
Use after free #443

Closed
orgads opened this issue Jan 16, 2024 · 1 comment

Comments


orgads commented Jan 16, 2024

When running tests/async-rentry.js there is a use-after-free.

ASAN:

$ ASAN_OPTIONS=new_delete_type_mismatch=0 LD_PRELOAD=/lib/x86_64-linux-gnu/libasan.so.8 node tests/async-rentry.js
pass
=================================================================
==2265968==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0000a98c0 at pc 0x7fcd998b7efc bp 0x7ffc337a3b60 sp 0x7ffc337a3b50
READ of size 8 at 0x61d0000a98c0 thread T0
    #0 0x7fcd998b7efb in ivm::Executor::GetCurrentEnvironment() ../src/isolate/executor.h:172
    #1 0x7fcd998b7efb in ivm::IsolateEnvironment::GetCurrent() ../src/isolate/environment.h:201
    #2 0x7fcd998b7efb in ~ExternalStringOneByte ../src/external_copy/string.cc:49
    #3 0x7fcd998b7efb in ~ExternalStringOneByte ../src/external_copy/string.cc:50
    #4 0x55b84df14461 in v8::internal::Heap::ExternalStringTable::TearDown() (/usr/local/bin/node+0xf14461) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #5 0x55b84df14493 in v8::internal::Heap::TearDownWithSharedHeap() (/usr/local/bin/node+0xf14493) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #6 0x55b84de86fae in v8::internal::Isolate::Deinit() (/usr/local/bin/node+0xe86fae) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #7 0x55b84de89cd5 in v8::internal::Isolate::Delete(v8::internal::Isolate*) (/usr/local/bin/node+0xe89cd5) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #8 0x55b84db05820 in node::NodeMainInstance::~NodeMainInstance() (/usr/local/bin/node+0xb05820) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #9 0x55b84da70b0e in node::Start(int, char**) (/usr/local/bin/node+0xa70b0e) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #10 0x7fcda2a280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7fcda2a28188 in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x55b84d9a0020 in _start (/usr/local/bin/node+0x9a0020) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)

0x61d0000a98c0 is located 576 bytes inside of 2400-byte region [0x61d0000a9680,0x61d0000a9fe0)
freed by thread T0 here:
    #0 0x7fcda32e0c50 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x7fcd999c68c7 in std::__new_allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/13/bits/new_allocator.h:168
    #2 0x7fcd999c68c7 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:516
    #3 0x7fcd999c68c7 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/13/bits/allocated_ptr.h:74
    #4 0x7fcd999c68c7 in std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/13/bits/shared_ptr_base.h:623
    #5 0x7fcd9990a1e3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/13/bits/shared_ptr_base.h:347
    #6 0x7fcd9990a1e3 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/13/bits/shared_ptr_base.h:317
    #7 0x7fcd9990a1e3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/13/bits/shared_ptr_base.h:1071
    #8 0x7fcd9990a1e3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/13/bits/shared_ptr_base.h:1524
    #9 0x7fcd9990a1e3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::reset() /usr/include/c++/13/bits/shared_ptr_base.h:1642
    #10 0x7fcd9990a1e3 in ivm::IsolateHolder::Release() ../src/isolate/holder.cc:39
    #11 0x7fcd999c1eec in operator() ../src/module/isolate.cc:112
    #12 0x7fcd999c1eec in _FUN ../src/module/isolate.cc:115
    #13 0x55b84da0229b in node::CleanupQueue::Drain() (/usr/local/bin/node+0xa0229b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #14 0x55b84da2cb63 in node::Environment::RunCleanup() (/usr/local/bin/node+0xa2cb63) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #15 0x55b84d9cf90b in node::FreeEnvironment(node::Environment*) (/usr/local/bin/node+0x9cf90b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #16 0x55b84db05d71 in node::NodeMainInstance::Run() (/usr/local/bin/node+0xb05d71) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #17 0x55b84da70b03 in node::Start(int, char**) (/usr/local/bin/node+0xa70b03) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #18 0x7fcda2a280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7fcda32dfba8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x7fcd999c36c3 in std::__new_allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/13/bits/new_allocator.h:147
    #2 0x7fcd999c36c3 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/13/bits/alloc_traits.h:482
    #3 0x7fcd999c36c3 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<ivm::IsolateEnvironment, std::allocator<void>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/13/bits/allocated_ptr.h:98
    #4 0x7fcd999c36c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<ivm::IsolateEnvironment, std::allocator<void>>(ivm::IsolateEnvironment*&, std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr_base.h:969
    #5 0x7fcd999c36c3 in std::__shared_ptr<ivm::IsolateEnvironment, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr_base.h:1712
    #6 0x7fcd999c36c3 in std::shared_ptr<ivm::IsolateEnvironment>::shared_ptr<std::allocator<void>>(std::_Sp_alloc_shared_tag<std::allocator<void> >) /usr/include/c++/13/bits/shared_ptr.h:464
    #7 0x7fcd999c36c3 in std::shared_ptr<std::enable_if<!std::is_array<ivm::IsolateEnvironment>::value, ivm::IsolateEnvironment>::type> std::make_shared<ivm::IsolateEnvironment>() /usr/include/c++/13/bits/shared_ptr.h:1010
    #8 0x7fcd999c36c3 in ivm::IsolateEnvironment::New(v8::Isolate*, v8::Local<v8::Context>) ../src/isolate/environment.h:182
    #9 0x7fcd999c36c3 in init ../src/module/isolate.cc:101
    #10 0x55b84da7c102 in std::_Function_handler<bool (node::binding::DLib*), node::binding::DLOpen(v8::FunctionCallbackInfo<v8::Value> const&)::{lambda(node::binding::DLib*)#1}>::_M_invoke(std::_Any_data const&, node::binding::DLib*&&) (/usr/local/bin/node+0xa7c102) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #11 0x55b84da2aadd in node::Environment::TryLoadAddon(char const*, int, std::function<bool (node::binding::DLib*)> const&) (/usr/local/bin/node+0xa2aadd) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #12 0x55b84da7b5ae in node::binding::DLOpen(v8::FunctionCallbackInfo<v8::Value> const&) (/usr/local/bin/node+0xa7b5ae) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #13 0x55b84dd5ab81 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) (/usr/local/bin/node+0xd5ab81) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #14 0x55b84dd5b0ea in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, unsigned long*, int) (/usr/local/bin/node+0xd5b0ea) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #15 0x55b84dd5b8e7 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) (/usr/local/bin/node+0xd5b8e7) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #16 0x55b84e768df5 in Builtins_CEntry_Return1_ArgvOnStack_BuiltinExit (/usr/local/bin/node+0x1768df5) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #17 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #18 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #19 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #20 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #21 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #22 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #23 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #24 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #25 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #26 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #27 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #28 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #29 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #30 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #31 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #32 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #33 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #34 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #35 0x55b84e6dad1b in Builtins_InterpreterEntryTrampoline (/usr/local/bin/node+0x16dad1b) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #36 0x55b84e6d90db in Builtins_JSEntryTrampoline (/usr/local/bin/node+0x16d90db) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)
    #37 0x55b84e6d8e02 in Builtins_JSEntry (/usr/local/bin/node+0x16d8e02) (BuildId: 8893513ac0f7c7973f9f5afc317e342d8d58b13f)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/isolate/executor.h:172 in ivm::Executor::GetCurrentEnvironment()
==2265968==ABORTING
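The trace above has a common shape: the IsolateEnvironment is freed by IsolateHolder::Release() from Node's cleanup queue, and only afterwards does V8's ExternalStringTable::TearDown() run ~ExternalStringOneByte, which calls IsolateEnvironment::GetCurrent() on the freed object. The following C++ model is an added example, not isolated-vm's code: Environment, RawExternalString, SafeExternalString, g_skipped and simulate_shutdown are hypothetical names, and it places the raw-pointer shape beside a weak_ptr shape whose destructor checks that the environment still exists before touching it.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>
// Hypothetical model of the lifetime bug in the trace (not isolated-vm's code):
// an environment owned by a shared_ptr is released from the cleanup queue, and
// later, while the engine tears down its external string table, each external
// string's destructor reaches back to that environment.
struct Environment {
    int live_external_strings = 0;
};
// "Before" shape: the destructor dereferences a non-owning raw pointer, which is
// a heap-use-after-free once the environment is gone. Shown, not exercised.
struct RawExternalString {
    Environment* env;
    std::string data;
    ~RawExternalString() { --env->live_external_strings; }
};
static int g_skipped = 0;  // destructors that found the environment already gone
// Hardened shape: hold a weak_ptr and lock() it before touching the environment;
// after teardown the lock fails and the destructor does nothing.
struct SafeExternalString {
    std::weak_ptr<Environment> env;
    std::string data;
    ~SafeExternalString() {
        if (auto e = env.lock()) --e->live_external_strings;
        else ++g_skipped;
    }
};
// Replays the shutdown order from the report (environment released first, string
// table torn down afterwards) and returns how many string destructors ran after
// the environment was gone, i.e. how many would have been UAFs with a raw
// pointer. release_env_first=false is the safe order and yields 0.
int simulate_shutdown(int n_strings, bool release_env_first) {
    g_skipped = 0;
    auto env = std::make_shared<Environment>();
    std::vector<std::unique_ptr<SafeExternalString>> table;
    for (int i = 0; i < n_strings; ++i) {
        auto s = std::make_unique<SafeExternalString>();
        s->env = env;
        s->data = "external-" + std::to_string(i);  // constructed sample payload
        ++env->live_external_strings;
        table.push_back(std::move(s));
    }
    if (release_env_first) env.reset();  // IsolateHolder::Release() in the trace
    table.clear();                       // ExternalStringTable::TearDown()
    return g_skipped;
}
```

Under ASAN the raw-pointer shape would report the same heap-use-after-free as the issue; the weak_ptr shape reports nothing in either order, which is the check a fix would add or, better, the ordering it would enforce.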

orgads commented Jan 16, 2024

This only happens in a release build. Possibly related to some strict-aliasing warnings regarding uses of reinterpret_cast.

orgads added a commit to orgads/isolated-vm that referenced this issue Jan 17, 2024