hfiref0x / LightFTP

Small x86-32/x64 FTP Server
BSD 2-Clause "Simplified" License

lightftp with asan mightbe segv #30

Closed CodeLogicError closed 9 months ago

CodeLogicError commented 1 year ago

I tried adding ASan to LightFTP and fuzzing it. I used CC=clang (16.0.6) and CFLAGS -fsanitize=address, built with cd Source/debug and make. When I continuously sent FTP login and LIST commands, it crashed.

==26459==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff2df5030 (pc 0x7ffff7b40aa0 bp 0x7ffff24ea590 sp 0x7ffff24ea4d8 T3)
==26459==The signal is caused by a READ memory access.
    #0 0x7ffff7b40aa0 in __GI___pthread_mutex_unlock_usercnt nptl/pthread_mutex_unlock.c:51:14
    #1 0x555555653215 in cleanup_handler /LightFTP/Source/Debug/../ftpserv.c:54:5
    #2 0x55555565263f in list_thread /LightFTP/Source/Debug/../ftpserv.c:545:5
    #3 0x7ffff7b3c043 in start_thread nptl/pthread_create.c:442:8
    #4 0x7ffff7bbb85f in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV nptl/pthread_mutex_unlock.c:51:14 in __GI___pthread_mutex_unlock_usercnt
Thread T3 created by T2 here:
    #0 0x5555555f94fa in pthread_create (/LightFTP/Source/Debug/fftp+0xa54fa) (BuildId: d6d1bc101abb09ae1afea352f6a9541f8e32a87c)
    #1 0x5555556505a7 in worker_thread_start /LightFTP/Source/Debug/../ftpserv.c:289:34
    #2 0x555555653f8b in ftpLIST /LightFTP/Source/Debug/../ftpserv.c:631:9
    #3 0x55555565b9c1 in ftp_client_thread /LightFTP/Source/Debug/../ftpserv.c:1672:26
    #4 0x7ffff7b3c043 in start_thread nptl/pthread_create.c:442:8

Thread T2 created by T1 here:
    #0 0x5555555f94fa in pthread_create (/LightFTP/Source/Debug/fftp+0xa54fa) (BuildId: d6d1bc101abb09ae1afea352f6a9541f8e32a87c)
    #1 0x55555565c8a9 in ftpmain /LightFTP/Source/Debug/../ftpserv.c:1787:18
    #2 0x7ffff7b3c043 in start_thread nptl/pthread_create.c:442:8

Thread T1 created by T0 here:
    #0 0x5555555f94fa in pthread_create (/LightFTP/Source/Debug/fftp+0xa54fa) (BuildId: d6d1bc101abb09ae1afea352f6a9541f8e32a87c)
    #1 0x55555565d454 in main /LightFTP/Source/Debug/../main.c:139:7
    #2 0x7ffff7ada1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

==26459==ABORTING

I used gdb to see what happened. It seems to happen at Source/ftpserv.c:535 clientsocket = create_datasocket(context); and Source/ftpserv.c:137 clientsocket = accept(context->DataSocket, (struct sockaddr *)&laddr, &asz); the stack is not well, as if pthread_cleanup_push destroyed the stack. The memory is munmap'd; I don't know what happened. Then the Source/ftpserv.c:137 cleanup_handler function runs. The memory is already munmap'd, so it crashes. Without ASan it might reuse the same memory and so not crash.
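The report's hypothesis is that cleanup_handler runs after the memory holding the mutex it unlocks is already gone. The following is an added example, not LightFTP's code (ctx_t, worker, CTX_MAGIC and the pipe standing in for the data socket are all constructed for the example), showing the lifetime rule a pthread_cleanup_push handler depends on: the thread that owns the context must cancel and pthread_join the worker before it destroys the mutex or frees the context, because the handler runs inside the cancelled thread and touches that memory. The magic field lets the handler record whether the context was still live when it ran, and the trylock after the join confirms the handler actually released the mutex.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Marker written into a live context and cleared before free(), so the cleanup
 * handler can record whether the memory it touched was still valid.
 * (Constructed for this example; LightFTP has no such field.) */
#define CTX_MAGIC 0x4C465450u

/* Hypothetical per-connection context: a mutex the worker holds while blocked,
 * plus the bookkeeping this example asserts on. */
typedef struct {
    unsigned magic;
    pthread_mutex_t mutex;
    int data_fd[2];       /* pipe standing in for the data socket; read() blocks like accept() */
    int ready_fd[2];      /* pipe the worker uses to signal "lock held, about to block" */
    int handler_ran;      /* set by cleanup_handler */
    int handler_saw_live; /* handler found magic intact, i.e. ctx not yet freed */
} ctx_t;

/* Cancellation cleanup handler: same role as a handler registered with
 * pthread_cleanup_push that releases a mutex the thread holds. */
static void cleanup_handler(void *arg)
{
    ctx_t *ctx = arg;
    ctx->handler_ran = 1;
    ctx->handler_saw_live = (ctx->magic == CTX_MAGIC);
    pthread_mutex_unlock(&ctx->mutex);
}

/* Worker: take the lock, register the handler, signal readiness, then block in
 * a cancellation point. Deferred cancellation is acted on inside read(). */
static void *worker(void *arg)
{
    ctx_t *ctx = arg;
    char byte = 0;
    ssize_t n;
    pthread_mutex_lock(&ctx->mutex);
    pthread_cleanup_push(cleanup_handler, ctx);
    n = write(ctx->ready_fd[1], "r", 1);
    n = read(ctx->data_fd[0], &byte, 1); /* blocks until cancelled */
    (void)n;
    pthread_cleanup_pop(1);
    return NULL;
}

/* Lifetime rule under test: cancel, then join, and only then tear the context
 * down. Returns 1 when the handler ran while the context was still live and
 * left the mutex unlocked; 0 otherwise. */
int cancel_join_then_free(void)
{
    ctx_t *ctx = calloc(1, sizeof *ctx);
    pthread_t tid;
    char byte = 0;
    ssize_t n;
    int ok;

    if (!ctx)
        return 0;
    if (pipe(ctx->data_fd) != 0 || pipe(ctx->ready_fd) != 0) {
        free(ctx);
        return 0;
    }
    pthread_mutex_init(&ctx->mutex, NULL);
    ctx->magic = CTX_MAGIC;

    if (pthread_create(&tid, NULL, worker, ctx) != 0) {
        free(ctx);
        return 0;
    }
    n = read(ctx->ready_fd[0], &byte, 1); /* worker holds the lock and is blocking */
    (void)n;

    pthread_cancel(tid);
    pthread_join(tid, NULL);              /* handler has run by the time join returns */

    /* If the handler released the mutex, trylock succeeds immediately. */
    ok = ctx->handler_ran && ctx->handler_saw_live
         && pthread_mutex_trylock(&ctx->mutex) == 0;
    if (ok)
        pthread_mutex_unlock(&ctx->mutex);

    /* Teardown only after the join: freeing before it would hand the handler a
     * dangling pointer, which is what ASan reports as heap-use-after-free, or a
     * SEGV once the page has been unmapped. */
    ctx->magic = 0;
    pthread_mutex_destroy(&ctx->mutex);
    close(ctx->data_fd[0]); close(ctx->data_fd[1]);
    close(ctx->ready_fd[0]); close(ctx->ready_fd[1]);
    free(ctx);
    return ok;
}

int main(void)
{
    printf("cleanup handler ran against a live context: %s\n",
           cancel_join_then_free() ? "yes" : "no");
    return 0;
}
```

When bisecting a cancellation-related crash like the one in the report, the diagnostic to look for under ASan is a heap-use-after-free or SEGV whose top frames are the cleanup handler and pthread_mutex_unlock, with the context's free() or munmap in the same trace; the ordering above (cancel, join, then destroy and free) is the one that keeps the handler's pointer valid.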

hfiref0x commented 1 year ago

Hello,

More details are needed. If this bug is not exploitable it is unlikely to be addressed quickly.

UldisRinkevichs commented 9 months ago

Using a Linux machine with 32 GB RAM, we did not encounter any bugs during a stress-test session with two ASAN-enabled binaries built with GCC and CLANG. The environment was: Linux Mint 21.2, Kernel: 6.2.0-39-generic, clang version 14.0.0-1ubuntu1.1, gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)

The stress script used eight curls in parallel to list the /lib directory.

As I see, @CodeLogicError was using a newer clang version. Sometimes using too-new compilers is not a good idea. Closing as can't reproduce / won't use an unstable compiler.