Posted to dev@qpid.apache.org by "Robbie Gemmell (Jira)" <ji...@apache.org> on 2022/11/01 15:35:00 UTC

[jira] [Commented] (PROTON-2460) heap-use-after-free in pn_strdup called from pn_experimental::pni_iocp_recv

    [ https://issues.apache.org/jira/browse/PROTON-2460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627213#comment-17627213 ] 

Robbie Gemmell commented on PROTON-2460:
----------------------------------------

The above commit was incorrectly referencing this JIRA; it was actually for PROTON-2640.

> heap-use-after-free in pn_strdup called from pn_experimental::pni_iocp_recv
> ---------------------------------------------------------------------------
>
>                 Key: PROTON-2460
>                 URL: https://issues.apache.org/jira/browse/PROTON-2460
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: cpp-binding
>    Affects Versions: proton-c-0.36.0
>            Reporter: Jiri Daněk
>            Priority: Major
>         Attachments: log.txt
>
>
> Microsoft has been implementing Sanitizers in MSVC. It is supposed to be available in VS2019, but it did not work for me (CMake failed to validate the compiler when I added {{/fsanitize=address}} to {{-DCMAKE_C_FLAGS}}). I decided to pick up the VS2022 beta, where I got one sanitizer report.
> As far as I know this is the first time sanitizers were run on the IOCP proactor code.
> {noformat}
> 26: Test command: "C:\Program Files\Python310\python.exe" "C:/Users/Vitorio/CLionProjects/qpid-proton/scripts/env.py" "--" "PATH=C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp/examples;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/c;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp" "PYTHONPATH=C:/Users/Vitorio/CLionProjects/qpid-proton/tests/py" "HAS_CPP11=" "C:/Program Files/Python310/python.exe" "C:/Users/Vitorio/CLionProjects/qpid-proton/cpp/examples/testme" "-v" "ContainerExampleTest"
> 26: Test timeout computed to be: 1500
> 26: test_encode_decode (__main__.ContainerExampleTest) ... ok
> 26: test_flow_control (__main__.ContainerExampleTest) ... ok
> 26: test_helloworld (__main__.ContainerExampleTest) ... ok
> 26: test_message_properties (__main__.ContainerExampleTest) ... ok
> 26: test_multithreaded_client (__main__.ContainerExampleTest) ... ok
> 26: test_request_response (__main__.ContainerExampleTest) ... ok
> 26: test_request_response_direct (__main__.ContainerExampleTest) ... ok
> 26: test_scheduled_send (__main__.ContainerExampleTest) ... ok
> 26: test_scheduled_send_03 (__main__.ContainerExampleTest) ... ERROR
> 26: test_simple_recv_direct_send (__main__.ContainerExampleTest) ... ok
> 26: test_simple_recv_send (__main__.ContainerExampleTest) ... ERROR
> 26: test_simple_send_direct_recv (__main__.ContainerExampleTest) ... ok
> 26: test_simple_send_recv (__main__.ContainerExampleTest) ... ERROR
> {noformat}
> ...
> {noformat}
> 26: ________________________________ stderr(18088) ________________________________
> 26: =================================================================
> 26: ==18088==ERROR: AddressSanitizer: heap-use-after-free on address 0x1227308a78e0 at pc 0x7ffbaed05d1e bp 0x00b894bfe9f0 sp 0x00b894bfe9f8
> 26: READ of size 2 at 0x1227308a78e0 thread T1
> 26:     #0 0x7ffbaed05d50 in _asan_wrap_GlobalSize+0x4304a (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50)
> 26:     #1 0x7ffbb3ee33af in pn_strdup C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
> 26:     #2 0x7ffbb3ee441c in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
> 26:     #3 0x7ffbb3ee3f16 in pn_error_copy C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
> 26:     #4 0x7ffbd946e478 in pn_experimental::pni_iocp_recv C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
> 26:     #5 0x7ffbd9465adf in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
> 26:     #6 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #7 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #8 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #9 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #10 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #11 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #12 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #13 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #14 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #15 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: 0x1227308a78e0 is located 0 bytes inside of 74-byte region [0x1227308a78e0,0x1227308a792a)
> 26: freed by thread T1 here:
> 26:     #0 0x7ffbaed0f071 in _asan_wrap_GlobalSize+0x4c36b (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f071)
> 26:     #1 0x7ffbb3ee15ad in pni_mem_subdeallocate C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:276
> 26:     #2 0x7ffbb3ee456c in pn_error_clear C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:67
> 26:     #3 0x7ffbb3ee43ab in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:75
> 26:     #4 0x7ffbb3ee3f16 in pn_error_copy C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
> 26:     #5 0x7ffbd946e478 in pn_experimental::pni_iocp_recv C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
> 26:     #6 0x7ffbd9465adf in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
> 26:     #7 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #8 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #9 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #10 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #11 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #12 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #13 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #14 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #15 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #16 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: previously allocated by thread T1 here:
> 26:     #0 0x7ffbaed0f201 in _asan_wrap_GlobalSize+0x4c4fb (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f201)
> 26:     #1 0x7ffbb3ee1608 in pni_mem_allocate C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:270
> 26:     #2 0x7ffbb3ee33c1 in pn_strdup C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
> 26:     #3 0x7ffbb3ee441c in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
> 26:     #4 0x7ffbb3ee42f7 in pn_error_vformat C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:91
> 26:     #5 0x7ffbb3ee40dc in pn_error_format C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:99
> 26:     #6 0x7ffbd9473b91 in pn_experimental::pni_win32_error C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:567
> 26:     #7 0x7ffbd9473781 in pn_experimental::iocpdesc_fail C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:572
> 26:     #8 0x7ffbd946e906 in pn_experimental::complete_read C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1107
> 26:     #9 0x7ffbd94694c2 in do_complete C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1817
> 26:     #10 0x7ffbd9465738 in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2335
> 26:     #11 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #12 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #13 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #14 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #15 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #16 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #17 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #18 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #19 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #20 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: Thread T1 created by T0 here:
> 26:     #0 0x7ffbaed1f3b8 in _asan_wrap_GlobalSize+0x5c6b2 (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005f3b8)
> 26:     #1 0x7ffbb40753fe in beginthreadex+0x14e (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x1800753fe)
> 26:     #2 0x7ffbcaaaf072 in std::thread::_Start<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:75
> 26:     #3 0x7ffbcaaa82c0 in std::thread::thread<void (__cdecl proton::container::impl::*)(void),proton::container::impl *,0> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:90
> 26:     #4 0x7ffbcab0897c in proton::container::impl::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:795
> 26:     #5 0x7ffbcaafe905 in proton::container::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\container.cpp:94
> 26:     #6 0x7ff7c015c88a in broker::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:381
> 26:     #7 0x7ff7c01128a4 in main C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:419
> 26:     #8 0x7ff7c0160918 in invoke_main d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
> 26:     #9 0x7ff7c016086d in __scrt_common_main_seh d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
> 26:     #10 0x7ff7c016072d in __scrt_common_main d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
> 26:     #11 0x7ff7c016098d in mainCRTStartup d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
> 26:     #12 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #13 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50) in _asan_wrap_GlobalSize+0x4304a
> 26: Shadow bytes around the buggy address:
> 26:   0x045e16994ec0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
> 26:   0x045e16994ed0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
> 26:   0x045e16994ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
> 26:   0x045e16994ef0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
> 26:   0x045e16994f00: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
> 26: =>0x045e16994f10: 00 00 00 00 00 00 06 fa fa fa fa fa[fd]fd fd fd
> 26:   0x045e16994f20: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
> 26:   0x045e16994f30: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
> 26:   0x045e16994f40: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
> 26:   0x045e16994f50: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
> 26:   0x045e16994f60: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
> 26: Shadow byte legend (one shadow byte represents 8 application bytes):
> 26:   Addressable:           00
> 26:   Partially addressable: 01 02 03 04 05 06 07 
> 26:   Heap left redzone:       fa
> 26:   Freed heap region:       fd
> 26:   Stack left redzone:      f1
> 26:   Stack mid redzone:       f2
> 26:   Stack right redzone:     f3
> 26:   Stack after return:      f5
> 26:   Stack use after scope:   f8
> 26:   Global redzone:          f9
> 26:   Global init order:       f6
> 26:   Poisoned by user:        f7
> 26:   Container overflow:      fc
> 26:   Array cookie:            ac
> 26:   Intra object redzone:    bb
> 26:   ASan internal:           fe
> 26:   Left alloca redzone:     ca
> 26:   Right alloca redzone:    cb
> 26:   Shadow gap:              cc
> 26: ==18088==ABORTING
> 26: ________________________________ stderr(18088) ________________________________
> 26: 
> Failed
> {noformat}
> To enable the sanitizer, I followed the blog https://devblogs.microsoft.com/cppblog/address-sanitizer-for-msvc-now-generally-available/. I added the {{/fsanitize=address}} compile flag, then I had to manually find and copy the {{clang_rt.asan_dbg_dynamic-x86_64.dll}} from the VS directory to the directory where the compiled test binary is located.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
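The three stacks in the report above fit together into one pattern: the 74-byte region was allocated by pn_strdup inside pn_error_set (reached from pni_win32_error via pn_error_format), it was freed by pn_error_clear inside the pn_error_set call that pn_error_copy made at win_iocp.cpp:1126, and it was then read by pn_strdup in that same pn_error_set call. A set routine that frees the old text before duplicating the new one reads freed memory whenever the new text is the old buffer, which is exactly what happens when an error object is copied onto itself. The C program below is an added illustration of that ordering bug and of one way to close it; it is not Proton's code. The err_t type, the dup_text/err_set_*/err_copy_* names, the error code 10061 and the "connection refused" message are constructed stand-ins, and the fix shown (duplicate before free, short-circuit self-copy) is one possible repair, not necessarily the one the project applied.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an error object that owns its message text.
 * Not Proton's pn_error_t; names and layout are assumptions for this example. */
typedef struct {
    int   code;
    char *text;   /* heap-owned copy of the message, or NULL */
} err_t;

/* Duplicate a C string on the heap (NULL stays NULL). */
static char *dup_text(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

static void err_clear(err_t *e) {
    free(e->text);
    e->text = NULL;
    e->code = 0;
}

/* Unsafe ordering: release the old text first, then duplicate the new one.
 * If `text` is e->text itself (an error copied onto itself), dup_text() reads
 * the buffer err_clear() just freed: the heap-use-after-free shape in the report. */
static int err_set_unsafe(err_t *e, int code, const char *text) {
    err_clear(e);               /* frees e->text, which may be `text` */
    e->code = code;
    e->text = dup_text(text);   /* read of freed memory when aliased */
    return code;
}

/* Hardened ordering: duplicate while the old buffer is still live, then free it.
 * Correct even when `text` aliases e->text. */
static int err_set_safe(err_t *e, int code, const char *text) {
    char *copy = dup_text(text);
    free(e->text);
    e->text = copy;
    e->code = code;
    return code;
}

static int err_copy_unsafe(err_t *dst, const err_t *src) {
    return err_set_unsafe(dst, src->code, src->text);
}

/* Hardened copy: self-copy is a no-op, and the underlying set is alias-safe anyway. */
static int err_copy_safe(err_t *dst, const err_t *src) {
    if (dst == src) return src->code;
    return err_set_safe(dst, src->code, src->text);
}

/* Exercise the safe path with both aliasing shapes and report whether the
 * message survived intact. Returns 1 on success, 0 on any corruption. */
static int safe_self_copy_keeps_text(void) {
    err_t e = { 0, NULL };
    int ok = 1;
    err_set_safe(&e, 10061, "connection refused");   /* constructed code and message */
    err_copy_safe(&e, &e);                            /* dst == src */
    ok = ok && e.code == 10061 && strcmp(e.text, "connection refused") == 0;
    err_set_safe(&e, 10061, e.text);                  /* text aliases e.text */
    ok = ok && strcmp(e.text, "connection refused") == 0;
    err_clear(&e);
    return ok;
}

int main(int argc, char **argv) {
    /* Build with -fsanitize=address -g (clang/gcc) or /fsanitize=address /Zi (MSVC)
     * and pass "unsafe" to reproduce a report of the same shape:
     * dup_text <- err_set_unsafe <- err_copy_unsafe, freed by err_clear in the same call. */
    err_t e = { 0, NULL };
    err_set_safe(&e, 10061, "connection refused");
    if (argc > 1 && strcmp(argv[1], "unsafe") == 0)
        err_copy_unsafe(&e, &e);   /* heap-use-after-free under ASan */
    else
        err_copy_safe(&e, &e);
    printf("code=%d text=%s\n", e.code, e.text ? e.text : "(null)");
    err_clear(&e);
    return safe_self_copy_keeps_text() ? 0 : 1;
}
```

Without a sanitizer the unsafe path often appears to work, because the freed bytes are usually still in place when dup_text reads them; that is why this only surfaced once ASan was run on the IOCP proactor. The duplicate-before-free ordering is the more robust of the two fixes shown, since it also covers the case where the source text merely points into the destination's buffer rather than the two error objects being identical.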