GeoUserRaster causes use after free #309

Closed
jpswinski opened this issue Sep 6, 2023 · 1 comment
Comments

@jpswinski (Member) commented Sep 6, 2023

The geouser_raster.lua selftest needed to be removed from the test runner because it causes an error when run under the address sanitizer.

############################################
Running Test Script: geouser_raster.lua
############################################


------------------
Test01: sample
------------------
=================================================================
==1660881==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa5d831d6 at pc 0x0000004adcec bp 0xffff5bbfb300 sp 0xffff5bbfaae8
READ of size 4 at 0xffffa5d831d6 thread T132
    #0 0x4adce8 in memcpy (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x4adce8)
    #1 0xffffac9fc218 in VSIMemHandle::Read(void*, unsigned long, unsigned long) (/usr/local/lib/libgdal.so.32+0x314218)
    #2 0xffffac16e2e8  (/lib/aarch64-linux-gnu/libtiff.so.5+0x3e2e8)
    #3 0xffffac16eda0 in TIFFReadEncodedStrip (/lib/aarch64-linux-gnu/libtiff.so.5+0x3eda0)
    #4 0xffffacd3942c in GTiffDataset::ReadStrile(int, void*, long long) (/usr/local/lib/libgdal.so.32+0x65142c)
    #5 0xffffacd4ec4c in GTiffRasterBand::IReadBlock(int, int, void*) (/usr/local/lib/libgdal.so.32+0x666c4c)
    #6 0xffffad5be4d0 in GDALRasterBand::GetLockedBlockRef(int, int, int) (/usr/local/lib/libgdal.so.32+0xed64d0)
    #7 0x7839e4 in GdalRaster::readPixel(GdalRaster::Point const&) /home/jswinski/meta/sliderule/packages/geo/GdalRaster.cpp:275:27
    #8 0x7830b0 in GdalRaster::samplePOI(GdalRaster::Point const&) /home/jswinski/meta/sliderule/packages/geo/GdalRaster.cpp:170:17
    #9 0x792e64 in GeoRaster::getSamples(double, double, double, long, std::vector<RasterSample, std::allocator<RasterSample> >&, void*) /home/jswinski/meta/sliderule/packages/geo/GeoRaster.cpp:58:16
    #10 0x703b20 in RasterObject::luaSamples(lua_State*) /home/jswinski/meta/sliderule/packages/geo/RasterObject.cpp:200:18
    #11 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #12 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #13 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #14 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #15 0xffffaf2c6368 in lua_callk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8368)
    #16 0xffffaf2dcacc  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x1eacc)
    #17 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #18 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #19 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #20 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #21 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #22 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #23 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #24 0x5ae8e8 in LuaEngine::docall(int, int) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:813:14
    #25 0x5afed0 in LuaEngine::handlescript(char const*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1009:18
    #26 0x5ae1c0 in LuaEngine::pmain(lua_State*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1125:33
    #27 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #28 0xffffaf2cad14  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd14)
    #29 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #30 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #31 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #32 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #33 0x5aa988 in LuaEngine::protectedThread(void*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:548:22
    #34 0xffffaf3d0620 in start_thread /build/glibc-RIFKjK/glibc-2.31/nptl/pthread_create.c:477:8
    #35 0xffffac3fc498  /build/glibc-RIFKjK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

0xffffa5d831d6 is located 406 bytes inside of 411-byte region [0xffffa5d83040,0xffffa5d831db)
freed by thread T132 here:
    #0 0x537af4 in operator delete(void*) (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x537af4)
    #1 0x701e6c in GeoUserRaster::create(lua_State*, int) /home/jswinski/meta/sliderule/packages/geo/GeoUserRaster.cpp:112:1
    #2 0x70178c in GeoUserRaster::luaCreate(lua_State*) /home/jswinski/meta/sliderule/packages/geo/GeoUserRaster.cpp:63:35
    #3 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #4 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #5 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #6 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #7 0xffffaf2c6368 in lua_callk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8368)
    #8 0xffffaf2dcacc  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x1eacc)
    #9 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #10 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #11 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #12 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #13 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #14 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #15 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #16 0x5ae8e8 in LuaEngine::docall(int, int) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:813:14
    #17 0x5afed0 in LuaEngine::handlescript(char const*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1009:18
    #18 0x5ae1c0 in LuaEngine::pmain(lua_State*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1125:33
    #19 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #20 0xffffaf2cad14  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd14)
    #21 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #22 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #23 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #24 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #25 0x5aa988 in LuaEngine::protectedThread(void*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:548:22
    #26 0xffffaf3d0620 in start_thread /build/glibc-RIFKjK/glibc-2.31/nptl/pthread_create.c:477:8
    #27 0xffffac3fc498  /build/glibc-RIFKjK/glibc-2.31/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

previously allocated by thread T132 here:
    #0 0x5372b4 in operator new(unsigned long) (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x5372b4)
    #1 0xffffac5f9a14 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct(unsigned long, char) (/lib/aarch64-linux-gnu/libstdc++.so.6+0x137a14)
    #2 0x78085c in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string<std::allocator<char> >(unsigned long, char, std::allocator<char> const&) /usr/bin/../lib/gcc/aarch64-linux-gnu/9/../../../../include/c++/9/bits/basic_string.h:546:9
    #3 0x77f720 in MathLib::b64decode[abi:cxx11](void const*, unsigned long const&) /home/jswinski/meta/sliderule/packages/core/MathLib.cpp:326:17
    #4 0x701cd4 in GeoUserRaster::create(lua_State*, int) /home/jswinski/meta/sliderule/packages/geo/GeoUserRaster.cpp:104:24
    #5 0x70178c in GeoUserRaster::luaCreate(lua_State*) /home/jswinski/meta/sliderule/packages/geo/GeoUserRaster.cpp:63:35
    #6 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #7 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #8 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #9 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #10 0xffffaf2c6368 in lua_callk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8368)
    #11 0xffffaf2dcacc  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x1eacc)
    #12 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #13 0xffffaf2d7e24  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x19e24)
    #14 0xffffaf2cad50  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd50)
    #15 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #16 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #17 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #18 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #19 0x5ae8e8 in LuaEngine::docall(int, int) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:813:14
    #20 0x5afed0 in LuaEngine::handlescript(char const*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1009:18
    #21 0x5ae1c0 in LuaEngine::pmain(lua_State*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:1125:33
    #22 0xffffaf2ca93c  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc93c)
    #23 0xffffaf2cad14  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd14)
    #24 0xffffaf2cad94  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xcd94)
    #25 0xffffaf2ca128  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xc128)
    #26 0xffffaf2cb024  (/lib/aarch64-linux-gnu/liblua5.3.so.0+0xd024)
    #27 0xffffaf2c6438 in lua_pcallk (/lib/aarch64-linux-gnu/liblua5.3.so.0+0x8438)
    #28 0x5aa988 in LuaEngine::protectedThread(void*) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:548:22
    #29 0xffffaf3d0620 in start_thread /build/glibc-RIFKjK/glibc-2.31/nptl/pthread_create.c:477:8

Thread T132 created by T0 here:
    #0 0x4f3984 in pthread_create (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x4f3984)
    #1 0x770cb0 in Thread::Thread(void* (*)(void*), void*, bool) /home/jswinski/meta/sliderule/platforms/linux/Thread.cpp:69:15
    #2 0x5a9f74 in LuaEngine::LuaEngine(char const*, int, char (*) [1024], unsigned int, void (*)(lua_State*, lua_Debug*), bool) /home/jswinski/meta/sliderule/packages/core/LuaEngine.cpp:93:28
    #3 0x53995c in main /home/jswinski/meta/sliderule/targets/server-linux/SlideRule.cpp:336:34
    #4 0xffffac34be0c in __libc_start_main /build/glibc-RIFKjK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x4999f4 in _start (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x4999f4)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/jswinski/meta/sliderule/stage/sliderule/bin/sliderule-v3.7.0+0x4adce8) in memcpy
Shadow bytes around the buggy address:
  0x200ff4bb05e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff4bb05f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff4bb0600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x200ff4bb0610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff4bb0620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x200ff4bb0630: fd fd fd fd fd fd fd fd fd fd[fd]fd fa fa fa fa
  0x200ff4bb0640: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x200ff4bb0650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff4bb0660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x200ff4bb0670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x200ff4bb0680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1660881==ABORTING
make: *** [Makefile:147: selftest] Error 1
@elidwa (Contributor) commented Sep 8, 2023

This has been fixed on subset branch. Buffer user raster data had to be allocated on the heap. Ownership of the buffer is now passed to the VSIFile system. When the file is VSIUnlinked, the memory is properly freed. I enabled geouser_raster.lua in the test_runner.lua on subset branch.

elidwa closed this as completed Sep 8, 2023
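The lifetime bug the sanitizer report points at (a std::string returned by b64decode at GeoUserRaster.cpp:104, destroyed when create() returns at line 112, and read later through VSIMemHandle::Read), together with the ownership-transfer fix described in the closing comment, as an added C++ example. This is not SlideRule's or GDAL's code: MemFS is a hypothetical stand-in for GDAL's /vsimem/ file system (fileFromMemBuffer, read and unlink mirror only the shape of VSIFileFromMemBuffer, VSIMemHandle::Read and VSIUnlink), b64decode is a generic decoder standing in for MathLib::b64decode, the path names are made up, and the raster payload is a constructed string rather than a GeoTIFF.

```cpp
// Added example, not SlideRule or GDAL code: a minimal model of the /vsimem/
// ownership bug in the ASan report above and of the fix described in the thread.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Generic base64 decoder standing in for MathLib::b64decode. Like the original
// it returns a std::string, i.e. a heap buffer owned by a local in the caller.
static std::string b64decode(const std::string& in) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;                                  // padding ends the data
        if (c == '\n' || c == '\r' || c == ' ') continue;     // tolerate line wrapping
        size_t v = tbl.find(c);
        if (v == std::string::npos) throw std::invalid_argument("bad base64 char");
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((acc >> bits) & 0xFF));
        }
    }
    return out;
}

// Hypothetical stand-in for GDAL's in-memory file system. fileFromMemBuffer()
// has the shape of VSIFileFromMemBuffer(path, data, len, bTakeOwnership): with
// takeOwnership=false the file system only borrows the caller's pointer.
class MemFS {
public:
    void fileFromMemBuffer(const std::string& path, uint8_t* data, size_t len,
                           bool takeOwnership) {
        Entry e;
        e.data = data;
        e.len = len;
        if (takeOwnership) e.owned.reset(data);   // released when the entry is erased
        files_[path] = std::move(e);
    }
    // Shape of VSIMemHandle::Read: the memcpy here is what ASan flags once `data`
    // points into a freed region.
    size_t read(const std::string& path, size_t offset, void* out, size_t n) const {
        auto it = files_.find(path);
        if (it == files_.end() || offset >= it->second.len) return 0;
        size_t avail = it->second.len - offset;
        size_t take = n < avail ? n : avail;
        std::memcpy(out, it->second.data + offset, take);
        return take;
    }
    // Shape of VSIUnlink(): drop the entry; an owned buffer is freed here.
    bool unlink(const std::string& path) { return files_.erase(path) == 1; }
private:
    struct Entry {
        uint8_t* data = nullptr;
        size_t len = 0;
        std::unique_ptr<uint8_t[]> owned;         // non-null only when we own `data`
    };
    std::map<std::string, Entry> files_;
};

// BEFORE (the pattern the report points at): the decoded raster is a local
// std::string, its buffer is registered without ownership, and it is freed when
// the function returns, so every later read() is a heap-use-after-free.
static void createUserRasterBorrowed(MemFS& fs, const std::string& path,
                                     const std::string& b64) {
    std::string raster = b64decode(b64);
    fs.fileFromMemBuffer(path, reinterpret_cast<uint8_t*>(&raster[0]),
                         raster.size(), /*takeOwnership=*/false);
}   // `raster` is destroyed here; fs now holds a dangling pointer

// AFTER: copy the bytes into a heap buffer the file system takes ownership of;
// they stay valid until unlink() (VSIUnlink in the real fix) releases them.
static void createUserRasterOwned(MemFS& fs, const std::string& path,
                                  const std::string& b64) {
    std::string decoded = b64decode(b64);
    std::unique_ptr<uint8_t[]> buf(new uint8_t[decoded.size()]);
    std::memcpy(buf.get(), decoded.data(), decoded.size());
    fs.fileFromMemBuffer(path, buf.release(), decoded.size(), /*takeOwnership=*/true);
}

// Exercises the fixed path end to end: bytes readable after create(), gone after
// unlink(). Returns true only if every step behaves as expected.
static bool ownedLifecycleOk() {
    const std::string kPath = "/vsimem/user_raster.bin";       // hypothetical path
    const std::string kPayloadB64 = "SGVsbG8gcmFzdGVy";         // constructed: "Hello raster"
    MemFS fs;
    createUserRasterOwned(fs, kPath, kPayloadB64);
    char out[16] = {0};
    if (fs.read(kPath, 0, out, sizeof(out)) != 12) return false;
    if (std::memcmp(out, "Hello raster", 12) != 0) return false;
    if (fs.read(kPath, 6, out, 6) != 6 || std::memcmp(out, "raster", 6) != 0) return false;
    if (!fs.unlink(kPath)) return false;                       // frees the owned buffer
    if (fs.read(kPath, 0, out, sizeof(out)) != 0) return false;
    return !fs.unlink(kPath);                                  // nothing left to unlink
}

int main() {
    MemFS fs;
    const std::string path = "/vsimem/user_raster.bin";
#ifdef DEMO_UAF
    // Build with -DDEMO_UAF -fsanitize=address to reproduce a report like the one above.
    createUserRasterBorrowed(fs, path, "SGVsbG8gcmFzdGVy");
#else
    createUserRasterOwned(fs, path, "SGVsbG8gcmFzdGVy");
#endif
    char out[16] = {0};
    size_t n = fs.read(path, 0, out, sizeof(out) - 1);
    std::printf("read %zu bytes: %.*s\n", n, static_cast<int>(n), out);
    fs.unlink(path);
    return ownedLifecycleOk() ? 0 : 1;
}
```

Compiled as-is the program takes the fixed path and exits 0; compiled with `-DDEMO_UAF -fsanitize=address` it registers the borrowed buffer and ASan reports a heap-use-after-free in the memcpy inside read(), with the free attributed to the end of createUserRasterBorrowed(), the same three-frame story (read, free, allocation in the decoder) the report above tells. The thing to verify in a fix of this shape is the ownership flag passed to the file system: once it is true, the buffer's lifetime is tied to the /vsimem/ entry and released by the unlink, not by the scope that decoded it.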