Posted to dev@qpid.apache.org by "Ken Giusti (Jira)" <ji...@apache.org> on 2021/05/10 18:42:00 UTC

[jira] [Updated] (DISPATCH-2076) [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router

     [ https://issues.apache.org/jira/browse/DISPATCH-2076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ken Giusti updated DISPATCH-2076:
---------------------------------
    Fix Version/s: 1.17.0

> [ASan] use-after-poison in qd_connector_decref during system_tests_edge_router
> ------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2076
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2076
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Jiri Daněk
>            Priority: Minor
>              Labels: asan
>             Fix For: 1.17.0
>
>
> https://github.com/apache/qpid-dispatch/runs/2425607516?check_suite_focus=true#step:9:6961
> {noformat}
> 54: ==4179==ERROR: AddressSanitizer: use-after-poison on address 0x61e0000295d0 at pc 0x7ff6f63ac8b4 bp 0x7ff6ee0c7010 sp 0x7ff6ee0c7000
> 54: WRITE of size 8 at 0x61e0000295d0 thread T2
> 54:     #0 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1693
> 54:     #1 0x7ff6f63ac8b3 in qd_connector_decref ../src/server.c:1688
> 54:     #2 0x7ff6f031eff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
> 54:     #3 0x7ff6f031e409  (/lib/x86_64-linux-gnu/libffi.so.7+0x6409)
> 54:     #4 0x7ff6f034502e in _call_function_pointer /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:816
> 54:     #5 0x7ff6f034502e in _ctypes_callproc /home/vsts/work/1/s/SourceCode/Modules/_ctypes/callproc.c:1188
> 54:     #6 0x7ff6f0341b33 in PyCFuncPtr_call /home/vsts/work/1/s/SourceCode/Modules/_ctypes/_ctypes.c:4025
> 54:     #7 0x7ff6f488e998 in _PyObject_FastCallKeywords Objects/call.c:199
> 54:     #8 0x7ff6f4901c78 in call_function Python/ceval.c:4619
> 54:     #9 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
> 54:     #10 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54:     #11 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54:     #12 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54:     #13 0x7ff6f48fec29 in _PyEval_EvalFrameDefault Python/ceval.c:3093
> 54:     #14 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54:     #15 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54:     #16 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54:     #17 0x7ff6f48fa58c in _PyEval_EvalFrameDefault Python/ceval.c:3124
> 54:     #18 0x7ff6f488f099 in function_code_fastcall Objects/call.c:283
> 54:     #19 0x7ff6f488f099 in _PyFunction_FastCallKeywords Objects/call.c:408
> 54:     #20 0x7ff6f4901aee in call_function Python/ceval.c:4616
> 54:     #21 0x7ff6f48fa629 in _PyEval_EvalFrameDefault Python/ceval.c:3110
> 54:     #22 0x7ff6f48f8fa2 in _PyEval_EvalCodeWithName Python/ceval.c:3930
> 54:     #23 0x7ff6f488f807 in _PyFunction_FastCallDict Objects/call.c:376
> 54:     #24 0x7ff6f488fc89 in _PyObject_Call_Prepend Objects/call.c:906
> 54:     #25 0x7ff6f488e1ec in _PyObject_FastCallDict Objects/call.c:125
> 54:     #26 0x7ff6f488f467 in _PyObject_CallFunctionVa Objects/call.c:959
> 54:     #27 0x7ff6f489007c in _PyObject_CallFunctionVa Objects/call.c:932
> 54:     #28 0x7ff6f489007c in PyObject_CallFunction Objects/call.c:979
> 54:     #29 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:660
> 54:     #30 0x7ff6f6267d95 in qd_io_rx_handler ../src/python_embedded.c:631
> 54:     #31 0x7ff6f62e799b in qdr_forward_on_message ../src/router_core/forwarder.c:336
> 54:     #32 0x7ff6f630b5ed in qdr_general_handler ../src/router_core/router_core.c:927
> 54:     #33 0x7ff6f63b16a2 in qd_timer_visit ../src/timer.c:205
> 54:     #34 0x7ff6f639d8e6 in handle ../src/server.c:1006
> 54:     #35 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
> 54:     #36 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 54:     #37 0x7ff6f51e4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 54: 
> 54: 0x61e0000295d0 is located 336 bytes inside of 2624-byte region [0x61e000029480,0x61e000029ec0)
> 54: allocated by thread T2 here:
> 54:     #0 0x7ff6f6a8baa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 54:     #1 0x7ff6f6180810 in qd_alloc ../src/alloc_pool.c:397
> 54:     #2 0x7ff6f639999f in qd_server_connection ../src/server.c:567
> 54:     #3 0x7ff6f63aac13 in on_accept ../src/server.c:599
> 54:     #4 0x7ff6f63aac13 in handle_listener ../src/server.c:853
> 54:     #5 0x7ff6f639d7b5 in handle_event_with_context ../src/server.c:802
> 54:     #6 0x7ff6f639d7b5 in do_handle_raw_connection_event ../src/server.c:808
> 54:     #7 0x7ff6f639d7b5 in handle ../src/server.c:1088
> 54:     #8 0x7ff6f63a5ce5 in thread_run ../src/server.c:1120
> 54:     #9 0x7ff6f5c2a608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 54: 
> 54: Thread T2 created by T0 here:
> 54:     #0 0x7ff6f69b7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 54:     #1 0x7ff6f626100f in sys_thread ../src/posix/threading.c:181
> 54:     #2 0x7ff6f63a81c6 in qd_server_run ../src/server.c:1485
> 54:     #3 0x5571ce0981bc in main_process ../router/src/main.c:115
> 54:     #4 0x5571ce097ce0 in main ../router/src/main.c:369
> 54:     #5 0x7ff6f50e90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> 54: 
> 54: SUMMARY: AddressSanitizer: use-after-poison ../src/server.c:1693 in qd_connector_decref
> 54: Shadow bytes around the buggy address:
> 54:   0x0c3c7fffd260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54:   0x0c3c7fffd270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54:   0x0c3c7fffd280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 54:   0x0c3c7fffd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 54:   0x0c3c7fffd2a0: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: =>0x0c3c7fffd2b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
> 54:   0x0c3c7fffd2c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54:   0x0c3c7fffd2d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54:   0x0c3c7fffd2e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54:   0x0c3c7fffd2f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54:   0x0c3c7fffd300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 54: Shadow byte legend (one shadow byte represents 8 application bytes):
> 54:   Addressable:           00
> 54:   Partially addressable: 01 02 03 04 05 06 07 
> 54:   Heap left redzone:       fa
> 54:   Freed heap region:       fd
> 54:   Stack left redzone:      f1
> 54:   Stack mid redzone:       f2
> 54:   Stack right redzone:     f3
> 54:   Stack after return:      f5
> 54:   Stack use after scope:   f8
> 54:   Global redzone:          f9
> 54:   Global init order:       f6
> 54:   Poisoned by user:        f7
> 54:   Container overflow:      fc
> 54:   Array cookie:            ac
> 54:   Intra object redzone:    bb
> 54:   ASan internal:           fe
> 54:   Left alloca redzone:     ca
> 54:   Right alloca redzone:    cb
> 54:   Shadow gap:              cc
> 54: ==4179==ABORTING
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
