Retain msg (tls test) can lead to nanomq error (heap use after free) #98

Closed · xinyi-xs opened this issue Aug 4, 2022 · 0 comments
Labels: bug (Something isn't working)

Comments

xinyi-xs (Contributor) commented Aug 4, 2022

Launch nanomq with TLS on, publish a message with the retain flag set, and then a subscribe will crash nanomq.

```shell
# Start the broker with a config that has the TLS listener enabled (port 8883 below)
./nanomq/nanomq start --conf ../etc/nanomq.conf
# Publish one retained message (-r) over TLS; --insecure skips hostname
# verification of the server certificate and is only acceptable for this local test
mosquitto_pub -m message -p 8883 --cafile path/to/cacert.pem  --insecure -t topic -r -d
# Subscribing to the same topic makes the broker deliver the retained message,
# which is the point at which it crashes
mosquitto_sub --cafile path/to/cacert.pem  -t topic -p 8883  --insecure -d
```
=================================================================
==99250==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f00000830c at pc 0x55c8f6bb12cf bp 0x7f76145f7b90 sp 0x7f76145f7b80
WRITE of size 4 at 0x60f00000830c thread T8
    #0 0x55c8f6bb12ce in nni_atomic_dec_nv /home/lee/workspace/nanomq/nng/src/platform/posix/posix_atomic.c:120
    #1 0x55c8f6b9a7b5 in nni_msg_free /home/lee/workspace/nanomq/nng/src/core/message.c:458
    #2 0x55c8f6ecac3b in tlstran_pipe_send_cb /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:515
    #3 0x55c8f6baa70e in nni_taskq_thread /home/lee/workspace/nanomq/nng/src/core/taskq.c:50
    #4 0x55c8f6bab9ff in nni_thr_wrap /home/lee/workspace/nanomq/nng/src/core/thread.c:94
    #5 0x55c8f6bb49a6 in nni_plat_thr_main /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:266
    #6 0x7f761b575b42 in start_thread nptl/pthread_create.c:442
    #7 0x7f761b6079ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)

0x60f00000830c is located 124 bytes inside of 168-byte region [0x60f000008290,0x60f000008338)
freed by thread T9 here:
    #0 0x7f761b7e1517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55c8f6bb0276 in nni_free /home/lee/workspace/nanomq/nng/src/platform/posix/posix_alloc.c:33
    #2 0x55c8f6b9a8a1 in nni_msg_free /home/lee/workspace/nanomq/nng/src/core/message.c:465
    #3 0x55c8f6ecac3b in tlstran_pipe_send_cb /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:515
    #4 0x55c8f6baa70e in nni_taskq_thread /home/lee/workspace/nanomq/nng/src/core/taskq.c:50
    #5 0x55c8f6bab9ff in nni_thr_wrap /home/lee/workspace/nanomq/nng/src/core/thread.c:94
    #6 0x55c8f6bb49a6 in nni_plat_thr_main /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:266
    #7 0x7f761b575b42 in start_thread nptl/pthread_create.c:442

previously allocated by thread T9 here:
    #0 0x7f761b7e1a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x55c8f6bb024d in nni_zalloc /home/lee/workspace/nanomq/nng/src/platform/posix/posix_alloc.c:26
    #2 0x55c8f6b9a36c in nni_msg_alloc /home/lee/workspace/nanomq/nng/src/core/message.c:388
    #3 0x55c8f6ecdc7a in tlstran_pipe_send_start_v4 /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:1064
    #4 0x55c8f6ed004d in tlstran_pipe_send_start /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:1404
    #5 0x55c8f6ed01a8 in tlstran_pipe_send /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:1430
    #6 0x55c8f6b9ea35 in nni_pipe_send /home/lee/workspace/nanomq/nng/src/core/pipe.c:130
    #7 0x55c8f6bd0924 in nano_ctx_send /home/lee/workspace/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:428
    #8 0x55c8f6ba5ca7 in nni_ctx_send /home/lee/workspace/nanomq/nng/src/core/socket.c:1354
    #9 0x55c8f6b81713 in nng_ctx_send /home/lee/workspace/nanomq/nng/src/nng.c:401
    #10 0x55c8f6b77589 in server_cb /home/lee/workspace/nanomq/nanomq/apps/broker.c:330
    #11 0x55c8f6baaf06 in nni_task_exec /home/lee/workspace/nanomq/nng/src/core/taskq.c:144
    #12 0x55c8f6b8e2a3 in nni_aio_finish_impl /home/lee/workspace/nanomq/nng/src/core/aio.c:454
    #13 0x55c8f6b8e325 in nni_aio_finish_sync /home/lee/workspace/nanomq/nng/src/core/aio.c:469
    #14 0x55c8f6bd4885 in nano_pipe_recv_cb /home/lee/workspace/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1088
    #15 0x55c8f6baaf06 in nni_task_exec /home/lee/workspace/nanomq/nng/src/core/taskq.c:144
    #16 0x55c8f6b8e2a3 in nni_aio_finish_impl /home/lee/workspace/nanomq/nng/src/core/aio.c:454
    #17 0x55c8f6b8e325 in nni_aio_finish_sync /home/lee/workspace/nanomq/nng/src/core/aio.c:469
    #18 0x55c8f6ecc68e in tlstran_pipe_recv_cb /home/lee/workspace/nanomq/nng/src/sp/transport/mqtts/broker_tls.c:814
    #19 0x55c8f6baa70e in nni_taskq_thread /home/lee/workspace/nanomq/nng/src/core/taskq.c:50
    #20 0x55c8f6bab9ff in nni_thr_wrap /home/lee/workspace/nanomq/nng/src/core/thread.c:94
    #21 0x55c8f6bb49a6 in nni_plat_thr_main /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:266
    #22 0x7f761b575b42 in start_thread nptl/pthread_create.c:442

Thread T8 created by T0 here:
    #0 0x7f761b785685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55c8f6bb4ad6 in nni_plat_thr_init /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x55c8f6babcab in nni_thr_init /home/lee/workspace/nanomq/nng/src/core/thread.c:121
    #3 0x55c8f6baaa30 in nni_taskq_init /home/lee/workspace/nanomq/nng/src/core/taskq.c:95
    #4 0x55c8f6bab6c9 in nni_taskq_sys_init /home/lee/workspace/nanomq/nng/src/core/taskq.c:294
    #5 0x55c8f6b956cf in nni_init_helper /home/lee/workspace/nanomq/nng/src/core/init.c:35
    #6 0x55c8f6bb4e7b in nni_plat_init /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x55c8f6b95750 in nni_init /home/lee/workspace/nanomq/nng/src/core/init.c:58
    #8 0x55c8f6bd8c28 in nni_proto_mqtt_open /home/lee/workspace/nanomq/nng/src/sp/protocol.c:37
    #9 0x55c8f6bd5166 in nng_nmq_tcp0_open /home/lee/workspace/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1249
    #10 0x55c8f6b7b502 in broker /home/lee/workspace/nanomq/nanomq/apps/broker.c:893
    #11 0x55c8f6b7ed57 in broker_start /home/lee/workspace/nanomq/nanomq/apps/broker.c:1531
    #12 0x55c8f6b57e9b in main /home/lee/workspace/nanomq/nanomq/nanomq.c:139
    #13 0x7f761b50ad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Thread T9 created by T0 here:
    #0 0x7f761b785685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55c8f6bb4ad6 in nni_plat_thr_init /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:279
    #2 0x55c8f6babcab in nni_thr_init /home/lee/workspace/nanomq/nng/src/core/thread.c:121
    #3 0x55c8f6baaa30 in nni_taskq_init /home/lee/workspace/nanomq/nng/src/core/taskq.c:95
    #4 0x55c8f6bab6c9 in nni_taskq_sys_init /home/lee/workspace/nanomq/nng/src/core/taskq.c:294
    #5 0x55c8f6b956cf in nni_init_helper /home/lee/workspace/nanomq/nng/src/core/init.c:35
    #6 0x55c8f6bb4e7b in nni_plat_init /home/lee/workspace/nanomq/nng/src/platform/posix/posix_thread.c:422
    #7 0x55c8f6b95750 in nni_init /home/lee/workspace/nanomq/nng/src/core/init.c:58
    #8 0x55c8f6bd8c28 in nni_proto_mqtt_open /home/lee/workspace/nanomq/nng/src/sp/protocol.c:37
    #9 0x55c8f6bd5166 in nng_nmq_tcp0_open /home/lee/workspace/nanomq/nng/src/sp/protocol/mqtt/nmq_mqtt.c:1249
    #10 0x55c8f6b7b502 in broker /home/lee/workspace/nanomq/nanomq/apps/broker.c:893
    #11 0x55c8f6b7ed57 in broker_start /home/lee/workspace/nanomq/nanomq/apps/broker.c:1531
    #12 0x55c8f6b57e9b in main /home/lee/workspace/nanomq/nanomq/nanomq.c:139
    #13 0x7f761b50ad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free /home/lee/workspace/nanomq/nng/src/platform/posix/posix_atomic.c:120 in nni_atomic_dec_nv
Shadow bytes around the buggy address:
  0x0c1e7fff9010: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff9020: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1e7fff9030: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e7fff9040: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1e7fff9050: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e7fff9060: fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==99250==ABORTING
xinyi-xs self-assigned this, added the bug label, and closed this as completed on Aug 4, 2022
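The sanitizer report has a recognisable shape: the same 168-byte message region is released by nni_msg_free() from tlstran_pipe_send_cb on thread T9, and then nni_msg_free() from the same callback on thread T8 touches it again, so two send completions each believed they owned the last reference. The program below is an added illustration of that failure class and is not nanomq or NNG code; the message struct, the fixed arena (used so the buggy path can be observed without corrupting a real heap), the single-threaded simulation of the two completions, and all function names are assumptions made for the example. It shows a retained message that is fanned out to subscribers without each sender taking its own reference, beside the corrected fan-out where every sender clones the message before handing it to the transport.

```c
/* Added illustration (not nanomq/NNG code) of a reference-counted message
 * released twice by two send-completion callbacks.  Names, the arena and the
 * single-threaded simulation are assumptions made for this example. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSGS 16

/* Messages live in a fixed arena instead of the heap so a second release can
 * be reported instead of corrupting allocator metadata (which is what ASan
 * caught above as heap-use-after-free inside the refcount decrement). */
typedef struct {
    int  refcnt;       /* live references; storage is released at zero */
    bool freed;        /* set once msg_free() released the storage */
    bool retained;     /* broker keeps a copy for late subscribers */
    char payload[32];
} msg_t;

static msg_t arena[MAX_MSGS];
static int   n_alloc;

static msg_t *msg_alloc(const char *payload, bool retained)
{
    if (n_alloc >= MAX_MSGS) return NULL;
    msg_t *m = &arena[n_alloc++];
    memset(m, 0, sizeof *m);
    m->refcnt   = 1;
    m->retained = retained;
    snprintf(m->payload, sizeof m->payload, "%s", payload);
    return m;
}

/* Hand out one more reference.  Every consumer that will later call
 * msg_free() must hold exactly one. */
static void msg_clone(msg_t *m) { m->refcnt++; }

/* 0 on a normal release, -1 when called on storage that is already freed,
 * i.e. the caller never owned a reference to drop. */
static int msg_free(msg_t *m)
{
    if (m->freed) return -1;
    if (--m->refcnt == 0) m->freed = true;
    return 0;
}

/* One delivery: the pipe "sends" the payload and, like a transport's
 * send-completion callback, releases the reference it was given. */
static int pipe_send_cb(msg_t *m) { return msg_free(m); }

/* Fan one message out to n pipes.  clone_per_pipe == false hands the same
 * single reference to every pipe (the buggy shape); true gives each pipe its
 * own reference so only the last completion frees the storage.
 * Returns how many completions hit already-freed storage. */
static int fan_out(msg_t *m, int n_pipes, bool clone_per_pipe)
{
    int bad = 0;
    if (clone_per_pipe)
        for (int i = 1; i < n_pipes; i++) msg_clone(m);  /* n refs in total */
    for (int i = 0; i < n_pipes; i++)
        if (pipe_send_cb(m) != 0) bad++;
    return bad;
}

static int demo_fan_out(int n_pipes, bool clone_per_pipe)
{
    msg_t *m = msg_alloc("hello", false);
    return fan_out(m, n_pipes, clone_per_pipe);
}

/* Retained delivery as in the repro: the retain store owns one reference,
 * and each subscriber that arrives later triggers a send of that message.
 * Without a clone per send, the first completion frees the store's only
 * reference and the next subscriber's completion runs on freed storage.
 * Returns the number of bad releases; *store_alive reports whether the
 * retain store's copy still exists afterwards. */
static int deliver_retained(int n_subscribers, bool clone_per_send,
                            bool *store_alive)
{
    msg_t *m   = msg_alloc("message", true);  /* held by the retain store */
    int    bad = 0;
    for (int i = 0; i < n_subscribers; i++) {
        if (clone_per_send) msg_clone(m);     /* subscriber's own reference */
        if (pipe_send_cb(m) != 0) bad++;
    }
    *store_alive = !m->freed;
    return bad;
}

int main(void)
{
    bool alive;
    printf("fan-out x3, shared ref:  %d bad releases\n", demo_fan_out(3, false));
    printf("fan-out x3, cloned refs: %d bad releases\n", demo_fan_out(3, true));
    printf("retained, no clone:  %d bad, store alive=%d\n",
           deliver_retained(2, false, &alive), alive);
    printf("retained, cloned:    %d bad, store alive=%d\n",
           deliver_retained(2, true, &alive), alive);
    return 0;
}
```

The invariant to carry back to any fan-out code path is the one the corrected branches obey: the count of msg_free() calls that will eventually run on a message must equal the number of references taken on it, and a copy kept around for later (the retain store) counts as one of those owners, so a delivery made from it must clone rather than hand over the store's reference.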