[ https://issues.apache.org/jira/browse/DISPATCH-2045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17320957#comment-17320957 ]

Jiri Daněk commented on DISPATCH-2045:
--------------------------------------

{noformat}
34: ==3003==ERROR: AddressSanitizer: use-after-poison on address 0x61100003e658 at pc 0x7fad96d68f45 bp 0x7ffeab5e9770 sp 0x7ffeab5e9760
34: READ of size 8 at 0x61100003e658 thread T0
34:     #0 0x7fad96d68f44 in qd_hash_internal_remove_item ../src/hash.c:126
34:     #1 0x7fad96d6a908 in qd_hash_free ../src/hash.c:142
34:     #2 0x7fad96e89781 in qdr_core_free ../src/router_core/router_core.c:209
34:     #3 0x7fad96efacf1 in qd_router_free ../src/router_node.c:2148
34:     #4 0x7fad96d61fe1 in qd_dispatch_free ../src/dispatch.c:371
34:     #5 0x7fad96d61fe1 in qd_dispatch_free ../src/dispatch.c:363
34:     #6 0x564ff23ea1d3 in main_process ../router/src/main.c:119
34:     #7 0x564ff23e9ce0 in main ../router/src/main.c:369
34:     #8 0x7fad95c590b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
34:     #9 0x564ff23e9f8d in _start (/home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/build/router/qdrouterd+0x5f8d)
34: 
34: 0x61100003e658 is located 152 bytes inside of 192-byte region [0x61100003e5c0,0x61100003e680)
34: allocated by thread T1 here:
34:     #0 0x7fad975f2aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
34:     #1 0x7fad96cebd00 in qd_alloc ../src/alloc_pool.c:397
34:     #2 0x7fad96d6975b in qd_hash_internal_insert ../src/hash.c:196
34:     #3 0x7fad96d6ada4 in qd_hash_insert ../src/hash.c:224
34:     #4 0x7fad96e95efd in qdr_subscribe_CT ../src/router_core/route_tables.c:648
34:     #5 0x7fad96e91008 in router_core_thread ../src/router_core/router_core_thread.c:240
34:     #6 0x7fad9679a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
34: 
34: Thread T1 created by T0 here:
34:     #0 0x7fad9751e805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
34:     #1 0x7fad96dcc4cf in sys_thread ../src/posix/threading.c:183
34:     #2 0x7fad96e77e7c in qdr_core ../src/router_core/router_core.c:122
34:     #3 0x7fad96efa7f6 in qd_router_setup_late ../src/router_node.c:2111
34:     #4 0x7fad91208ff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
34:     #5 0x7ffeab5e921f  ([stack]+0x1f21f)
34: 
34: SUMMARY: AddressSanitizer: use-after-poison ../src/hash.c:126 in qd_hash_internal_remove_item
34: Shadow bytes around the buggy address:
34:   0x0c227ffffc70: 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00 00 00
34:   0x0c227ffffc80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
34:   0x0c227ffffc90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
34:   0x0c227ffffca0: 00 00 f7 f7 00 00 00 00 fa fa fa fa fa fa fa fa
34:   0x0c227ffffcb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
34: =>0x0c227ffffcc0: 00 00 00 00 00 00 00 00 00 00 f7[f7]00 00 00 00
34:   0x0c227ffffcd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
34:   0x0c227ffffce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
34:   0x0c227ffffcf0: 00 00 f7 f7 00 00 00 00 fa fa fa fa fa fa fa fa
34:   0x0c227ffffd00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
34:   0x0c227ffffd10: 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00 00 00
34: Shadow byte legend (one shadow byte represents 8 application bytes):
34:   Addressable:           00
34:   Partially addressable: 01 02 03 04 05 06 07 
34:   Heap left redzone:       fa
34:   Freed heap region:       fd
34:   Stack left redzone:      f1
34:   Stack mid redzone:       f2
34:   Stack right redzone:     f3
34:   Stack after return:      f5
34:   Stack use after scope:   f8
34:   Global redzone:          f9
34:   Global init order:       f6
34:   Poisoned by user:        f7
34:   Container overflow:      fc
34:   Array cookie:            ac
34:   Intra object redzone:    bb
34:   ASan internal:           fe
34:   Left alloca redzone:     ca
34:   Right alloca redzone:    cb
34:   Shadow gap:              cc
34: ==3003==ABORTING
{noformat}

> qd_hash_internal_remove_item writes to freed (pooled) memory on router shutdown
> -------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2045
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2045
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Jiri Daněk
>            Priority: Minor
>         Attachments: 0001-DISPATCH-2039-WIP-add-prints-around-hash-inserts-and.patch, hashcrash.conf
>
>
> Apply the attached patch (), run the router with the attached config, wait a moment, then stop the router. Note the following lines in the router output:
> {code}
> inserting key M0$management
> inserting key L$management
> inserting key L$_management_internal
> inserting key Corg.apache
> inserting key CFakeBroker
> inserting key LlinkRoute/0
> inserting key Dorg.apache
> inserting key LlinkRoute/1
> ^C
> freeing item 0x61100000de10 with key 2/apache
> zeroing the handle pointer, of value 0x61100000de10
> freeing hash handle 0x611000034f10 for item (nil)
> freeing item 0x61100000df50 with key 1/org
> zeroing the handle pointer, of value 0x61100000df50
> freeing hash handle 0x611000035050 for item (nil)
> freeing item 0x611000030050 with key Corg.apache
> zeroing the handle pointer, of value 0x611000030050
> freeing hash handle 0x611000035190 for item (nil)
> freeing hash handle 0x611000034c90 for item 0x61100000db90
> freeing item 0x61100000dcd0 with key CFakeBroker
> zeroing the handle pointer, of value 0x61100000dcd0
> freeing hash handle 0x611000034dd0 for item (nil)
> freeing item 0x61100000d7d0 with key 2/apache
> zeroing the handle pointer, of value 0x61100000d7d0
> freeing hash handle 0x6110000348d0 for item (nil)
> freeing item 0x61100000d910 with key 1/org
> zeroing the handle pointer, of value 0x61100000d910
> freeing hash handle 0x611000034a10 for item (nil)
> freeing item 0x61100000da50 with key Dorg.apache
> zeroing the handle pointer, of value 0x61100000da50
> freeing hash handle 0x611000034b50 for item (nil)
> freeing hash handle 0x611000034790 for item 0x61100000d690
> freeing item 0x611000030410 with key M0$management
> zeroing the handle pointer, of value 0x611000030410
> freeing hash handle 0x611000035550 for item (nil)
> freeing item 0x6110000302d0 with key L$management
> zeroing the handle pointer, of value 0x6110000302d0
> freeing hash handle 0x611000035410 for item (nil)
> freeing item 0x611000030190 with key L$_management_internal
> zeroing the handle pointer, of value 0x611000030190
> freeing hash handle 0x6110000352d0 for item (nil)
> freeing item 0x61100000db90 with key LlinkRoute/0
> zeroing the handle pointer, of value 0x9999999999999999
> freeing item 0x61100000d690 with key LlinkRoute/1
> zeroing the handle pointer, of value 0x9999999999999999
> freeing item 0x611000007290 with key router
> {code}
> The problem is at the end, writing to memory set to {{#define QD_MEMORY_FREE 0x99}}.
> {noformat}
> freeing item 0x61100000db90 with key LlinkRoute/0
> zeroing the handle pointer, of value 0x9999999999999999
> freeing item 0x61100000d690 with key LlinkRoute/1
> zeroing the handle pointer, of value 0x9999999999999999
> freeing item 0x611000007290 with key router
> {noformat}
> That is because a handle can be freed before the item, which happened in this case, in {{freeing hash handle 0x611000034790 for item 0x61100000d690}}.
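Added example (constructed, not qpid-dispatch's own code) modelling the handle-before-item free order the report describes: the item and its handle point at each other, a simulated pooled free fills the block with 0x99 as QD_MEMORY_FREE does, and remove_item() reports when its "zeroing the handle pointer" write lands in already-freed memory. handle_free_fixed() is an assumed mitigation for illustration, not the project's actual fix.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the item/handle pair from the report (not
   qpid-dispatch's own code).  Item and handle point at each other, so whichever
   is freed first leaves a dangling pointer in the survivor.  Freed pool memory
   is filled with 0x99, mimicking QD_MEMORY_FREE. */
#define MEMORY_FREE_BYTE 0x99

typedef struct hash_item hash_item_t;
typedef struct hash_handle { hash_item_t *item; } hash_handle_t;
struct hash_item { const char *key; hash_handle_t *handle; };

/* Simulated pooled free: the block is poisoned, not returned to malloc. */
static void pool_free(void *p, size_t n) { memset(p, MEMORY_FREE_BYTE, n); }

/* Buggy order from the report: the handle goes away while item->handle
   still points at it. */
static void handle_free_buggy(hash_handle_t *h) { pool_free(h, sizeof *h); }

/* One possible mitigation (an assumption, not the project's fix): unlink the
   item before poisoning so a later remove_item() has nothing to write to. */
static void handle_free_fixed(hash_handle_t *h) {
    if (h->item) h->item->handle = NULL;
    pool_free(h, sizeof *h);
}

/* Mirrors the "zeroing the handle pointer" step: if the item still has a
   handle, clear the handle's back-pointer.  Returns 1 if the target bytes were
   all 0x99, i.e. the write landed in already-freed pool memory. */
static int remove_item(hash_item_t *it) {
    if (!it->handle) return 0;
    const unsigned char *b = (const unsigned char *)it->handle;
    int poisoned = 1;
    for (size_t i = 0; i < sizeof *it->handle; i++)
        if (b[i] != MEMORY_FREE_BYTE) poisoned = 0;
    it->handle->item = NULL;        /* the write ASan flagged at hash.c:126 */
    return poisoned;
}

/* Shutdown in handle-before-item order; returns 1 on a write into freed memory. */
static int shutdown_order(int use_fix) {
    hash_handle_t *h = malloc(sizeof *h);
    hash_item_t *it = malloc(sizeof *it);
    it->key = "LlinkRoute/1"; it->handle = h; h->item = it;   /* constructed key */
    if (use_fix) handle_free_fixed(h); else handle_free_buggy(h);
    int bad = remove_item(it);
    free(h); free(it);
    return bad;
}
int buggy_order_writes_freed_memory(void) { return shutdown_order(0); }
int fixed_order_writes_freed_memory(void) { return shutdown_order(1); }
```

Because the "freed" block is only poisoned, not returned to the allocator, the buggy path runs without undefined behaviour here; under qpid-dispatch's real pool with ASan poisoning, the same write is what produces the use-after-poison report above.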



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
