Use after free in fastcgi session code #8865

Open
ssandler opened this issue Aug 5, 2021 · 0 comments
Comments

@ssandler (Contributor) commented Aug 5, 2021

Describe the bug
I ran an asan build of hhvm and caught this use-after-free issue in fastcgi mode. It took about a half hour and many thousands of requests before this was hit.

The asan error is big, so I put it in a gist here: https://gist.github.com/ssandler/3597e4bd8accb7c3e8b97f2f00fd6584

But here's a snippet:

==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250001208a1 at pc 0x0000025376ba bp 0x7fe0a660b710 sp 0x7fe0a660b708
READ of size 2 at 0x6250001208a1 thread T7
    #0 0x25376b9 in HPHP::FastCGISession::readDataAvailable(unsigned long) (/usr/bin/hhvm+0x25376b9)
    #1 0x7343327 in folly::AsyncSocket::handleRead() (/usr/bin/hhvm+0x7343327)
    #2 0x733f500 in folly::AsyncSocket::ioReady(unsigned short) (/usr/bin/hhvm+0x733f500)
    #3 0x7fe2c7a4c8f7  (/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6+0x1e8f7)
    #4 0x7fe2c7a4d33e in event_base_loop (/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6+0x1f33e)
    #5 0x7363804 in folly::EventBase::loopBody(int, bool) (/usr/bin/hhvm+0x7363804)
    #6 0x7365a93 in folly::EventBase::loopForever() (/usr/bin/hhvm+0x7365a93)
    #7 0x8248be6 in proxygen::WorkerThread::runLoop() (/usr/bin/hhvm+0x8248be6)
    #8 0x8249052  (/usr/bin/hhvm+0x8249052)
    #9 0x7fe2c0c9a6de  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xbd6de)
    #10 0x7fe2c6d436da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #11 0x7fe2c035771e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e)

0x6250001208a1 is located 4001 bytes inside of 8032-byte region [0x62500011f900,0x625000121860)
freed by thread T7 here:
    #0 0xfb94fd in free (/usr/bin/hhvm+0xfb94fd)
    #1 0x72d1992 in folly::IOBuf::freeExtBuffer() (/usr/bin/hhvm+0x72d1992)
    #2 0x72d1551 in folly::IOBuf::coalesceAndReallocate(unsigned long, unsigned long, folly::IOBuf*, unsigned long) (/usr/bin/hhvm+0x72d1551)
    #3 0x72d1272 in folly::IOBuf::coalesceSlow(unsigned long) (/usr/bin/hhvm+0x72d1272)
    #4 0x2536e97 in HPHP::FastCGISession::readDataAvailable(unsigned long) (/usr/bin/hhvm+0x2536e97)
    #5 0x7343327 in folly::AsyncSocket::handleRead() (/usr/bin/hhvm+0x7343327)
    #6 0x733f500 in folly::AsyncSocket::ioReady(unsigned short) (/usr/bin/hhvm+0x733f500)
    #7 0x7fe2c7a4c8f7  (/usr/lib/x86_64-linux-gnu/libevent-2.1.so.6+0x1e8f7)

Also this may be useful:

addr2line -e /usr/bin/hhvm 0x25376b9 0x2536e97 0x2536db4
/build/hhvm/hphp/runtime/server/fastcgi/fastcgi-protocol.h:32
/build/hhvm/third-party/folly/src/folly/io/IOBuf.h:1205
/build/hhvm/third-party/folly/src/folly/io/IOBuf.h:1205

Environment

  • Operating system
    Ubuntu 18.04
  • Installation method
    built from source with -fsanitize=address
  • HHVM Version

Please include the output of hhvm --version and hh_client --version

HipHop VM 4.80.6 (rel)
Compiler: remotes/origin/4.80.6-slack-0-g0d1cc2f708e29ce3bffe6bd33ca27ad87d908d04
Repo schema: 368419f649dc5856326d84e9ed95fdef2fbad95f
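The two ASAN stacks above share a shape that is worth seeing in isolation: the free happens inside IOBuf::coalesceSlow, called from readDataAvailable, and the later read is also in readDataAvailable through a pointer taken before the coalesce (addr2line resolves it to the FastCGI record-header code in fastcgi-protocol.h). The following is an added example, not HHVM or folly code, that models that pattern with a toy chained buffer (ChunkedBuf, an assumed stand-in for folly::IOBuf) and a FastCGI record-header parser that fetches its data pointer only after any reallocation. The header layout is the 8-byte record header from the FastCGI specification; the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

namespace example {

// Minimal stand-in for a chained folly::IOBuf (assumed; not folly's API).
class ChunkedBuf {
 public:
  void append(std::vector<uint8_t> chunk) { chunks_.push_back(std::move(chunk)); }

  size_t totalLength() const {
    size_t n = 0;
    for (const auto& c : chunks_) n += c.size();
    return n;
  }
  size_t firstChunkLength() const { return chunks_.empty() ? 0 : chunks_.front().size(); }

  // Pointer into the first chunk; valid only until the next coalesce().
  const uint8_t* data() const { return chunks_.empty() ? nullptr : chunks_.front().data(); }

  // Merge every chunk into one fresh allocation and free the old ones. This is the
  // step IOBuf::coalesceAndReallocate performs in the "freed by" trace above.
  void coalesce() {
    if (chunks_.size() <= 1) return;
    std::vector<uint8_t> merged;
    merged.reserve(totalLength());
    for (const auto& c : chunks_) merged.insert(merged.end(), c.begin(), c.end());
    chunks_.clear();  // old chunk storage is released here
    chunks_.push_back(std::move(merged));
    ++generation_;
  }

  // Bumped on each reallocation, so a test can prove a coalesce happened
  // without touching freed memory.
  uint64_t generation() const { return generation_; }

 private:
  std::vector<std::vector<uint8_t>> chunks_;
  uint64_t generation_ = 0;
};

// FastCGI record header: 8 bytes, big-endian 16-bit fields (FastCGI spec, section 8).
struct RecordHeader {
  uint8_t version;
  uint8_t type;
  uint16_t requestId;
  uint16_t contentLength;
  uint8_t paddingLength;
};
constexpr size_t kHeaderLen = 8;

// Safe ordering: decide whether the header is contiguous, coalesce if it is not,
// and only then take the data pointer. The ordering that matches the report is
//   p = buf.data(); buf.coalesce(); read p[...];
// where p dangles after coalesce() frees the first chunk.
// Returns false when fewer than 8 bytes are buffered (caller waits for more).
bool parseRecordHeader(ChunkedBuf& buf, RecordHeader& out) {
  if (buf.totalLength() < kHeaderLen) return false;
  if (buf.firstChunkLength() < kHeaderLen) buf.coalesce();
  const uint8_t* p = buf.data();  // fetched after any reallocation
  out.version       = p[0];
  out.type          = p[1];
  out.requestId     = static_cast<uint16_t>((p[2] << 8) | p[3]);
  out.contentLength = static_cast<uint16_t>((p[4] << 8) | p[5]);
  out.paddingLength = p[6];
  return true;
}

struct ParseResult {
  bool ok;
  RecordHeader hdr;
  uint64_t generation;  // buffer generation after parsing
};

// Constructed sample: an FCGI_BEGIN_REQUEST header (type 1) for request id 1 with
// 8 bytes of content, split 3+5 across two chunks so the header is not contiguous.
ParseResult parseSplitSample() {
  ChunkedBuf b;
  b.append({0x01, 0x01, 0x00});
  b.append({0x01, 0x00, 0x08, 0x00, 0x00});
  ParseResult r{};
  r.ok = parseRecordHeader(b, r.hdr);
  r.generation = b.generation();
  return r;
}

// Constructed sample with only two bytes buffered: the parser must decline.
ParseResult parseTooShortSample() {
  ChunkedBuf b;
  b.append({0x01, 0x01});
  ParseResult r{};
  r.ok = parseRecordHeader(b, r.hdr);
  r.generation = b.generation();
  return r;
}

}  // namespace example

int main() {
  auto r = example::parseSplitSample();
  std::printf("ok=%d type=%u reqId=%u contentLength=%u generation=%llu\n",
              r.ok, r.hdr.type, r.hdr.requestId, r.hdr.contentLength,
              static_cast<unsigned long long>(r.generation));
  return 0;
}
```

The generation counter is the point of the model: on the split sample it reads 1 after parsing, which means the first chunk was reallocated during the call, and any pointer taken from data() before parseRecordHeader ran would now be exactly the dangling pointer ASAN flagged. Under a sanitizer build the real fix is the same reordering, plus re-fetching the pointer after every call that may coalesce or append.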