On 05/06/2014 11:42 AM, walt wrote:
> Hi all. This is a bug I reported some time ago, but I just learned about
> the gcc -fsanitize=address option and now I have some fresh info, which I
> don't know enough to interpret. (see attached)

Using addr2line (from binutils) I added some source code annotations at the end of each line of debugging info. (see attached)

==16688== ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007af0 at pc 0x7ae371 bp 0x7fffffffc280 sp 0x7fffffffc278 tasks/nntp.h:170
WRITE of size 1 at 0x602000007af0 thread T0
    #0 0x7ae370 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae370) tasks/nntp.cc:66
    #1 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f) tasks/nntp.cc:284
    #2 0x7e3589 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3589) tasks/socket-impl-gio.cc:346
    #3 0x7e4202 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e4202) tasks/socket-impl-gio.cc:457 (discriminator 1)
    #4 0x7e3f76 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3f76) tasks/socket-impl-gio.cc:436
    #5 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
    #6 0x7ffff23dddc7 (/usr/lib64/libglib-2.0.so.0.3800.2+0x49dc7)
    #7 0x7ffff23de231 (/usr/lib64/libglib-2.0.so.0.3800.2+0x4a231)
    #8 0x7ffff4733d6e (/usr/lib64/libgtk-x11-2.0.so.0.2400.23+0x12fd6e)
    #9 0x6133a6 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x6133a6) gui/pan.cc:94
    #10 0x6154b8 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x6154b8) gui/pan.cc:553
    #11 0x617144 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x617144) gui/pan.cc:1107 (discriminator 1)
    #12 0x7ffff0c1fa74 (/lib64/libc-2.19.so+0x21a74)
    #13 0x5d0828 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x5d0828) ??:?
0x602000007af0 is located 176 bytes inside of 184-byte region [0x602000007a40,0x602000007af8)
freed by thread T0 here:
    #0 0x7ffff4e5d6ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x126ea)
    #1 0x7b1a4d (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7b1a4d) tasks/nntp.h:170
    #2 0x7e5ee1 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e5ee1) tasks/nntp-pool.cc:152 (discriminator 1)
    #3 0x7e7b4e (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e7b4e) tasks/nntp-pool.cc:327 (discriminator 3)
    #4 0x7ae336 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae336) tasks/nntp.cc:65 (discriminator 1)
    #5 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f) tasks/nntp.cc:284
    #6 0x7e3589 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3589) tasks/socket-impl-gio.cc:346
    #7 0x7e4202 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e4202) tasks/socket-impl-gio.cc:457 (discriminator 1)
    #8 0x7e3f76 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e3f76) tasks/socket-impl-gio.cc:436
    #9 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
previously allocated by thread T0 here:
    #0 0x7ffff4e5d4ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x124ea)
    #1 0x7e6612 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e6612) tasks/nntp-pool.cc:198 (discriminator 1)
    #2 0x7dc2a9 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7dc2a9) tasks/socket-impl-main.cc:107
    #3 0x86573d (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x86573d) general/worker-pool.cc:89
    #4 0x865595 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x865595) general/worker-pool.cc:81
    #5 0x7ffff23dda3e (/usr/lib64/libglib-2.0.so.0.3800.2+0x49a3e)
Shadow bytes around the buggy address:
  0x0c047fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c047fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fa
  0x0c047fff8f60: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c047fff8f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c047fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16688== ABORTING
[Thread 0x7fffd3a07700 (LWP 16727) exited]
[Thread 0x7fffd4208700 (LWP 16726) exited]
[Thread 0x7fffe80ed700 (LWP 16694) exited]
[Thread 0x7fffe8bf4700 (LWP 16693) exited]
[Thread 0x7fffe96fb700 (LWP 16692) exited]
[Thread 0x7ffff7e8a8c0 (LWP 16688) exited]
[Inferior 1 (process 16688) exited with code 01]
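An added example, not part of the original post and not Pan or AddressSanitizer code: a short Python triage script that splits a report like the one above into its access, free and allocation stacks, finds the first caller the access and free stacks share, and builds the addr2line command lines for the annotation step. The function names are hypothetical, and the sample is an excerpt of the frames in the post.

```python
import re

# Excerpt of the report in the post above, with some frames trimmed.
SAMPLE = """\
WRITE of size 1 at 0x602000007af0 thread T0
    #0 0x7ae370 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae370) tasks/nntp.cc:66
    #1 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f) tasks/nntp.cc:284
freed by thread T0 here:
    #0 0x7ffff4e5d6ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x126ea)
    #1 0x7b1a4d (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7b1a4d) tasks/nntp.h:170
    #2 0x7e5ee1 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e5ee1) tasks/nntp-pool.cc:152 (discriminator 1)
    #3 0x7e7b4e (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e7b4e) tasks/nntp-pool.cc:327 (discriminator 3)
    #4 0x7ae336 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7ae336) tasks/nntp.cc:65 (discriminator 1)
    #5 0x7afd4f (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7afd4f) tasks/nntp.cc:284
previously allocated by thread T0 here:
    #0 0x7ffff4e5d4ea (/usr/lib64/gcc/x86_64-pc-linux-gnu/4.8.2/libasan.so.0.0.0+0x124ea)
    #1 0x7e6612 (/home/wa1ter/src/pan2/obj/pan/gui/pan+0x7e6612) tasks/nntp-pool.cc:198 (discriminator 1)
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ \(([^()]+)\+(0x[0-9a-f]+)\)")
HEADERS = {" of size ": "access", "freed by thread": "free",
           "previously allocated by thread": "alloc"}

def split_stacks(report):
    """Group (module, offset) frames under the access, free and alloc stacks."""
    stacks, current = {"access": [], "free": [], "alloc": []}, None
    for line in map(str.strip, report.splitlines()):
        current = next((n for h, n in HEADERS.items() if h in line), current)
        m = FRAME.match(line)
        if m and current:
            stacks[current].append((m.group(1), m.group(2)))
    return stacks

def shared_caller(stacks):
    """First access-stack frame that is also on the free stack, or None."""
    # A hit means the free ran underneath a caller that was still live at the bad access.
    on_free_path = set(stacks["free"])
    return next((f for f in stacks["access"] if f in on_free_path), None)

def addr2line_cmds(stacks):
    """One addr2line argv per module, so each binary is opened only once."""
    by_module = {}
    for frames in stacks.values():
        for module, offset in frames:
            offsets = by_module.setdefault(module, [])
            if offset not in offsets:
                offsets.append(offset)
    return [["addr2line", "-C", "-f", "-e", m] + offs for m, offs in by_module.items()]
```

On the excerpt, the shared frame is pan+0x7afd4f (tasks/nntp.cc:284): the free reached through nntp.cc:65 and the write at nntp.cc:66 both happen under that same caller on thread T0.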