Posted to dev@qpid.apache.org by "Jiri Daněk (JIRA)" <ji...@apache.org> on 2017/10/04 21:15:00 UTC
[jira] [Created] (DISPATCH-849) heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
Jiri Daněk created DISPATCH-849:
-----------------------------------
Summary: heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
Key: DISPATCH-849
URL: https://issues.apache.org/jira/browse/DISPATCH-849
Project: Qpid Dispatch
Issue Type: Bug
Components: Tests
Affects Versions: 1.1.0
Environment: Git tip of Proton and Dispatch, commit hashes follow
{noformat}
commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
Author: Andrew Stitcher <as...@apache.org>
PROTON-1609: Fix C++ example flags
{noformat}
{noformat}
commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master, upstream/master)
Author: Ganesh Murthy <gm...@redhat.com>
NO-JIRA - Removed accidental printf inclusion
{noformat}
Reporter: Jiri Daněk
Priority: Minor
Compile Proton and Dispatch with sanitizers, same way as in DISPATCH-848. Then run test #13 by executing
{noformat}
LD_PRELOAD=/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so ASAN_OPTIONS=symbolize=1,color=always LSAN_OPTIONS=suppressions=`pwd`/../../qpid-proton/LSan.supp PYTHONPATH=`pwd`/../../qpid-proton/install_asan/lib64/proton/bindings/python LD_LIBRARY_PATH=`pwd`/../../qpid-proton/install_asan/lib64 ctest -VV -R system_tests_link_routes
{noformat}
In the output, the following can be seen
{noformat}
[...]
13: Process 29106 error: exit code 1, expected 0
13: qdrouterd -c C.conf -I /home/jdanek/Work/repos/qpid-dispatch/python
13: /home/jdanek/Work/repos/qpid-dispatch/build_asan/tests/system_test.dir/system_tests_link_routes/LinkRouteTest/setUpClass/C-3.cmd
13: >>>>
13: ../src/message.c:925:38: runtime error: load of value 190, which is not a valid value for type '_Bool'
13: =================================================================
13: ==29106==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000034340 at pc 0x7f4a7391c5be bp 0x7ffe069d5fd0 sp 0x7ffe069d5fc8
13: WRITE of size 8 at 0x611000034340 thread T0
13: #0 0x7f4a7391c5bd in qd_alloc_finalize ../src/alloc_pool.c:338
13: #1 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
13: #2 0x4021bf in main_process ../router/src/main.c:115
13: #3 0x401d83 in main ../router/src/main.c:318
13: #4 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
13: #5 0x402029 in _start (/home/jdanek/Work/repos/qpid-dispatch/build_asan/router/qdrouterd+0x402029)
13:
13: 0x611000034340 is located 0 bytes inside of 192-byte region [0x611000034340,0x611000034400)
13: freed by thread T0 here:
13: #0 0x7f4a73dd0cf8 in free (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd8cf8)
13: #1 0x7f4a7391b4d2 in qd_alloc_finalize ../src/alloc_pool.c:339
13: #2 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
13: #3 0x4021bf in main_process ../router/src/main.c:115
13: #4 0x401d83 in main ../router/src/main.c:318
13: #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
13:
13: previously allocated by thread T4 here:
13: #0 0x7f4a73dd1b88 in __interceptor_posix_memalign (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd9b88)
13: #1 0x7f4a739148ea in qd_alloc ../src/alloc_pool.c:182
13: #2 0x7f4a7386d001 in qd_message ../src/message.c:835
13: #3 0x7f4a738926f3 in qd_python_send ../src/python_embedded.c:605
13: #4 0x7f4a726f43d6 in PyEval_EvalFrameEx (/nix/store/1snk2wkpv97an87pk1842fgskl1vqhkr-python-2.7.14/lib/libpython2.7.so.1.0+0xe53d6)
13:
13: Thread T4 created by T0 here:
13: #0 0x7f4a73d2e7c0 in __interceptor_pthread_create (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0x367c0)
13: #1 0x7f4a7388f2a9 in sys_thread ../src/posix/threading.c:158
13: #2 0x7f4a7390aa01 in qd_server_run ../src/server.c:1157
13: #3 0x4021a8 in main_process ../router/src/main.c:111
13: #4 0x401d83 in main ../router/src/main.c:318
13: #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
13:
13: SUMMARY: AddressSanitizer: heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
13: Shadow bytes around the buggy address:
13: 0x0c227fffe810: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
13: 0x0c227fffe820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
13: 0x0c227fffe830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
13: 0x0c227fffe840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
13: 0x0c227fffe850: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
13: =>0x0c227fffe860: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
13: 0x0c227fffe870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
13: 0x0c227fffe880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
13: 0x0c227fffe890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
13: 0x0c227fffe8a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
13: 0x0c227fffe8b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
13: Shadow byte legend (one shadow byte represents 8 application bytes):
13: Addressable: 00
13: Partially addressable: 01 02 03 04 05 06 07
13: Heap left redzone: fa
13: Freed heap region: fd
13: Stack left redzone: f1
13: Stack mid redzone: f2
13: Stack right redzone: f3
13: Stack after return: f5
13: Stack use after scope: f8
13: Global redzone: f9
13: Global init order: f6
13: Poisoned by user: f7
13: Container overflow: fc
13: Array cookie: ac
13: Intra object redzone: bb
13: ASan internal: fe
13: Left alloca redzone: ca
13: Right alloca redzone: cb
13: ==29106==ABORTING
[...]
{noformat}
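An added triage helper, not part of the original report or of the Qpid code base: it strips the ctest prefix from an AddressSanitizer report like the one above and returns, for the access, free and allocation stacks, the first frame that has a source location. The names parse_asan and triage are hypothetical, and the sample is abbreviated from the log above.

```python
import re
# Abbreviated from the report above (ctest "13: " prefix kept, library paths shortened).
SAMPLE = """\
13: ==29106==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000034340 at pc 0x7f4a7391c5be
13: WRITE of size 8 at 0x611000034340 thread T0
13: #0 0x7f4a7391c5bd in qd_alloc_finalize ../src/alloc_pool.c:338
13:
13: freed by thread T0 here:
13: #0 0x7f4a73dd0cf8 in free (/lib/libasan.so+0xd8cf8)
13: #1 0x7f4a7391b4d2 in qd_alloc_finalize ../src/alloc_pool.c:339
13:
13: previously allocated by thread T4 here:
13: #0 0x7f4a73dd1b88 in __interceptor_posix_memalign (/lib/libasan.so+0xd9b88)
13: #1 0x7f4a739148ea in qd_alloc ../src/alloc_pool.c:182
"""

PREFIX = re.compile(r"^\d+:\s?")  # test-number prefix added by ctest -VV
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
SECTION = re.compile(r"^(freed|previously allocated) by thread (T\d+) here:")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
SRC = re.compile(r"^(.+?):(\d+)(?::\d+)?$")  # file:line[:col], not (module+offset)

def parse_asan(text):
    rep, cur = {"stacks": {}, "threads": {}}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            rep["kind"], rep["address"] = m.groups()
        elif m := ACCESS.match(line):
            cur, rep["op"], rep["size"] = "access", m.group(1), int(m.group(2))
            rep["threads"][cur] = m.group(3)
        elif m := SECTION.match(line):
            cur = "free" if m.group(1) == "freed" else "alloc"
            rep["threads"][cur] = m.group(2)
        elif cur and (m := FRAME.match(line)):
            rep["stacks"].setdefault(cur, []).append(m.groups())
        elif not line:
            cur = None  # a blank line ends the current stack
    return rep

def triage(rep):
    # First frame with a source location per stack; runtime frames are skipped.
    out = {}
    for name, stack in rep["stacks"].items():
        out[name] = next(((f, m[1], int(m[2])) for f, loc in stack
                          if (m := SRC.match(loc))), None)
    out["alloc_on_other_thread"] = rep["threads"]["alloc"] != rep["threads"]["free"]
    return out
```

On this report the access and free frames both resolve to qd_alloc_finalize at adjacent lines of ../src/alloc_pool.c, while the allocation frame resolves to qd_alloc on a different thread.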