Hi all.  This is a bug I reported some time ago, but I just learned about
the gcc -fsanitize=address option and now I have some fresh info, which I
don't know enough to interpret. (see attached)

Just today I noticed that all network activity stopped about ten seconds
before pan crashed.  Felt like I lost my internet connection for a short
time because another networked application had to stop and re-login at
exactly the same time pan crashed.

My amateur guess is that some networking code (gnutls?) timed out and
closed a connection to the news server without "telling" pan about it,
then pan continued on as if the connection were still there -- hence
the use-after-free. (This crash happens quite often when pan uses an
encrypted connection to the server.)

Thoughts?

==16688== ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007af0 at pc 0x7ae371 bp 0x7fffffffc280 sp 0x7fffffffc278
WRITE of size 1 at 0x602000007af0 thread T0
    #0 0x7ae370 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae370)
    #1 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f)
    #2 0x7e3589 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3589)
    #3 0x7e4202 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e4202)
    #4 0x7e3f76 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3f76)
    #5 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
    #6 0x7ffff23dddc7 (/usr/lib64/libglib-2.0.so.0.3800.2+0x49dc7)
    #7 0x7ffff23de231 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4a231)
    #8 0x7ffff4733d6e (/usr/lib64/libgtk-x11-2.0.so.0.2400.23+0x12fd6e)
    #9 0x6133a6 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x6133a6)
    #10 0x6154b8 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x6154b8)
    #11 0x617144 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x617144)
    #12 0x7ffff0c1fa74 (/lib64/libc-2.19.so+0x21a74)
    #13 0x5d0828 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x5d0828)
0x602000007af0 is located 176 bytes inside of 184-byte region [0x602000007a40,0x602000007af8)
freed by thread T0 here:
    #0 0x7ffff4e5d6ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x126ea)
    #1 0x7b1a4d (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7b1a4d)
    #2 0x7e5ee1 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e5ee1)
    #3 0x7e7b4e (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e7b4e)
    #4 0x7ae336 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae336)
    #5 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f)
    #6 0x7e3589 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3589)
    #7 0x7e4202 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e4202)
    #8 0x7e3f76 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3f76)
    #9 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
previously allocated by thread T0 here:
    #0 0x7ffff4e5d4ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x124ea)
    #1 0x7e6612 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e6612)
    #2 0x7dc2a9 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7dc2a9)
    #3 0x86573d (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x86573d)
    #4 0x865595 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x865595)
    #5 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
Shadow bytes around the buggy address:
  0x0c047fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c047fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fa
  0x0c047fff8f60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c047fff8f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c047fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16688== ABORTING
[Thread 0x7fffd3a07700 (LWP 16727) exited]
[Thread 0x7fffd4208700 (LWP 16726) exited]
[Thread 0x7fffe80ed700 (LWP 16694) exited]
[Thread 0x7fffe8bf4700 (LWP 16693) exited]
[Thread 0x7fffe96fb700 (LWP 16692) exited]
[Thread 0x7ffff7e8a8c0 (LWP 16688) exited]
[Inferior 1 (process 16688) exited with code 01]

_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/pan-users
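Editor's note on the report above (added commentary, not part of the original message). Two things can be read straight off the unsymbolized trace. First, both the free and the bad write happen on thread T0, and the two stacks share every outer frame (0x7afd4f, 0x7e3589, 0x7e4202, 0x7e3f76, then libglib's main-loop dispatch), while the innermost pan frames, 0x7ae336 on the free side (#4) and 0x7ae370 on the write side (#0), are 0x3a bytes apart. So this is not a cross-thread race: one function calls into 0x7b1a4d -> 0x7e5ee1 -> 0x7e7b4e, that chain deletes the 184-byte object, and the same function then writes one byte at offset 176 of it. That is the classic "callback destroyed the object I am still holding" shape, and it fits the reporter's guess that a closed connection is torn down without the caller being told. Second, because the offsets in parentheses equal the addresses (a non-PIE executable), the frames can be resolved with `addr2line -e /home/wa1ter/src/pan2/obj/pan/gui/pan -f -C 0x7ae370 0x7ae336 0x7b1a4d 0x7e7b4e` if the binary was built with -g; ASan itself prints file:line when llvm-symbolizer is on PATH.

The C program below is an added example written for this note, not pan's code; the struct, function names and handler contract are invented to reproduce that shape in isolation. The buggy path frees the connection inside a handler and then writes to it (under ASan it produces the same kind of report, with the write landing at byte 176); the fixed path pins the object with a reference for the duration of the dispatch and re-checks the connection's state before touching it, so the handler may release its owner's reference without the caller writing into freed memory.

```c
/*
 * Added example (not pan's code): minimal reproduction of the bug shape in
 * the ASan report, plus a refcounted fix. Names and layout are invented.
 * To see the ASan report for the buggy path:
 *   gcc -g -fsanitize=address -DDEMO_UAF uaf.c -o uaf && ./uaf
 */
#include <stdio.h>
#include <stdlib.h>

struct conn {
    int  refs;        /* used only by the fixed path */
    int  open;        /* cleared when the peer (or a TLS timeout) closes the socket */
    char rbuf[168];   /* payload; puts the written field at offset 176 like the report */
    char state;       /* the field the dispatcher updates after the handler returns */
};

static int g_frees;   /* how many times a conn was freed; exposed via free_count() */

static struct conn *conn_new(void)
{
    struct conn *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refs = 1;      /* the owner's reference */
    c->open = 1;
    return c;
}

static void conn_free(struct conn *c) { g_frees++; free(c); }

/* ---- buggy shape: handler frees, caller is not told, caller writes ---- */
static void on_peer_closed_buggy(struct conn *c)
{
    c->open = 0;
    conn_free(c);     /* destroyed here ... */
}

void dispatch_buggy(struct conn *c)
{
    on_peer_closed_buggy(c);
    c->state = 'X';   /* ... written here: heap-use-after-free, WRITE of size 1 */
}

/* ---- fixed shape: dispatcher pins the object and re-checks its state ---- */
static void conn_ref(struct conn *c)   { c->refs++; }
static void conn_unref(struct conn *c) { if (--c->refs == 0) conn_free(c); }

static void on_peer_closed_fixed(struct conn *c)
{
    c->open = 0;
    conn_unref(c);    /* releases the owner's reference; memory survives while pinned */
}

/* Returns 1 if the state byte was written, 0 if the connection had been closed. */
static int dispatch_fixed(struct conn *c, int peer_gone)
{
    int wrote = 0;
    conn_ref(c);                        /* pin for the duration of this call */
    if (peer_gone)
        on_peer_closed_fixed(c);
    if (c->open) {                      /* the handler may have closed it: re-check first */
        c->state = 'X';
        wrote = 1;
    }
    conn_unref(c);                      /* drop the pin; frees now if the owner already let go */
    return wrote;
}

/* Runs the fixed path once; returns the number of state writes (0 or 1). */
int scenario_fixed(int peer_gone)
{
    g_frees = 0;
    struct conn *c = conn_new();
    int wrote = dispatch_fixed(c, peer_gone);
    if (!peer_gone)
        conn_unref(c);                  /* still alive: the owner releases it normally */
    return wrote;
}

int free_count(void) { return g_frees; }

int main(void)
{
    int w = scenario_fixed(1);
    printf("peer gone : writes=%d frees=%d\n", w, free_count());
    w = scenario_fixed(0);
    printf("peer alive: writes=%d frees=%d\n", w, free_count());
#ifdef DEMO_UAF
    dispatch_buggy(conn_new());         /* aborts with an ASan heap-use-after-free report */
#endif
    return 0;
}
```

The pin-and-recheck pattern is the same thing GLib code does with g_object_ref() around signal emission; the other common cure is to forbid synchronous destruction from inside the handler altogether (the handler only marks the connection closed, and the owner releases it later from the main loop), which is simpler to reason about when the object can be reached from several callbacks.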
