Ken Giusti created DISPATCH-2206:
------------------------------------
Summary: ASAN use-after-free of qdr_link_t by I/O thread
Key: DISPATCH-2206
URL: https://issues.apache.org/jira/browse/DISPATCH-2206
Project: Qpid Dispatch
Issue Type: Bug
Components: Router Node
Affects Versions: 1.16.1
Reporter: Ken Giusti
Fix For: 1.18.0
[https://github.com/apache/qpid-dispatch/blob/main/src/router_core/connections.c#L1344]
{noformat}
27: ==3859==ERROR: AddressSanitizer: use-after-poison on address 0x61700017e030 at pc 0x56212343cdac bp 0x7f9d33c40c90 sp 0x7f9d33c40c80
27: READ of size 8 at 0x61700017e030 thread T2
27:     #0 0x56212343cdab in qdr_link_get_context ../src/router_core/connections.c:498
27:     #1 0x56212352ec25 in CORE_link_second_attach ../src/router_node.c:1729
27:     #2 0x5621234388df in qdr_connection_process ../src/router_core/connections.c:355
27:     #3 0x56212338eccf in writable_handler ../src/container.c:396
27:     #4 0x56212338eccf in qd_container_handle_event ../src/container.c:748
27:     #5 0x562123547289 in handle ../src/server.c:1108
27:     #6 0x562123554c9f in thread_run ../src/server.c:1133
27:     #7 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:     #8 0x7f9d3ac33292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
27:
27: 0x61700017e030 is located 176 bytes inside of 704-byte region [0x61700017df80,0x61700017e240)
27: allocated by thread T2 here:
27:     #0 0x7f9d3bfd9aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
27:     #1 0x5621233247b0 in qd_alloc ../src/alloc_pool.c:396
27:     #2 0x56212343d4c9 in qdr_link_first_attach ../src/router_core/connections.c:592
27:     #3 0x56212352dde9 in AMQP_outgoing_link_handler ../src/router_node.c:1018
27:     #4 0x562123547289 in handle ../src/server.c:1108
27:     #5 0x562123554c9f in thread_run ../src/server.c:1133
27:     #6 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:
27: Thread T2 created by T0 here:
27:     #0 0x7f9d3bf05805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
27:     #1 0x562123403bcf in sys_thread ../src/posix/threading.c:181
27:     #2 0x56212355541e in qd_server_run ../src/server.c:1522
27:     #3 0x56212359f46c in main_process ../router/src/main.c:115
27:     #4 0x56212329bc50 in main ../router/src/main.c:369
27:     #5 0x7f9d3ab380b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
27:
27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:498 in qdr_link_get_context
27: Shadow bytes around the buggy address:
27:   0x0c2e80027bb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027bc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027bd0: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80027be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e80027bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: =>0x0c2e80027c00: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027c10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80027c40: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80027c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27:   Addressable:           00
27:   Partially addressable: 01 02 03 04 05 06 07
27:   Heap left redzone:       fa
27:   Freed heap region:       fd
27:   Stack left redzone:      f1
27:   Stack mid redzone:       f2
27:   Stack right redzone:     f3
27:   Stack after return:      f5
27:   Stack use after scope:   f8
27:   Global redzone:          f9
27:   Global init order:       f6
27:   Poisoned by user:        f7
27:   Container overflow:      fc
27:   Array cookie:            ac
27:   Intra object redzone:    bb
27:   ASan internal:           fe
27:   Left alloca redzone:     ca
27:   Right alloca redzone:    cb
27:   Shadow gap:              cc
27: ==3859==ABORTING
{noformat}
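The report says "use-after-poison" with shadow byte f7 ("Poisoned by user") rather than "heap-use-after-free" because the link came from the qd_alloc pool: a pool returns freed objects to a free list instead of handing them back to malloc, so ASAN can only catch a stale pointer if the pool explicitly poisons recycled slots. The toy pool below, added here as an illustration and not Qpid Dispatch's qd_alloc, shows the pattern: slots are poisoned on free and unpoisoned on allocation, a side table (never stored inside the object) tracks which slots are live so double frees are rejected even without ASAN, and the stale pointer is inspected with __asan_address_is_poisoned rather than dereferenced. Pool sizes, names and the scripted scenario are constructed for the example; the ASAN annotations compile to no-ops when the sanitizer is not enabled.

```c
/* Added example, not Qpid Dispatch code: a toy fixed-size object pool that
 * poisons recycled slots under AddressSanitizer so a stale pointer into the
 * pool is reported as "use-after-poison" (shadow byte f7) instead of being
 * read silently. Sizes and names are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define POOL_HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define POOL_HAVE_ASAN 1
#  endif
#endif

#ifdef POOL_HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define POOL_POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define POOL_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define POOL_POISON(p, n)   ((void)0)
#  define POOL_UNPOISON(p, n) ((void)0)
#endif

#define POOL_SLOTS    4
#define POOL_OBJ_SIZE 64   /* multiple of 8: ASAN shadow granularity */

typedef struct pool_t {
    uint8_t storage[POOL_SLOTS][POOL_OBJ_SIZE];
    int     live[POOL_SLOTS];        /* side table, never inside the object */
    int     free_stack[POOL_SLOTS];
    int     free_count;
} pool_t;

/* Heap-allocate the pool so the poisoned region is ordinary heap memory. */
pool_t *pool_create(void) {
    pool_t *pool = calloc(1, sizeof *pool);
    if (!pool) return NULL;
    for (int i = 0; i < POOL_SLOTS; i++)
        pool->free_stack[pool->free_count++] = i;
    /* Nothing has been handed out yet: every slot is off limits. */
    POOL_POISON(pool->storage, sizeof pool->storage);
    return pool;
}

void *pool_alloc(pool_t *pool) {
    if (pool->free_count == 0) return NULL;
    int slot = pool->free_stack[--pool->free_count];
    pool->live[slot] = 1;
    /* Make the slot addressable again before anyone touches it. */
    POOL_UNPOISON(pool->storage[slot], POOL_OBJ_SIZE);
    memset(pool->storage[slot], 0, POOL_OBJ_SIZE);
    return pool->storage[slot];
}

/* Returns 0 on success, -1 for a pointer the pool does not own or a double free. */
int pool_free(pool_t *pool, void *obj) {
    uint8_t *p = obj;
    ptrdiff_t off = p - &pool->storage[0][0];
    if (off < 0 || off >= (ptrdiff_t)sizeof pool->storage || off % POOL_OBJ_SIZE != 0)
        return -1;
    int slot = (int)(off / POOL_OBJ_SIZE);
    if (!pool->live[slot]) return -1;   /* double free: slot already recycled */
    pool->live[slot] = 0;
    pool->free_stack[pool->free_count++] = slot;
    /* The slot stays mapped, so poison it: a later read through a stale
     * pointer becomes an ASAN use-after-poison report with a stack trace. */
    POOL_POISON(pool->storage[slot], POOL_OBJ_SIZE);
    return 0;
}

/* 1 if ASAN instrumentation is compiled in, else 0. */
int pool_asan_active(void) {
#ifdef POOL_HAVE_ASAN
    return 1;
#else
    return 0;
#endif
}

/* Whether ASAN currently treats the first byte of obj as unaddressable.
 * Queries the shadow map; it does not dereference obj. */
int pool_ptr_is_poisoned(const void *obj) {
#ifdef POOL_HAVE_ASAN
    return __asan_address_is_poisoned(obj);
#else
    (void)obj;
    return 0;
#endif
}

void pool_destroy(pool_t *pool) {
    if (!pool) return;
    POOL_UNPOISON(pool->storage, sizeof pool->storage);
    free(pool);
}

/* Scripted scenario mirroring the report: allocate, free, then inspect the
 * stale pointer's state. Returns the number of checks that held (4 when the
 * pool behaves as intended, with or without ASAN). */
int pool_demo(void) {
    int ok = 0;
    pool_t *pool = pool_create();
    if (!pool) return 0;
    void *link = pool_alloc(pool);
    ok += (link != NULL);
    ok += (pool_free(pool, link) == 0);
    ok += (pool_free(pool, link) == -1);                    /* double free rejected */
    ok += (pool_ptr_is_poisoned(link) == pool_asan_active()); /* f7 under ASAN */
    pool_destroy(pool);
    return ok;
}
```

Build once with -fsanitize=address and once without: the pool's own bookkeeping rejects the double free in both builds, while the poison query is only meaningful in the sanitized build, which is exactly the situation a CI job like the one that produced the trace above relies on.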