[ 
https://issues.apache.org/jira/browse/PROTON-2460?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17626714#comment-17626714
 ] 

ASF subversion and git services commented on PROTON-2460:
---------------------------------------------------------

Commit e245c19d8ea421994eacffd46bf078ae169ce8b6 in qpid-proton's branch 
refs/heads/main from Clifford Jansen
[ https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=e245c19d8 ]

PROTON-2460: if max frame size not set by application, set default max frame 
size to 32k


> heap-use-after-free in pn_strdup called from pn_experimental::pni_iocp_recv
> ---------------------------------------------------------------------------
>
>                 Key: PROTON-2460
>                 URL: https://issues.apache.org/jira/browse/PROTON-2460
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: cpp-binding
>    Affects Versions: proton-c-0.36.0
>            Reporter: Jiri Daněk
>            Priority: Major
>         Attachments: log.txt
>
>
> Microsoft has been implementing Sanitizers in MSVC. It is supposed to be 
> available in VS2019, but it did not work for me (CMake failed to validate the 
> compiler when I added {{/fsanitize=address}} to {{-DCMAKE_C_FLAGS}}). I 
> decided to pick up the VS2022 beta, where I got one sanitizer report.
> As far as I know, this is the first time sanitizers were run on the IOCP 
> proactor code.
> {noformat}
> 26: Test command: "C:\Program Files\Python310\python.exe" 
> "C:/Users/Vitorio/CLionProjects/qpid-proton/scripts/env.py" "--" 
> "PATH=C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp/examples;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/c;C:/Users/Vitorio/CLionProjects/qpid-proton/cmake-build-debug-visual-studio-2022/cpp"
>  "PYTHONPATH=C:/Users/Vitorio/CLionProjects/qpid-proton/tests/py" 
> "HAS_CPP11=" "C:/Program Files/Python310/python.exe" 
> "C:/Users/Vitorio/CLionProjects/qpid-proton/cpp/examples/testme" "-v" 
> "ContainerExampleTest"
> 26: Test timeout computed to be: 1500
> 26: test_encode_decode (__main__.ContainerExampleTest) ... ok
> 26: test_flow_control (__main__.ContainerExampleTest) ... ok
> 26: test_helloworld (__main__.ContainerExampleTest) ... ok
> 26: test_message_properties (__main__.ContainerExampleTest) ... ok
> 26: test_multithreaded_client (__main__.ContainerExampleTest) ... ok
> 26: test_request_response (__main__.ContainerExampleTest) ... ok
> 26: test_request_response_direct (__main__.ContainerExampleTest) ... ok
> 26: test_scheduled_send (__main__.ContainerExampleTest) ... ok
> 26: test_scheduled_send_03 (__main__.ContainerExampleTest) ... ERROR
> 26: test_simple_recv_direct_send (__main__.ContainerExampleTest) ... ok
> 26: test_simple_recv_send (__main__.ContainerExampleTest) ... ERROR
> 26: test_simple_send_direct_recv (__main__.ContainerExampleTest) ... ok
> 26: test_simple_send_recv (__main__.ContainerExampleTest) ... ERROR
> {noformat}
> ...
> {noformat}
> 26: ________________________________ stderr(18088) 
> ________________________________
> 26: =================================================================
> 26: ==18088==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x1227308a78e0 at pc 0x7ffbaed05d1e bp 0x00b894bfe9f0 sp 0x00b894bfe9f8
> 26: READ of size 2 at 0x1227308a78e0 thread T1
> 26:     #0 0x7ffbaed05d50 in _asan_wrap_GlobalSize+0x4304a 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50)
> 26:     #1 0x7ffbb3ee33af in pn_strdup 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
> 26:     #2 0x7ffbb3ee441c in pn_error_set 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
> 26:     #3 0x7ffbb3ee3f16 in pn_error_copy 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
> 26:     #4 0x7ffbd946e478 in pn_experimental::pni_iocp_recv 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
> 26:     #5 0x7ffbd9465adf in pconnection_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
> 26:     #6 0x7ffbd9463b73 in psocket_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #7 0x7ffbd94639b2 in proactor_completion_loop 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #8 0x7ffbd9462f84 in pn_proactor_wait 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #9 0x7ffbcab00478 in proton::container::impl::thread 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #10 0x7ffbcaaad15c in std::invoke<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #11 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #12 0x7ffbb4074c7b in register_onexit_function+0xeb 
> (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #13 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #14 0x7ffbf7007033 in BaseThreadInitThunk+0x13 
> (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #15 0x7ffbf8162650 in RtlUserThreadStart+0x20 
> (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: 0x1227308a78e0 is located 0 bytes inside of 74-byte region 
> [0x1227308a78e0,0x1227308a792a)
> 26: freed by thread T1 here:
> 26:     #0 0x7ffbaed0f071 in _asan_wrap_GlobalSize+0x4c36b 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f071)
> 26:     #1 0x7ffbb3ee15ad in pni_mem_subdeallocate 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:276
> 26:     #2 0x7ffbb3ee456c in pn_error_clear 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:67
> 26:     #3 0x7ffbb3ee43ab in pn_error_set 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:75
> 26:     #4 0x7ffbb3ee3f16 in pn_error_copy 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:120
> 26:     #5 0x7ffbd946e478 in pn_experimental::pni_iocp_recv 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1126
> 26:     #6 0x7ffbd9465adf in pconnection_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2367
> 26:     #7 0x7ffbd9463b73 in psocket_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #8 0x7ffbd94639b2 in proactor_completion_loop 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #9 0x7ffbd9462f84 in pn_proactor_wait 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #10 0x7ffbcab00478 in proton::container::impl::thread 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #11 0x7ffbcaaad15c in std::invoke<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #12 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #13 0x7ffbb4074c7b in register_onexit_function+0xeb 
> (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #14 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #15 0x7ffbf7007033 in BaseThreadInitThunk+0x13 
> (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #16 0x7ffbf8162650 in RtlUserThreadStart+0x20 
> (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: previously allocated by thread T1 here:
> 26:     #0 0x7ffbaed0f201 in _asan_wrap_GlobalSize+0x4c4fb 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18004f201)
> 26:     #1 0x7ffbb3ee1608 in pni_mem_allocate 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\memory.c:270
> 26:     #2 0x7ffbb3ee33c1 in pn_strdup 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\util.c:122
> 26:     #3 0x7ffbb3ee441c in pn_error_set 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:78
> 26:     #4 0x7ffbb3ee42f7 in pn_error_vformat 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:91
> 26:     #5 0x7ffbb3ee40dc in pn_error_format 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\core\error.c:99
> 26:     #6 0x7ffbd9473b91 in pn_experimental::pni_win32_error 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:567
> 26:     #7 0x7ffbd9473781 in pn_experimental::iocpdesc_fail 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:572
> 26:     #8 0x7ffbd946e906 in pn_experimental::complete_read 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1107
> 26:     #9 0x7ffbd94694c2 in do_complete 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:1817
> 26:     #10 0x7ffbd9465738 in pconnection_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2335
> 26:     #11 0x7ffbd9463b73 in psocket_process 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2487
> 26:     #12 0x7ffbd94639b2 in proactor_completion_loop 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2528
> 26:     #13 0x7ffbd9462f84 in pn_proactor_wait 
> C:\Users\Vitorio\CLionProjects\qpid-proton\c\src\proactor\win_iocp.cpp:2552
> 26:     #14 0x7ffbcab00478 in proton::container::impl::thread 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:747
> 26:     #15 0x7ffbcaaad15c in std::invoke<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\type_traits:1494
> 26:     #16 0x7ffbcaab66cb in std::thread::_Invoke<std::tuple<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *>,0,1> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:55
> 26:     #17 0x7ffbb4074c7b in register_onexit_function+0xeb 
> (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x180074c7b)
> 26:     #18 0x7ffbaed1e573 in _asan_wrap_GlobalSize+0x5b86d 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005e573)
> 26:     #19 0x7ffbf7007033 in BaseThreadInitThunk+0x13 
> (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #20 0x7ffbf8162650 in RtlUserThreadStart+0x20 
> (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: Thread T1 created by T0 here:
> 26:     #0 0x7ffbaed1f3b8 in _asan_wrap_GlobalSize+0x5c6b2 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x18005f3b8)
> 26:     #1 0x7ffbb40753fe in beginthreadex+0x14e 
> (C:\WINDOWS\SYSTEM32\ucrtbased.dll+0x1800753fe)
> 26:     #2 0x7ffbcaaaf072 in std::thread::_Start<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:75
> 26:     #3 0x7ffbcaaa82c0 in std::thread::thread<void (__cdecl 
> proton::container::impl::*)(void),proton::container::impl *,0> C:\Program 
> Files\Microsoft Visual 
> Studio\2022\Preview\VC\Tools\MSVC\14.30.30705\include\thread:90
> 26:     #4 0x7ffbcab0897c in proton::container::impl::run 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\proactor_container_impl.cpp:795
> 26:     #5 0x7ffbcaafe905 in proton::container::run 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\src\container.cpp:94
> 26:     #6 0x7ff7c015c88a in broker::run 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:381
> 26:     #7 0x7ff7c01128a4 in main 
> C:\Users\Vitorio\CLionProjects\qpid-proton\cpp\examples\broker.cpp:419
> 26:     #8 0x7ff7c0160918 in invoke_main 
> d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
> 26:     #9 0x7ff7c016086d in __scrt_common_main_seh 
> d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
> 26:     #10 0x7ff7c016072d in __scrt_common_main 
> d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
> 26:     #11 0x7ff7c016098d in mainCRTStartup 
> d:\a01\_work\20\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
> 26:     #12 0x7ffbf7007033 in BaseThreadInitThunk+0x13 
> (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
> 26:     #13 0x7ffbf8162650 in RtlUserThreadStart+0x20 
> (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
> 26: 
> 26: SUMMARY: AddressSanitizer: heap-use-after-free 
> (C:\Users\Vitorio\CLionProjects\qpid-proton\cmake-build-debug-visual-studio-2022\cpp\clang_rt.asan_dbg_dynamic-x86_64.dll+0x180045d50)
>  in _asan_wrap_GlobalSize+0x4304a
> 26: Shadow bytes around the buggy address:
> 26:   0x045e16994ec0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
> 26:   0x045e16994ed0: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
> 26:   0x045e16994ee0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
> 26:   0x045e16994ef0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
> 26:   0x045e16994f00: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
> 26: =>0x045e16994f10: 00 00 00 00 00 00 06 fa fa fa fa fa[fd]fd fd fd
> 26:   0x045e16994f20: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
> 26:   0x045e16994f30: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
> 26:   0x045e16994f40: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
> 26:   0x045e16994f50: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
> 26:   0x045e16994f60: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
> 26: Shadow byte legend (one shadow byte represents 8 application bytes):
> 26:   Addressable:           00
> 26:   Partially addressable: 01 02 03 04 05 06 07 
> 26:   Heap left redzone:       fa
> 26:   Freed heap region:       fd
> 26:   Stack left redzone:      f1
> 26:   Stack mid redzone:       f2
> 26:   Stack right redzone:     f3
> 26:   Stack after return:      f5
> 26:   Stack use after scope:   f8
> 26:   Global redzone:          f9
> 26:   Global init order:       f6
> 26:   Poisoned by user:        f7
> 26:   Container overflow:      fc
> 26:   Array cookie:            ac
> 26:   Intra object redzone:    bb
> 26:   ASan internal:           fe
> 26:   Left alloca redzone:     ca
> 26:   Right alloca redzone:    cb
> 26:   Shadow gap:              cc
> 26: ==18088==ABORTING
> 26: ________________________________ stderr(18088) 
> ________________________________
> 26: 
> Failed
> {noformat}
> To enable the sanitizer, I followed the blog post at 
> https://devblogs.microsoft.com/cppblog/address-sanitizer-for-msvc-now-generally-available/.
> I added the /fsanitize=address compile flag, then I had to manually find and 
> copy {{clang_rt.asan_dbg_dynamic-x86_64.dll}} from the VS directory to the 
> directory where the compiled test binary is located.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
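The ASan trace quoted above places both halves of the use-after-free inside a single pn_error_set call: the 74-byte text buffer is freed by pn_error_clear (error.c:67, called from error.c:75) and then read by pn_strdup (error.c:78), both reached through pn_error_copy from pni_iocp_recv. That clear-then-duplicate ordering only goes wrong when the text being copied lives in the buffer that pn_error_clear just released, i.e. when the source error aliases the destination (self-copy, or a pointer into the destination's own text). That reading of the trace is mine, not something the ticket states. The C program below is an added example, not Proton's code and not the fix committed for this ticket: it models the call sequence with a constructed err_t struct (field and function names are assumptions), shows the unsafe ordering beside a copy-then-clear ordering that tolerates aliasing, and reproduces an ASan report of the same shape on demand.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an error object that owns a code and a text buffer.
 * Not Proton's pn_error_t; the names below are assumptions for this example. */
typedef struct {
    int code;
    char *text;
} err_t;

/* Copy a C string into fresh heap memory (NULL stays NULL). */
static char *dup_str(const char *s) {
    if (!s) return NULL;
    size_t n = strlen(s) + 1;
    char *p = (char *)malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static void err_clear(err_t *e) {
    e->code = 0;
    free(e->text);
    e->text = NULL;
}

/* Same ordering the ASan trace shows: clear (free the old text) and only then
 * duplicate the incoming text. If 'text' points into e->text, dup_str reads
 * memory that err_clear freed a moment earlier: heap-use-after-free. */
static int err_set_unsafe(err_t *e, int code, const char *text) {
    if (code) {
        err_clear(e);
        e->code = code;
        e->text = dup_str(text);
    }
    return code;
}

/* Hardened ordering: take the copy while the source is still alive, then
 * release the old buffer. Correct for any aliasing, including self-copy. */
static int err_set_safe(err_t *e, int code, const char *text) {
    if (code) {
        char *copy = dup_str(text);
        err_clear(e);
        e->code = code;
        e->text = copy;
    }
    return code;
}

/* Copy src into dst; src == dst is allowed. */
static int err_copy_safe(err_t *dst, const err_t *src) {
    if (!src) { err_clear(dst); return 0; }
    return err_set_safe(dst, src->code, src->text);
}

/* Scenario 1: copy an error onto itself. Returns 1 if code and text survive. */
int demo_self_copy(void) {
    err_t e = {0, NULL};
    err_set_safe(&e, 10054, "WSARecv failed (constructed message)");
    int code = err_copy_safe(&e, &e);
    int ok = (code == 10054 && e.text &&
              strcmp(e.text, "WSARecv failed (constructed message)") == 0);
    err_clear(&e);
    return ok;
}

/* Scenario 2: the new text is a suffix living inside the destination's own buffer. */
int demo_alias_suffix(void) {
    err_t e = {0, NULL};
    err_set_safe(&e, 1, "prefix: detail");
    int code = err_set_safe(&e, 2, e.text + 8);   /* "detail", inside e.text */
    int ok = (code == 2 && e.text && strcmp(e.text, "detail") == 0);
    err_clear(&e);
    return ok;
}

int main(int argc, char **argv) {
    printf("self copy:    %s\n", demo_self_copy() ? "ok" : "FAIL");
    printf("alias suffix: %s\n", demo_alias_suffix() ? "ok" : "FAIL");
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        /* Build with -fsanitize=address (clang/gcc) or /fsanitize=address (MSVC)
         * to get a report shaped like the ticket's: freed in err_clear, read in
         * dup_str, both under the same err_set_unsafe frame. */
        err_t e = {0, NULL};
        err_set_unsafe(&e, 1, "original text");
        err_set_unsafe(&e, 2, e.text);
        err_clear(&e);
    }
    return 0;
}
```

Build and run the unsafe path under a sanitizer to see the pattern fire, e.g. `clang -g -fsanitize=address uaf.c -o uaf && ./uaf --unsafe`; without the flag both safe scenarios print ok. The general lesson is the one the trace teaches: a setter that frees its old state before reading its arguments is unsafe against aliasing, and the cheap fix is to complete all reads of the argument before any free.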
