[MXS-2612] Use-after-free in cache filter - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.4.2
Component/s: Core
Labels:
None

Sprint:
MXS-SPRINT-87, MXS-SPRINT-88, MXS-SPRINT-89

Description

The crash happened on exit.

=================================================================

==905==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000386e0 at pc 0x7ffff7654f9d bp 0x7fffffffc840 sp 0x7fffffffbfe8

READ of size 8 at 0x6030000386e0 thread T0

    #0 0x7ffff7654f9c  (/lib64/libasan.so.5+0xdaf9c)

    #1 0x7ffff6770f0b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/lib64/libstdc++.so.6+0x149f0b)

    #2 0x423cfb in bool std::operator< <char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/markusjm/build-develop/bin/maxscale+0x423cfb)

    #3 0x4224e0 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/home/markusjm/build-develop/bin/maxscale+0x4224e0)

    #4 0x7ffff7126e01 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::_M_lower_bound(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >*, std::_Rb_tree_node_base*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:1925

    #5 0x7ffff712515c in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:2553

    #6 0x7ffff712382a in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, config::Type*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_map.h:1169

    #7 0x7ffff711f039 in config::Configuration::remove(config::Type*) /home/markusjm/MaxScale/server/core/config2.cc:436

    #8 0x7ffff711f36e in config::Type::~Type() /home/markusjm/MaxScale/server/core/config2.cc:464

    #9 0x7ffff2371e10 in config::ConcreteType<config::Enum<cache_in_trxs>, config::ParamEnum<cache_in_trxs> >::~ConcreteType() /home/markusjm/MaxScale/include/maxscale/config2.hh:958

    #10 0x7ffff2371e5e in config::Enum<cache_in_trxs>::~Enum() /home/markusjm/MaxScale/include/maxscale/config2.hh:1242

    #11 0x7ffff236e89c in CacheConfig::~CacheConfig() /home/markusjm/MaxScale/server/modules/filter/cache/cacheconfig.cc:168

    #12 0x7ffff2384195 in CacheFilter::~CacheFilter() /home/markusjm/MaxScale/server/modules/filter/cache/cachefilter.cc:152

    #13 0x7ffff238667c in maxscale::Filter<CacheFilter, CacheFilterSession>::destroyInstance(mxs_filter*) /home/markusjm/MaxScale/include/maxscale/filter.hh:586

    #14 0x7ffff716a876 in FilterDef::~FilterDef() /home/markusjm/MaxScale/server/core/filter.cc:121

    #15 0x7ffff717246c in std::_Sp_counted_ptr<FilterDef*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/9/bits/shared_ptr_base.h:377

    #16 0x7ffff70b3b64 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:155

    #17 0x7ffff70b2f97 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/9/bits/shared_ptr_base.h:730

    #18 0x7ffff70efc9d in std::__shared_ptr<FilterDef, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/9/bits/shared_ptr_base.h:1169

    #19 0x7ffff70efcb9 in std::shared_ptr<FilterDef>::~shared_ptr() /usr/include/c++/9/bits/shared_ptr.h:103

    #20 0x7ffff7171899 in void std::_Destroy<std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:98

    #21 0x7ffff7170f56 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:108

    #22 0x7ffff7170529 in void std::_Destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:137

    #23 0x7ffff716eede in void std::_Destroy<std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*, std::allocator<std::shared_ptr<FilterDef> >&) /usr/include/c++/9/bits/stl_construct.h:206

    #24 0x7ffff716e46d in std::vector<std::shared_ptr<FilterDef>, std::allocator<std::shared_ptr<FilterDef> > >::~vector() /usr/include/c++/9/bits/stl_vector.h:677

    #25 0x7ffff716de39 in ~<constructor> /home/markusjm/MaxScale/server/core/filter.cc:51

    #26 0x7ffff6057c06 in __cxa_finalize (/lib64/libc.so.6+0x3ac06)

    #27 0x7ffff70a4866  (/home/markusjm/build-develop/lib64/maxscale/libmaxscale-common.so.1.0.0+0x221866)

0x6030000386e0 is located 0 bytes inside of 22-byte region [0x6030000386e0,0x6030000386f6)

freed by thread T0 here:

    #0 0x7ffff768a9bf in operator delete(void*) (/lib64/libasan.so.5+0x1109bf)

    #1 0x7ffff711d884 in config::Param::~Param() /home/markusjm/MaxScale/server/core/config2.cc:306

    #2 0x7ffff2372c32 in config::ParamEnum<cache_in_trxs>::~ParamEnum() (/home/markusjm/build-develop/lib64/maxscale/libcache.so+0x66c32)

    #3 0x7ffff605766f in __run_exit_handlers (/lib64/libc.so.6+0x3a66f)

previously allocated by thread T0 here:

    #0 0x7ffff7689a27 in operator new(unsigned long) (/lib64/libasan.so.5+0x10fa27)

    #1 0x7ffff677174c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/lib64/libstdc++.so.6+0x14a74c)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.5+0xdaf9c)

Shadow bytes around the buggy address:

  0x0c067ffff080: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd

  0x0c067ffff090: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa

  0x0c067ffff0a0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa

  0x0c067ffff0b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd

  0x0c067ffff0c0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa

=>0x0c067ffff0d0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fa

  0x0c067ffff0e0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00

  0x0c067ffff0f0: 00 05 fa fa fd fd fd fa fa fa 00 00 06 fa fa fa

  0x0c067ffff100: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 01 fa

  0x0c067ffff110: fa fa 00 00 03 fa fa fa 00 00 03 fa fa fa fd fd

  0x0c067ffff120: fd fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==905==ABORTING

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

cache-rules.json
0.1 kB
2019-07-24 05:23
dbfw-rules.txt
0.1 kB
2019-07-24 05:23
masking-rules.json
1 kB
2019-07-24 05:23
maxscale.cnf
2 kB
2019-07-24 05:27

Activity

People

Assignee:: Johan Wikman

Reporter:: markus makela

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-07-24 05:26

Updated:: 2019-09-13 04:27

Resolved:: 2019-08-29 05:03

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.