Posted to dev@qpid.apache.org by "Jiri Daněk (Jira)" <ji...@apache.org> on 2021/05/08 10:34:00 UTC
[jira] [Updated] (DISPATCH-849) heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
[ https://issues.apache.org/jira/browse/DISPATCH-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jiri Daněk updated DISPATCH-849:
--------------------------------
Environment:
Git tip of Proton and Dispatch, commit hashes follow
{noformat}
commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
Author: Andrew Stitcher <as...@apache.org>
PROTON-1609: Fix C++ example flags
{noformat}
{noformat}
commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master, upstream/master)
Author: Ganesh Murthy <gm...@redhat.com>
NO-JIRA - Removed accidental printf inclusion
{noformat}
was:
Git tip of Proton and Dtspatch, commit hashes follow
{noformat}
commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
Author: Andrew Stitcher <as...@apache.org>
PROTON-1609: Fix C++ example flags
{noformat}
{noformat}
commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master, upstream/master)
Author: Ganesh Murthy <gm...@redhat.com>
NO-JIRA - Removed accidental printf inclusion
{noformat}
> heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
> ----------------------------------------------------------------
>
> Key: DISPATCH-849
> URL: https://issues.apache.org/jira/browse/DISPATCH-849
> Project: Qpid Dispatch
> Issue Type: Bug
> Components: Tests
> Affects Versions: 1.1.0
> Environment: Git tip of Proton and Dispatch, commit hashes follow
> {noformat}
> commit aece4ad2f4e4eb2d141020c59c393a30a79f53a9 (upstream/master)
> Author: Andrew Stitcher <as...@apache.org>
> PROTON-1609: Fix C++ example flags
> {noformat}
> {noformat}
> commit 18c5f8d6293de4227c8c17ef08675cb4eaef689c (HEAD -> master, upstream/master)
> Author: Ganesh Murthy <gm...@redhat.com>
> NO-JIRA - Removed accidental printf inclusion
> {noformat}
> Reporter: Jiri Daněk
> Priority: Minor
> Labels: memory-bug
> Fix For: Backlog
>
>
> Compile Proton and Dispatch with sanitizers, same way as in DISPATCH-848. Then run test #13 by executing
> {noformat}
> LD_PRELOAD=/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so ASAN_OPTIONS=symbolize=1,color=always LSAN_OPTIONS=suppressions=`pwd`/../../qpid-proton/LSan.supp PYTHONPATH=`pwd`/../../qpid-proton/install_asan/lib64/proton/bindings/python LD_LIBRARY_PATH=`pwd`/../../qpid-proton/install_asan/lib64 ctest -VV -R system_tests_link_routes
> {noformat}
> In the output, the following can be seen
> {noformat}
> [...]
> 13: Process 29106 error: exit code 1, expected 0
> 13: qdrouterd -c C.conf -I /home/jdanek/Work/repos/qpid-dispatch/python
> 13: /home/jdanek/Work/repos/qpid-dispatch/build_asan/tests/system_test.dir/system_tests_link_routes/LinkRouteTest/setUpClass/C-3.cmd
> 13: >>>>
> 13: ../src/message.c:925:38: runtime error: load of value 190, which is not a valid value for type '_Bool'
> 13: =================================================================
> 13: ==29106==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000034340 at pc 0x7f4a7391c5be bp 0x7ffe069d5fd0 sp 0x7ffe069d5fc8
> 13: WRITE of size 8 at 0x611000034340 thread T0
> 13: #0 0x7f4a7391c5bd in qd_alloc_finalize ../src/alloc_pool.c:338
> 13: #1 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
> 13: #2 0x4021bf in main_process ../router/src/main.c:115
> 13: #3 0x401d83 in main ../router/src/main.c:318
> 13: #4 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13: #5 0x402029 in _start (/home/jdanek/Work/repos/qpid-dispatch/build_asan/router/qdrouterd+0x402029)
> 13:
> 13: 0x611000034340 is located 0 bytes inside of 192-byte region [0x611000034340,0x611000034400)
> 13: freed by thread T0 here:
> 13: #0 0x7f4a73dd0cf8 in free (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd8cf8)
> 13: #1 0x7f4a7391b4d2 in qd_alloc_finalize ../src/alloc_pool.c:339
> 13: #2 0x7f4a7385543e in qd_dispatch_free ../src/dispatch.c:308
> 13: #3 0x4021bf in main_process ../router/src/main.c:115
> 13: #4 0x401d83 in main ../router/src/main.c:318
> 13: #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13:
> 13: previously allocated by thread T4 here:
> 13: #0 0x7f4a73dd1b88 in __interceptor_posix_memalign (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0xd9b88)
> 13: #1 0x7f4a739148ea in qd_alloc ../src/alloc_pool.c:182
> 13: #2 0x7f4a7386d001 in qd_message ../src/message.c:835
> 13: #3 0x7f4a738926f3 in qd_python_send ../src/python_embedded.c:605
> 13: #4 0x7f4a726f43d6 in PyEval_EvalFrameEx (/nix/store/1snk2wkpv97an87pk1842fgskl1vqhkr-python-2.7.14/lib/libpython2.7.so.1.0+0xe53d6)
> 13:
> 13: Thread T4 created by T0 here:
> 13: #0 0x7f4a73d2e7c0 in __interceptor_pthread_create (/nix/store/zahs1kwq4742f6l6h7yy4mdj44zzc1kd-gcc-7-20170409-lib/lib/libasan.so+0x367c0)
> 13: #1 0x7f4a7388f2a9 in sys_thread ../src/posix/threading.c:158
> 13: #2 0x7f4a7390aa01 in qd_server_run ../src/server.c:1157
> 13: #3 0x4021a8 in main_process ../router/src/main.c:111
> 13: #4 0x401d83 in main ../router/src/main.c:318
> 13: #5 0x7f4a7134655f in __libc_start_main (/nix/store/zpg78y1mf0di6127q6r51kgx2q8cxsvv-glibc-2.25-49/lib/libc.so.6+0x2055f)
> 13:
> 13: SUMMARY: AddressSanitizer: heap-use-after-free ../src/alloc_pool.c:338 in qd_alloc_finalize
> 13: Shadow bytes around the buggy address:
> 13: 0x0c227fffe810: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 13: 0x0c227fffe820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13: 0x0c227fffe830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 13: 0x0c227fffe840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13: 0x0c227fffe850: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
> 13: =>0x0c227fffe860: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
> 13: 0x0c227fffe870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13: 0x0c227fffe880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 13: 0x0c227fffe890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 13: 0x0c227fffe8a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
> 13: 0x0c227fffe8b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
> 13: Shadow byte legend (one shadow byte represents 8 application bytes):
> 13: Addressable: 00
> 13: Partially addressable: 01 02 03 04 05 06 07
> 13: Heap left redzone: fa
> 13: Freed heap region: fd
> 13: Stack left redzone: f1
> 13: Stack mid redzone: f2
> 13: Stack right redzone: f3
> 13: Stack after return: f5
> 13: Stack use after scope: f8
> 13: Global redzone: f9
> 13: Global init order: f6
> 13: Poisoned by user: f7
> 13: Container overflow: fc
> 13: Array cookie: ac
> 13: Intra object redzone: bb
> 13: ASan internal: fe
> 13: Left alloca redzone: ca
> 13: Right alloca redzone: cb
> 13: ==29106==ABORTING
> [...]
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
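The report above carries only the sanitizer trace, not the source of qd_alloc_finalize. The C program below is an added example, not Qpid Dispatch code: the item layout, the names and the loop shape are assumptions made for illustration. It reproduces the class of signature in the trace, an 8-byte WRITE at offset 0 of a 192-byte pool item that the same finalize routine freed, and shows the corrected ordering beside it.

```c
/* Added example, not Qpid Dispatch code: a pool finalizer that frees a
 * node and then writes to it, beside the corrected ordering.  The item
 * layout, names and list shape are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>

typedef struct item_t {
    struct item_t *next;     /* offset 0: the 8-byte write lands here on 64-bit */
    char           payload[184];
} item_t;                    /* 192 bytes on 64-bit, the region size in the report */

typedef struct {
    item_t *head;
    size_t  count;
} pool_t;

static item_t *pool_alloc(pool_t *p)
{
    item_t *i = calloc(1, sizeof *i);
    if (!i)
        return NULL;
    i->next = p->head;       /* push on the front of the singly linked pool */
    p->head = i;
    p->count++;
    return i;
}

/* Buggy ordering: the node is freed, then written while being unlinked.
 * Under ASan this aborts with heap-use-after-free, with the WRITE and the
 * free both attributed to this one function, as in the DISPATCH-849 trace. */
void pool_finalize_buggy(pool_t *p)
{
    while (p->head) {
        item_t *i = p->head;
        p->head = i->next;     /* still valid: i has not been freed yet        */
        free(i);               /* freed here ...                               */
        i->next = NULL;        /* ... WRITE of size 8 at offset 0 of freed region */
        p->count--;
    }
}

/* Fixed ordering: unlink and clear the node while it is still valid,
 * then free it last; nothing dereferences i after free(). */
void pool_finalize_fixed(pool_t *p)
{
    while (p->head) {
        item_t *i = p->head;
        p->head = i->next;
        i->next = NULL;
        p->count--;
        free(i);
    }
}

/* Allocate n items, finalize with the fixed routine, and report whether the
 * pool is empty afterwards (1 = empty, 0 = allocation failed or state left). */
int finalize_roundtrip(size_t n)
{
    pool_t p = { NULL, 0 };
    for (size_t k = 0; k < n; k++)
        if (!pool_alloc(&p))
            return 0;
    pool_finalize_fixed(&p);
    return p.head == NULL && p.count == 0;
}

int main(void)
{
    pool_t p = { NULL, 0 };
    for (int k = 0; k < 4; k++)
        pool_alloc(&p);
#ifdef DEMO_BUGGY
    pool_finalize_buggy(&p);   /* build with -fsanitize=address -DDEMO_BUGGY */
#else
    pool_finalize_fixed(&p);
#endif
    printf("pool empty: %s\n", (p.head == NULL && p.count == 0) ? "yes" : "no");
    return 0;
}
```

Build with `cc -g -fsanitize=address -DDEMO_BUGGY example.c && ./a.out` to see the buggy routine abort: ASan reports a WRITE of size 8 located 0 bytes inside a freed 192-byte region, with both the write and the free attributed to pool_finalize_buggy, which is the same shape as frames #0 and #1 of the trace above. Without -DDEMO_BUGGY the fixed routine runs and the pool ends up empty. The exact line ordering inside the real qd_alloc_finalize is not on this page; the example only shows that a free-before-unlink in a list-draining loop produces this signature and that moving the free to the end of the iteration removes it.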
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org