
Heap-use-after-free in function __archive_read_next_passphrase() (triggered by test suite) #540

Closed
hannob opened this Issue May 12, 2015 · 1 comment


hannob commented May 12, 2015

Running "make check" with libarchive compiled with address sanitizer (-fsanitize=address in CFLAGS) will show a use-after-free error. Here's the output:

23: test_archive_read_add_passphrase_set_callback1 =================================================================
==18758==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000002e50 at pc 0x465bb4 bp 0x7fffa3f432f0 sp 0x7fffa3f432e0
READ of size 4 at 0x61e000002e50 thread T0
#0 0x465bb3 in __archive_read_next_passphrase libarchive/archive_read_add_passphrase.c:140
#1 0x692895 in test_archive_read_add_passphrase_set_callback1 libarchive/test/test_archive_read_add_passphrase.c:140
#2 0x677b0c in test_run libarchive/test/main.c:2405
#3 0x67a6ab in main libarchive/test/main.c:2871
#4 0x7f2733a85f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
#5 0x4067a8 (/data/code/libarchive-test/libarchive_test+0x4067a8)

0x61e000002e50 is located 2512 bytes inside of 2536-byte region [0x61e000002480,0x61e000002e68)
freed by thread T0 here:
#0 0x7f273603250f in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x5750f)
#1 0x45fb73 in _archive_read_free libarchive/archive_read.c:1108
#2 0x5a2cbe in archive_free libarchive/archive_virtual.c:62
#3 0x5a2f01 in archive_read_free libarchive/archive_virtual.c:102
#4 0x69283c in test_archive_read_add_passphrase_set_callback1 libarchive/test/test_archive_read_add_passphrase.c:132
#5 0x677b0c in test_run libarchive/test/main.c:2405
#6 0x67a6ab in main libarchive/test/main.c:2871
#7 0x7f2733a85f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

previously allocated by thread T0 here:
#0 0x7f27360328e5 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.2/libasan.so.1+0x578e5)
#1 0x458822 in archive_read_new libarchive/archive_read.c:104
#2 0x692768 in test_archive_read_add_passphrase_set_callback1 libarchive/test/test_archive_read_add_passphrase.c:120
#3 0x677b0c in test_run libarchive/test/main.c:2405
#4 0x67a6ab in main libarchive/test/main.c:2871
#5 0x7f2733a85f9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)

SUMMARY: AddressSanitizer: heap-use-after-free libarchive/archive_read_add_passphrase.c:140 __archive_read_next_passphrase
Shadow bytes around the buggy address:
0x0c3c7fff8570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff8580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff8590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff85a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c7fff85b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3c7fff85c0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fa fa fa
0x0c3c7fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==18758==ABORTING
FAIL libarchive_test (exit status: 1)

kientzle commented May 16, 2015

Looks like this is just a bug in the test. The test runs a set of checks twice but doesn't correctly reset in between.

Fixed in commit d5bdfc3.
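The pattern kientzle describes, a test that runs its checks twice without resetting the handle it freed in between, as an added example that is not libarchive's code or test: a hypothetical stand-in reader (pw_reader and its functions are assumed names) whose free helper nulls the caller's handle, so the un-reset second round fails with a clean error instead of reading freed memory, beside the corrected shape that starts each round from a fresh object.

```c
/* Added example, not libarchive code: a hypothetical stand-in for the
 * passphrase-callback reader exercised by the issue's test. */
#include <stdlib.h>
#include <string.h>
typedef const char *(*passphrase_cb)(const void *client);
typedef struct pw_reader { passphrase_cb cb; const void *client; } pw_reader;
static pw_reader *pw_reader_new(void) { return calloc(1, sizeof(pw_reader)); }
/* Returns 0 on success, -1 when the handle is gone (NULL). */
static int pw_reader_set_callback(pw_reader *r, passphrase_cb cb, const void *client) {
    if (r == NULL) return -1;
    r->cb = cb; r->client = client;
    return 0;
}
/* Next passphrase from the callback, or NULL with no reader or no callback. */
static const char *pw_reader_next_passphrase(pw_reader *r) {
    if (r == NULL || r->cb == NULL) return NULL;
    return r->cb(r->client);
}
/* Free through a double pointer so the caller's handle is nulled: a later
 * round that forgot to reset then sees NULL instead of freed memory. */
static void pw_reader_free(pw_reader **rp) {
    if (rp != NULL && *rp != NULL) { free(*rp); *rp = NULL; }
}
static const char *fixed_cb(const void *client) { return (const char *)client; }

/* One round of the checks the test performs. Returns 1 on success. */
static int check_round(pw_reader *r) {
    const char *p;
    if (pw_reader_set_callback(r, fixed_cb, "constructed-secret") != 0) return 0;
    p = pw_reader_next_passphrase(r);
    return p != NULL && strcmp(p, "constructed-secret") == 0;
}

/* Shape of the reported bug: the second round reuses the freed handle.
 * With the nulling free it fails cleanly (returns 0) instead of a UAF. */
int test_without_reset(void) {
    pw_reader *r = pw_reader_new();
    int ok1 = check_round(r);
    pw_reader_free(&r);
    return ok1 && check_round(r);   /* r is NULL here, so the round fails */
}

/* Corrected shape: every round starts from a fresh reader. Returns 1. */
int test_with_reset(void) {
    int ok = 1;
    for (int i = 0; i < 2; i++) {
        pw_reader *r = pw_reader_new();
        ok = ok && check_round(r);
        pw_reader_free(&r);
    }
    return ok;
}
```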
