  1. MariaDB MaxScale
  2. MXS-2612

Use-after-free in cache filter


Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Fixed
    • None
    • 2.4.2
    • Core
    • None
    • MXS-SPRINT-87, MXS-SPRINT-88, MXS-SPRINT-89

    Description

      The crash happened at process exit, while the exit handlers were running (see the `__cxa_finalize` / `__run_exit_handlers` frames below): a static-duration `ParamEnum` had already been destroyed when the `CacheConfig` destructor ran and `config::Configuration::remove()` looked the parameter's name up in its map.

      =================================================================
      ==905==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000386e0 at pc 0x7ffff7654f9d bp 0x7fffffffc840 sp 0x7fffffffbfe8
      READ of size 8 at 0x6030000386e0 thread T0
          #0 0x7ffff7654f9c  (/lib64/libasan.so.5+0xdaf9c)
          #1 0x7ffff6770f0b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/lib64/libstdc++.so.6+0x149f0b)
          #2 0x423cfb in bool std::operator< <char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/markusjm/build-develop/bin/maxscale+0x423cfb)
          #3 0x4224e0 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/home/markusjm/build-develop/bin/maxscale+0x4224e0)
          #4 0x7ffff7126e01 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::_M_lower_bound(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >*, std::_Rb_tree_node_base*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:1925
          #5 0x7ffff712515c in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:2553
          #6 0x7ffff712382a in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, config::Type*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_map.h:1169
          #7 0x7ffff711f039 in config::Configuration::remove(config::Type*) /home/markusjm/MaxScale/server/core/config2.cc:436
          #8 0x7ffff711f36e in config::Type::~Type() /home/markusjm/MaxScale/server/core/config2.cc:464
          #9 0x7ffff2371e10 in config::ConcreteType<config::Enum<cache_in_trxs>, config::ParamEnum<cache_in_trxs> >::~ConcreteType() /home/markusjm/MaxScale/include/maxscale/config2.hh:958
          #10 0x7ffff2371e5e in config::Enum<cache_in_trxs>::~Enum() /home/markusjm/MaxScale/include/maxscale/config2.hh:1242
          #11 0x7ffff236e89c in CacheConfig::~CacheConfig() /home/markusjm/MaxScale/server/modules/filter/cache/cacheconfig.cc:168
          #12 0x7ffff2384195 in CacheFilter::~CacheFilter() /home/markusjm/MaxScale/server/modules/filter/cache/cachefilter.cc:152
          #13 0x7ffff238667c in maxscale::Filter<CacheFilter, CacheFilterSession>::destroyInstance(mxs_filter*) /home/markusjm/MaxScale/include/maxscale/filter.hh:586
          #14 0x7ffff716a876 in FilterDef::~FilterDef() /home/markusjm/MaxScale/server/core/filter.cc:121
          #15 0x7ffff717246c in std::_Sp_counted_ptr<FilterDef*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/9/bits/shared_ptr_base.h:377
          #16 0x7ffff70b3b64 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:155
          #17 0x7ffff70b2f97 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/9/bits/shared_ptr_base.h:730
          #18 0x7ffff70efc9d in std::__shared_ptr<FilterDef, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/9/bits/shared_ptr_base.h:1169
          #19 0x7ffff70efcb9 in std::shared_ptr<FilterDef>::~shared_ptr() /usr/include/c++/9/bits/shared_ptr.h:103
          #20 0x7ffff7171899 in void std::_Destroy<std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:98
          #21 0x7ffff7170f56 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:108
          #22 0x7ffff7170529 in void std::_Destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:137
          #23 0x7ffff716eede in void std::_Destroy<std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*, std::allocator<std::shared_ptr<FilterDef> >&) /usr/include/c++/9/bits/stl_construct.h:206
          #24 0x7ffff716e46d in std::vector<std::shared_ptr<FilterDef>, std::allocator<std::shared_ptr<FilterDef> > >::~vector() /usr/include/c++/9/bits/stl_vector.h:677
          #25 0x7ffff716de39 in ~<constructor> /home/markusjm/MaxScale/server/core/filter.cc:51
          #26 0x7ffff6057c06 in __cxa_finalize (/lib64/libc.so.6+0x3ac06)
          #27 0x7ffff70a4866  (/home/markusjm/build-develop/lib64/maxscale/libmaxscale-common.so.1.0.0+0x221866)
       
      0x6030000386e0 is located 0 bytes inside of 22-byte region [0x6030000386e0,0x6030000386f6)
      freed by thread T0 here:
          #0 0x7ffff768a9bf in operator delete(void*) (/lib64/libasan.so.5+0x1109bf)
          #1 0x7ffff711d884 in config::Param::~Param() /home/markusjm/MaxScale/server/core/config2.cc:306
          #2 0x7ffff2372c32 in config::ParamEnum<cache_in_trxs>::~ParamEnum() (/home/markusjm/build-develop/lib64/maxscale/libcache.so+0x66c32)
          #3 0x7ffff605766f in __run_exit_handlers (/lib64/libc.so.6+0x3a66f)
       
      previously allocated by thread T0 here:
          #0 0x7ffff7689a27 in operator new(unsigned long) (/lib64/libasan.so.5+0x10fa27)
          #1 0x7ffff677174c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/lib64/libstdc++.so.6+0x14a74c)
       
      SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.5+0xdaf9c) 
      Shadow bytes around the buggy address:
        0x0c067ffff080: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
        0x0c067ffff090: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
        0x0c067ffff0a0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
        0x0c067ffff0b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
        0x0c067ffff0c0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
      =>0x0c067ffff0d0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fa
        0x0c067ffff0e0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
        0x0c067ffff0f0: 00 05 fa fa fd fd fd fa fa fa 00 00 06 fa fa fa
        0x0c067ffff100: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 01 fa
        0x0c067ffff110: fa fa 00 00 03 fa fa fa 00 00 03 fa fa fa fd fd
        0x0c067ffff120: fd fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==905==ABORTING
      

      Attachments

        1. cache-rules.json
          0.1 kB
          markus makela
        2. dbfw-rules.txt
          0.1 kB
          markus makela
        3. masking-rules.json
          1 kB
          markus makela
        4. maxscale.cnf
          2 kB
          markus makela

        Activity

          People

            johan.wikman Johan Wikman
            markus makela markus makela

            Dates

              Created:
              Updated:
              Resolved:
