Uploaded image for project: 'Qpid Dispatch'
  1. Qpid Dispatch
  2. DISPATCH-2188

ASAN use after free from qdr_core_unbind_address_link_CT in system_tests_protocol_settings

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.17.0, 1.18.0
    • None
    • None

    Description

      https://travis-ci.com/github/apache/qpid-dispatch/jobs/519782806#L4771

      27: Router EB1 output file:
27: >>>>
27: =================================================================
27: ==15423==ERROR: AddressSanitizer: use-after-poison on address 0x6170000dc290 at pc 0x0000006e842a bp 0x7fbe59ae3070 sp 0x7fbe59ae3068
27: WRITE of size 8 at 0x6170000dc290 thread T1
27:     #0 0x6e8429 in qdr_core_unbind_address_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23
27:     #1 0x722f7f in del_outlink /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:216:9
27:     #2 0x67a135 in qdrc_event_addr_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:125:13
27:     #3 0x6e7f40 in qdr_core_unbind_address_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c
27:     #4 0x666b5c in qdr_link_inbound_detach_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:2064:17
27:     #5 0x6f2490 in router_core_thread /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
27:     #6 0x7fbe5fdfe608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27:     #7 0x7fbe5f629292 in clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
27: 
27: 0x6170000dc290 is located 272 bytes inside of 704-byte region [0x6170000dc180,0x6170000dc440)
27: allocated by thread T1 here:
27:     #0 0x4bb5c7 in posix_memalign (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4bb5c7)
27:     #1 0x57319e in qd_alloc /home/travis/build/apache/qpid-dispatch/src/alloc_pool.c:396:13
27:     #2 0x66cb80 in qdr_create_link_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1128:24
27:     #3 0x71fb5d in on_conn_event /home/travis/build/apache/qpid-dispatch/src/router_core/modules/edge_router/addr_proxy.c:281:32
27:     #4 0x679cb5 in qdrc_event_conn_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
27:     #5 0x679cb5 in qdrc_event_conn_raise /home/travis/build/apache/qpid-dispatch/src/router_core/core_events.c:101:13
27:     #6 0x6524d0 in qdr_connection_opened_CT /home/travis/build/apache/qpid-dispatch/src/router_core/connections.c:1440:5
27:     #7 0x6f2490 in router_core_thread /home/travis/build/apache/qpid-dispatch/src/router_core/router_core_thread.c:239:13
27:     #8 0x7fbe5fdfe608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
27: 
27: Thread T1 created by T0 here:
27:     #0 0x4a520c in pthread_create (/home/travis/build/apache/qpid-dispatch/build/router/qdrouterd+0x4a520c)
27:     #1 0x6245c7 in sys_thread /home/travis/build/apache/qpid-dispatch/src/posix/threading.c:181:5
27:     #2 0x6d287a in qdr_core /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:124:20
27:     #3 0x75c06f in qd_router_setup_late /home/travis/build/apache/qpid-dispatch/src/router_node.c:2124:31
27:     #4 0x7fbe5b509ff4  (/lib/x86_64-linux-gnu/libffi.so.7+0x6ff4)
27: LLVMSymbolizer: error reading file: No such file or directory
27:     #5 0x7ffc3aaec1cf  ([stack]+0x211cf)
27: 
27: SUMMARY: AddressSanitizer: use-after-poison /home/travis/build/apache/qpid-dispatch/src/router_core/router_core.c:715:23 in qdr_core_unbind_address_link_CT
27: Shadow bytes around the buggy address:
27:   0x0c2e80013800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27:   0x0c2e80013810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e80013830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27:   0x0c2e80013840: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27: =>0x0c2e80013850: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
27:   0x0c2e80013880: f7 f7 f7 f7 f7 f7 f7 00 fa fa fa fa fa fa fa fa
27:   0x0c2e80013890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
27:   0x0c2e800138a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
27: Shadow byte legend (one shadow byte represents 8 application bytes):
27:   Addressable:           00
27:   Partially addressable: 01 02 03 04 05 06 07 
27:   Heap left redzone:       fa
27:   Freed heap region:       fd
27:   Stack left redzone:      f1
27:   Stack mid redzone:       f2
27:   Stack right redzone:     f3
27:   Stack after return:      f5
27:   Stack use after scope:   f8
27:   Global redzone:          f9
27:   Global init order:       f6
27:   Poisoned by user:        f7
27:   Container overflow:      fc
27:   Array cookie:            ac
27:   Intra object redzone:    bb
27:   ASan internal:           fe
27:   Left alloca redzone:     ca
27:   Right alloca redzone:    cb
27:   Shadow gap:              cc
27: ==15423==ABORTING

      Attachments

        Issue Links

          is a clone of

          Bug - A problem which impairs or prevents the functions of the product. DISPATCH-2057 TSAN data race from qdr_core_unbind_address_link_CT in system_tests_edge_router

          • Major - Major loss of function.
          • Open
          relates to

          Test - A new unit, integration or system test. DISPATCH-2168 [http2] qdr_address_t use after free in system_tests_http2

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              jdanek Jiri Daněk
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated: