Use after free #55

New Issue

Closed

opened 2019-08-09 17:42:34 +02:00 by devnexen · 4 comments

devnexen commented 2019-08-09 17:42:34 +02:00

Member

Copy Link

Just by launching make tests

`

==12942==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000054a8 at pc 0x7f8d6b735773 bp 0x7fff133de6d0 sp 0x7fff133de6c8
READ of size 4 at 0x62b0000054a8 thread T0
#0 0x7f8d6b735772 in PH7_VmEmitInstr engine/vm.c:299
#1 0x7f8d6b76433d in VmEvalChunk engine/vm.c:8999
#2 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#3 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#4 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#5 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308
#6 0x563853924149 in _start (/home/dcarlier/Contribs/Aer/binary/aer+0x1149)

0x62b0000054a8 is located 21160 bytes inside of 24596-byte region [0x62b000000200,0x62b000006214)
freed by thread T0 here:
#0 0x7f8d6c4cb1d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
#1 0x7f8d6b6b2928 in SyOSHeapFree engine/lib/memory.c:39
#2 0x7f8d6b6b2945 in MemOSFree engine/lib/memory.c:108
#3 0x7f8d6b6b3caa in MemBackendFree engine/lib/memory.c:273
#4 0x7f8d6b6b5fba in SyMemBackendFree engine/lib/memory.c:290
#5 0x7f8d6b6a3c62 in SySetRelease engine/lib/dataset.c:97
#6 0x7f8d6b710ffe in PH7_CompileAerScript engine/compiler.c:5174
#7 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
#8 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#9 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#10 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#11 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
#0 0x7f8d6c4cb98e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10798e)
#1 0x7f8d6b6b296c in SyOSHeapRealloc engine/lib/memory.c:31
#2 0x7f8d6b6b4b7f in MemOSRealloc engine/lib/memory.c:98
#3 0x7f8d6b6b3730 in MemBackendRealloc engine/lib/memory.c:208
#4 0x7f8d6b6b5c89 in SyMemBackendRealloc engine/lib/memory.c:246
#5 0x7f8d6b6a2bba in SySetPut engine/lib/dataset.c:31
#6 0x7f8d6b6bbe16 in SyLexTokenizeInput engine/lib/tokenizer.c:72
#7 0x7f8d6b6c89cf in PH7_TokenizeAerScript engine/lexer.c:604
#8 0x7f8d6b7103dd in PH7_CompileScript engine/compiler.c:5093
#9 0x7f8d6b710e91 in PH7_CompileAerScript engine/compiler.c:5167
#10 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
#11 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
#12 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
#13 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
#14 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free engine/vm.c:299 in PH7_VmEmitInstr
Shadow bytes around the buggy address:
0x0c567fff8a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c567fff8a90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c567fff8aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c567fff8ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==12942==ABORTING
make: *** [Makefile:165: tests/reference_test.test] Error 1`

Just by launching `make tests` ` ================================================================= ==12942==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000054a8 at pc 0x7f8d6b735773 bp 0x7fff133de6d0 sp 0x7fff133de6c8 READ of size 4 at 0x62b0000054a8 thread T0 #0 0x7f8d6b735772 in PH7_VmEmitInstr engine/vm.c:299 #1 0x7f8d6b76433d in VmEvalChunk engine/vm.c:8999 #2 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003 #3 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644 #4 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482) #5 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308 #6 0x563853924149 in _start (/home/dcarlier/Contribs/Aer/binary/aer+0x1149) 0x62b0000054a8 is located 21160 bytes inside of 24596-byte region [0x62b000000200,0x62b000006214) freed by thread T0 here: #0 0x7f8d6c4cb1d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7) #1 0x7f8d6b6b2928 in SyOSHeapFree engine/lib/memory.c:39 #2 0x7f8d6b6b2945 in MemOSFree engine/lib/memory.c:108 #3 0x7f8d6b6b3caa in MemBackendFree engine/lib/memory.c:273 #4 0x7f8d6b6b5fba in SyMemBackendFree engine/lib/memory.c:290 #5 0x7f8d6b6a3c62 in SySetRelease engine/lib/dataset.c:97 #6 0x7f8d6b710ffe in PH7_CompileAerScript engine/compiler.c:5174 #7 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986 #8 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003 #9 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644 #10 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482) #11 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308 previously allocated by thread T0 here: #0 0x7f8d6c4cb98e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10798e) #1 0x7f8d6b6b296c in SyOSHeapRealloc engine/lib/memory.c:31 #2 0x7f8d6b6b4b7f in MemOSRealloc engine/lib/memory.c:98 #3 0x7f8d6b6b3730 in MemBackendRealloc engine/lib/memory.c:208 #4 0x7f8d6b6b5c89 in SyMemBackendRealloc engine/lib/memory.c:246 #5 0x7f8d6b6a2bba in SySetPut engine/lib/dataset.c:31 #6 0x7f8d6b6bbe16 in SyLexTokenizeInput engine/lib/tokenizer.c:72 #7 0x7f8d6b6c89cf in PH7_TokenizeAerScript engine/lexer.c:604 #8 0x7f8d6b7103dd in PH7_CompileScript engine/compiler.c:5093 #9 0x7f8d6b710e91 in PH7_CompileAerScript engine/compiler.c:5167 #10 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986 #11 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003 #12 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644 #13 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482) #14 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free engine/vm.c:299 in PH7_VmEmitInstr Shadow bytes around the buggy address: 0x0c567fff8a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c567fff8a90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd 0x0c567fff8aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12942==ABORTING make: *** [Makefile:165: tests/reference_test.test] Error 1`

belliash commented 2019-08-23 13:07:57 +02:00

Owner

Copy Link

Does it occur on 4881ddf6de?

Does it occur on 4881ddf6de?

devnexen commented 2019-08-26 16:10:02 +02:00

Author

Member

Copy Link

For the record, it does not occur with this tag.

For the record, it does not occur with this tag.

belliash commented 2019-08-29 14:30:17 +02:00

Owner

Copy Link

Reverted 3dcc908788 with 3b9d91f186.

Reverted 3dcc908788 with 3b9d91f186.

belliash self-assigned this 2019-08-29 14:30:30 +02:00

belliash commented 2019-08-29 14:30:51 +02:00

Owner

Copy Link

Will investigate deeper after vacation.

Will investigate deeper after vacation.

belliash referenced this issue from a commit 2019-10-28 21:35:26 +01:00

Completely remove this broken threading implementation. Fixes #55.

belliash closed this issue 2019-10-28 21:35:26 +01:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

release/v0.1

crypto_module

v0.1.1

v0.1.0

Labels

Clear labels   

aerscript

Changes related to Aer specification

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

idea

This is an idea

  

question

More information is needed

  

won't fix

This won't be fixed

No Label

aerscript

bug

duplicate

enhancement

help wanted

idea

question

won't fix

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

belliash

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: aerscript/Aer#55

No description provided.