search

varlink / libvarlink

C implementation of the Varlink protocol and command line tool
Apache License 2.0
87 stars 15 forks source link

There seems to be a heap-use-after-free in test-server-client #54

Closed evverx closed 1 year ago

evverx commented 1 year ago 
CC=clang meson -Db_sanitize=address -Db_lundef=false build
meson test -C ./build/ --print-errorlog test-server-client
ninja: Entering directory `/libvarlink/build'
ninja: no work to do.
1/1 test-server-client        FAIL            0.30s   exit status 1
>>> MALLOC_PERTURB_=82 /libvarlink/build/lib/test-server-client
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― ✀  ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
stderr:
=================================================================
==2638==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000b10 at pc 0x00000052a1ed bp 0x7ffff15b0230 sp 0x7ffff15b0228
READ of size 8 at 0x606000000b10 thread T0
    #0 0x52a1ec in varlink_call_reply /libvarlink/build/../lib/service.c:660:23
    #1 0x518172 in org_varlink_example_Echo /libvarlink/build/../lib/test-server-client.c:33:9
    #2 0x526bb2 in varlink_service_method_callback /libvarlink/build/../lib/service.c:282:16
    #3 0x5298f2 in varlink_service_dispatch_connection /libvarlink/build/../lib/service.c:555:29
    #4 0x528bee in varlink_service_process_events /libvarlink/build/../lib/service.c:604:29
    #5 0x518a8e in test_process_events /libvarlink/build/../lib/test-server-client.c:66:25
    #6 0x5173e5 in main /libvarlink/build/../lib/test-server-client.c:155:25
    #7 0x7fb5e6f4750f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) (BuildId: 765237b0355c030ff41d969eedcb87bfccb43595)
    #8 0x7fb5e6f475c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) (BuildId: 765237b0355c030ff41d969eedcb87bfccb43595)
    #9 0x41e414 in _start (/libvarlink/build/lib/test-server-client+0x41e414) (BuildId: 895f2f71b3295e0d2de926f12b3f985f4b8f704d)

0x606000000b10 is located 16 bytes inside of 64-byte region [0x606000000b00,0x606000000b40)
freed by thread T0 here:
    #0 0x4d2138 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
    #1 0x52523c in varlink_call_unref /libvarlink/build/../lib/service.c:101:17
    #2 0x52a1bf in varlink_call_reply /libvarlink/build/../lib/service.c:660:42
    #3 0x518172 in org_varlink_example_Echo /libvarlink/build/../lib/test-server-client.c:33:9
    #4 0x526bb2 in varlink_service_method_callback /libvarlink/build/../lib/service.c:282:16
    #5 0x5298f2 in varlink_service_dispatch_connection /libvarlink/build/../lib/service.c:555:29
    #6 0x528bee in varlink_service_process_events /libvarlink/build/../lib/service.c:604:29
    #7 0x518a8e in test_process_events /libvarlink/build/../lib/test-server-client.c:66:25
    #8 0x5173e5 in main /libvarlink/build/../lib/test-server-client.c:155:25
    #9 0x7fb5e6f4750f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) (BuildId: 765237b0355c030ff41d969eedcb87bfccb43595)

previously allocated by thread T0 here:
    #0 0x4d3457 in __interceptor_calloc (/libvarlink/build/lib/test-server-client+0x4d3457) (BuildId: 895f2f71b3295e0d2de926f12b3f985f4b8f704d)
    #1 0x52b8df in varlink_call_new /libvarlink/build/../lib/service.c:69:16
    #2 0x52970e in varlink_service_dispatch_connection /libvarlink/build/../lib/service.c:551:29
    #3 0x528bee in varlink_service_process_events /libvarlink/build/../lib/service.c:604:29
    #4 0x518a8e in test_process_events /libvarlink/build/../lib/test-server-client.c:66:25
    #5 0x5173e5 in main /libvarlink/build/../lib/test-server-client.c:155:25
    #6 0x7fb5e6f4750f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) (BuildId: 765237b0355c030ff41d969eedcb87bfccb43595)

SUMMARY: AddressSanitizer: heap-use-after-free /libvarlink/build/../lib/service.c:660:23 in varlink_call_reply
Shadow bytes around the buggy address:
  0x0c0c7fff8110: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8120: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8130: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8140: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8150: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff8160: fd fd[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c7fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2638==ABORTING