Use after free #55

Closed
opened by devnexen 2019-08-09 17:42:34 +02:00 · 4 comments
Member

Just by launching `make tests`

```
=================================================================
==12942==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000054a8 at pc 0x7f8d6b735773 bp 0x7fff133de6d0 sp 0x7fff133de6c8
READ of size 4 at 0x62b0000054a8 thread T0
    #0 0x7f8d6b735772 in PH7_VmEmitInstr engine/vm.c:299
    #1 0x7f8d6b76433d in VmEvalChunk engine/vm.c:8999
    #2 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
    #3 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
    #4 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
    #5 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308
    #6 0x563853924149 in _start (/home/dcarlier/Contribs/Aer/binary/aer+0x1149)

0x62b0000054a8 is located 21160 bytes inside of 24596-byte region [0x62b000000200,0x62b000006214)
freed by thread T0 here:
    #0 0x7f8d6c4cb1d7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x1071d7)
    #1 0x7f8d6b6b2928 in SyOSHeapFree engine/lib/memory.c:39
    #2 0x7f8d6b6b2945 in MemOSFree engine/lib/memory.c:108
    #3 0x7f8d6b6b3caa in MemBackendFree engine/lib/memory.c:273
    #4 0x7f8d6b6b5fba in SyMemBackendFree engine/lib/memory.c:290
    #5 0x7f8d6b6a3c62 in SySetRelease engine/lib/dataset.c:97
    #6 0x7f8d6b710ffe in PH7_CompileAerScript engine/compiler.c:5174
    #7 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
    #8 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
    #9 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
    #10 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
    #11 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7f8d6c4cb98e in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10798e)
    #1 0x7f8d6b6b296c in SyOSHeapRealloc engine/lib/memory.c:31
    #2 0x7f8d6b6b4b7f in MemOSRealloc engine/lib/memory.c:98
    #3 0x7f8d6b6b3730 in MemBackendRealloc engine/lib/memory.c:208
    #4 0x7f8d6b6b5c89 in SyMemBackendRealloc engine/lib/memory.c:246
    #5 0x7f8d6b6a2bba in SySetPut engine/lib/dataset.c:31
    #6 0x7f8d6b6bbe16 in SyLexTokenizeInput engine/lib/tokenizer.c:72
    #7 0x7f8d6b6c89cf in PH7_TokenizeAerScript engine/lexer.c:604
    #8 0x7f8d6b7103dd in PH7_CompileScript engine/compiler.c:5093
    #9 0x7f8d6b710e91 in PH7_CompileAerScript engine/compiler.c:5167
    #10 0x7f8d6b76402c in VmEvalChunk engine/vm.c:8986
    #11 0x7f8d6b764cba in PH7_VmInit engine/vm.c:1003
    #12 0x7f8d6b7b27c8 in ph7_vm_init engine/api.c:644
    #13 0x563853924482 in main (/home/dcarlier/Contribs/Aer/binary/aer+0x1482)
    #14 0x7f8d6b2fc09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free engine/vm.c:299 in PH7_VmEmitInstr
Shadow bytes around the buggy address:
  0x0c567fff8a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c567fff8a90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567fff8ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12942==ABORTING
make: *** [Makefile:165: tests/reference_test.test] Error 1
```

Owner

Does it occur on 4881ddf6de?
Author
Member

For the record, it does not occur with this tag.
Owner

Reverted 3dcc908788 with 3b9d91f186.
belliash self-assigned this 2019-08-29 14:30:30 +02:00
Owner

Will investigate deeper after vacation.
belliash closed this issue 2019-10-28 21:35:26 +01:00
Reference: aerscript/Aer#55