[ https://issues.apache.org/jira/browse/DISPATCH-2274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17439460#comment-17439460 ]

ASF subversion and git services commented on DISPATCH-2274:
-----------------------------------------------------------

Commit a2785d25e0ce2c0c9253fe26ab7d8470d6912b6d in qpid-dispatch's branch refs/heads/main from Ganesh Murthy
[ https://gitbox.apache.org/repos/asf?p=qpid-dispatch.git;h=a2785d2 ]

DISPATCH-2274: Fix use after free of qd_link_t by using safe pointer as context


> system_tests_router_mesh: ERROR: AddressSanitizer: use-after-poison in qd_link_pn container.c:1029
> --------------------------------------------------------------------------------------------------
>
>                 Key: DISPATCH-2274
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-2274
>             Project: Qpid Dispatch
>          Issue Type: Bug
>    Affects Versions: 1.18.0
>         Environment: Aarch64 Linux, amd64 macOS
>            Reporter: Jiri Daněk
>            Assignee: Ken Giusti
>            Priority: Major
>             Fix For: 1.18.0
>
>
> https://app.travis-ci.com/github/apache/qpid-dispatch/jobs/545969177
> {noformat}
> 66: Create 10 senders each with a different priority. ... ERROR
> 66: ERROR
> 66: 
> 66: Router RouterC output file:
> 66: >>>>
> 66: =================================================================
> 66: ==21601==ERROR: AddressSanitizer: use-after-poison on address 
> 0x61300007d828 at pc 0x0001064a6469 bp 0x70000843bca0 sp 0x70000843bc98
> 66: READ of size 8 at 0x61300007d828 thread T4
> 66:     #0 0x1064a6468 in qd_link_pn container.c:1029
> 66:     #1 0x1066d0e37 in CORE_link_push router_node.c:1920
> 66:     #2 0x106576df6 in qdr_connection_process connections.c:414
> 66:     #3 0x1064956ce in writable_handler container.c:396
> 66:     #4 0x1066edb36 in thread_run server.c:1149
> 66:     #5 0x7fff5fa152ea in _pthread_body 
> (libsystem_pthread.dylib:x86_64+0x32ea)
> 66:     #6 0x7fff5fa18248 in _pthread_start 
> (libsystem_pthread.dylib:x86_64+0x6248)
> 66:     #7 0x7fff5fa1440c in thread_start 
> (libsystem_pthread.dylib:x86_64+0x240c)
> 66: 
> 66: 0x61300007d828 is located 168 bytes inside of 320-byte region 
> [0x61300007d780,0x61300007d8c0)
> 66: allocated by thread T4 here:
> 66:     #0 0x106f823a7 in wrap_posix_memalign 
> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5f3a7)
> 66:     #1 0x1064555df in qd_alloc alloc_pool.c:396
> 66:     #2 0x10649691a in qd_container_handle_event container.c:75
> 66:     #3 0x1066f4366 in handle server.c:1108
> 66:     #4 0x1066eda23 in thread_run server.c:1133
> 66:     #5 0x7fff5fa152ea in _pthread_body 
> (libsystem_pthread.dylib:x86_64+0x32ea)
> 66:     #6 0x7fff5fa18248 in _pthread_start 
> (libsystem_pthread.dylib:x86_64+0x6248)
> 66:     #7 0x7fff5fa1440c in thread_start 
> (libsystem_pthread.dylib:x86_64+0x240c)
> 66: 
> 66: Thread T4 created by T0 here:
> 66:     #0 0x106f79add in wrap_pthread_create 
> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x56add)
> 66:     #1 0x106535a6d in sys_thread threading.c:181
> 66:     #2 0x1066ed1af in qd_server_run server.c:1525
> 66:     #3 0x1063b081e in main_process main.c:115
> 66:     #4 0x1063af12b in main main.c:369
> 66:     #5 0x7fff5f8213d4 in start (libdyld.dylib:x86_64+0x163d4)
> 66: 
> 66: SUMMARY: AddressSanitizer: use-after-poison container.c:1029 in qd_link_pn
> 66: Shadow bytes around the buggy address:
> 66:   0x1c260000fab0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 66:   0x1c260000fac0: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
> 66:   0x1c260000fad0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
> 66:   0x1c260000fae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 66:   0x1c260000faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 66: =>0x1c260000fb00: 00 00 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 66:   0x1c260000fb10: f7 f7 f7 f7 00 00 00 00 fa fa fa fa fa fa fa fa
> 66:   0x1c260000fb20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 66:   0x1c260000fb30: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
> 66:   0x1c260000fb40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
> 66:   0x1c260000fb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 66: Shadow byte legend (one shadow byte represents 8 application bytes):
> 66:   Addressable:           00
> 66:   Partially addressable: 01 02 03 04 05 06 07 
> 66:   Heap left redzone:       fa
> 66:   Freed heap region:       fd
> 66:   Stack left redzone:      f1
> 66:   Stack mid redzone:       f2
> 66:   Stack right redzone:     f3
> 66:   Stack after return:      f5
> 66:   Stack use after scope:   f8
> 66:   Global redzone:          f9
> 66:   Global init order:       f6
> 66:   Poisoned by user:        f7
> 66:   Container overflow:      fc
> 66:   Array cookie:            ac
> 66:   Intra object redzone:    bb
> 66:   ASan internal:           fe
> 66:   Left alloca redzone:     ca
> 66:   Right alloca redzone:    cb
> 66:   Shadow gap:              cc
> 66: ==21601==ABORTING
> {noformat}
> essentially the same stacktrace in the same job
> {noformat}
> 27: ERROR
> 27: test_90_block_link_route_EB1_INTB 
> (system_tests_policy_oversize_compound.MaxMessageSizeLinkRouteOversize) ... ok
> 27: 
> 27: ======================================================================
> 27: ERROR: tearDownClass 
> (system_tests_policy_oversize_compound.MaxMessageSizeBlockOversize)
> 27: ----------------------------------------------------------------------
> 27: Traceback (most recent call last):
> 27:   File "/Users/travis/build/apache/qpid-dispatch/tests/system_test.py", 
> line 836, in tearDownClass
> 27:     cls.tester.teardown()
> 27:   File "/Users/travis/build/apache/qpid-dispatch/tests/system_test.py", 
> line 779, in teardown
> 27:     raise RuntimeError("Errors during teardown: \n\n%s" % 
> "\n\n".join([str(e) for e in errors]))
> 27: RuntimeError: Errors during teardown: 
> 27: 
> 27: Process 20948 error: exit code -6, expected -1
> 27: qdrouterd -c EB1.conf -I /Users/travis/build/apache/qpid-dispatch/python
> 27: 
> /Users/travis/build/apache/qpid-dispatch/build/tests/system_test.dir/system_tests_policy_oversize_compound/MaxMessageSizeBlockOversize/setUpClass/EB1-4.cmd
> 27: >>>>
> 27: =================================================================
> 27: ==20948==ERROR: AddressSanitizer: use-after-poison on address 
> 0x61300006e328 at pc 0x00010e5d0469 bp 0x7ffee1727ca0 sp 0x7ffee1727c98
> 27: READ of size 8 at 0x61300006e328 thread T0
> 27:     #0 0x10e5d0468 in qd_link_pn container.c:1029
> 27:     #1 0x10e7fae37 in CORE_link_push router_node.c:1920
> 27:     #2 0x10e6a0df6 in qdr_connection_process connections.c:414
> 27:     #3 0x10e5bf6ce in writable_handler container.c:396
> 27:     #4 0x10e817b36 in thread_run server.c:1149
> 27:     #5 0x10e8171fa in qd_server_run server.c:1527
> 27:     #6 0x10e4da81e in main_process main.c:115
> 27:     #7 0x10e4d912b in main main.c:369
> 27:     #8 0x7fff5f8213d4 in start (libdyld.dylib:x86_64+0x163d4)
> 27: 
> 27: 0x61300006e328 is located 168 bytes inside of 320-byte region 
> [0x61300006e280,0x61300006e3c0)
> 27: allocated by thread T0 here:
> 27:     #0 0x10f0b63a7 in wrap_posix_memalign 
> (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5f3a7)
> 27:     #1 0x10e57f5df in qd_alloc alloc_pool.c:396
> 27:     #2 0x10e5c091a in qd_container_handle_event container.c:75
> 27:     #3 0x10e81e366 in handle server.c:1108
> 27:     #4 0x10e817a23 in thread_run server.c:1133
> 27:     #5 0x10e8171fa in qd_server_run server.c:1527
> 27:     #6 0x10e4da81e in main_process main.c:115
> 27:     #7 0x10e4d912b in main main.c:369
> 27:     #8 0x7fff5f8213d4 in start (libdyld.dylib:x86_64+0x163d4)
> 27: 
> 27: SUMMARY: AddressSanitizer: use-after-poison container.c:1029 in qd_link_pn
> 27: Shadow bytes around the buggy address:
> 27:   0x1c260000dc10: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 27:   0x1c260000dc20: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
> 27:   0x1c260000dc30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
> 27:   0x1c260000dc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27:   0x1c260000dc50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 27: =>0x1c260000dc60: 00 00 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
> 27:   0x1c260000dc70: f7 f7 f7 f7 00 00 00 00 fa fa fa fa fa fa fa fa
> 27:   0x1c260000dc80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
> 27:   0x1c260000dc90: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
> 27:   0x1c260000dca0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
> 27:   0x1c260000dcb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 27: Shadow byte legend (one shadow byte represents 8 application bytes):
> 27:   Addressable:           00
> 27:   Partially addressable: 01 02 03 04 05 06 07 
> 27:   Heap left redzone:       fa
> 27:   Freed heap region:       fd
> 27:   Stack left redzone:      f1
> 27:   Stack mid redzone:       f2
> 27:   Stack right redzone:     f3
> 27:   Stack after return:      f5
> 27:   Stack use after scope:   f8
> 27:   Global redzone:          f9
> 27:   Global init order:       f6
> 27:   Poisoned by user:        f7
> 27:   Container overflow:      fc
> 27:   Array cookie:            ac
> 27:   Intra object redzone:    bb
> 27:   ASan internal:           fe
> 27:   Left alloca redzone:     ca
> 27:   Right alloca redzone:    cb
> 27:   Shadow gap:              cc
> 27: ==20948==ABORTING
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
