  1. Qpid Proton
  2. PROTON-2477

ASAN use-after-free of proactor pconnection

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • proton-c
    • None

    Description

      qpid-dispatch GitHub Actions CI has hit this ASAN issue a couple of times since enabling use of latest proton-c/main in our CI tests (see attached).

      Appears to show a pconnection being freed at the end of batch processing, then accessing that freed pconnection while waiting for the next event.

       

      https://github.com/apache/qpid-dispatch/runs/4513058827?check_suite_focus=true#step:9:7347

       

      ==4956==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000171412 at pc 0x7f7144626f6d bp 0x7ffe23b9a600 sp 0x7ffe23b9a5f0
      63: E           READ of size 1 at 0x616000171412 thread T0
      63: E               #0 0x7f7144626f6c in next_runnable ../c/src/proactor/epoll.c:2403
      63: E               #1 0x7f7144627e53 in next_event_batch ../c/src/proactor/epoll.c:2456
      63: E               #2 0x7f714462d11a in pn_proactor_wait ../c/src/proactor/epoll.c:2715
      63: E               #3 0x556f559f860e in thread_run ../src/server.c:1118
      63: E               #4 0x556f55a001cf in qd_server_run ../src/server.c:1527
      63: E               #5 0x556f55a5b7ea in main_process ../router/src/main.c:115
      63: E               #6 0x556f55a5d7ee in main ../router/src/main.c:369
      63: E               #7 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      63: E               #8 0x556f5571574d in _start (/home/runner/work/qpid-dispatch/qpid-dispatch/qpid-dispatch/build/router/qdrouterd+0x56874d)
      63: E           
      63: E           0x616000171412 is located 146 bytes inside of 576-byte region [0x616000171380,0x6160001715c0)
      63: E           freed by thread T0 here:
      63: E               #0 0x7f71447f07cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
      63: E               #1 0x7f714460d565 in pconnection_final_free ../c/src/proactor/epoll.c:832
      63: E               #2 0x7f714460d8bc in pconnection_cleanup ../c/src/proactor/epoll.c:848
      63: E               #3 0x7f71446104ab in pconnection_done ../c/src/proactor/epoll.c:1048
      63: E               #4 0x7f714462d20e in pn_proactor_done ../c/src/proactor/epoll.c:2725
      63: E               #5 0x556f559f88b5 in thread_run ../src/server.c:1151
      63: E               #6 0x556f55a001cf in qd_server_run ../src/server.c:1527
      63: E               #7 0x556f55a5b7ea in main_process ../router/src/main.c:115
      63: E               #8 0x556f55a5d7ee in main ../router/src/main.c:369
      63: E               #9 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      63: E           
      63: E           previously allocated by thread T2 here:
      63: E               #0 0x7f71447f0bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
      63: E               #1 0x7f714461dbda in pn_listener_accept2 ../c/src/proactor/epoll.c:1883
      63: E               #2 0x7f7144638bd3 in pn_listener_accept ../c/src/proactor/proactor-internal.c:94
      63: E               #3 0x556f559efbe1 in on_accept ../src/server.c:622
      63: E               #4 0x556f559f44fc in handle_listener ../src/server.c:865
      63: E               #5 0x556f559f3d83 in handle_event_with_context ../src/server.c:814
      63: E               #6 0x556f559f3e0a in do_handle_listener ../src/server.c:825
      63: E               #7 0x556f559f6a2f in handle ../src/server.c:1024
      63: E               #8 0x556f559f86b1 in thread_run ../src/server.c:1133
      63: E               #9 0x556f55871fbb in _thread_init ../src/posix/threading.c:172
      63: E               #10 0x7f7144183608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9608)
      63: E           
      63: E           Thread T2 created by T0 here:
      63: E               #0 0x7f714471d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
      63: E               #1 0x556f5587212a in sys_thread ../src/posix/threading.c:181
      63: E               #2 0x556f55a00137 in qd_server_run ../src/server.c:1525
      63: E               #3 0x556f55a5b7ea in main_process ../router/src/main.c:115
      63: E               #4 0x556f55a5d7ee in main ../router/src/main.c:369
      63: E               #5 0x7f714327e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      63: E           
      63: E           SUMMARY: AddressSanitizer: heap-use-after-free ../c/src/proactor/epoll.c:2403 in next_runnable

       

      Attachments

        1. ASAN.txt
          9 kB
          Ken Giusti
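
        The triage a reader does by eye on the report above, as an added example (not part of the original issue or of the Proton code base): a Python parser that strips the CI runner's "63: E" line prefix, separates the access, free and allocation stacks, and checks whether the free and the later read happened on the same thread. The function names triage and same_thread_free_then_use are hypothetical; the sample lines are copied from the report and trimmed.

```python
import re

# Constructed sample: lines copied from the report above, trimmed to the first
# frames of each stack, still carrying the CI runner's "63: E" prefix.
SAMPLE = """\
63: E           READ of size 1 at 0x616000171412 thread T0
63: E               #0 0x7f7144626f6c in next_runnable ../c/src/proactor/epoll.c:2403
63: E               #1 0x7f7144627e53 in next_event_batch ../c/src/proactor/epoll.c:2456
63: E           0x616000171412 is located 146 bytes inside of 576-byte region [0x616000171380,0x6160001715c0)
63: E           freed by thread T0 here:
63: E               #0 0x7f71447f07cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
63: E               #1 0x7f714460d565 in pconnection_final_free ../c/src/proactor/epoll.c:832
63: E           previously allocated by thread T2 here:
63: E               #0 0x7f71447f0bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
63: E               #1 0x7f714461dbda in pn_listener_accept2 ../c/src/proactor/epoll.c:1883
"""

PREFIX = re.compile(r"^\d+: E\s*")  # test-runner prefix in front of every ASAN line
HEADER = re.compile(r"^(READ|WRITE) of size \d+ at \S+ thread (T\d+)"
                    r"|^(freed) by thread (T\d+)"
                    r"|^previously (allocated) by thread (T\d+)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region")

def triage(report):
    """Return access/freed/allocated -> (thread, frames), plus offset and size."""
    out, current = {}, None
    for raw in report.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.match(line):
            kind = "access" if m.group(1) else (m.group(3) or m.group(5))
            thread = m.group(2) or m.group(4) or m.group(6)
            current = out.setdefault(kind, (thread, []))[1]
        elif (m := FRAME.match(line)) and current is not None:
            # Runtime frames show "(module+0xoff)" instead of file:line; skip them.
            if not m.group(2).startswith("("):
                current.append((m.group(1), m.group(2)))
        elif m := REGION.search(line):
            out["offset"], out["size"] = int(m.group(1)), int(m.group(2))
        elif not line:
            current = None  # a blank line ends the current stack
    return out

def same_thread_free_then_use(t):
    """True when the thread that freed the block is the one that later touched it."""
    return t["access"][0] == t["freed"][0]
```

        On the sample, the first project frames are next_runnable for the read and pconnection_final_free for the free, both on T0, while the allocation came from T2.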

          People

            cliffjansen Clifford Jansen
            kgiusti Ken Giusti