[MXS-2612] Use-after-free in cache filter Created: 2019-07-24  Updated: 2019-09-13  Resolved: 2019-08-29

Status: Closed
Project: MariaDB MaxScale
Component/s: Core
Affects Version/s: None
Fix Version/s: 2.4.2

Type: Bug Priority: Minor
Reporter: markus makela Assignee: Johan Wikman
Resolution: Fixed Votes: 0
Labels: None

Attachments: File cache-rules.json     Text File dbfw-rules.txt     File masking-rules.json     File maxscale.cnf    
Sprint: MXS-SPRINT-87, MXS-SPRINT-88, MXS-SPRINT-89

Description

The crash happened on exit.

=================================================================
==905==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000386e0 at pc 0x7ffff7654f9d bp 0x7fffffffc840 sp 0x7fffffffbfe8
READ of size 8 at 0x6030000386e0 thread T0
    #0 0x7ffff7654f9c  (/lib64/libasan.so.5+0xdaf9c)
    #1 0x7ffff6770f0b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::compare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/lib64/libstdc++.so.6+0x149f0b)
    #2 0x423cfb in bool std::operator< <char, std::char_traits<char>, std::allocator<char> >(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/markusjm/build-develop/bin/maxscale+0x423cfb)
    #3 0x4224e0 in std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::operator()(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) const (/home/markusjm/build-develop/bin/maxscale+0x4224e0)
    #4 0x7ffff7126e01 in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::_M_lower_bound(std::_Rb_tree_node<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >*, std::_Rb_tree_node_base*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:1925
    #5 0x7ffff712515c in std::_Rb_tree<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*>, std::_Select1st<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_tree.h:2553
    #6 0x7ffff712382a in std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, config::Type*, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, config::Type*> > >::find(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/stl_map.h:1169
    #7 0x7ffff711f039 in config::Configuration::remove(config::Type*) /home/markusjm/MaxScale/server/core/config2.cc:436
    #8 0x7ffff711f36e in config::Type::~Type() /home/markusjm/MaxScale/server/core/config2.cc:464
    #9 0x7ffff2371e10 in config::ConcreteType<config::Enum<cache_in_trxs>, config::ParamEnum<cache_in_trxs> >::~ConcreteType() /home/markusjm/MaxScale/include/maxscale/config2.hh:958
    #10 0x7ffff2371e5e in config::Enum<cache_in_trxs>::~Enum() /home/markusjm/MaxScale/include/maxscale/config2.hh:1242
    #11 0x7ffff236e89c in CacheConfig::~CacheConfig() /home/markusjm/MaxScale/server/modules/filter/cache/cacheconfig.cc:168
    #12 0x7ffff2384195 in CacheFilter::~CacheFilter() /home/markusjm/MaxScale/server/modules/filter/cache/cachefilter.cc:152
    #13 0x7ffff238667c in maxscale::Filter<CacheFilter, CacheFilterSession>::destroyInstance(mxs_filter*) /home/markusjm/MaxScale/include/maxscale/filter.hh:586
    #14 0x7ffff716a876 in FilterDef::~FilterDef() /home/markusjm/MaxScale/server/core/filter.cc:121
    #15 0x7ffff717246c in std::_Sp_counted_ptr<FilterDef*, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/9/bits/shared_ptr_base.h:377
    #16 0x7ffff70b3b64 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/9/bits/shared_ptr_base.h:155
    #17 0x7ffff70b2f97 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/9/bits/shared_ptr_base.h:730
    #18 0x7ffff70efc9d in std::__shared_ptr<FilterDef, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/9/bits/shared_ptr_base.h:1169
    #19 0x7ffff70efcb9 in std::shared_ptr<FilterDef>::~shared_ptr() /usr/include/c++/9/bits/shared_ptr.h:103
    #20 0x7ffff7171899 in void std::_Destroy<std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:98
    #21 0x7ffff7170f56 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:108
    #22 0x7ffff7170529 in void std::_Destroy<std::shared_ptr<FilterDef>*>(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*) /usr/include/c++/9/bits/stl_construct.h:137
    #23 0x7ffff716eede in void std::_Destroy<std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef> >(std::shared_ptr<FilterDef>*, std::shared_ptr<FilterDef>*, std::allocator<std::shared_ptr<FilterDef> >&) /usr/include/c++/9/bits/stl_construct.h:206
    #24 0x7ffff716e46d in std::vector<std::shared_ptr<FilterDef>, std::allocator<std::shared_ptr<FilterDef> > >::~vector() /usr/include/c++/9/bits/stl_vector.h:677
    #25 0x7ffff716de39 in ~<constructor> /home/markusjm/MaxScale/server/core/filter.cc:51
    #26 0x7ffff6057c06 in __cxa_finalize (/lib64/libc.so.6+0x3ac06)
    #27 0x7ffff70a4866  (/home/markusjm/build-develop/lib64/maxscale/libmaxscale-common.so.1.0.0+0x221866)
 
0x6030000386e0 is located 0 bytes inside of 22-byte region [0x6030000386e0,0x6030000386f6)
freed by thread T0 here:
    #0 0x7ffff768a9bf in operator delete(void*) (/lib64/libasan.so.5+0x1109bf)
    #1 0x7ffff711d884 in config::Param::~Param() /home/markusjm/MaxScale/server/core/config2.cc:306
    #2 0x7ffff2372c32 in config::ParamEnum<cache_in_trxs>::~ParamEnum() (/home/markusjm/build-develop/lib64/maxscale/libcache.so+0x66c32)
    #3 0x7ffff605766f in __run_exit_handlers (/lib64/libc.so.6+0x3a66f)
 
previously allocated by thread T0 here:
    #0 0x7ffff7689a27 in operator new(unsigned long) (/lib64/libasan.so.5+0x10fa27)
    #1 0x7ffff677174c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) (/lib64/libstdc++.so.6+0x14a74c)
 
SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.5+0xdaf9c) 
Shadow bytes around the buggy address:
  0x0c067ffff080: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067ffff090: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067ffff0a0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067ffff0b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067ffff0c0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c067ffff0d0: fd fd fd fd fa fa fd fd fd fd fa fa[fd]fd fd fa
  0x0c067ffff0e0: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067ffff0f0: 00 05 fa fa fd fd fd fa fa fa 00 00 06 fa fa fa
  0x0c067ffff100: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 01 fa
  0x0c067ffff110: fa fa 00 00 03 fa fa fa 00 00 03 fa fa fa fd fd
  0x0c067ffff120: fd fa fa fa fd fd fd fa fa fa 00 00 01 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==905==ABORTING
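The trace reads as a static destruction order problem: the ParamEnum that owns the name string (the freed 22-byte region) is destroyed by __run_exit_handlers before the Type still referring to it, and ~Type then passes that name to Configuration::remove, which compares it inside std::map::find. The C++ below is an added sketch of that shape next to one way to break the dependency (the Type keeps its own copy of the name); it is constructed for this page and is neither MaxScale's code nor necessarily the fix shipped in 2.4.2, and the parameter name is a constructed sample.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

// Constructed illustration of the exit sequence in the ASan trace above;
// the names mirror the trace, the bodies are not MaxScale's.
struct Param {
    std::string name;   // heap buffer when longer than SSO; freed by ~Param
    explicit Param(std::string n) : name(std::move(n)) {}
};

struct Configuration {
    std::map<std::string, void*> m_values;
    void add(const std::string& k, void* t) { m_values[k] = t; }
    void remove(const std::string& k) { m_values.erase(k); }   // find/compare on k
};

// Buggy shape: the Type keeps a reference to its Param and reads param.name in
// its destructor. When the Param's static destructor has already run, the
// lookup key is freed memory: the heap-use-after-free in the report.
struct BuggyType {
    Configuration& cfg; const Param& param;
    BuggyType(Configuration& c, const Param& p) : cfg(c), param(p) { cfg.add(param.name, this); }
    ~BuggyType() { cfg.remove(param.name); }   // UAF if ~Param ran first; never called below
};

// Hardened shape: copy the name at construction so the destructor never
// touches the Param, whatever order the exit handlers run in.
struct SafeType {
    Configuration& cfg; std::string name;
    SafeType(Configuration& c, const Param& p) : cfg(c), name(p.name) { cfg.add(name, this); }
    ~SafeType() { cfg.remove(name); }
};

// Replay the exit order (Param first, then the Type) with the safe variant and
// report whether registration and clean removal both worked.
bool exit_order_is_safe() {
    Configuration cfg;
    // constructed 21-char name: long enough to live on the heap like the 22-byte region
    auto param = std::make_unique<Param>("cache_in_transactions");
    auto type = std::make_unique<SafeType>(cfg, *param);
    bool registered = cfg.m_values.count("cache_in_transactions") == 1;
    param.reset();   // step 1: the static Param is destroyed by the exit handlers
    type.reset();    // step 2: ~FilterDef -> ~CacheConfig -> ~Type -> remove()
    return registered && cfg.m_values.empty();
}
```

Swapping SafeType for BuggyType in the replay reproduces the report's read of freed memory under AddressSanitizer, which is the check to run when a module registers static parameters into a longer-lived registry.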


Generated at Thu Feb 08 04:15:24 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.