
segfault during hts_md5_update #1692

Closed
OctavioGalland opened this issue Nov 16, 2023 · 0 comments
Summary

Segfault in hts_md5_update during parsing of a crafted SAM/FASTA file pair.

Environment

Built using LLVM 14 with ASAN on Ubuntu 22.04

How to reproduce

Build with ASAN on latest commit like so:

git clone --recursive https://github.com/samtools/htslib
cd htslib
autoreconf -i
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" ./configure
make -j$(nproc)

git clone --recursive https://github.com/samtools/samtools
cd samtools
autoheader
autoconf -Wno-syntax
CC=clang-14 CXX=clang++-14 CFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" CXXFLAGS="-fsanitize=address -g -I$(pwd)/../htslib" LDFLAGS="-fsanitize=address -g -L$(pwd)/../htslib" ./configure
make -j$(nproc)

Within the samtools folder, write out the poc file and reproduce with:

echo -ne "QFNRCVNOOmMxCUxOOjEwCnMwCTAJYzEJMTAwMDAwMDAwMDAwCTAJKjAJQTFDQ0dDR0dUVDEJMgkw
CTENTQkqCTAqKkNDQ0NYUEP/ZEJDSEMqKgoqUQlTATpjMQlMTjoxMApzMAkwCWMxCTEJMAkqMAlB
MUNDR0NHR1RUGQkyCTAJMQ1NCSoKczAJMAljMQkxCTAJKjAJQTFDQ0dDR0dUVDEJMgkwCTFRCVNO
OmMxCUxOOjEwCnMwCTAJYzEJMQkwCSowCUExQ0NHQ0dHVFQZCTIJMCoqCg==" | base64 -d > poc
./samtools view -C -T ../htslib/test/c2.fa poc

Which on my setup outputs:

[W::cram_get_ref] Reference file given, but ref 'c1' not present
[W::cram_get_ref] Failed to populate reference for id 0
[W::cram_write_SAM_hdr] No M5 tags present and could not find reference
[W::cram_write_SAM_hdr] Enabling embed_ref=2 option
[W::cram_write_SAM_hdr] NOTE: the CRAM file will be bigger than using an external reference
CRAM-�\��vvr@SQ	SN:c1	LN:10
@PG	ID:samtools	PN:samtools	VN:1.18-21-g528e1b2	CL:./samtools view -C -T ../htslib/test/c2.fa poc
�	�??}�Y�[W::sam_parse1] mapped query must have a CIGAR; treated as unmapped
[W::sam_parse1] unrecognized mate reference name "A1CCGCGGTT1"; treated as unmapped
[W::sam_read1_sam] Parse error at line 3
AddressSanitizer:DEADLYSIGNAL
=================================================================
==11502==ERROR: AddressSanitizer: SEGV on unknown address 0x61a700001980 (pc 0x7f43074c49bf bp 0x7ffca087c6c0 sp 0x7ffca087be88 T0)
==11502==The signal is caused by a READ memory access.
    #0 0x7f43074c49bf  string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370
    #1 0x559b356add81 in __asan_memcpy (/home/octavio/samtools/samtools+0x132d81) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)
    #2 0x559b359c13e9 in hts_md5_update /home/octavio/htslib/md5.c:268:2
    #3 0x559b35a7fcbd in cram_encode_container /home/octavio/htslib/cram/cram_encode.c:2041:17
    #4 0x559b35aef96c in cram_flush_container /home/octavio/htslib/cram/cram_io.c:4128:14
    #5 0x559b35af0795 in cram_flush_container_mt /home/octavio/htslib/cram/cram_io.c:4280:16
    #6 0x559b35afb742 in cram_flush /home/octavio/htslib/cram/cram_io.c:5431:19
    #7 0x559b3598a2e7 in hts_flush /home/octavio/htslib/hts.c:1667:16
    #8 0x559b35903084 in vprint_error_core /home/octavio/samtools/sam_utils.c:48:26
    #9 0x559b3590345c in print_error_errno /home/octavio/samtools/sam_utils.c:71:5
    #10 0x559b3570c472 in stream_view /home/octavio/samtools/sam_view.c:762:9
    #11 0x559b35707be8 in main_samview /home/octavio/samtools/sam_view.c:1363:15
    #12 0x559b35786eed in main /home/octavio/samtools/bamtk.c:244:55
    #13 0x7f4307429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #14 0x7f4307429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #15 0x559b3562bb24 in _start (/home/octavio/samtools/samtools+0xb0b24) (BuildId: 7078ea94d4e08689f85e1df47e2d609c021d2440)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:370 
==11502==ABORTING
jkbonfield added a commit to jkbonfield/htslib that referenced this issue Nov 16, 2023
Most of the CRAM code (and hopefully all) already has hts_pos_t
throughout when manipulating positions, but for some reason we never
updated the structures.  Surprising given I thought I'd tested CRAM 4
as working on long references.  (They're already 64-bit in io_lib.)

The code that fills out these variables already very carefully calls
the 32-bit (CRAM3) or 64-bit (CRAM4) query function and then copies
the variable over, so that should still be fine.

Fixes samtools#1692
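Added illustration of the width mismatch the commit message describes (constructed example, not htslib code): a 64-bit hts_pos_t value such as the 100000000000 in the poc file changes value when stored in a 32-bit field, so a bounds check done on one width says nothing about a memcpy done on the other. The struct, function names and the 10-base reference string are assumptions for the demo.

```c
/* Constructed demo, not htslib code: what happens when a 64-bit
 * position is funnelled through a 32-bit struct field before the
 * bytes it selects are handed to a memcpy / MD5 update. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical narrow container record (the kind of field the fix widened). */
struct narrow_slice { int32_t ref_start; int32_t ref_end; };

/* Store a 64-bit position the way a too-narrow field does: modulo 2^32. */
int32_t truncate_pos(int64_t pos) { return (int32_t)(uint32_t)pos; }

/* Bug pattern: range-check the already-truncated value. Out-of-range
 * positions can wrap to small numbers and pass, selecting wrong bytes. */
int narrow_check_passes(int64_t pos, size_t ref_len)
{
    int32_t p = truncate_pos(pos);
    return p >= 0 && (uint64_t)p < ref_len;
}

/* Safe pattern: validate the full 64-bit range against the reference length
 * before deriving any pointer for hashing. Returns the slice length, or -1
 * when [start, end) is not entirely inside the reference. */
long checked_ref_slice(const char *ref, size_t ref_len,
                       int64_t start, int64_t end, const char **out)
{
    if (out) *out = NULL;
    if (start < 0 || end < start || (uint64_t)end > ref_len) return -1;
    if (out) *out = ref + start;
    return (long)(end - start);
}

int main(void)
{
    const char ref[] = "ACGTACGTAC";            /* constructed 10-base reference (LN:10) */
    int64_t poc_pos = 100000000000LL;           /* position carried by the poc SAM line */
    int64_t wrap_pos = 4294967301LL;            /* 2^32 + 5: wraps to 5 in 32 bits */
    struct narrow_slice s = { truncate_pos(poc_pos), truncate_pos(poc_pos + 1) };
    const char *p;

    printf("stored ref_start for %lld is %d\n", (long long)poc_pos, s.ref_start);
    printf("narrow check on %lld: %s\n", (long long)wrap_pos,
           narrow_check_passes(wrap_pos, sizeof ref - 1) ? "passes (wrong)" : "rejects");
    printf("64-bit check on %lld: %ld\n", (long long)poc_pos,
           checked_ref_slice(ref, sizeof ref - 1, poc_pos, poc_pos + 1, &p));
    return 0;
}
```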