ASan seems to report a heap-use-after-free in systemd-logind #9604

@evverx

It happens sporadically and I haven't found a way to reproduce it reliably yet:

=================================================================
==416==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000120 at pc 0x7efff9a9fae9 bp 0x7ffe2527a440 sp 0x7ffe2527a430
READ of size 4 at 0x608000000120 thread T0
    #0 0x7efff9a9fae8 in sd_bus_slot_unref ../src/libsystemd/sd-bus/bus-slot.c:196
    #1 0x7efff9ad180d in process_closing_reply_callback ../src/libsystemd/sd-bus/sd-bus.c:2818
    #2 0x7efff9ad1b3e in process_closing ../src/libsystemd/sd-bus/sd-bus.c:2834
    #3 0x7efff9ad251e in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:2933
    #4 0x7efff9ad26b2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:2952
    #5 0x7efff9ac95ad in bus_ensure_running ../src/libsystemd/sd-bus/sd-bus.c:2016
    #6 0x7efff9ad35cc in sd_bus_flush ../src/libsystemd/sd-bus/sd-bus.c:3060
    #7 0x7efff9ad5c2a in quit_callback ../src/libsystemd/sd-bus/sd-bus.c:3386
    #8 0x7efff9b78857 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:3139
    #9 0x7efff9b79b65 in dispatch_exit ../src/libsystemd/sd-event/sd-event.c:3236
    #10 0x7efff9b7cba5 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:3506
    #11 0x7efff9b7d91b in sd_event_run ../src/libsystemd/sd-event/sd-event.c:3571
    #12 0x5561da880fa6 in manager_run ../src/login/logind.c:1194
    #13 0x5561da8816f6 in main ../src/login/logind.c:1252
    #14 0x7efff7dd0f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
    #15 0x5561da872459 in _start (/usr/lib/systemd/systemd-logind+0x88459)
0x608000000120 is located 0 bytes inside of 96-byte region [0x608000000120,0x608000000180)
freed by thread T0 here:
    #0 0x7efffa6c24b8 in __interceptor_free (/usr/lib64/libasan.so.4+0xde4b8)
    #1 0x7efff9a9b740 in mfree ../src/basic/alloc-util.h:34
    #2 0x7efff9a9fd37 in sd_bus_slot_unref ../src/libsystemd/sd-bus/bus-slot.c:209
    #3 0x7efff9ad17fe in process_closing_reply_callback ../src/libsystemd/sd-bus/sd-bus.c:2815
    #4 0x7efff9ad1b3e in process_closing ../src/libsystemd/sd-bus/sd-bus.c:2834
    #5 0x7efff9ad251e in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:2933
    #6 0x7efff9ad26b2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:2952
    #7 0x7efff9ac95ad in bus_ensure_running ../src/libsystemd/sd-bus/sd-bus.c:2016
    #8 0x7efff9ad35cc in sd_bus_flush ../src/libsystemd/sd-bus/sd-bus.c:3060
    #9 0x7efff9ad5c2a in quit_callback ../src/libsystemd/sd-bus/sd-bus.c:3386
    #10 0x7efff9b78857 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:3139
    #11 0x7efff9b79b65 in dispatch_exit ../src/libsystemd/sd-event/sd-event.c:3236
    #12 0x7efff9b7cba5 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:3506
    #13 0x7efff9b7d91b in sd_event_run ../src/libsystemd/sd-event/sd-event.c:3571
    #14 0x5561da880fa6 in manager_run ../src/login/logind.c:1194
    #15 0x5561da8816f6 in main ../src/login/logind.c:1252
    #16 0x7efff7dd0f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
previously allocated by thread T0 here:
    #0 0x7efffa6c2a38 in __interceptor_calloc (/usr/lib64/libasan.so.4+0xdea38)
    #1 0x7efff9a9b7fc in bus_slot_allocate ../src/libsystemd/sd-bus/bus-slot.c:22
    #2 0x7efff9ac8dab in sd_bus_call_async ../src/libsystemd/sd-bus/sd-bus.c:1971
    #3 0x7efff9a108f7 in sd_bus_call_method_async ../src/libsystemd/sd-bus/bus-convenience.c:79
    #4 0x7efff9a0ef67 in bus_add_match_internal_async ../src/libsystemd/sd-bus/bus-control.c:840
    #5 0x7efff9ad4d3c in bus_add_match_full ../src/libsystemd/sd-bus/sd-bus.c:3229
    #6 0x7efff9ad51c6 in sd_bus_add_match_async ../src/libsystemd/sd-bus/sd-bus.c:3285
    #7 0x7efff9a176a5 in sd_bus_match_signal_async ../src/libsystemd/sd-bus/bus-convenience.c:668
    #8 0x5561da87b25b in manager_connect_bus ../src/login/logind.c:704
    #9 0x5561da87ff13 in manager_startup ../src/login/logind.c:1109
    #10 0x5561da8814bc in main ../src/login/logind.c:1240
    #11 0x7efff7dd0f29 in __libc_start_main (/lib64/libc.so.6+0x20f29)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/libsystemd/sd-bus/bus-slot.c:196 in sd_bus_slot_unref
Shadow bytes around the buggy address:
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fff8020: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8030: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8040: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8050: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8060: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==416==ABORTING

Labels: bug (Programming errors, that need preferential fixing), login
