Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/05/08 10:35:00 UTC

[jira] [Closed] (DISPATCH-849) heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize

     [ https://issues.apache.org/jira/browse/DISPATCH-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jiri Daněk closed DISPATCH-849.
-------------------------------
    Fix Version/s:     (was: Backlog)
       Resolution: Abandoned

... which happened to be today. Closing this as out of date. The repro command is somewhat interesting; I apparently also compiled qpid-proton-python with asan there, which is why I had to do LD_PRELOAD.

> heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
> ----------------------------------------------------------------
>
>                 Key: DISPATCH-849
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-849
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Tests
>    Affects Versions: 1.1.0
>         Environment: Git tip of Proton and Dispatch, commit hashes follow
> {noformat}
> commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
> Author: Andrew Stitcher <as...@apache.org>
>     PROTON-1609: Fix C++ example flags
> {noformat}
> {noformat}
> commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master, upstream/master)
> Author: Ganesh Murthy <gm...@redhat.com>
>     NO-JIRA - Removed accidental printf inclusion
> {noformat}
>            Reporter: Jiri Daněk
>            Priority: Minor
>              Labels: memory-bug
>
> Compile Proton and Dispatch with sanitizers, same way as in DISPATCH-848. Then run test #13 by executing
> {noformat}
> LD_PRELOAD=/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so ASAN_OPTIONS=symbolize=1,color=always LSAN_OPTIONS=suppressions=`pwd`/../../qpid-proton/LSan.supp PYTHONPATH=`pwd`/../../qpid-proton/install_asan/lib64/proton/bindings/python LD_LIBRARY_PATH=`pwd`/../../qpid-proton/install_asan/lib64 ctest -VV -R system_tests_link_routes
> {noformat}
> In the output, the following can be seen
> {noformat}
> [...]
> 13: Process 29106 error: exit code 1, expected 0
> 13: qdrouterd -c C.conf -I /home/jdanek/Work/repos/qpid-dispatch/python
> 13: /home/jdanek/Work/repos/qpid-dispatch/build_asan/tests/system_test.dir/system_tests_link_routes/LinkRouteTest/setUpClass/C-3.cmd
> 13: >>>>
> 13: ../src/message.c:925:38: runtime error: load of value 190, which is not a valid value for type '_Bool'
> 13: =================================================================
> 13: ==29106==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000034340 at pc 0x7f4a7391c5be bp 0x7ffe069d5fd0 sp 0x7ffe069d5fc8
> 13: WRITE of size 8 at 0x611000034340 thread T0
> 13:     #0 0x7f4a7391c5bd in qd_alloc_finalize ../src/alloc_pool.c:338
> 13:     #1 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
> 13:     #2 0x4021bf in main_process ../router/src/main.c:115
> 13:     #3 0x401d83 in main ../router/src/main.c:318
> 13:     #4 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13:     #5 0x402029 in _start (/home/jdanek/Work/repos/qpid-dispatch/build_asan/router/qdrouterd+0x402029)
> 13: 
> 13: 0x611000034340 is located 0 bytes inside of 192-byte region [0x611000034340,0x611000034400)
> 13: freed by thread T0 here:
> 13:     #0 0x7f4a73dd0cf8 in free (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd8cf8)
> 13:     #1 0x7f4a7391b4d2 in qd_alloc_finalize ../src/alloc_pool.c:339
> 13:     #2 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
> 13:     #3 0x4021bf in main_process ../router/src/main.c:115
> 13:     #4 0x401d83 in main ../router/src/main.c:318
> 13:     #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13: 
> 13: previously allocated by thread T4 here:
> 13:     #0 0x7f4a73dd1b88 in __interceptor_posix_memalign (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd9b88)
> 13:     #1 0x7f4a739148ea in qd_alloc ../src/alloc_pool.c:182
> 13:     #2 0x7f4a7386d001 in qd_message ../src/message.c:835
> 13:     #3 0x7f4a738926f3 in qd_python_send ../src/python_embedded.c:605
> 13:     #4 0x7f4a726f43d6 in PyEval_EvalFrameEx (/nix/store/1snk2wkpv97an87pk1842fgskl1vqhkr-python-2.7.14/lib/libpython2.7.so.1.0+0xe53d6)
> 13: 
> 13: Thread T4 created by T0 here:
> 13:     #0 0x7f4a73d2e7c0 in __interceptor_pthread_create (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0x367c0)
> 13:     #1 0x7f4a7388f2a9 in sys_thread ../src/posix/threading.c:158
> 13:     #2 0x7f4a7390aa01 in qd_server_run ../src/server.c:1157
> 13:     #3 0x4021a8 in main_process ../router/src/main.c:111
> 13:     #4 0x401d83 in main ../router/src/main.c:318
> 13:     #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13: 
> 13: SUMMARY: AddressSanitizer: heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
> 13: Shadow bytes around the buggy address:
> 13:   0x0c227fffe810: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 13:   0x0c227fffe820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13:   0x0c227fffe830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 13:   0x0c227fffe840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13:   0x0c227fffe850: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
> 13: =>0x0c227fffe860: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
> 13:   0x0c227fffe870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13:   0x0c227fffe880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 13:   0x0c227fffe890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13:   0x0c227fffe8a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
> 13:   0x0c227fffe8b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 13: Shadow byte legend (one shadow byte represents 8 application bytes):
> 13:   Addressable:           00
> 13:   Partially addressable: 01 02 03 04 05 06 07 
> 13:   Heap left redzone:       fa
> 13:   Freed heap region:       fd
> 13:   Stack left redzone:      f1
> 13:   Stack mid redzone:       f2
> 13:   Stack right redzone:     f3
> 13:   Stack after return:      f5
> 13:   Stack use after scope:   f8
> 13:   Global redzone:          f9
> 13:   Global init order:       f6
> 13:   Poisoned by user:        f7
> 13:   Container overflow:      fc
> 13:   Array cookie:            ac
> 13:   Intra object redzone:    bb
> 13:   ASan internal:           fe
> 13:   Left alloca redzone:     ca
> 13:   Right alloca redzone:    cb
> 13: ==29106==ABORTING
> [...]
> {noformat}
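The quoted report is the kind of output that lands in a CI log and needs triage before anyone opens the source: what kind of memory error, which access, which thread freed the block and which allocated it, and whether the use and the free sit in the same function (here both are in qd_alloc_finalize, at alloc_pool.c:338 and :339, and the block was allocated on thread T4 but freed and written on T0). The following parser, added here as an illustration and not code from the issue or from the Qpid Dispatch project, turns an AddressSanitizer heap-use-after-free report into a structured record and derives those triage facts. The sample input is a constructed, abridged copy of the report above with ctest's `13:` line prefix kept; the field and function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: an abridged copy of the AddressSanitizer report quoted in
# the issue, with the "13:" ctest prefix still attached to every line.
SAMPLE_REPORT = """\
13: ../src/message.c:925:38: runtime error: load of value 190, which is not a valid value for type '_Bool'
13: =================================================================
13: ==29106==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000034340 at pc 0x7f4a7391c5be bp 0x7ffe069d5fd0 sp 0x7ffe069d5fc8
13: WRITE of size 8 at 0x611000034340 thread T0
13:     #0 0x7f4a7391c5bd in qd_alloc_finalize ../src/alloc_pool.c:338
13:     #1 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
13:     #2 0x4021bf in main_process ../router/src/main.c:115
13:
13: 0x611000034340 is located 0 bytes inside of 192-byte region [0x611000034340,0x611000034400)
13: freed by thread T0 here:
13:     #0 0x7f4a73dd0cf8 in free (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd8cf8)
13:     #1 0x7f4a7391b4d2 in qd_alloc_finalize ../src/alloc_pool.c:339
13:     #2 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
13:
13: previously allocated by thread T4 here:
13:     #0 0x7f4a73dd1b88 in __interceptor_posix_memalign (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd9b88)
13:     #1 0x7f4a739148ea in qd_alloc ../src/alloc_pool.c:182
13:     #2 0x7f4a7386d001 in qd_message ../src/message.c:835
13:
13: SUMMARY: AddressSanitizer: heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
"""


class Frame(NamedTuple):
    index: int
    function: str
    location: str  # "file:line" when symbolised, "(binary+offset)" otherwise


@dataclass
class AsanReport:
    pid: Optional[int] = None
    kind: Optional[str] = None            # e.g. "heap-use-after-free"
    address: Optional[str] = None
    access: Optional[str] = None          # "READ" or "WRITE"
    size: Optional[int] = None
    access_thread: Optional[str] = None
    freed_thread: Optional[str] = None
    alloc_thread: Optional[str] = None
    offset: Optional[int] = None          # bytes into the freed region
    region_size: Optional[int] = None
    summary_location: Optional[str] = None
    summary_function: Optional[str] = None
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "freed": [], "allocated": []})


# Line shapes ASan prints; the ctest "<n>:" prefix is stripped before matching.
PREFIX = re.compile(r"^\d+: ?")
ERROR = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+?)\s*$")
FREED = re.compile(r"^freed by thread (T\d+) here:")
ALLOC = re.compile(r"^previously allocated by thread (T\d+) here:")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: \S+ (\S+) in (\S+)")


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report (optionally ctest-prefixed) into an AsanReport."""
    report = AsanReport()
    section: Optional[str] = None  # stack that the following frame lines belong to
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := ERROR.search(line):
            report.pid, report.kind, report.address = int(m.group(1)), m.group(2), m.group(3)
        elif m := ACCESS.match(line):
            report.access, report.size, report.access_thread = m.group(1), int(m.group(2)), m.group(3)
            section = "access"
        elif m := FREED.match(line):
            report.freed_thread, section = m.group(1), "freed"
        elif m := ALLOC.match(line):
            report.alloc_thread, section = m.group(1), "allocated"
        elif m := REGION.search(line):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif m := SUMMARY.match(line):
            report.summary_location, report.summary_function = m.group(1), m.group(2)
        elif (m := FRAME.match(line)) and section:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
        elif not line.strip():
            section = None  # a blank line ends a stack trace
    return report


def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    """First frame resolved to a source location, skipping libasan interceptors
    such as free() and posix_memalign() that only show a library offset."""
    for fr in stack:
        if not fr.location.startswith("("):
            return fr
    return None


def triage(report: AsanReport) -> Dict[str, bool]:
    """Facts a reviewer wants before opening the source."""
    use = first_project_frame(report.stacks["access"])
    free = first_project_frame(report.stacks["freed"])
    return {
        "use_after_free": report.kind == "heap-use-after-free",
        "write_access": report.access == "WRITE",
        "use_and_free_in_same_function": bool(use and free and use.function == free.function),
        "freed_on_other_thread_than_allocated":
            bool(report.alloc_thread and report.alloc_thread != report.freed_thread),
        "access_starts_at_region": report.offset == 0,
    }


def _where(fr: Optional[Frame]) -> str:
    return f"{fr.function} ({fr.location})" if fr else "?"


def one_line_summary(report: AsanReport) -> str:
    """Compact form suitable for a CI annotation or a test-failure title."""
    return (f"{report.kind}: {report.access} of {report.size} bytes at offset {report.offset} "
            f"of a {report.region_size}-byte block; used in {_where(first_project_frame(report.stacks['access']))}, "
            f"freed in {_where(first_project_frame(report.stacks['freed']))}, "
            f"allocated in {_where(first_project_frame(report.stacks['allocated']))} "
            f"on thread {report.alloc_thread}")


if __name__ == "__main__":
    parsed = parse_asan_report(SAMPLE_REPORT)
    print(one_line_summary(parsed))
    for name, value in triage(parsed).items():
        print(f"  {name}: {value}")
```

The `use_and_free_in_same_function` flag is the one to look at first for a report like this: a finalizer that frees a block at one line and writes to it on the previous line of the same function is typically walking a list whose node it has just released, which is a teardown-order bug rather than a data race, even though the block was allocated on a different thread.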



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
