savoirfairelinux / opendht

OpenDHT: a C++17 Distributed Hash Table implementation
GNU General Public License v3.0

heap-use-after-free on current release #681

Closed AmarOk1412 closed 11 months ago

AmarOk1412 commented 1 year ago
=================================================================
==727250==ERROR: AddressSanitizer: heap-use-after-free on address 0x612002543fd0 at pc 0x7f46578e1932 bp 0x7f458dfaeeb0 sp 0x7f458dfaeea0
WRITE of size 1 at 0x612002543fd0 thread T328
[1699561742.630|6668|jamiaccount.cpp         :1853] [Account 3b28f0a09d85512e] Dht status: IPv4 connected; IPv6 connecting
    #0 0x7f46578e1931 in dht::Dht::Search::insertNode(std::shared_ptr<dht::Node> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, std::vector<unsigned char, std::allocator<unsigned char> > const&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1ee1931)
    #1 0x7f465792b653 in dht::Dht::searchNodeGetDone(dht::net::Request const&, dht::net::RequestAnswer&&, std::weak_ptr<dht::Dht::Search>, std::shared_ptr<dht::Query>) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1f2b653)
    #2 0x7f46579c60db in std::_Function_handler<void (dht::net::Request const&, dht::net::RequestAnswer&&), std::_Bind<void (dht::Dht::*(dht::Dht*, std::_Placeholder<1>, std::_Placeholder<2>, std::weak_ptr<dht::Dht::Search>, std::shared_ptr<dht::Query>))(dht::net::Request const&, dht::net::RequestAnswer&&, std::weak_ptr<dht::Dht::Search>, std::shared_ptr<dht::Query>)> >::_M_invoke(std::_Any_data const&, dht::net::Request const&, dht::net::RequestAnswer&&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1fc60db)
    #3 0x7f4657a41520 in std::_Function_handler<void (dht::net::Request const&, dht::net::ParsedMessage&&), dht::net::NetworkEngine::sendFindNode(std::shared_ptr<dht::Node> const&, dht::Hash<20ul> const&, signed char, std::function<void (dht::net::Request const&, dht::net::RequestAnswer&&)>&&, std::function<void (dht::net::Request const&, bool)>&&)::{lambda(dht::net::Request const&, dht::net::ParsedMessage&&)#1}>::_M_invoke(std::_Any_data const&, dht::net::Request const&, dht::net::ParsedMessage&&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x2041520)
    #4 0x7f4657a8c77c in dht::net::NetworkEngine::process(std::unique_ptr<dht::net::ParsedMessage, std::default_delete<dht::net::ParsedMessage> >&&, dht::SockAddr const&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x208c77c)
    #5 0x7f4657a95aa1 in dht::net::NetworkEngine::processMessage(unsigned char const*, unsigned long, dht::SockAddr) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x2095aa1)
    #6 0x7f465793b84d in dht::Dht::periodic(unsigned char const*, unsigned long, dht::SockAddr, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > > const&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1f3b84d)
    #7 0x7f46576585e7 in dht::DhtRunner::loop_() (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1c585e7)
    #8 0x7f465765989d in dht::DhtRunner::run(dht::DhtRunner::Config const&, dht::DhtRunner::Context&&)::{lambda()#2}::operator()() const (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1c5989d)
    #9 0x7f46556dc252  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252)
    #10 0x7f4655294ac2 in start_thread nptl/pthread_create.c:442
    #11 0x7f4655326a3f  (/lib/x86_64-linux-gnu/libc.so.6+0x126a3f)

0x612002543fd0 is located 272 bytes inside of 280-byte region [0x612002543ec0,0x612002543fd8)
freed by thread T328 here:
    #0 0x7f46670b724f in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:172
    #1 0x7f46578e10f3 in dht::Dht::Search::insertNode(std::shared_ptr<dht::Node> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, std::vector<unsigned char, std::allocator<unsigned char> > const&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1ee10f3)
@@@ stun_on_request_complete get method
@@@ stun_on_request_complete get user data - method 3 - status 370004
@@@ sess: 0x6210013b5128
[1699561742.662|6374] Connection to 51.222.138.120 failed - reset
[1699561742.662|6374] [Account 52f3a1cf8ff6b1c2] Cache for TURN resolution failed.
    #2 0x7f458dfafc2f  (<unknown module>)

previously allocated by thread T328 here:
    #0 0x7f46670b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7f46578dfc82 in dht::Dht::Search::insertNode(std::shared_ptr<dht::Node> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, std::vector<unsigned char, std::allocator<unsigned char> > const&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1edfc82)
    #2 0x7f458dfafc2f  (<unknown module>)

Thread T328 created by T17 here:
    #0 0x7f4667058685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7f46556dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328)
    #2 0xfffffffffffffff7  (<unknown module>)

Thread T17 created by T0 here:
    #0 0x7f4667058685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7f46556dc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328)
    #2 0x7f46566781d6 in jami::ScheduledExecutor::ScheduledExecutor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/sblin/Projects/jami-project/client-qt/daemon/src/scheduled_executor.cpp:30
    #3 0x7f46564c27ce in jami::Manager::ManagerPimpl::ManagerPimpl(jami::Manager&) /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:457
    #4 0x7f465651d370 in std::_MakeUniq<jami::Manager::ManagerPimpl>::__single_object std::make_unique<jami::Manager::ManagerPimpl, jami::Manager&>(jami::Manager&) (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0xb1d370)
    #5 0x7f46564c7714 in jami::Manager::Manager() /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:755
    #6 0x7f46564c7461 in jami::Manager::instance() /home/sblin/Projects/jami-project/client-qt/daemon/src/manager.cpp:728
    #7 0x7f46566340e4 in libjami::init(libjami::InitFlag) /home/sblin/Projects/jami-project/client-qt/daemon/src/ring_api.cpp:69
    #8 0x5651235bbec6 in InstanceManagerInterface::InstanceManagerInterface(bool) /home/sblin/Projects/jami-project/client-qt/src/libclient/qtwrapper/instancemanager.cpp:54
    #9 0x5651246d0267  (/home/sblin/Projects/jami-project/client-qt/build/jami+0x1d5f267)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/sblin/Projects/jami-project/client-qt/daemon/src/.libs/libjami.so.0+0x1ee1931) in dht::Dht::Search::insertNode(std::shared_ptr<dht::Node> const&, std::chrono::time_point<std::chrono::_V2::steady_clock, std::chrono::duration<long, std::ratio<1l, 1000000000l> > >, std::vector<unsigned char, std::allocator<unsigned char> > const&)
Shadow bytes around the buggy address:
  0x0c24804a07a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c24804a07b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24804a07c0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c24804a07d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24804a07e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c24804a07f0: fd fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa fa
  0x0c24804a0800: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c24804a0810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24804a0820: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c24804a0830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c24804a0840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==727250==ABORTING
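As an added example for triaging a report of this shape (editor's code, not OpenDHT's or Jami's): a small parser that reads the AddressSanitizer output above, ignores the application log lines that other threads interleaved with it, and reduces it to the facts a reviewer wants first (access kind and size, offset inside the freed region, the first application frame of the access, free and allocation stacks, and whether free and use happened on the same thread). The embedded sample report is abbreviated from the one in the issue (argument lists shortened to "...", module paths dropped); the triage hints are generic use-after-free heuristics, not a diagnosis of this particular bug.

```python
# Added example for this issue, not OpenDHT or Jami code. SAMPLE_REPORT is
# abbreviated from the report in the issue; the interleaved application log
# lines are kept on purpose, because real multi-threaded stderr captures
# contain them and a parser that trips on them is useless.
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
==727250==ERROR: AddressSanitizer: heap-use-after-free on address 0x612002543fd0 at pc 0x7f46578e1932 bp 0x7f458dfaeeb0 sp 0x7f458dfaeea0
WRITE of size 1 at 0x612002543fd0 thread T328
[1699561742.630|6668|jamiaccount.cpp         :1853] [Account 3b28f0a09d85512e] Dht status: IPv4 connected; IPv6 connecting
    #0 0x7f46578e1931 in dht::Dht::Search::insertNode(...) (libjami.so.0+0x1ee1931)
    #1 0x7f465792b653 in dht::Dht::searchNodeGetDone(...) (libjami.so.0+0x1f2b653)

0x612002543fd0 is located 272 bytes inside of 280-byte region [0x612002543ec0,0x612002543fd8)
freed by thread T328 here:
    #0 0x7f46670b724f in operator delete(void*, unsigned long) asan_new_delete.cpp:172
    #1 0x7f46578e10f3 in dht::Dht::Search::insertNode(...) (libjami.so.0+0x1ee10f3)
@@@ stun_on_request_complete get user data - method 3 - status 370004
    #2 0x7f458dfafc2f  (<unknown module>)

previously allocated by thread T328 here:
    #0 0x7f46670b61e7 in operator new(unsigned long) asan_new_delete.cpp:99
    #1 0x7f46578dfc82 in dht::Dht::Search::insertNode(...) (libjami.so.0+0x1edfc82)

SUMMARY: AddressSanitizer: heap-use-after-free (libjami.so.0+0x1ee1931) in dht::Dht::Search::insertNode(...)
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+(.*)$")
# Frames that belong to the allocator interceptors rather than to application code.
ALLOCATOR_FUNCS = {"operator new", "operator delete", "malloc", "free", "calloc", "realloc"}


@dataclass
class AsanReport:
    kind: str = ""
    access: str = ""               # READ or WRITE
    size: int = 0
    offset: int = -1               # bytes from the start of the freed region
    region_size: int = -1
    threads: dict = field(default_factory=dict)   # section -> thread id
    stacks: dict = field(default_factory=dict)    # section -> [symbol or None]


def function_name(symbol: Optional[str]) -> Optional[str]:
    """Symbol text up to its parameter list; None for '(<unknown module>)' frames."""
    return symbol.split("(", 1)[0].strip() if symbol else None


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; frames attach to the most recent section header."""
    rep, section = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.search(line):
            rep.kind, section = m.group(1), "access"
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.threads["access"] = m.group(1), int(m.group(2)), m.group(3)
        elif m := REGION_RE.search(line):
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
        elif m := FREED_RE.match(line):
            section, rep.threads["freed"] = "freed", m.group(1)
        elif m := ALLOC_RE.match(line):
            section, rep.threads["allocated"] = "allocated", m.group(1)
        elif line.startswith("SUMMARY:"):
            section = None
        elif (m := FRAME_RE.match(line)) and section:
            rest = m.group(2)            # "in <symbol> (<module>)" or "(<unknown module>)"
            rep.stacks.setdefault(section, []).append(rest[3:].strip() if rest.startswith("in ") else None)
        # Anything else (blank lines, interleaved application log output) is ignored.
    return rep


def top_app_frame(symbols) -> Optional[str]:
    """First symbolized frame that is application code rather than the allocator."""
    for fn in map(function_name, symbols):
        if fn and fn not in ALLOCATOR_FUNCS and not fn.startswith("__interceptor_"):
            return fn
    return None


def triage(rep: AsanReport) -> dict:
    """Reduce the report to what a first-pass reviewer looks at; hints are generic heuristics."""
    where = {k: top_app_frame(rep.stacks.get(k, [])) for k in ("access", "freed", "allocated")}
    same_thread = rep.threads.get("access") == rep.threads.get("freed")
    if all(where.values()) and len(set(where.values())) == 1:
        hint = ("allocated, freed and used again by the same function: look for a pointer, "
                "reference or iterator into a container that this function itself grows, shrinks or replaces")
    elif where["access"] and where["freed"]:
        hint = "freed in one place and used in another: check the ownership contract between them"
    else:
        hint = "stack frames are missing symbols: rebuild with -g and check ASAN_SYMBOLIZER_PATH"
    if not same_thread:
        hint += "; free and access happened on different threads, so also suspect a race"
    return {"kind": rep.kind,
            "access": f"{rep.access} of {rep.size} byte(s) at offset {rep.offset} of a {rep.region_size}-byte region",
            "same_thread": same_thread, **{f"{k}_in": v for k, v in where.items()}, "hint": hint}
```

Running triage(parse_asan_report(SAMPLE_REPORT)) reports a 1-byte WRITE at offset 272 of a 280-byte region with dht::Dht::Search::insertNode as the first application frame of all three stacks, all on thread T328. The parser deliberately attaches frames to the last header seen, so the "[169...]" and "@@@" lines from other threads neither end a section nor become frames; feed it the raw stderr capture and it gives the same answer as a clean report would.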
AmarOk1412 commented 11 months ago

https://github.com/savoirfairelinux/opendht/issues/656