Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/11/07 18:37:00 UTC

[jira] [Created] (PROTON-2460) heap-use-after-free in pn_strdup called from pn_experimental::pni_iocp_recv

Jiri Daněk created PROTON-2460:
----------------------------------

             Summary: heap-use-after-free in pn_strdup called from pn_experimental::pni_iocp_recv
                 Key: PROTON-2460
                 URL: https://issues.apache.org/jira/browse/PROTON-2460
             Project: Qpid Proton
          Issue Type: Bug
          Components: cpp-binding
    Affects Versions: proton-c-0.36.0
            Reporter: Jiri Daněk


Microsoft has been implementing sanitizers in MSVC. It is supposed to be available in VS2019, but it did not work for me (CMake failed to validate the compiler when I added {{/fsanitize=address}} to {{-DCMAKE_C_FLAGS}}). I decided to pick up the VS2022 beta, where I got one sanitizer report.

As far as I know this is the first time sanitizers were run on the IOCP proactor code.

{noformat}
26: Test command: "C:\Program Files\Python310\python.exe" "C:/Users/Vitorio/CLionProjects/qpid-proton/scripts/env.py" "--" "PATH=C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp/examples;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/c;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp" "PYTHONPATH=C:/Users/Vitorio/CLionProjects/qpid-proton/tests/py" "HAS_CPP11=" "C:/Program Files/Python310/python.exe" "C:/Users/Vitorio/CLionProjects/qpid-proton/cpp/examples/testme" "-v" "ContainerExampleTest"
26: Test timeout computed to be: 1500
26: test_encode_decode (__main__.ContainerExampleTest) ... ok
26: test_flow_control (__main__.ContainerExampleTest) ... ok
26: test_helloworld (__main__.ContainerExampleTest) ... ok
26: test_message_properties (__main__.ContainerExampleTest) ... ok
26: test_multithreaded_client (__main__.ContainerExampleTest) ... ok
26: test_request_response (__main__.ContainerExampleTest) ... ok
26: test_request_response_direct (__main__.ContainerExampleTest) ... ok
26: test_scheduled_send (__main__.ContainerExampleTest) ... ok
26: test_scheduled_send_03 (__main__.ContainerExampleTest) ... ERROR
26: test_simple_recv_direct_send (__main__.ContainerExampleTest) ... ok
26: test_simple_recv_send (__main__.ContainerExampleTest) ... ERROR
26: test_simple_send_direct_recv (__main__.ContainerExampleTest) ... ok
26: test_simple_send_recv (__main__.ContainerExampleTest) ... ERROR
{noformat}

...

{noformat}
26: ________________________________ stderr(18088) ________________________________
26: =================================================================
26: ==18088==ERROR: AddressSanitizer: heap-use-after-free on address 0x1227308a78e0 at pc 0x7ffbaed05d1e bp 0x00b894bfe9f0 sp 0x00b894bfe9f8
26: READ of size 2 at 0x1227308a78e0 thread T1
26:     #0 0x7ffbaed05d50 in _asan_wrap_GlobalSize+0x4304a (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50)
26:     #1 0x7ffbb3ee33af in pn_strdup C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
26:     #2 0x7ffbb3ee441c in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
26:     #3 0x7ffbb3ee3f16 in pn_error_copy C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
26:     #4 0x7ffbd946e478 in pn_experimental::pni_iocp_recv C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
26:     #5 0x7ffbd9465adf in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
26:     #6 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
26:     #7 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
26:     #8 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
26:     #9 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
26:     #10 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
26:     #11 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
26:     #12 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
26:     #13 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
26:     #14 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
26:     #15 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
26: 
26: 0x1227308a78e0 is located 0 bytes inside of 74-byte region [0x1227308a78e0,0x1227308a792a)
26: freed by thread T1 here:
26:     #0 0x7ffbaed0f071 in _asan_wrap_GlobalSize+0x4c36b (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f071)
26:     #1 0x7ffbb3ee15ad in pni_mem_subdeallocate C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:276
26:     #2 0x7ffbb3ee456c in pn_error_clear C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:67
26:     #3 0x7ffbb3ee43ab in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:75
26:     #4 0x7ffbb3ee3f16 in pn_error_copy C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
26:     #5 0x7ffbd946e478 in pn_experimental::pni_iocp_recv C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
26:     #6 0x7ffbd9465adf in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
26:     #7 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
26:     #8 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
26:     #9 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
26:     #10 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
26:     #11 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
26:     #12 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
26:     #13 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
26:     #14 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
26:     #15 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
26:     #16 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
26: 
26: previously allocated by thread T1 here:
26:     #0 0x7ffbaed0f201 in _asan_wrap_GlobalSize+0x4c4fb (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f201)
26:     #1 0x7ffbb3ee1608 in pni_mem_allocate C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:270
26:     #2 0x7ffbb3ee33c1 in pn_strdup C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
26:     #3 0x7ffbb3ee441c in pn_error_set C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
26:     #4 0x7ffbb3ee42f7 in pn_error_vformat C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:91
26:     #5 0x7ffbb3ee40dc in pn_error_format C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:99
26:     #6 0x7ffbd9473b91 in pn_experimental::pni_win32_error C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:567
26:     #7 0x7ffbd9473781 in pn_experimental::iocpdesc_fail C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:572
26:     #8 0x7ffbd946e906 in pn_experimental::complete_read C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1107
26:     #9 0x7ffbd94694c2 in do_complete C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1817
26:     #10 0x7ffbd9465738 in pconnection_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2335
26:     #11 0x7ffbd9463b73 in psocket_process C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
26:     #12 0x7ffbd94639b2 in proactor_completion_loop C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
26:     #13 0x7ffbd9462f84 in pn_proactor_wait C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
26:     #14 0x7ffbcab00478 in proton::container::impl::thread C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
26:     #15 0x7ffbcaaad15c in std::invoke<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
26:     #16 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
26:     #17 0x7ffbb4074c7b in register_onexit_function+0xeb (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
26:     #18 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
26:     #19 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
26:     #20 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
26: 
26: Thread T1 created by T0 here:
26:     #0 0x7ffbaed1f3b8 in _asan_wrap_GlobalSize+0x5c6b2 (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005f3b8)
26:     #1 0x7ffbb40753fe in beginthreadex+0x14e (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x1800753fe)
26:     #2 0x7ffbcaaaf072 in std::thread::_Start<void (__cdecl proton::container::impl::*)(void),proton::container::impl *> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:75
26:     #3 0x7ffbcaaa82c0 in std::thread::thread<void (__cdecl proton::container::impl::*)(void),proton::container::impl *,0> C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:90
26:     #4 0x7ffbcab0897c in proton::container::impl::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:795
26:     #5 0x7ffbcaafe905 in proton::container::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\container.cpp:94
26:     #6 0x7ff7c015c88a in broker::run C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:381
26:     #7 0x7ff7c01128a4 in main C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:419
26:     #8 0x7ff7c0160918 in invoke_main d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
26:     #9 0x7ff7c016086d in __scrt_common_main_seh d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
26:     #10 0x7ff7c016072d in __scrt_common_main d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
26:     #11 0x7ff7c016098d in mainCRTStartup d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
26:     #12 0x7ffbf7007033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
26:     #13 0x7ffbf8162650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
26: 
26: SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50) in _asan_wrap_GlobalSize+0x4304a
26: Shadow bytes around the buggy address:
26:   0x045e16994ec0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
26:   0x045e16994ed0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
26:   0x045e16994ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
26:   0x045e16994ef0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
26:   0x045e16994f00: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
26: =>0x045e16994f10: 00 00 00 00 00 00 06 fa fa fa fa fa[fd]fd fd fd
26:   0x045e16994f20: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
26:   0x045e16994f30: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
26:   0x045e16994f40: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
26:   0x045e16994f50: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
26:   0x045e16994f60: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
26: Shadow byte legend (one shadow byte represents 8 application bytes):
26:   Addressable:           00
26:   Partially addressable: 01 02 03 04 05 06 07 
26:   Heap left redzone:       fa
26:   Freed heap region:       fd
26:   Stack left redzone:      f1
26:   Stack mid redzone:       f2
26:   Stack right redzone:     f3
26:   Stack after return:      f5
26:   Stack use after scope:   f8
26:   Global redzone:          f9
26:   Global init order:       f6
26:   Poisoned by user:        f7
26:   Container overflow:      fc
26:   Array cookie:            ac
26:   Intra object redzone:    bb
26:   ASan internal:           fe
26:   Left alloca redzone:     ca
26:   Right alloca redzone:    cb
26:   Shadow gap:              cc
26: ==18088==ABORTING
26: ________________________________ stderr(18088) ________________________________
26: 
Failed
{noformat}

To enable the sanitizer, I followed the blog post https://devblogs.microsoft.com/cppblog/address-sanitizer-for-msvc-now-generally-available/. I added the {{/fsanitize=address}} compile flag, then I had to manually find and copy {{clang_rt.asan_dbg_dynamic-x86_64.dll}} from the VS directory to the directory where the compiled test binary is located.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
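Reading the report above: the READ of size 2 happens in pn_strdup (util.c:122) called from pn_error_set (error.c:78), the "freed by" stack shows the same region released by pn_error_clear from the same pn_error_set call (error.c:75) a few instructions earlier, and the "previously allocated by" stack shows it was the error's own text, set by pn_error_format from pni_win32_error. The three stacks therefore describe one ordering: pn_error_copy asks pn_error_set to install a text pointer that aliases the destination's current text, and pn_error_set frees the old text before duplicating the new one. The following C model, written for this page and not taken from Proton (names such as err_set_unsafe, err_copy_safe and the quarantine helpers are hypothetical, and the sample error text is constructed), reproduces that clear-then-strdup order and the duplicate-then-clear order that tolerates aliasing. Frees go into a poisoned quarantine instead of back to malloc, and the strdup checks its source against that quarantine, so the self-copy bug is observable as a return value rather than as undefined behaviour; this mimics what ASan's shadow bytes (0xfd, "freed heap region", in the legend above) do. Whether the project's actual fix took this shape is not recorded on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Quarantine: makes a use-after-free observable without UB (hypothetical) ---- */
#define QSLOTS 32
static void  *q_ptr[QSLOTS];
static size_t q_len[QSLOTS];
static int    uaf_detected;   /* set when a copy reads a quarantined block */

/* Instead of returning a block to malloc, poison it and park it, the way ASan's
 * quarantine does. 0xfd is ASan's "freed heap region" shadow value. */
static void q_free(void *p, size_t n) {
    if (!p) return;
    for (int i = 0; i < QSLOTS; i++) {
        if (!q_ptr[i]) { memset(p, 0xfd, n); q_ptr[i] = p; q_len[i] = n; return; }
    }
    free(p);   /* quarantine full: fall back to a real free */
}

/* Does p point into a block that has been freed (parked)? */
static int q_is_freed(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < QSLOTS; i++) {
        uintptr_t b = (uintptr_t)q_ptr[i];
        if (q_ptr[i] && a >= b && a < b + q_len[i]) return 1;
    }
    return 0;
}

/* strdup that refuses to read from a freed block and records the attempt. */
static char *q_strdup(const char *s) {
    if (!s) return NULL;
    if (q_is_freed(s)) { uaf_detected = 1; return NULL; }
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Really release the parked blocks at the end of a demo. */
static void q_release_all(void) {
    for (int i = 0; i < QSLOTS; i++) { free(q_ptr[i]); q_ptr[i] = NULL; q_len[i] = 0; }
}

/* ---- Minimal error object: hypothetical, not Proton's pn_error_t ---- */
typedef struct { int code; char *text; } err_t;

static void err_clear(err_t *e) {
    if (e->text) q_free(e->text, strlen(e->text) + 1);
    e->text = NULL;
    e->code = 0;
}

/* Order recorded in the trace: clear (free) first, then duplicate. When `text`
 * aliases e->text, the duplicate reads memory that was just freed. */
static int err_set_unsafe(err_t *e, int code, const char *text) {
    err_clear(e);
    e->code = code;
    e->text = q_strdup(text);
    return (text && !e->text) ? -1 : 0;
}

/* Safe order: take the copy before releasing anything, so aliasing is harmless. */
static int err_set_safe(err_t *e, int code, const char *text) {
    char *dup = q_strdup(text);
    if (text && !dup) return -1;
    err_clear(e);
    e->code = code;
    e->text = dup;
    return 0;
}

static int err_copy_unsafe(err_t *dst, const err_t *src) { return err_set_unsafe(dst, src->code, src->text); }
static int err_copy_safe(err_t *dst, const err_t *src)   { return err_set_safe(dst, src->code, src->text); }

/* Self-copy with the unsafe order: returns 1 if the quarantine caught the read. */
int demo_self_copy_unsafe(void) {
    err_t e = {0, NULL};
    err_set_safe(&e, 10054, "recv: connection reset");   /* constructed sample text */
    uaf_detected = 0;
    err_copy_unsafe(&e, &e);
    int caught = uaf_detected;
    err_clear(&e);
    q_release_all();
    return caught;
}

/* Self-copy with the safe order: returns 1 if code and text survive intact. */
int demo_self_copy_safe(void) {
    err_t e = {0, NULL};
    err_set_safe(&e, 10054, "recv: connection reset");
    uaf_detected = 0;
    int rc = err_copy_safe(&e, &e);
    int ok = rc == 0 && !uaf_detected && e.code == 10054 &&
             e.text && strcmp(e.text, "recv: connection reset") == 0;
    err_clear(&e);
    q_release_all();
    return ok;
}

int main(void) {
    printf("unsafe self-copy caught by quarantine: %d\n", demo_self_copy_unsafe());
    printf("safe self-copy preserved text:         %d\n", demo_self_copy_safe());
    return 0;
}
```

The quarantine is only a teaching device; in a real build the same check comes for free from ASan, which is why the original report was only possible once the IOCP proactor was compiled with /fsanitize=address. The practical takeaway for any "set" routine that owns a heap string is the one the safe variant shows: never free the current value before the new value has been fully copied, because callers (including copy-to-self) may legitimately pass a pointer into the object being updated.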

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org