[
https://issues.apache.org/jira/browse/DISPATCH-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17440574#comment-17440574
]
Jiri Daněk commented on DISPATCH-2206:
--------------------------------------
And, the results are in!
https://github.com/jiridanek/qpid-dispatch/runs/4141119600?check_suite_focus=true#step:9:446
{noformat}
27: ==4101==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000986b30 at pc 0x56236ce30ef2 bp 0x7ff4dcfddc00 sp 0x7ff4dcfddbf0
27: READ of size 8 at 0x617000986b30 thread T2
27:     #0 0x56236ce30ef1 in qdr_link_get_context ../src/router_core/connections.c:516
27:     #1 0x56236cf5d601 in CORE_link_second_attach ../src/router_node.c:1736
27:     #2 0x56236ce2c0d1 in qdr_connection_process ../src/router_core/connections.c:355
27:     #3 0x56236cf53035 in AMQP_writable_conn_handler ../src/router_node.c:299
27:     #4 0x56236cd5e201 in writable_handler ../src/container.c:388
27:     #5 0x56236cd6317f in qd_container_handle_event ../src/container.c:744
27:     #6 0x56236cf75ab5 in handle ../src/server.c:1108
27:     #7 0x56236cf75cd2 in thread_run ../src/server.c:1133
27:     #8 0x56236cdef964 in _thread_init ../src/posix/threading.c:172
27:     #9 0x7ff4e4dd5608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:     #10 0x7ff4e3fcb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
27:
27: 0x617000986b30 is located 176 bytes inside of 704-byte region [0x617000986a80,0x617000986d40)
27: freed by thread T1 here:
27:     #0 0x7ff4e53937cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
27:     #1 0x56236cd30b84 in qd_dealloc ../src/alloc_pool.c:497
27:     #2 0x56236ceb68e3 in free_qdr_link_t ../src/router_core/router_core.c:35
27:     #3 0x56236ce3cc11 in qdr_link_cleanup_CT ../src/router_core/connections.c:1121
27:     #4 0x56236ce50a5f in qdr_link_processing_complete_CT ../src/router_core/connections.c:2220
27:     #5 0x56236cedcec7 in router_core_thread ../src/router_core/router_core_thread.c:236
27:     #6 0x56236cdef964 in _thread_init ../src/posix/threading.c:172
27:     #7 0x7ff4e4dd5608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:
27: previously allocated by thread T2 here:
27:     #0 0x7ff4e5394aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
27:     #1 0x56236cd2c9cd in qd_alloc ../src/alloc_pool.c:393
27:     #2 0x56236ceb68ab in new_qdr_link_t ../src/router_core/router_core.c:35
27:     #3 0x56236ce31b29 in qdr_link_first_attach ../src/router_core/connections.c:617
27:     #4 0x56236cf56125 in AMQP_outgoing_link_handler ../src/router_node.c:1025
27:     #5 0x56236cd5b620 in setup_outgoing_link ../src/container.c:157
27:     #6 0x56236cd61ccc in qd_container_handle_event ../src/container.c:659
27:     #7 0x56236cf75ab5 in handle ../src/server.c:1108
27:     #8 0x56236cf75cd2 in thread_run ../src/server.c:1133
27:     #9 0x56236cdef964 in _thread_init ../src/posix/threading.c:172
27:     #10 0x7ff4e4dd5608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:
27: Thread T2 created by T0 here:
27:     #0 0x7ff4e52c0805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
27:     #1 0x56236cdefad3 in sys_thread ../src/posix/threading.c:181
27:     #2 0x56236cf7d758 in qd_server_run ../src/server.c:1525
27:     #3 0x56236cfd8791 in main_process ../router/src/main.c:115
27:     #4 0x56236cfda795 in main ../router/src/main.c:369
27:     #5 0x7ff4e3ed00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
27:
27: Thread T1 created by T0 here:
27:     #0 0x7ff4e52c0805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
27:     #1 0x56236cdefad3 in sys_thread ../src/posix/threading.c:181
27:     #2 0x56236ceb8817 in qdr_core ../src/router_core/router_core.c:124
27:     #3 0x56236cf5ec5c in qd_router_setup_late ../src/router_node.c:2127
27:     #4 0x7ff4dfe06ff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
27:     #5 0x7ffdb8b9975f ([stack]+0x2175f)
27:
27: SUMMARY: AddressSanitizer: heap-use-after-free ../src/router_core/connections.c:516 in qdr_link_get_context
27: Shadow bytes around the buggy address:
27: 0x0c2e80128d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: 0x0c2e80128d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: 0x0c2e80128d30: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
27: 0x0c2e80128d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: 0x0c2e80128d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: =>0x0c2e80128d60: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
27: 0x0c2e80128d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e80128d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e80128d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e80128da0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
27: 0x0c2e80128db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27: Addressable: 00
27: Partially addressable: 01 02 03 04 05 06 07
27: Heap left redzone: fa
27: Freed heap region: fd
27: Stack left redzone: f1
27: Stack mid redzone: f2
27: Stack right redzone: f3
27: Stack after return: f5
27: Stack use after scope: f8
27: Global redzone: f9
27: Global init order: f6
27: Poisoned by user: f7
27: Container overflow: fc
27: Array cookie: ac
27: Intra object redzone: bb
27: ASan internal: fe
27: Left alloca redzone: ca
27: Right alloca redzone: cb
27: Shadow gap: cc
27: ==4101==ABORTING
{noformat}
> ASAN use-after-free of qdr_link_t by I/O thread
> -----------------------------------------------
>
> Key: DISPATCH-2206
> URL: https://issues.apache.org/jira/browse/DISPATCH-2206
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Router Node
> Affects Versions: 1.16.1
> Reporter: Ken Giusti
> Priority: Major
> Labels: asan
> Fix For: 1.19.0
>
>
> [https://github.com/apache/qpid-dispatch/blob/main/src/router_core/connections.c#L1344]
>
> {noformat}
> 27: ==3859==ERROR: AddressSanitizer: use-after-poison on address 0x61700017e030 at pc 0x56212343cdac bp 0x7f9d33c40c90 sp 0x7f9d33c40c80
> 27: READ of size 8 at 0x61700017e030 thread T2
> 27:     #0 0x56212343cdab in qdr_link_get_context ../src/router_core/connections.c:498
> 27:     #1 0x56212352ec25 in CORE_link_second_attach ../src/router_node.c:1729
> 27:     #2 0x5621234388df in qdr_connection_process ../src/router_core/connections.c:355
> 27:     #3 0x56212338eccf in writable_handler ../src/container.c:396
> 27:     #4 0x56212338eccf in qd_container_handle_event ../src/container.c:748
> 27:     #5 0x562123547289 in handle ../src/server.c:1108
> 27:     #6 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #7 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:     #8 0x7f9d3ac33292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27:
> 27: 0x61700017e030 is located 176 bytes inside of 704-byte region [0x61700017df80,0x61700017e240)
> 27: allocated by thread T2 here:
> 27:     #0 0x7f9d3bfd9aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 27:     #1 0x5621233247b0 in qd_alloc ../src/alloc_pool.c:396
> 27:     #2 0x56212343d4c9 in qdr_link_first_attach ../src/router_core/connections.c:592
> 27:     #3 0x56212352dde9 in AMQP_outgoing_link_handler ../src/router_node.c:1018
> 27:     #4 0x562123547289 in handle ../src/server.c:1108
> 27:     #5 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #6 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:
> 27: Thread T2 created by T0 here:
> 27:     #0 0x7f9d3bf05805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 27:     #1 0x562123403bcf in sys_thread ../src/posix/threading.c:181
> 27:     #2 0x56212355541e in qd_server_run ../src/server.c:1522
> 27:     #3 0x56212359f46c in main_process ../router/src/main.c:115
> 27:     #4 0x56212329bc50 in main ../router/src/main.c:369
> 27:     #5 0x7f9d3ab380b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> 27:
> 27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:498 in qdr_link_get_context
> 27: Shadow bytes around the buggy address:
> 27: 0x0c2e80027bb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027bc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027bd0: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27: 0x0c2e80027be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: 0x0c2e80027bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: =>0x0c2e80027c00: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027c10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80027c40: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27: 0x0c2e80027c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27: Addressable: 00
> 27: Partially addressable: 01 02 03 04 05 06 07
> 27: Heap left redzone: fa
> 27: Freed heap region: fd
> 27: Stack left redzone: f1
> 27: Stack mid redzone: f2
> 27: Stack right redzone: f3
> 27: Stack after return: f5
> 27: Stack use after scope: f8
> 27: Global redzone: f9
> 27: Global init order: f6
> 27: Poisoned by user: f7
> 27: Container overflow: fc
> 27: Array cookie: ac
> 27: Intra object redzone: bb
> 27: ASan internal: fe
> 27: Left alloca redzone: ca
> 27: Right alloca redzone: cb
> 27: Shadow gap: cc
> 27: ==3859==ABORTING
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
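The two reports in this thread differ in a way that matters for triage: the comment's heap-use-after-free carries a "freed by thread T1" stack (the router core thread tears the qdr_link_t down) while the read happens on T2 (an I/O thread), whereas the original use-after-poison report has no free stack at all, only the allocation. The script below is an added example, not code from qpid-dispatch or from anyone in this Jira thread; it parses an ASan report of either shape, strips the ctest "27:" prefix and the e-mail ">" quoting, and flags a free on one thread followed by a use on another, which points at an object-ownership race rather than a stale local pointer. SAMPLE_UAF and SAMPLE_POISON are abridged copies of the two reports on this page, constructed for the example, and the function names here (parse_asan_report, triage, is_cross_thread) are the example's own.

```python
"""Parse and triage AddressSanitizer reports like the two on this page.
Added example, not qpid-dispatch code; the samples are abridged copies of the page's reports."""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FREED_RE = re.compile(r"freed by thread (?P<thread>T\d+) here:")
ALLOC_RE = re.compile(r"allocated by thread (?P<thread>T\d+) here:")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+(?: in (?P<func>\S+))?(?: (?P<loc>\S+))?$")


@dataclass
class AsanReport:
    kind: str
    address: str
    op: str = ""
    size: int = 0
    access_thread: str = ""
    access_stack: list = field(default_factory=list)  # [(function, file:line or module+offset)]
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    freed_thread: Optional[str] = None  # stays None for use-after-poison: nothing was free()d
    freed_stack: list = field(default_factory=list)
    alloc_thread: Optional[str] = None
    alloc_stack: list = field(default_factory=list)


def _clean(line: str) -> str:
    """Strip e-mail quoting ('> ') and the ctest test-number prefix ('27: ')."""
    line = re.sub(r"^\s*(?:>\s*)?", "", line)
    return re.sub(r"^\d+:\s?", "", line).rstrip()


def parse_asan_report(text: str) -> AsanReport:
    report, stack = None, None  # `stack` is the list frames currently append to, if any
    for raw in text.splitlines():
        line = _clean(raw)
        if m := HEADER_RE.search(line):
            report = AsanReport(kind=m["kind"], address=m["addr"])
        elif report is None:
            continue  # build output before the ASan header
        elif m := ACCESS_RE.search(line):
            report.op, report.size, report.access_thread = m["op"], int(m["size"]), m["thread"]
            stack = report.access_stack
        elif m := REGION_RE.search(line):
            report.region_offset, report.region_size = int(m["off"]), int(m["size"])
            stack = None
        elif m := FREED_RE.search(line):
            report.freed_thread, stack = m["thread"], report.freed_stack
        elif m := ALLOC_RE.search(line):
            report.alloc_thread, stack = m["thread"], report.alloc_stack
        elif line.startswith(("Thread T", "SUMMARY:")):
            stack = None  # thread-creation stacks and the summary are not collected
        elif stack is not None and (m := FRAME_RE.search(line)):
            stack.append((m["func"] or "?", m["loc"] or ""))
    if report is None:
        raise ValueError("no AddressSanitizer error header in input")
    return report


def is_cross_thread(r: AsanReport) -> bool:
    """Freed on one thread, used on another: an ownership race, not a stale local pointer."""
    return r.freed_thread is not None and r.freed_thread != r.access_thread


def triage(r: AsanReport) -> list:
    func, loc = r.access_stack[0] if r.access_stack else ("?", "?")
    out = [f"{r.kind}: {r.op} of {r.size} bytes in {func} ({loc}) on {r.access_thread}"]
    if r.region_size is not None:
        out.append(f"object: {r.region_size}-byte region, field at offset {r.region_offset}")
    if r.freed_thread is None:
        out.append("no free stack: region was poisoned explicitly (ASAN_POISON_MEMORY_REGION, "
                   "e.g. by a pool allocator recycling the object); find the poisoning site")
    elif is_cross_thread(r):
        chain = " <- ".join(f for f, _ in r.freed_stack[1:4])  # [0] is the sanitizer's free interceptor
        out.append(f"cross-thread race: freed on {r.freed_thread} via {chain}, still used on {r.access_thread}")
    else:
        out.append(f"same-thread use-after-free: pointer kept after cleanup on {r.access_thread}")
    if r.alloc_stack:
        out.append(f"allocated on {r.alloc_thread} from {r.alloc_stack[-1][0]}")
    return out


# Constructed samples: abridged from the two reports on this page, prefixes left in on purpose.
SAMPLE_UAF = """\
27: ==4101==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000986b30 at pc 0x56236ce30ef2 bp 0x7ff4dcfddc00 sp 0x7ff4dcfddbf0
27: READ of size 8 at 0x617000986b30 thread T2
27:     #0 0x56236ce30ef1 in qdr_link_get_context ../src/router_core/connections.c:516
27:     #1 0x56236cf5d601 in CORE_link_second_attach ../src/router_node.c:1736
27:
27: 0x617000986b30 is located 176 bytes inside of 704-byte region [0x617000986a80,0x617000986d40)
27: freed by thread T1 here:
27:     #0 0x7ff4e53937cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
27:     #1 0x56236cd30b84 in qd_dealloc ../src/alloc_pool.c:497
27:     #2 0x56236ceb68e3 in free_qdr_link_t ../src/router_core/router_core.c:35
27:     #3 0x56236ce3cc11 in qdr_link_cleanup_CT ../src/router_core/connections.c:1121
27:
27: previously allocated by thread T2 here:
27:     #0 0x7ff4e5394aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
27:     #1 0x56236cd2c9cd in qd_alloc ../src/alloc_pool.c:393
27:     #2 0x56236ceb68ab in new_qdr_link_t ../src/router_core/router_core.c:35
27:     #3 0x56236ce31b29 in qdr_link_first_attach ../src/router_core/connections.c:617
27:
27: SUMMARY: AddressSanitizer: heap-use-after-free ../src/router_core/connections.c:516 in qdr_link_get_context
"""
SAMPLE_POISON = """\
> 27: ==3859==ERROR: AddressSanitizer: use-after-poison on address 0x61700017e030 at pc 0x56212343cdac bp 0x7f9d33c40c90 sp 0x7f9d33c40c80
> 27: READ of size 8 at 0x61700017e030 thread T2
> 27:     #0 0x56212343cdab in qdr_link_get_context ../src/router_core/connections.c:498
> 27: 0x61700017e030 is located 176 bytes inside of 704-byte region [0x61700017df80,0x61700017e240)
> 27: allocated by thread T2 here:
> 27:     #0 0x7f9d3bfd9aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 27:     #1 0x5621233247b0 in qd_alloc ../src/alloc_pool.c:396
> 27:     #2 0x56212343d4c9 in qdr_link_first_attach ../src/router_core/connections.c:592
> 27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:498 in qdr_link_get_context
"""

if __name__ == "__main__":
    for sample in (SAMPLE_UAF, SAMPLE_POISON):
        print("\n".join(triage(parse_asan_report(sample))), end="\n\n")
```

Run as a script it prints the findings for both samples; in CI it can be pointed at the raw ctest log instead, since the parser ignores everything before the ASan header. The distinction it draws is the one that decides the fix: a same-thread report is usually a pointer that should have been cleared or re-looked-up after cleanup, while a cross-thread report (free on the core thread, use on an I/O thread, as here) needs the object's lifetime to be tied to whichever side still holds a reference.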