Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/11/09 12:24:00 UTC
[jira] [Commented] (DISPATCH-2188) ASAN use after free from qdr_core_unbind_address_link_CT in system_tests_protocol_settings
[ https://issues.apache.org/jira/browse/DISPATCH-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17441128#comment-17441128 ]
Jiri Daněk commented on DISPATCH-2188:
--------------------------------------
https://github.com/jiridanek/qpid-dispatch/runs/4140924463?check_suite_focus=true#step:27:54131
Again, mempool-zero patch. I am hoping to get this with unmodified main as well in the future.
{noformat}
27: ==14378==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000598e90 at pc 0x00000062654f bp 0x7f7b60546ff0 sp 0x7f7b60546fe8
27: WRITE of size 8 at 0x617000598e90 thread T1
27: #0 0x62654e in qdr_core_unbind_address_link_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:725
27: #1 0x661317 in del_inlink /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:175
27: #2 0x661317 in on_addr_event /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:410
27: #3 0x661317 in on_addr_event /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:380
27: #4 0x5c6767 in qdrc_event_addr_raise /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_events.c:125
27: #5 0x5bccac in qdr_link_inbound_detach_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:2141
27: #6 0x635c87 in router_core_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core_thread.c:236
27: #7 0x7f7b67770298 in start_thread (/lib64/libpthread.so.0+0x9298)
27: #8 0x7f7b66939352 in clone (/lib64/libc.so.6+0x100352)
27:
27: 0x617000598e90 is located 272 bytes inside of 704-byte region [0x617000598d80,0x617000599040)
27: freed by thread T1 here:
27: #0 0x7f7b67c8b647 in free (/lib64/libasan.so.6+0xae647)
27: #1 0x4c2902 in qd_dealloc /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/alloc_pool.c:497
27: #2 0x5c1245 in qdr_connection_closed_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:1575
27: #3 0x635c87 in router_core_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core_thread.c:236
27: #4 0x7f7b67770298 in start_thread (/lib64/libpthread.so.0+0x9298)
27:
27: previously allocated by thread T1 here:
27: #0 0x7f7b67c8c51c in __interceptor_posix_memalign (/lib64/libasan.so.6+0xaf51c)
27: #1 0x4bed1d in qd_alloc /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/alloc_pool.c:393
27: #2 0x5abc4c in qdr_create_link_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:1158
27: #3 0x660135 in add_inlink /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:161
27: #4 0x5c6767 in qdrc_event_addr_raise /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_events.c:125
27: #5 0x67b551 in qdr_link_react_to_first_attach_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/address_lookup_client/lookup_client.c:395
27: #6 0x67edd8 in qcm_addr_lookup_local_search /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/address_lookup_client/lookup_client.c:455
27: #7 0x681d26 in on_request_done /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/modules/address_lookup_client/lookup_client.c:705
27: #8 0x5cc2f5 in _free_request_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_client_api.c:359
27: #9 0x5cd77c in _receiver_detached_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_client_api.c:626
27: #10 0x5ca643 in qdrc_endpoint_do_cleanup_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_link_endpoint.c:243
27: #11 0x5ca643 in qdrc_endpoint_do_detach_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/core_link_endpoint.c:220
27: #12 0x5bc937 in qdr_link_inbound_detach_CT /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/connections.c:2033
27: #13 0x635c87 in router_core_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core_thread.c:236
27: #14 0x7f7b67770298 in start_thread (/lib64/libpthread.so.0+0x9298)
27:
27: Thread T1 created by T0 here:
27: #0 0x7f7b67c338d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
27: #1 0x56dbd5 in sys_thread /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/posix/threading.c:181
27: #2 0x61bb52 in qdr_core /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:124
27: #3 0x69ee42 in qd_router_setup_late /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_node.c:2127
27: #4 0x7f7b6250fc03 in ffi_call_unix64 (/lib64/libffi.so.6+0x6c03)
27: #5 0x7ffddfa28b9f ([stack]+0x20b9f)
27:
27: SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/src/router_core/router_core.c:725 in qdr_core_unbind_address_link_CT
27: Shadow bytes around the buggy address:
27: 0x0c2e800ab180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e800ab190: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
27: 0x0c2e800ab1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: 0x0c2e800ab1b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e800ab1c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: =>0x0c2e800ab1d0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e800ab1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e800ab1f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: 0x0c2e800ab200: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
27: 0x0c2e800ab210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27: 0x0c2e800ab220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27: Addressable: 00
27: Partially addressable: 01 02 03 04 05 06 07
27: Heap left redzone: fa
27: Freed heap region: fd
27: Stack left redzone: f1
27: Stack mid redzone: f2
27: Stack right redzone: f3
27: Stack after return: f5
27: Stack use after scope: f8
27: Global redzone: f9
27: Global init order: f6
27: Poisoned by user: f7
27: Container overflow: fc
27: Array cookie: ac
27: Intra object redzone: bb
27: ASan internal: fe
27: Left alloca redzone: ca
27: Right alloca redzone: cb
27: Shadow gap: cc
27: ==14378==ABORTING
{noformat}
> ASAN use after free from qdr_core_unbind_address_link_CT in system_tests_protocol_settings
> ------------------------------------------------------------------------------------------
>
> Key: DISPATCH-2188
> URL: https://issues.apache.org/jira/browse/DISPATCH-2188
> Project: Qpid Dispatch
> Issue Type: Bug
> Affects Versions: 1.17.0
> Reporter: Jiri Daněk
> Priority: Major
> Labels: asan, memory-bug
>
> https://travis-ci.com/github/apache/qpid-dispatch/jobs/519782806#L4771
> {noformat}
> 27: Router EB1 output file:
> 27: >>>>
> 27: =================================================================
> 27: ==15423==ERROR: AddressSanitizer: use-after-poison on address 0x6170000dc290 at pc 0x0000006e842a bp 0x7fbe59ae3070 sp 0x7fbe59ae3068
> 27: WRITE of size 8 at 0x6170000dc290 thread T1
> 27: #0 0x6e8429 in qdr_core_unbind_address_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23
> 27: #1 0x722f7f in del_outlink /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:216:9
> 27: #2 0x67a135 in qdrc_event_addr_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:125:13
> 27: #3 0x6e7f40 in qdr_core_unbind_address_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c
> 27: #4 0x666b5c in qdr_link_inbound_detach_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:2064:17
> 27: #5 0x6f2490 in router_core_thread /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
> 27: #6 0x7fbe5fdfe608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27: #7 0x7fbe5f629292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
> 27:
> 27: 0x6170000dc290 is located 272 bytes inside of 704-byte region [0x6170000dc180,0x6170000dc440)
> 27: allocated by thread T1 here:
> 27: #0 0x4bb5c7 in posix_memalign (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4bb5c7)
> 27: #1 0x57319e in qd_alloc /home/travis/build/apache/qpid-dispatch/src/alloc_pool.c:396:13
> 27: #2 0x66cb80 in qdr_create_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1128:24
> 27: #3 0x71fb5d in on_conn_event /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:281:32
> 27: #4 0x679cb5 in qdrc_event_conn_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
> 27: #5 0x679cb5 in qdrc_event_conn_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
> 27: #6 0x6524d0 in qdr_connection_opened_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1440:5
> 27: #7 0x6f2490 in router_core_thread /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
> 27: #8 0x7fbe5fdfe608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
> 27:
> 27: Thread T1 created by T0 here:
> 27: #0 0x4a520c in pthread_create (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4a520c)
> 27: #1 0x6245c7 in sys_thread /home/travis/build/apache/qpid-dispatch/src/posix/threading.c:181:5
> 27: #2 0x6d287a in qdr_core /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:124:20
> 27: #3 0x75c06f in qd_router_setup_late /home/travis/build/apache/qpid-dispatch/src/router_node.c:2124:31
> 27: #4 0x7fbe5b509ff4 (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
> 27: LLVMSymbolizer: error reading file: No such file or directory
> 27: #5 0x7ffc3aaec1cf ([stack]+0x211cf)
> 27:
> 27: SUMMARY: AddressSanitizer: use-after-poison /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23 in qdr_core_unbind_address_link_CT
> 27: Shadow bytes around the buggy address:
> 27: 0x0c2e80013800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: 0x0c2e80013810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
> 27: 0x0c2e80013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: 0x0c2e80013830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: 0x0c2e80013840: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: =>0x0c2e80013850: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80013860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80013870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27: 0x0c2e80013880: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
> 27: 0x0c2e80013890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: 0x0c2e800138a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27: Addressable: 00
> 27: Partially addressable: 01 02 03 04 05 06 07
> 27: Heap left redzone: fa
> 27: Freed heap region: fd
> 27: Stack left redzone: f1
> 27: Stack mid redzone: f2
> 27: Stack right redzone: f3
> 27: Stack after return: f5
> 27: Stack use after scope: f8
> 27: Global redzone: f9
> 27: Global init order: f6
> 27: Poisoned by user: f7
> 27: Container overflow: fc
> 27: Array cookie: ac
> 27: Intra object redzone: bb
> 27: ASan internal: fe
> 27: Left alloca redzone: ca
> 27: Right alloca redzone: cb
> 27: Shadow gap: cc
> 27: ==15423==ABORTING
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
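The two reports in this thread are the same stale-pointer write in qdr_core_unbind_address_link_CT seen through two different allocators. In the original Travis run the shadow bytes are f7 ("Poisoned by user"), so the freed link lived in memory the program itself had poisoned, which is what a recycling object pool does with a slot it keeps for reuse. With the mempool patch mentioned in the comment the same write lands on memory that has genuinely gone back to free(), so ASAN reports heap-use-after-free (shadow fd) and can show the freeing stack in qdr_connection_closed_CT. The sketch below is an added example, not Qpid Dispatch code: a minimal free-list pool that can behave either way, plus a debug check for a pointer taken from a secondary index. Its names, the POOL_PASSTHROUGH mode and pool_is_freed() are assumptions made for illustration.

```c
/* Added illustration, not Qpid Dispatch code: a minimal free-list object pool in
 * the spirit of the router's alloc_pool. Freed objects are kept and recycled, so a
 * stale pointer silently aliases the next object handed out. Under ASAN the pool can
 * poison the slot (later write: use-after-poison, shadow f7) or hand it straight to
 * free() (later write: heap-use-after-free, shadow fd). Names/modes are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    include <sanitizer/asan_interface.h>
#  endif
#elif defined(__SANITIZE_ADDRESS__)
#  include <sanitizer/asan_interface.h>
#endif
#ifndef ASAN_POISON_MEMORY_REGION   /* no sanitizer: poisoning is a no-op */
#  define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif

typedef enum { POOL_RECYCLE, POOL_PASSTHROUGH } pool_mode_t;
/* Slot header; the object payload follows it, kept max-aligned. */
typedef struct pool_slot { union { struct pool_slot *next_free; max_align_t align; } h; } pool_slot_t;

typedef struct {
    size_t       obj_size;
    pool_mode_t  mode;
    pool_slot_t *free_list;
    size_t       live, cached;   /* handed out / waiting on the free list */
} pool_t;

static void *pool_alloc(pool_t *p)
{
    pool_slot_t *s = p->free_list;
    if (s) {                 /* recycle: the address a freed object had */
        p->free_list = s->h.next_free;
        p->cached--;
    } else if (!(s = malloc(sizeof *s + p->obj_size))) {
        return NULL;
    }
    void *obj = (unsigned char *)s + sizeof *s;
    ASAN_UNPOISON_MEMORY_REGION(obj, p->obj_size);
    memset(obj, 0, p->obj_size);
    p->live++;
    return obj;
}

static void pool_free(pool_t *p, void *obj)
{
    if (!obj) return;
    pool_slot_t *s = (pool_slot_t *)((unsigned char *)obj - sizeof *s);
    p->live--;
    if (p->mode == POOL_PASSTHROUGH) { free(s); return; }   /* stale write -> heap-use-after-free */
    s->h.next_free = p->free_list;
    p->free_list = s;
    p->cached++;
    ASAN_POISON_MEMORY_REGION(obj, p->obj_size);           /* stale write -> use-after-poison */
}

/* Debug check for a pointer taken from a secondary index (such as an address's
 * list of links): is it on the free list? Compares addresses, never dereferences. */
static bool pool_is_freed(const pool_t *p, uintptr_t addr)
{
    for (const pool_slot_t *s = p->free_list; s; s = s->h.next_free)
        if ((uintptr_t)s + sizeof *s == addr) return true;
    return false;
}

static void pool_destroy(pool_t *p)
{
    for (pool_slot_t *s = p->free_list, *n; s; s = n) { n = s->h.next_free; free(s); }
    p->free_list = NULL;
    p->cached = 0;
}

typedef struct { void *addr; int id; } link_t;   /* stand-in for the router's link object */

/* Replays the report's life cycle: allocate a link, drop the owning reference, then
 * ask what a pointer kept elsewhere now means. Returns 1 if the pool flags it freed
 * and the next allocation reuses its address, 0 if it went back to libc, -1 on error. */
static int stale_pointer_fate(pool_mode_t mode)
{
    pool_t p = { .obj_size = sizeof(link_t), .mode = mode };
    link_t *first = pool_alloc(&p);
    if (!first || p.live != 1) return -1;
    uintptr_t stale = (uintptr_t)first;      /* kept as an integer, never dereferenced */
    pool_free(&p, first);
    bool flagged = pool_is_freed(&p, stale);
    link_t *second = pool_alloc(&p);
    bool aliases = (uintptr_t)second == stale;
    pool_free(&p, second);
    pool_destroy(&p);
    if (p.live != 0 || p.cached != 0) return -1;
    if (mode == POOL_RECYCLE) return (flagged && aliases) ? 1 : -1;
    return flagged ? -1 : 0;                 /* libc may or may not reuse the address */
}
```

Built without a sanitizer the recycle mode is exactly the production behaviour that hides this class of bug: the address that the address-side link list still holds is handed out again, so the stale write in the unbind path corrupts whichever live object now occupies the slot instead of faulting. Built with -fsanitize=address, the poisoned slot turns that write into the f7 report, and switching the pool to pass freed slots to free() turns it into the fd report with the allocation and free stacks shown above. A check such as pool_is_freed() is cheap enough to assert on in debug builds right before a pointer from a secondary index is written through.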