Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/11/07 21:00:00 UTC

[jira] [Commented] (DISPATCH-2206) ASAN use-after-free of qdr_link_t by I/O thread

    [ https://issues.apache.org/jira/browse/DISPATCH-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17440087#comment-17440087 ] 

Jiri Daněk commented on DISPATCH-2206:
--------------------------------------

Here's it again, on master, even after DISPATCH-2274 fix.

https://github.com/apache/qpid-dispatch/runs/4132448953?check_suite_focus=true#step:9:2055

{noformat}
27: ==4193==ERROR: AddressSanitizer: use-after-poison on address 0x6170000fafb0 at pc 0x558837d1622c bp 0x7f308603fc00 sp 0x7f308603fbf0
27: READ of size 8 at 0x6170000fafb0 thread T2
27:     #0 0x558837d1622b in qdr_link_get_context ../src/router_core/connections.c:516
27:     #1 0x558837e4293b in CORE_link_second_attach ../src/router_node.c:1736
27:     #2 0x558837d1140b in qdr_connection_process ../src/router_core/connections.c:355
27:     #3 0x558837e3836f in AMQP_writable_conn_handler ../src/router_node.c:299
27:     #4 0x558837c4353b in writable_handler ../src/container.c:388
27:     #5 0x558837c484b9 in qd_container_handle_event ../src/container.c:744
27:     #6 0x558837e5adef in handle ../src/server.c:1108
27:     #7 0x558837e5b00c in thread_run ../src/server.c:1133
27:     #8 0x558837cd4c9e in _thread_init ../src/posix/threading.c:172
27:     #9 0x7f308de2b608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:     #10 0x7f308d021292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
27: 
27: 0x6170000fafb0 is located 176 bytes inside of 704-byte region [0x6170000faf00,0x6170000fb1c0)
27: allocated by thread T2 here:
27:     #0 0x7f308e3eaaa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
27:     #1 0x558837c11cad in qd_alloc ../src/alloc_pool.c:391
27:     #2 0x558837d9bbe5 in new_qdr_link_t ../src/router_core/router_core.c:35
27:     #3 0x558837d16e63 in qdr_link_first_attach ../src/router_core/connections.c:617
27:     #4 0x558837e3b1ff in AMQP_incoming_link_handler ../src/router_node.c:994
27:     #5 0x558837c416b2 in setup_incoming_link ../src/container.c:197
27:     #6 0x558837c47211 in qd_container_handle_event ../src/container.c:667
27:     #7 0x558837e5adef in handle ../src/server.c:1108
27:     #8 0x558837e5b00c in thread_run ../src/server.c:1133
27:     #9 0x558837cd4c9e in _thread_init ../src/posix/threading.c:172
27:     #10 0x7f308de2b608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27: 
27: Thread T2 created by T0 here:
27:     #0 0x7f308e316805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
27:     #1 0x558837cd4e0d in sys_thread ../src/posix/threading.c:181
27:     #2 0x558837e62a92 in qd_server_run ../src/server.c:1525
27:     #3 0x558837ebe074 in main_process ../router/src/main.c:115
27:     #4 0x558837ec0078 in main ../router/src/main.c:369
27:     #5 0x7f308cf260b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
27: 
27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:516 in qdr_link_get_context
27: Shadow bytes around the buggy address:
27:   0x0c2e800175a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e800175b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e800175c0: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e800175d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e800175e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: =>0x0c2e800175f0: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80017600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80017610: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80017620: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80017630: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80017640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27:   Addressable:           00
27:   Partially addressable: 01 02 03 04 05 06 07 
27:   Heap left redzone:       fa
27:   Freed heap region:       fd
27:   Stack left redzone:      f1
27:   Stack mid redzone:       f2
27:   Stack right redzone:     f3
27:   Stack after return:      f5
27:   Stack use after scope:   f8
27:   Global redzone:          f9
27:   Global init order:       f6
27:   Poisoned by user:        f7
27:   Container overflow:      fc
27:   Array cookie:            ac
27:   Intra object redzone:    bb
27:   ASan internal:           fe
27:   Left alloca redzone:     ca
27:   Right alloca redzone:    cb
27:   Shadow gap:              cc
27: ==4193==ABORTING
{noformat}

> ASAN use-after-free of qdr_link_t by I/O thread
> -----------------------------------------------
>
>                 Key: DISPATCH-2206
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2206
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Router Node
>    Affects Versions: 1.16.1
>            Reporter: Ken Giusti
>            Priority: Major
>              Labels: asan
>             Fix For: 1.19.0
>
>
> [https://github.com/apache/qpid-dispatch/blob/main/src/router_core/connections.c#L1344]
>  
> 27: ==3859==ERROR: AddressSanitizer: use-after-poison on address 0x61700017e030 at pc 0x56212343cdac bp 0x7f9d33c40c90 sp 0x7f9d33c40c80
> 27: READ of size 8 at 0x61700017e030 thread T2
> 27:     #0 0x56212343cdab in qdr_link_get_context ../src/router_core/connections.c:498
> 27:     #1 0x56212352ec25 in CORE_link_second_attach ../src/router_node.c:1729
> 27:     #2 0x5621234388df in qdr_connection_process ../src/router_core/connections.c:355
> 27:     #3 0x56212338eccf in writable_handler ../src/container.c:396
> 27:     #4 0x56212338eccf in qd_container_handle_event ../src/container.c:748
> 27:     #5 0x562123547289 in handle ../src/server.c:1108
> 27:     #6 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #7 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:     #8 0x7f9d3ac33292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27:
> 27: 0x61700017e030 is located 176 bytes inside of 704-byte region [0x61700017df80,0x61700017e240)
> 27: allocated by thread T2 here:
> 27:     #0 0x7f9d3bfd9aa5 in posix_memalign (/lib/x86_64-linux-gnu/libasan.so.5+0x10eaa5)
> 27:     #1 0x5621233247b0 in qd_alloc ../src/alloc_pool.c:396
> 27:     #2 0x56212343d4c9 in qdr_link_first_attach ../src/router_core/connections.c:592
> 27:     #3 0x56212352dde9 in AMQP_outgoing_link_handler ../src/router_node.c:1018
> 27:     #4 0x562123547289 in handle ../src/server.c:1108
> 27:     #5 0x562123554c9f in thread_run ../src/server.c:1133
> 27:     #6 0x7f9d3ba6c608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:
> 27: Thread T2 created by T0 here:
> 27:     #0 0x7f9d3bf05805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
> 27:     #1 0x562123403bcf in sys_thread ../src/posix/threading.c:181
> 27:     #2 0x56212355541e in qd_server_run ../src/server.c:1522
> 27:     #3 0x56212359f46c in main_process ../router/src/main.c:115
> 27:     #4 0x56212329bc50 in main ../router/src/main.c:369
> 27:     #5 0x7f9d3ab380b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
> 27:
> 27: SUMMARY: AddressSanitizer: use-after-poison ../src/router_core/connections.c:498 in qdr_link_get_context
> 27: Shadow bytes around the buggy address:
> 27:   0x0c2e80027bb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027bc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027bd0: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: =>0x0c2e80027c00: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x0c2e80027c40: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27:   0x0c2e80027c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27:   Addressable:           00
> 27:   Partially addressable: 01 02 03 04 05 06 07
> 27:   Heap left redzone:       fa
> 27:   Freed heap region:       fd
> 27:   Stack left redzone:      f1
> 27:   Stack mid redzone:       f2
> 27:   Stack right redzone:     f3
> 27:   Stack after return:      f5
> 27:   Stack use after scope:   f8
> 27:   Global redzone:          f9
> 27:   Global init order:       f6
> 27:   Poisoned by user:        f7
> 27:   Container overflow:      fc
> 27:   Array cookie:            ac
> 27:   Intra object redzone:    bb
> 27:   ASan internal:           fe
> 27:   Left alloca redzone:     ca
> 27:   Right alloca redzone:    cb
> 27:   Shadow gap:              cc
> 27: ==3859==ABORTING



--
This message was sent by Atlassian Jira
(v8.20.1#820001)