600: 00 00 00 f4 f4 f4 f2 f2 f2 f2[05]f4 f4 f4 f3 f3 0x10003b930610: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10003b930620: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x10003b930630: 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 0x10003b930640: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 0x10003b930650: 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==30977==ABORTING Bug: None Test: make tests (with -fsanitize=address in {C,CXX}FLAGS). Change-Id: If5145d60f34664c39b560bf5a739bdac7ee689b6 --- system_unittest.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_unittest.cc b/system_unittest.cc index 0ecfcde..9300b70 100644 --- a/system_unittest.cc +++ b/system_unittest.cc @@ -126,7 +126,7 @@ TEST(write_pid_to_path, basic) { FILE *fp = fopen(path, "re"); unlink(path); EXPECT_NE(nullptr, fp); - char data[5]; + char data[6] = {}; EXPECT_EQ(5u, fread(data, 1, sizeof(data), fp)); fclose(fp); EXPECT_EQ(0, strcmp(data, "1234\n"));
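Review bot: The fix at `+ char data[6] = {};` relies on an implicit invariant: the zero-initialized sixth byte only serves as the NUL terminator for `strcmp(data, "1234\n")` because the file holds exactly 5 bytes, and `fread(data, 1, sizeof(data), fp)` now asks for 6, so the `EXPECT_EQ(5u, ...)` on the next line is the only thing documenting that the last byte must stay untouched. Making the terminator explicit would keep the test correct if the buffer size or file contents change later, e.g. `EXPECT_EQ(5u, fread(data, 1, sizeof(data) - 1, fp));` followed by `data[sizeof(data) - 1] = '\0';`, or at least a one-line comment stating that the extra byte is reserved for the NUL. Separately, `EXPECT_NE(nullptr, fp)` in the context lines is non-fatal, so a failed `fopen` would continue into `fread(..., fp)` with a null stream; `ASSERT_NE` would stop the test there instead.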