[jira] [Updated] (DISPATCH-2188) ASAN use after free from qdr_core_unbind_address_link_CT in system_tests_protocol_settings

Mon, 28 Jun 2021 14:29:26 -0700 


     [ 
https://issues.apache.org/jira/browse/DISPATCH-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jiri Daněk updated DISPATCH-2188:
---------------------------------
    Description: 
https://travis-ci.com/github/apache/qpid-dispatch/jobs/519782806#L4771

{noformat}
27: Router EB1 output file:
27: >>>>
27: =================================================================
27: ==15423==ERROR: AddressSanitizer: use-after-poison on address 
0x6170000dc290 at pc 0x0000006e842a bp 0x7fbe59ae3070 sp 0x7fbe59ae3068
27: WRITE of size 8 at 0x6170000dc290 thread T1
27:     #0 0x6e8429 in qdr_core_unbind_address_link_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23
27:     #1 0x722f7f in del_outlink 
/home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:216:9
27:     #2 0x67a135 in qdrc_event_addr_raise 
/home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:125:13
27:     #3 0x6e7f40 in qdr_core_unbind_address_link_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c
27:     #4 0x666b5c in qdr_link_inbound_detach_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:2064:17
27:     #5 0x6f2490 in router_core_thread 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
27:     #6 0x7fbe5fdfe608 in start_thread 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:     #7 0x7fbe5f629292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
27: 
27: 0x6170000dc290 is located 272 bytes inside of 704-byte region 
[0x6170000dc180,0x6170000dc440)
27: allocated by thread T1 here:
27:     #0 0x4bb5c7 in posix_memalign 
(/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4bb5c7)
27:     #1 0x57319e in qd_alloc 
/home/travis/build/apache/qpid-dispatch/src/alloc_pool.c:396:13
27:     #2 0x66cb80 in qdr_create_link_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1128:24
27:     #3 0x71fb5d in on_conn_event 
/home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:281:32
27:     #4 0x679cb5 in qdrc_event_conn_raise 
/home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
27:     #5 0x679cb5 in qdrc_event_conn_raise 
/home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
27:     #6 0x6524d0 in qdr_connection_opened_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1440:5
27:     #7 0x6f2490 in router_core_thread 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
27:     #8 0x7fbe5fdfe608 in start_thread 
(/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27: 
27: Thread T1 created by T0 here:
27:     #0 0x4a520c in pthread_create 
(/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4a520c)
27:     #1 0x6245c7 in sys_thread 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:181:5
27:     #2 0x6d287a in qdr_core 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:124:20
27:     #3 0x75c06f in qd_router_setup_late 
/home/travis/build/apache/qpid-dispatch/src/router_node.c:2124:31
27:     #4 0x7fbe5b509ff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
27: LLVMSymbolizer: error reading file: No such file or directory
27:     #5 0x7ffc3aaec1cf  ([stack]+0x211cf)
27: 
27: SUMMARY: AddressSanitizer: use-after-poison 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23 in 
qdr_core_unbind_address_link_CT
27: Shadow bytes around the buggy address:
27:   0x0c2e80013800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27:   0x0c2e80013810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e80013830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27:   0x0c2e80013840: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27: =>0x0c2e80013850: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013880: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80013890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e800138a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27:   Addressable:           00
27:   Partially addressable: 01 02 03 04 05 06 07 
27:   Heap left redzone:       fa
27:   Freed heap region:       fd
27:   Stack left redzone:      f1
27:   Stack mid redzone:       f2
27:   Stack right redzone:     f3
27:   Stack after return:      f5
27:   Stack use after scope:   f8
27:   Global redzone:          f9
27:   Global init order:       f6
27:   Poisoned by user:        f7
27:   Container overflow:      fc
27:   Array cookie:            ac
27:   Intra object redzone:    bb
27:   ASan internal:           fe
27:   Left alloca redzone:     ca
27:   Right alloca redzone:    cb
27:   Shadow gap:              cc
27: ==15423==ABORTING
{noformat}

  was:
https://travis-ci.com/github/apache/qpid-dispatch/jobs/498899790#L6312

{noformat}
54: ==================
54: WARNING: ThreadSanitizer: data race (pid=16195)
54:   Write of size 8 at 0x7b54000ae908 by thread T1:
54:     #0 qdr_core_unbind_address_link_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:685 
(libqpid-dispatch.so+0xc4a83)
54:     #1 del_inlink 
/home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:174
 (libqpid-dispatch.so+0xd2af0)
54:     #2 on_addr_event 
/home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:426
 (libqpid-dispatch.so+0xd3102)
54:     #3 qdrc_event_addr_raise 
/home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:125 
(libqpid-dispatch.so+0xace11)
54:     #4 qdr_core_unbind_address_link_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:697 
(libqpid-dispatch.so+0xc4bf7)
54:     #5 qdr_link_inbound_detach_CT 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:2070 
(libqpid-dispatch.so+0xab5b4)
54:     #6 router_core_thread 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:240
 (libqpid-dispatch.so+0xc81e5)
54:     #7 _thread_init 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:174 
(libqpid-dispatch.so+0x94ea6)
54:     #8 <null> <null> (libtsan.so.0+0x2d1af)
54: 
54:   Previous read of size 8 at 0x7b54000ae908 by thread T4:
54:     #0 qdr_link_is_anonymous 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:526 
(libqpid-dispatch.so+0xa68e2)
54:     #1 AMQP_rx_handler 
/home/travis/build/apache/qpid-dispatch/src/router_node.c:640 
(libqpid-dispatch.so+0xe372b)
54:     #2 do_receive 
/home/travis/build/apache/qpid-dispatch/src/container.c:227 
(libqpid-dispatch.so+0x74584)
54:     #3 qd_container_handle_event 
/home/travis/build/apache/qpid-dispatch/src/container.c:737 
(libqpid-dispatch.so+0x74584)
54:     #4 handle /home/travis/build/apache/qpid-dispatch/src/server.c:1097 
(libqpid-dispatch.so+0xea531)
54:     #5 thread_run /home/travis/build/apache/qpid-dispatch/src/server.c:1122 
(libqpid-dispatch.so+0xec41c)
54:     #6 _thread_init 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:174 
(libqpid-dispatch.so+0x94ea6)
54:     #7 <null> <null> (libtsan.so.0+0x2d1af)
54: 
54:   Location is heap block of size 576 at 0x7b54000ae880 allocated by thread 
T4:
54:     #0 posix_memalign <null> (libtsan.so.0+0x3048d)
54:     #1 qd_alloc 
/home/travis/build/apache/qpid-dispatch/src/alloc_pool.c:396 
(libqpid-dispatch.so+0x5f5f4)
54:     #2 new_qdr_link_t 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:33 
(libqpid-dispatch.so+0xc17e5)
54:     #3 qdr_link_first_attach 
/home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:581 
(libqpid-dispatch.so+0xa6acb)
54:     #4 AMQP_incoming_link_handler 
/home/travis/build/apache/qpid-dispatch/src/router_node.c:964 
(libqpid-dispatch.so+0xe19d2)
54:     #5 qd_container_handle_event 
/home/travis/build/apache/qpid-dispatch/src/container.c:729 
(libqpid-dispatch.so+0x74078)
54:     #6 handle /home/travis/build/apache/qpid-dispatch/src/server.c:1097 
(libqpid-dispatch.so+0xea531)
54:     #7 thread_run /home/travis/build/apache/qpid-dispatch/src/server.c:1122 
(libqpid-dispatch.so+0xec398)
54:     #8 _thread_init 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:174 
(libqpid-dispatch.so+0x94ea6)
54:     #9 <null> <null> (libtsan.so.0+0x2d1af)
54: 
54:   Thread T1 (tid=16197, running) created by main thread at:
54:     #0 pthread_create <null> (libtsan.so.0+0x5ea99)
54:     #1 sys_thread 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:183 
(libqpid-dispatch.so+0x95462)
54:     #2 qdr_core 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:122 
(libqpid-dispatch.so+0xc295e)
54:     #3 qd_router_setup_late 
/home/travis/build/apache/qpid-dispatch/src/router_node.c:2111 
(libqpid-dispatch.so+0xe5e9c)
54:     #4 <null> <null> (libffi.so.7+0x6ff4)
54:     #5 main_process 
/home/travis/build/apache/qpid-dispatch/router/src/main.c:97 (qdrouterd+0x2bb2)
54:     #6 main /home/travis/build/apache/qpid-dispatch/router/src/main.c:369 
(qdrouterd+0x2882)
54: 
54:   Thread T4 (tid=16200, running) created by main thread at:
54:     #0 pthread_create <null> (libtsan.so.0+0x5ea99)
54:     #1 sys_thread 
/home/travis/build/apache/qpid-dispatch/src/posix/threading.c:183 
(libqpid-dispatch.so+0x95462)
54:     #2 qd_server_run 
/home/travis/build/apache/qpid-dispatch/src/server.c:1485 
(libqpid-dispatch.so+0xecefa)
54:     #3 main_process 
/home/travis/build/apache/qpid-dispatch/router/src/main.c:115 (qdrouterd+0x2c27)
54:     #4 main /home/travis/build/apache/qpid-dispatch/router/src/main.c:369 
(qdrouterd+0x2882)
54: 
54: SUMMARY: ThreadSanitizer: data race 
/home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:685 in 
qdr_core_unbind_address_link_CT
54: ==================
54: ThreadSanitizer: reported 1 warnings
54: <<<<
54: 
54: ----------------------------------------------------------------------
54: Ran 89 tests in 381.923s
54: 
54: FAILED (errors=1)
54/74 Test #54: system_tests_edge_router ..........................***Failed  
382.09 sec
{noformat}


> ASAN use after free from qdr_core_unbind_address_link_CT in 
> system_tests_protocol_settings
> ------------------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2188
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2188
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Jiri Daněk
>            Assignee: Ken Giusti
>            Priority: Major
>              Labels: race-condition, tsan
>             Fix For: 1.17.0
>
>
> https://travis-ci.com/github/apache/qpid-dispatch/jobs/519782806#L4771
> {noformat}
> 27: Router EB1 output file:
> 27: >>>>
> 27: =================================================================
> 27: ==15423==ERROR: AddressSanitizer: use-after-poison on address 
> 0x6170000dc290 at pc 0x0000006e842a bp 0x7fbe59ae3070 sp 0x7fbe59ae3068
> 27: WRITE of size 8 at 0x6170000dc290 thread T1
> 27:     #0 0x6e8429 in qdr_core_unbind_address_link_CT 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23
> 27:     #1 0x722f7f in del_outlink 
> /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:216:9
> 27:     #2 0x67a135 in qdrc_event_addr_raise 
> /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:125:13
> 27:     #3 0x6e7f40 in qdr_core_unbind_address_link_CT 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c
> 27:     #4 0x666b5c in qdr_link_inbound_detach_CT 
> /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:2064:17
> 27:     #5 0x6f2490 in router_core_thread 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
> 27:     #6 0x7fbe5fdfe608 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:     #7 0x7fbe5f629292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27: 
> 27: 0x6170000dc290 is located 272 bytes inside of 704-byte region 
> [0x6170000dc180,0x6170000dc440)
> 27: allocated by thread T1 here:
> 27:     #0 0x4bb5c7 in posix_memalign 
> (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4bb5c7)
> 27:     #1 0x57319e in qd_alloc 
> /home/travis/build/apache/qpid-dispatch/src/alloc_pool.c:396:13
> 27:     #2 0x66cb80 in qdr_create_link_CT 
> /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1128:24
> 27:     #3 0x71fb5d in on_conn_event 
> /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:281:32
> 27:     #4 0x679cb5 in qdrc_event_conn_raise 
> /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
> 27:     #5 0x679cb5 in qdrc_event_conn_raise 
> /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
> 27:     #6 0x6524d0 in qdr_connection_opened_CT 
> /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1440:5
> 27:     #7 0x6f2490 in router_core_thread 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
> 27:     #8 0x7fbe5fdfe608 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27: 
> 27: Thread T1 created by T0 here:
> 27:     #0 0x4a520c in pthread_create 
> (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4a520c)
> 27:     #1 0x6245c7 in sys_thread 
> /home/travis/build/apache/qpid-dispatch/src/posix/threading.c:181:5
> 27:     #2 0x6d287a in qdr_core 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:124:20
> 27:     #3 0x75c06f in qd_router_setup_late 
> /home/travis/build/apache/qpid-dispatch/src/router_node.c:2124:31
> 27:     #4 0x7fbe5b509ff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
> 27: LLVMSymbolizer: error reading file: No such file or directory
> 27:     #5 0x7ffc3aaec1cf  ([stack]+0x211cf)
> 27: 
> 27: SUMMARY: AddressSanitizer: use-after-poison 
> /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23 
> in qdr_core_unbind_address_link_CT
> 27: Shadow bytes around the buggy address:
> 27:   0x0c2e80013800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27:   0x0c2e80013810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27:   0x0c2e80013830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27:   0x0c2e80013840: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: =>0x0c2e80013850: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80013860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80013870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80013880: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80013890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27:   0x0c2e800138a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27:   Addressable:           00
> 27:   Partially addressable: 01 02 03 04 05 06 07 
> 27:   Heap left redzone:       fa
> 27:   Freed heap region:       fd
> 27:   Stack left redzone:      f1
> 27:   Stack mid redzone:       f2
> 27:   Stack right redzone:     f3
> 27:   Stack after return:      f5
> 27:   Stack use after scope:   f8
> 27:   Global redzone:          f9
> 27:   Global init order:       f6
> 27:   Poisoned by user:        f7
> 27:   Container overflow:      fc
> 27:   Array cookie:            ac
> 27:   Intra object redzone:    bb
> 27:   ASan internal:           fe
> 27:   Left alloca redzone:     ca
> 27:   Right alloca redzone:    cb
> 27:   Shadow gap:              cc
> 27: ==15423==ABORTING
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to