ASAN: heap-use-after-free in net_end_join #9037

Closed
nshy opened this issue Aug 25, 2023 · 0 comments · Fixed by #9041
Labels
2.10 Target is 2.10 and all newer release/master branches bug Something isn't working

nshy commented Aug 25, 2023

Found in 3.0.0-alpha1-16-g0e5a3cc21.

Reported on a panic_on_wal_error.test run with WIP PR #8901.

==444025==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000301068 at pc 0x5585eb30abf4 bp 0x7f196e208230 sp 0x7f196e208228
READ of size 8 at 0x615000301068 thread T3
    #0 0x5585eb30abf3 in net_end_join(cmsg*) /home/shiny/dev/tarantool/src/box/iproto.cc:2807:37
    #1 0x5585eba5c6d0 in cmsg_deliver /home/shiny/dev/tarantool/src/lib/core/cbus.c:375:2
    #2 0x5585eba5faad in cbus_process /home/shiny/dev/tarantool/src/lib/core/cbus.c:610:3
    #3 0x5585eba5fdfc in cbus_loop /home/shiny/dev/tarantool/src/lib/core/cbus.c:617:3
    #4 0x5585eb2f9a0f in net_cord_f(__va_list_tag*) /home/shiny/dev/tarantool/src/box/iproto.cc:2966:2
    #5 0x5585eb2ed188 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*) /home/shiny/dev/tarantool/src/lib/core/fiber.h:1234:10
    #6 0x5585eba477af in fiber_loop /home/shiny/dev/tarantool/src/lib/core/fiber.c:1013:18
    #7 0x5585ec3ccb8c in coro_init /home/shiny/dev/tarantool/third_party/coro/coro.c:108:3

0x615000301068 is located 360 bytes inside of 479-byte region [0x615000300f00,0x6150003010df)
freed by thread T3 here:
    #0 0x5585eb29de12 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
    #1 0x5585ec35127f in mempool_free /home/shiny/dev/tarantool/src/lib/small/small/mempool_malloc.c:96:2
    #2 0x5585eb310edb in iproto_msg_delete(iproto_msg*) /home/shiny/dev/tarantool/src/box/iproto.cc:784:2
    #3 0x5585eb30aae7 in net_end_join(cmsg*) /home/shiny/dev/tarantool/src/box/iproto.cc:2800:2
    #4 0x5585eba5c6d0 in cmsg_deliver /home/shiny/dev/tarantool/src/lib/core/cbus.c:375:2
    #5 0x5585eba5faad in cbus_process /home/shiny/dev/tarantool/src/lib/core/cbus.c:610:3
    #6 0x5585eba5fdfc in cbus_loop /home/shiny/dev/tarantool/src/lib/core/cbus.c:617:3
    #7 0x5585eb2f9a0f in net_cord_f(__va_list_tag*) /home/shiny/dev/tarantool/src/box/iproto.cc:2966:2
    #8 0x5585eb2ed188 in fiber_cxx_invoke(int (*)(__va_list_tag*), __va_list_tag*) /home/shiny/dev/tarantool/src/lib/core/fiber.h:1234:10
    #9 0x5585eba477af in fiber_loop /home/shiny/dev/tarantool/src/lib/core/fiber.c:1013:18
    #10 0x5585ec3ccb8c in coro_init /home/shiny/dev/tarantool/third_party/coro/coro.c:108:3

previously allocated by thread T3 here:
    #0 0x5585eb29ee49 in malloc (/home/shiny/dev/tarantool/build-asan-release/src/tarantool+0x915e49) (BuildId: 0db66c24d7f225b7f3e17ee3a9a1e45e95456387)
    #1 0x5585ec350bfc in small_wrapper_alloc /home/shiny/dev/tarantool/src/lib/small/include/small/util.h:275:25
    #2 0x5585ec350bfc in mempool_alloc /home/shiny/dev/tarantool/src/lib/small/small/mempool_malloc.c:72:2
    #3 0x5585eb3168f2 in iproto_msg_new(iproto_connection*) /home/shiny/dev/tarantool/src/box/iproto.cc:802:25
    #4 0x5585eb31303f in iproto_enqueue_batch(iproto_connection*, ibuf*) /home/shiny/dev/tarantool/src/box/iproto.cc:1180:28
    #5 0x5585eb31db5e in iproto_connection_on_input(ev_loop*, ev_io*, int) /home/shiny/dev/tarantool/src/box/iproto.cc:1356:7
    #6 0x5585ec3a47ee in ev_invoke_pending /home/shiny/dev/tarantool/third_party/libev/ev.c:3797:11
    #7 0x5585ec3a6d10 in ev_run /home/shiny/dev/tarantool/third_party/libev/ev.c:4221:7
    #8 0x5585eba5106a in cord_costart_thread_func /home/shiny/dev/tarantool/src/lib/core/fiber.c:1965:3
    #9 0x5585eba4df33 in cord_thread_func /home/shiny/dev/tarantool/src/lib/core/fiber.c:1762:14
    #10 0x7f197288c9ea in start_thread /usr/src/debug/glibc/glibc/nptl/pthread_create.c:444:8

Thread T3 created by T0 here:
    #0 0x5585eb213878 in __interceptor_pthread_create (/home/shiny/dev/tarantool/build-asan-release/src/tarantool+0x88a878) (BuildId: 0db66c24d7f225b7f3e17ee3a9a1e45e95456387)
    #1 0x5585eba4e83a in cord_start /home/shiny/dev/tarantool/src/lib/core/fiber.c:1798:6
    #2 0x5585eba50aa0 in cord_costart /home/shiny/dev/tarantool/src/lib/core/fiber.c:1990:6
    #3 0x5585eb2f8384 in iproto_init(int) /home/shiny/dev/tarantool/src/box/iproto.cc:3261:7
    #4 0x5585eb6a3269 in box_storage_init() /home/shiny/dev/tarantool/src/box/box.cc:5743:2
    #5 0x5585eb6a3269 in box_cfg_xc() /home/shiny/dev/tarantool/src/box/box.cc:5276:2
    #6 0x5585eb6a292e in box_cfg /home/shiny/dev/tarantool/src/box/box.cc:5466:3
    #7 0x5585eb2e8425 in load_cfg /home/shiny/dev/tarantool/src/main.cc:516:2
    #8 0x5585eb93f6c1 in lbox_cfg_load(lua_State*) /home/shiny/dev/tarantool/src/box/lua/cfg.cc:61:3
    #9 0x5585ebb55ac2 in lj_BC_FUNCC /home/shiny/dev/tarantool/build-asan-release/third_party/luajit/src/lj_vm.S:811

SUMMARY: AddressSanitizer: heap-use-after-free /home/shiny/dev/tarantool/src/box/iproto.cc:2807:37 in net_end_join(cmsg*)
==444025==ABORTING
@nshy nshy added the bug Something isn't working label Aug 25, 2023
@nshy nshy self-assigned this Aug 25, 2023
nshy added a commit to nshy/tarantool that referenced this issue Aug 25, 2023
`msg` is used after it is freed in iproto_msg_delete.

Close tarantool#9037

NO_TEST=tested by ASAN
NO_DOC=bugfix
locker pushed a commit that referenced this issue Aug 28, 2023
`msg` is used after it is freed in iproto_msg_delete.

Close #9037

NO_TEST=tested by ASAN
NO_DOC=bugfix
locker pushed a commit that referenced this issue Aug 28, 2023
`msg` is used after it is freed in iproto_msg_delete.

Close #9037

NO_TEST=tested by ASAN
NO_DOC=bugfix

(cherry picked from commit 4916389)
@locker locker added the 2.10 Target is 2.10 and all newer release/master branches label Aug 28, 2023