bug-gnu-pspp

PSPP-BUG: [bug #58595] Use after free in fh_get_referent


From: Friedrich Beckmann
Subject: PSPP-BUG: [bug #58595] Use after free in fh_get_referent
Date: Wed, 17 Jun 2020 06:28:56 -0400 (EDT)
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

Update of bug #58595 (project pspp):

                  Status:                    None => Confirmed              

    _______________________________________________________

Follow-up Comment #4:

Thanks! I just did not compile with -fsanitize=address. Now I see


uaf2:48: Fehler: Unbekannter Befehl `ATfKATA'.
=================================================================
==72749==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000003138 at pc 0x0001047cc50c bp 0x7ffeebc46410 sp 0x7ffeebc46408
READ of size 4 at 0x60b000003138 thread T0
    #0 0x1047cc50b in fh_get_referent file-handle-def.c:323
    #1 0x1047cd46e in make_key file-handle-def.c:629
    #2 0x1047ce714 in fh_is_locked file-handle-def.c:604
    #3 0x10414fb4e in cmd_begin_data data-reader.c:731
    #4 0x103fd05ed in do_parse_command command.c:233
    #5 0x103fcff9f in cmd_parse_in_state command.c:147
    #6 0x103fd081d in cmd_parse command.c:162
    #7 0x103fbb4dd in main main.c:136
    #8 0x7fff587a9014 in start (libdyld.dylib:x86_64+0x1014)

0x60b000003138 is located 40 bytes inside of 104-byte region
[0x60b000003110,0x60b000003178)
freed by thread T0 here:
    #0 0x1053f010d in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5710d)
    #1 0x1047cbaf9 in free_handle file-handle-def.c:134
    #2 0x1047cb939 in fh_unref file-handle-def.c:170
    #3 0x10414dbe1 in dfm_close_reader data-reader.c:110
    #4 0x10414fc96 in cmd_begin_data data-reader.c:747
    #5 0x103fd05ed in do_parse_command command.c:233
    #6 0x103fcff9f in cmd_parse_in_state command.c:147
    #7 0x103fd081d in cmd_parse command.c:162
    #8 0x103fbb4dd in main main.c:136
    #9 0x7fff587a9014 in start (libdyld.dylib:x86_64+0x1014)

previously allocated by thread T0 here:
    #0 0x1053f0497 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57497)
    #1 0x104950298 in xcalloc xmalloc.c:112
    #2 0x10495024b in xzalloc xmalloc.c:97
    #3 0x1047cb1c9 in create_handle file-handle-def.c:215
    #4 0x1047cb10e in fh_init file-handle-def.c:103
    #5 0x103fbb02b in main main.c:92
    #6 0x7fff587a9014 in start (libdyld.dylib:x86_64+0x1014)

SUMMARY: AddressSanitizer: heap-use-after-free file-handle-def.c:323 in fh_get_referent
Shadow bytes around the buggy address:
  0x1c16000005d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x1c16000005e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x1c16000005f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x1c1600000600: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x1c1600000610: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
=>0x1c1600000620: fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa
  0x1c1600000630: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c1600000640: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x1c1600000650: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c1600000660: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1600000670: 00 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==72749==ABORTING
******************************************************
You have discovered a bug in PSPP.  Please report this
to bug-gnu-pspp@gnu.org.  Please include this entire
message, *plus* several lines of output just above it.
For the best chance at having the bug fixed, also
include the syntax file that triggered it and a sample
of any data file used for input.
proximate cause:     Assertion Failure/Abort
version:             GNU pspp 1.3.0
host_system:         x86_64-apple-darwin17.7.0
build_system:        x86_64-apple-darwin17.7.0
locale_dir:          /Users/fritz/pspp/osxbundler/install/share/locale
compiler version:    4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)
******************************************************
Abort trap: 6
Fredo:Downloads fritz$ 



    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?58595>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/