Closed
Hi,
Encountered a segfault when putting large files that are read from stdin. It appears to be a "heap-use-after-free" issue: a growbuffer is accessed after it has already been freed. 100% reproducible.
Below is the output from the library built with gcc 4.9 and ASAN, putting a 160MB file:
$ LD_LIBRARY_PATH=build-debug/lib ./build-debug/bin/s3 put files/zzz < ../file.tar
Sending Part Seq 1, length=15728640
15712256 bytes remaining (85% complete) ...
15695872 bytes remaining (85% complete) ...
15679488 bytes remaining (85% complete) ...
15663104 bytes remaining (85% complete) ...
...
98304 bytes remaining (99% complete) ...
81920 bytes remaining (99% complete) ...
65536 bytes remaining (99% complete) ...
49152 bytes remaining (99% complete) ...
32768 bytes remaining (99% complete) ...
16384 bytes remaining (99% complete) ...
Sending Part Seq 2, length=15728640
=================================================================
==10047==ERROR: AddressSanitizer: heap-use-after-free on address 0x631000000800 at pc 0x402af5 bp 0x7ffe3afb1270 sp 0x7ffe3afb1268
READ of size 4 at 0x631000000800 thread T0
#0 0x402af4 in growbuffer_read src/s3.c:458
#1 0x40ab1e in putObjectDataCallback src/s3.c:2012
#2 0x7efd21abca7b in curl_read_func src/request.c:193
#3 0x7efd205c8295 (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28295)
#4 0x7efd205c8f1c (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28f1c)
#5 0x7efd205d29db (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x329db)
#6 0x7efd205d3180 in curl_multi_perform (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x33180)
#7 0x7efd205ca7b2 in curl_easy_perform (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x2a7b2)
#8 0x7efd21ac4b72 in request_perform src/request.c:1220
#9 0x7efd21ad5906 in S3_upload_part src/multipart.c:222
#10 0x40cb20 in put_object src/s3.c:2453
#11 0x41227d in main src/s3.c:3640
#12 0x7efd20828ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x402018 (/home/zz/_src/libs3/build-debug/bin/s3+0x402018)
0x631000000800 is located 0 bytes inside of 65560-byte region [0x631000000800,0x631000010818)
freed by thread T0 here:
#0 0x7efd20c205c7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x545c7)
#1 0x402e4e in growbuffer_read src/s3.c:473
#2 0x40ab1e in putObjectDataCallback src/s3.c:2012
#3 0x7efd21abca7b in curl_read_func src/request.c:193
#4 0x7efd205c8295 (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28295)
previously allocated by thread T0 here:
#0 0x7efd20c207df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x402578 in growbuffer_append src/s3.c:415
#2 0x40c4c5 in put_object src/s3.c:2313
#3 0x41227d in main src/s3.c:3640
#4 0x7efd20828ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free src/s3.c:458 growbuffer_read
==10047==ABORTING
With best regards,
Ivan.
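The trace above shows a growbuffer node freed inside growbuffer_read (when the node is drained) and then read again on the next multipart part. The following is an added illustration of that buffer pattern and its safe use, not libs3's own code: a constructed chunk list with 8-byte nodes (libs3's node holds 64 KiB; the 65560-byte region in the report is one such node), where the read side frees drained nodes and the consumer must always go through the one live head pointer rather than a stale copy of it. The function names mirror the report but their bodies are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Chunk list; *gb is the one live head. Node holds a constructed 8 bytes (libs3: 64 KiB). */
typedef struct growbuffer { int size, start; char data[8]; struct growbuffer *next; } growbuffer;

/* Append len bytes, filling the tail node first. Returns 0 on allocation failure. */
static int growbuffer_append(growbuffer **gb, const char *src, int len)
{
    growbuffer *t = *gb;
    while (t && t->next) t = t->next;
    while (len > 0) {
        if (!t || t->start + t->size == (int)sizeof t->data) {   /* tail full: link a new node */
            growbuffer *n = calloc(1, sizeof *n);
            if (!n) return 0;
            if (t) t->next = n; else *gb = n;
            t = n;
        }
        int take = (int)sizeof t->data - t->start - t->size;
        if (take > len) take = len;
        memcpy(t->data + t->start + t->size, src, take);
        t->size += take; src += take; len -= take;
    }
    return 1;
}

/* Read up to amt bytes from the head node. A drained node is freed and *gb advanced (or
 * cleared), so later reads must use that same &head; a copied old head is the dangling node. */
static int growbuffer_read(growbuffer **gb, int amt, char *out)
{
    growbuffer *b = *gb;
    if (!b) return 0;
    int n = b->size < amt ? b->size : amt;
    memcpy(out, b->data + b->start, n);
    b->start += n; b->size -= n;
    if (b->size == 0) { *gb = b->next; free(b); }             /* unlink first, then free */
    return n;
}

/* Constructed self-check: 20 bytes over three nodes, read back in 6-byte "parts" of several
 * reads each (as a libcurl read callback would), always via &gb. Returns 1 on success. */
static int demo_roundtrip(void)
{
    static const char in[] = "0123456789abcdefghij";
    char out[32] = {0};
    growbuffer *gb = NULL;
    int total = 0;
    if (!growbuffer_append(&gb, in, 20)) return 0;
    for (int end = 6; gb; end += 6)
        while (gb && total < end) total += growbuffer_read(&gb, end - total, out + total);
    return total == 20 && gb == NULL && memcmp(in, out, 20) == 0;
}
```

Under ASAN, keeping a second copy of the head pointer across the free in growbuffer_read and reading through it reproduces the same heap-use-after-free class reported above.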