You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Ganesh Murthy (Jira)" <ji...@apache.org> on 2021/04/29 13:38:01 UTC

[jira] [Resolved] (DISPATCH-2055) AddressSanitizer: heap-use-after-free in write_log during system_tests_qdmanage

     [ https://issues.apache.org/jira/browse/DISPATCH-2055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ganesh Murthy resolved DISPATCH-2055.
-------------------------------------
    Resolution: Fixed

> AddressSanitizer: heap-use-after-free in write_log during system_tests_qdmanage
> -------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2055
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2055
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Jiri Daněk
>            Assignee: Ganesh Murthy
>            Priority: Major
>             Fix For: 1.17.0
>
>
> https://travis-ci.com/github/apache/qpid-dispatch/jobs/498853046#L5728
> {noformat}
> 29: Process 13857 error: exit code 1, expected -1
> 29: qdrouterd -c test_router_1.conf -I /home/travis/build/apache/qpid-dispatch/python
> 29: /home/travis/build/apache/qpid-dispatch/build/tests/system_test.dir/system_tests_qdmanage/QdmanageTest/setUpClass/test_router_1-2.cmd
> 29: >>>>
> 29: =================================================================
> 29: ==13857==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffaca04ba8 at pc 0xffffb1f23f34 bp 0xffffa5cf2770 sp 0xffffa5cf2768
> 29: READ of size 8 at 0xffffaca04ba8 thread T2
> 29:     #0 0xffffb1f23f30 in write_log /home/travis/build/apache/qpid-dispatch/src/log.c:343:22
> 29:     #1 0xffffb1f23f30 in qd_vlog_impl /home/travis/build/apache/qpid-dispatch/src/log.c:437:5
> 29:     #2 0xffffb1f24d44 in qd_log_impl /home/travis/build/apache/qpid-dispatch/src/log.c:456:3
> 29:     #3 0xffffb1b482c8 in pni_tracer_to_log_sink /home/travis/build/apache/qpid-dispatch/qpid-proton/c/src/core/transport.c:2874:3
> 29: 
> 29: 0xffffaca04ba8 is located 24 bytes inside of 48-byte region [0xffffaca04b90,0xffffaca04bc0)
> 29: freed by thread T3 here:
> 29:     #0 0x48f30c in free (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x48f30c)
> 29:     #1 0xffffb1f27c64 in qd_log_entity /home/travis/build/apache/qpid-dispatch/src/log.c:555:17
> 29:     #2 0xffffacf09ff4  (/lib/aarch64-linux-gnu/libffi.so.7+0x5ff4)
> 29:     #3 0xffffacf097c8  (/lib/aarch64-linux-gnu/libffi.so.7+0x57c8)
> 29:     #4 0xffffacddfd20 in _ctypes_callproc (/usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-aarch64-linux-gnu.so+0xfd20)
> 29:     #5 0xffffacde0334  (/usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-aarch64-linux-gnu.so+0x10334)
> 29:     #6 0xffffb17dc604 in _PyObject_MakeTpCall (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x299604)
> 29:     #7 0xffffb15b6698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73698)
> 29:     #8 0xffffb15bd888 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7a888)
> 29:     #9 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #10 0xffffb17dc8a0  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x2998a0)
> 29:     #11 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #12 0xffffb15bd888 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7a888)
> 29:     #13 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #14 0xffffb17dc8a0  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x2998a0)
> 29:     #15 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #16 0xffffb15bb3bc in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x783bc)
> 29:     #17 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #18 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #19 0xffffb15b75a0 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x745a0)
> 29:     #20 0xffffb1702958 in _PyEval_EvalCodeWithName (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x1bf958)
> 29:     #21 0xffffb17dbbbc in _PyFunction_Vectorcall (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x298bbc)
> 29:     #22 0xffffb17dc808  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x299808)
> 29:     #23 0xffffb17dcf34  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x299f34)
> 29:     #24 0xffffb17dd8c0 in PyObject_CallFunction (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x29a8c0)
> 29:     #25 0xffffb1f7e4d0 in qd_io_rx_handler /home/travis/build/apache/qpid-dispatch/src/python_embedded.c:662:23
> 29:     #26 0xffffb200eb54 in qdr_forward_on_message /home/travis/build/apache/qpid-dispatch/src/router_core/forwarder.c:341:28
> 29:     #27 0xffffb2031bb4 in qdr_general_handler /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:903:9
> 29:     #28 0xffffb20ee754 in qd_timer_visit /home/travis/build/apache/qpid-dispatch/src/timer.c:205:9
> 29:     #29 0xffffb20e1754 in handle /home/travis/build/apache/qpid-dispatch/src/server.c:1008:9
> 29: 
> 29: previously allocated by thread T0 here:
> 29:     #0 0x48f578 in malloc (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x48f578)
> 29:     #1 0xffffb1f262ac in qd_malloc /home/travis/build/apache/qpid-dispatch/include/qpid/dispatch/ctools.h:229:17
> 29:     #2 0xffffb1f262ac in log_sink_lh /home/travis/build/apache/qpid-dispatch/src/log.c:165:16
> 29:     #3 0xffffb1f27a48 in qd_log_entity /home/travis/build/apache/qpid-dispatch/src/log.c:550:32
> 29:     #4 0xffffacf09ff4  (/lib/aarch64-linux-gnu/libffi.so.7+0x5ff4)
> 29:     #5 0xffffacf097c8  (/lib/aarch64-linux-gnu/libffi.so.7+0x57c8)
> 29:     #6 0xffffacddfd20 in _ctypes_callproc (/usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-aarch64-linux-gnu.so+0xfd20)
> 29:     #7 0xffffacde0334  (/usr/lib/python3.8/lib-dynload/_ctypes.cpython-38-aarch64-linux-gnu.so+0x10334)
> 29:     #8 0xffffb17dc604 in _PyObject_MakeTpCall (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x299604)
> 29:     #9 0xffffb15b6698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73698)
> 29:     #10 0xffffb15bd888 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7a888)
> 29:     #11 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #12 0xffffb17dc8a0  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x2998a0)
> 29:     #13 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #14 0xffffb15bd888 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7a888)
> 29:     #15 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #16 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #17 0xffffb15b75a0 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x745a0)
> 29:     #18 0xffffb15c1698  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x7e698)
> 29:     #19 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #20 0xffffb15b75a0 in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x745a0)
> 29:     #21 0xffffb1702958 in _PyEval_EvalCodeWithName (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x1bf958)
> 29:     #22 0xffffb17dbbbc in _PyFunction_Vectorcall (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x298bbc)
> 29:     #23 0xffffb15b6624  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x73624)
> 29:     #24 0xffffb15bb3bc in _PyEval_EvalFrameDefault (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x783bc)
> 29:     #25 0xffffb1702958 in _PyEval_EvalCodeWithName (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x1bf958)
> 29:     #26 0xffffb17dbbbc in _PyFunction_Vectorcall (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x298bbc)
> 29:     #27 0xffffb17dcf34  (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x299f34)
> 29:     #28 0xffffb17dd8c0 in PyObject_CallFunction (/lib/aarch64-linux-gnu/libpython3.8.so.1.0+0x29a8c0)
> 29:     #29 0xffffb1f057f8 in qd_dispatch_load_config /home/travis/build/apache/qpid-dispatch/src/dispatch.c:133:45
> 29:     #30 0x4bd030 in main_process /home/travis/build/apache/qpid-dispatch/router/src/main.c:97:5
> 29: 
> 29: Thread T2 created by T0 here:
> 29:     #0 0x47a794 in pthread_create (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x47a794)
> 29:     #1 0xffffb1f79084 in sys_thread /home/travis/build/apache/qpid-dispatch/src/posix/threading.c:183:5
> 29:     #2 0xffffb20dac9c in qd_server_run /home/travis/build/apache/qpid-dispatch/src/server.c:1485:22
> 29: 
> 29: Thread T3 created by T0 here:
> 29:     #0 0x47a794 in pthread_create (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x47a794)
> 29:     #1 0xffffb1f79084 in sys_thread /home/travis/build/apache/qpid-dispatch/src/posix/threading.c:183:5
> 29:     #2 0xffffb20dac9c in qd_server_run /home/travis/build/apache/qpid-dispatch/src/server.c:1485:22
> 29: 
> 29: SUMMARY: AddressSanitizer: heap-use-after-free /home/travis/build/apache/qpid-dispatch/src/log.c:343:22 in write_log
> 29: Shadow bytes around the buggy address:
> 29:   0x200ff5940920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
> 29:   0x200ff5940930: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
> 29:   0x200ff5940940: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
> 29:   0x200ff5940950: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
> 29:   0x200ff5940960: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
> 29: =>0x200ff5940970: fa fa fd fd fd[fd]fd fd fa fa fd fd fd fd fd fa
> 29:   0x200ff5940980: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
> 29:   0x200ff5940990: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 03 fa
> 29:   0x200ff59409a0: fa fa 00 00 00 00 03 fa fa fa fd fd fd fd fd fa
> 29:   0x200ff59409b0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
> 29:   0x200ff59409c0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
> 29: Shadow byte legend (one shadow byte represents 8 application bytes):
> 29:   Addressable:           00
> 29:   Partially addressable: 01 02 03 04 05 06 07 
> 29:   Heap left redzone:       fa
> 29:   Freed heap region:       fd
> 29:   Stack left redzone:      f1
> 29:   Stack mid redzone:       f2
> 29:   Stack right redzone:     f3
> 29:   Stack after return:      f5
> 29:   Stack use after scope:   f8
> 29:   Global redzone:          f9
> 29:   Global init order:       f6
> 29:   Poisoned by user:        f7
> 29:   Container overflow:      fc
> 29:   Array cookie:            ac
> 29:   Intra object redzone:    bb
> 29:   ASan internal:           fe
> 29:   Left alloca redzone:     ca
> 29:   Right alloca redzone:    cb
> 29:   Shadow gap:              cc
> 29: ==13857==ABORTING
> 29: <<<<
> 29: 
> 29: ----------------------------------------------------------------------
> 29: Ran 34 tests in 82.088s
> 29: 
> 29: FAILED (errors=6)
> 29/74 Test #29: system_tests_qdmanage .............................***Failed   82.36 sec
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org