[ https://issues.apache.org/jira/browse/DRILL-5541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rob Wu updated DRILL-5541:
--------------------------
    Comment: was deleted
(was: I set up a server)

> C++ Client Crashes During Simple "Man in the Middle" Attack Test with Exploitable Write AV
> ------------------------------------------------------------------------------------------
>
>                 Key: DRILL-5541
>                 URL: https://issues.apache.org/jira/browse/DRILL-5541
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - C++
>    Affects Versions: 1.10.0
>            Reporter: Rob Wu
>            Priority: Minor
>
> drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7:
> 000007fe`c292f827 f0ff4b08        lock dec dword ptr [rbx+8] ds:000007fe`c2b3de78=c29e6060
> Exploitability Classification: EXPLOITABLE
> Recommended Bug Title: Exploitable - User Mode Write AV starting at drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0x00000000000000a7 (Hash=0x4ae7fdff.0xb15af658)
> User mode write access violations that are not near NULL are exploitable.
> ======================================
> Stack Trace:
> Child-SP          RetAddr           Call Site
> 00000000`030df630 000007fe`c295bca1 drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\smart_ptr\shared_ptr.hpp @ 620]
> 00000000`030df680 000007fe`c295433c drillClient!Drill::DrillClientImpl::processSchemasResult+0x281 [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1227]
> 00000000`030df7a0 000007fe`c294cbf6 drillClient!Drill::DrillClientImpl::handleRead+0x75c [c:\users\bamboo\desktop\make_win_drill\drill-1.10.0.1\drill-1.10.0.1\contrib\native\client\src\clientlib\drillclientimpl.cpp @ 1555]
> 00000000`030df9c0 000007fe`c294ce9f drillClient!boost_sb::asio::detail::win_iocp_socket_recv_op<boost_sb::asio::mutable_buffers_1,boost_sb::asio::detail::read_op<boost_sb::asio::basic_stream_socket<boost_sb::asio::ip::tcp,boost_sb::asio::stream_socket_service<boost_sb::asio::ip::tcp> >,boost_sb::asio::mutable_buffers_1,boost_sb::asio::detail::transfer_all_t,boost_sb::_bi::bind_t<void,boost_sb::_mfi::mf3<void,Drill::DrillClientImpl,unsigned char * __ptr64,boost_sb::system::error_code const & __ptr64,unsigned __int64>,boost_sb::_bi::list4<boost_sb::_bi::value<Drill::DrillClientImpl * __ptr64>,boost_sb::_bi::value<unsigned char * __ptr64>,boost_sb::arg<1>,boost_sb::arg<2> > > > >::do_complete+0x166 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\win_iocp_socket_recv_op.hpp @ 97]
> 00000000`030dfa90 000007fe`c296009d drillClient!boost_sb::asio::detail::win_iocp_io_service::do_one+0x27f [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 406]
> 00000000`030dfb70 000007fe`c295ffc9 drillClient!boost_sb::asio::detail::win_iocp_io_service::run+0xad [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\detail\impl\win_iocp_io_service.ipp @ 164]
> 00000000`030dfbd0 000007fe`c2aa5b53 drillClient!boost_sb::asio::io_service::run+0x29 [c:\users\bamboo\desktop\make_win_drill\sb_boost\include\boost-1_57\boost\asio\impl\io_service.ipp @ 60]
> 00000000`030dfc10 000007fe`c2ad3e03 drillClient!boost_sb::`anonymous namespace'::thread_start_function+0x43
> 00000000`030dfc50 000007fe`c2ad404e drillClient!_callthreadstartex+0x17 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376]
> 00000000`030dfc80 00000000`779e59cd drillClient!_threadstartex+0x102 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354]
> 00000000`030dfcb0 00000000`77c1a561 kernel32!BaseThreadInitThunk+0xd
> 00000000`030dfce0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
> ======================================
> Register:
> rax=000000000284bae0 rbx=000007fec2b3de70 rcx=00000000027ec210
> rdx=00000000027ec210 rsi=00000000027f2638 rdi=00000000027f25d0
> rip=000007fec292f827 rsp=00000000030df630 rbp=00000000027ec210
>  r8=00000000027ec210  r9=0000000000000000 r10=00000000027d32fc
> r11=000027eb001b0003 r12=00000000ffffffff r13=00000000028035a0
> r14=00000000027ec210 r15=0000000000000000
> iopl=0         nv up ei pl nz na pe nc
> cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
> drillClient!boost_sb::shared_ptr<exec::user::GetSchemasResp>::reset<exec::user::GetSchemasResp>+0xa7:
> 000007fe`c292f827 f0ff4b08        lock dec dword ptr [rbx+8] ds:000007fe`c2b3de78=c29e6060

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)