radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

Race condition in r2r #20736

Open trufae opened 2 years ago

trufae commented 2 years ago
==51943==ERROR: AddressSanitizer: heap-use-after-free on address 0x000105304384 at pc 0x0001056d8cb4 bp 0x00016b7926d0 sp 0x00016b7926c8
READ of size 1 at 0x000105304384 thread T1
    #0 0x1056d8cb0 in r_th_lock_enter thread_lock.c:98
    #1 0x104706924 in sigchld_th run.c:457
    #2 0x1056d6764 in _r_th_launcher thread.c:36
    #3 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
    #4 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)

0x000105304384 is located 4 bytes inside of 72-byte region [0x000105304380,0x0001053043c8)
freed by thread T2 here:
    #0 0x106047c94 in wrap_free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3fc94)
    #1 0x1056d92e4 in r_th_lock_free thread_lock.c:162
    #2 0x10471923c in subprocess_runner run.c:808
    #3 0x104710174 in run_r2_test run.c:921
    #4 0x10470f900 in r2r_run_cmd_test run.c:960
    #5 0x104716c78 in r2r_run_test run.c:1297
    #6 0x10471e9e8 in worker_th r2r.c:629
    #7 0x1056d6764 in _r_th_launcher thread.c:36
    #8 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
    #9 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)

previously allocated by thread T2 here:
    #0 0x106047f24 in wrap_calloc+0x9c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3ff24)
    #1 0x1056d84a8 in r_th_lock_new thread_lock.c:71
    #2 0x104707d08 in r2r_subprocess_start run.c:533
    #3 0x104718f2c in subprocess_runner run.c:795
    #4 0x104710174 in run_r2_test run.c:921
    #5 0x10470f900 in r2r_run_cmd_test run.c:960
    #6 0x104716c78 in r2r_run_test run.c:1297
    #7 0x10471e9e8 in worker_th r2r.c:629
    #8 0x1056d6764 in _r_th_launcher thread.c:36
    #9 0x1bbbe0268 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64e+0x7268)
    #10 0x1bbbdb088 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x2088)

Thread T1 created by T0 here:
    #0 0x106041f58 in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x39f58)
    #1 0x1056d6074 in r_th_new thread.c:219
    #2 0x104705fb4 in r2r_subprocess_init run.c:486
    #3 0x10471a55c in main r2r.c:336
    #4 0x104a51088 in start+0x204 (dyld:arm64e+0x5088)

Thread T2 created by T0 here:
    #0 0x106041f58 in wrap_pthread_create+0x54 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x39f58)
    #1 0x1056d6074 in r_th_new thread.c:219
    #2 0x10471c748 in main r2r.c:481
    #3 0x104a51088 in start+0x204 (dyld:arm64e+0x5088)

SUMMARY: AddressSanitizer: heap-use-after-free thread_lock.c:98 in r_th_lock_enter
DaKnig commented 1 year ago

How to reproduce?

trufae commented 1 year ago

You have to build r2 with the thread sanitizer (edit sys/sanitize.sh), comment the first line and uncomment the second line:

# SANITIZE=${SANITIZE:="address undefined signed-integer-overflow"}
SANITIZE=${SANITIZE:="thread"}

Then run the script; you can repro the bug when running r2r -i test/db/cmd and pressing ^C.
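A model of the lifecycle ordering behind the trace above, added here as an example (it is not radare2 or r2r code): a reaper thread in sigchld_th's role looks up per-subprocess state and enters its lock, while a runner thread in subprocess_runner's role frees that state. The struct, registry and function names are assumed; the fix shown is to unlink the entry under the registry lock before destroying its lock, so the reaper can never reach freed memory.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model, not radare2's layout: `lock` plays the role of the lock
 * r2r_subprocess_start allocates and subprocess_runner frees in the trace. */
typedef struct proc {
    pthread_mutex_t lock;
    int pid; bool exited;
    struct proc *next;
} Proc;
/* List the reaper thread (sigchld_th's role) walks; guarded by registry_lock. */
static pthread_mutex_t registry_lock = PTHREAD_MUTEX_INITIALIZER;
static Proc *registry = NULL;

Proc *proc_start(int pid) {
    Proc *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    pthread_mutex_init(&p->lock, NULL); p->pid = pid;
    pthread_mutex_lock(&registry_lock);
    p->next = registry; registry = p;
    pthread_mutex_unlock(&registry_lock);
    return p;
}
/* Fix for the ordering bug: unlink under registry_lock BEFORE destroying the
 * lock, so a concurrent reaper either already finished with the entry or never
 * sees it. Destroying first, as in the trace, lets the reaper enter freed memory. */
void proc_free_safe(Proc *p) {
    pthread_mutex_lock(&registry_lock);
    for (Proc **pp = &registry; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    pthread_mutex_unlock(&registry_lock);
    pthread_mutex_destroy(&p->lock);
    free(p);
}
/* Reaper side: mark the exit while holding registry_lock, so the entry
 * cannot be freed underneath it. Returns false if pid is not registered. */
bool reaper_mark_exited(int pid) {
    bool found = false;
    pthread_mutex_lock(&registry_lock);
    for (Proc *p = registry; p; p = p->next) {
        if (p->pid != pid) continue;
        pthread_mutex_lock(&p->lock);
        p->exited = true;
        pthread_mutex_unlock(&p->lock);
        found = true; break;
    }
    pthread_mutex_unlock(&registry_lock);
    return found;
}
```

Building this model with ASan or TSan and calling reaper_mark_exited after proc_free_safe is clean; swapping the unlink and destroy order in proc_free_safe reproduces the class of report shown in the issue.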