[jira] [Commented] (DISPATCH-2283) heap-use-after-free in system_tests_policy_oversize_compound during qdrc_endpoint_delivery_CT

2021-11-15 Thread Ganesh Murthy (Jira)


[ 
https://issues.apache.org/jira/browse/DISPATCH-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17443955#comment-17443955
 ] 

Ganesh Murthy commented on DISPATCH-2283:
-

Fixed by commit
[https://github.com/apache/qpid-dispatch/commit/6769203991b20ecf0fdeb28bb8d84962b73c22fd]
as part of the fix for https://issues.apache.org/jira/browse/DISPATCH-2262

> heap-use-after-free in system_tests_policy_oversize_compound during 
> qdrc_endpoint_delivery_CT
> -
>
> Key: DISPATCH-2283
> URL: https://issues.apache.org/jira/browse/DISPATCH-2283
> Project: Qpid Dispatch
>  Issue Type: Bug
>Affects Versions: 1.18.0
>Reporter: Jiri Daněk
>Assignee: Ted Ross
>Priority: Major
> Fix For: 1.18.0
>
>
> https://github.com/jiridanek/qpid-dispatch/runs/4140877666?check_suite_focus=true#step:9:35786
> This comes from the "set memory pool max size to 0" memory poisoning 
> investigation. I haven't seen this fail with the unmodified main branch (yet ;). 
> The only somewhat similar stack trace I could find in Jira is for this leak, 
> DISPATCH-1699.
> {noformat}
> 27: ==12548==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x611136e0 at pc 0x55f47830adb9 bp 0x7f1063183140 sp 0x7f1063183130
> 27: READ of size 8 at 0x611136e0 thread T1
> 27: #0 0x55f47830adb8 in qdrc_endpoint_delivery_CT 
> ../src/router_core/core_link_endpoint.c:136
> 27: #1 0x55f4783eea3b in on_timer 
> ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:157
> 27: #2 0x55f4783c0613 in qdr_process_tick_CT 
> ../src/router_core/core_timer.c:123
> 27: #3 0x55f47838fec7 in router_core_thread 
> ../src/router_core/router_core_thread.c:236
> 27: #4 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172
> 27: #5 0x7f1069458608 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27: #6 0x7f106864e292 in __clone 
> (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27: 
> 27: 0x611136e0 is located 160 bytes inside of 192-byte region 
> [0x61113640,0x61113700)
> 27: freed by thread T1 here:
> 27: #0 0x7f1069a167cf in __interceptor_free 
> (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
> 27: #1 0x55f4781e3b84 in qd_dealloc ../src/alloc_pool.c:497
> 27: #2 0x55f478308e1d in free_qdrc_endpoint_t 
> ../src/router_core/core_link_endpoint.c:35
> 27: #3 0x55f47830d34f in qdrc_endpoint_do_cleanup_CT 
> ../src/router_core/core_link_endpoint.c:245
> 27: #4 0x55f47830cb0f in qdrc_endpoint_do_detach_CT 
> ../src/router_core/core_link_endpoint.c:220
> 27: #5 0x55f478301824 in qdr_link_inbound_detach_CT 
> ../src/router_core/connections.c:2033
> 27: #6 0x55f47838fec7 in router_core_thread 
> ../src/router_core/router_core_thread.c:236
> 27: #7 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172
> 27: #8 0x7f1069458608 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27: 
> 27: previously allocated by thread T1 here:
> 27: #0 0x7f1069a17aa5 in posix_memalign 
> (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 27: #1 0x55f4781df9cd in qd_alloc ../src/alloc_pool.c:393
> 27: #2 0x55f478308de5 in new_qdrc_endpoint_t 
> ../src/router_core/core_link_endpoint.c:35
> 27: #3 0x55f478309d28 in qdrc_endpoint_create_link_CT 
> ../src/router_core/core_link_endpoint.c:74
> 27: #4 0x55f4783eed7d in on_conn_event 
> ../src/router_core/modules/heartbeat_edge/heartbeat_edge.c:178
> 27: #5 0x55f47830823d in qdrc_event_conn_raise 
> ../src/router_core/core_events.c:101
> 27: #6 0x55f4783c5a14 in on_conn_event 
> ../src/router_core/modules/edge_router/connection_manager.c:59
> 27: #7 0x55f47830823d in qdrc_event_conn_raise 
> ../src/router_core/core_events.c:101
> 27: #8 0x55f4782f5fdc in qdr_connection_opened_CT 
> ../src/router_core/connections.c:1479
> 27: #9 0x55f47838fec7 in router_core_thread 
> ../src/router_core/router_core_thread.c:236
> 27: #10 0x55f4782a2964 in _thread_init ../src/posix/threading.c:172
> 27: #11 0x7f1069458608 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27: 
> 27: Thread T1 created by T0 here:
> 27: #0 0x7f1069943805 in pthread_create 
> (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 27: #1 0x55f4782a2ad3 in sys_thread ../src/posix/threading.c:181
> 27: #2 0x55f47836b817 in qdr_core ../src/router_core/router_core.c:124
> 27: #3 0x55f478411c5c in qd_router_setup_late ../src/router_node.c:2127
> 27: #4 0x7f1064308ff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
> 27: #5 0x7ffdaab8945f  ([stack]+0x2145f)
> 27: 
> 27: SUMMARY: AddressSanitizer: heap-use-after-free 
> ../src/router_core/core_link_endpoint.c:136 in qdrc_endpoint_delivery_CT
> 27: Shadow bytes around the buggy address:
> 27:   

[jira] [Commented] (DISPATCH-2283) heap-use-after-free in system_tests_policy_oversize_compound during qdrc_endpoint_delivery_CT

2021-11-10 Thread Jira


[ 
https://issues.apache.org/jira/browse/DISPATCH-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17441581#comment-17441581
 ] 

Jiri Daněk commented on DISPATCH-2283:
--

I haven't been able to reproduce this in a series of 6 overnight GitHub Actions 
runs (each dies when a test fails or when the +-5 hour timeout expires). See 
DISPATCH-2188 for an issue that I managed to confirm that way.
