
[lwip-users] 'heap-use-after-free' issue


From: Gisle Vanem
Subject: [lwip-users] 'heap-use-after-free' issue
Date: Tue, 11 Jul 2023 23:13:13 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0

Hello list.

Compiling a modified version of the test
program 'contrib/examples/example_app/test.c'
with ASAN (-fsanitize=address), running it and
stopping it after a few seconds triggers a 'heap-use-after-free'
exception inside libpcap of all places!
The program is multi-threaded (NO_SYS=0).

Call-stack:

==8748==ERROR: AddressSanitizer: heap-use-after-free on address 0x12c90b974da0 at pc 0x7ffbf5f1fc0c bp 0x00bb78bff330 sp 0x00bb78bfeac0
WRITE of size 1 at 0x12c90b974da0 thread T2
    #0 0x7ffbf5f1fc0b in __asan_wrap_memmove D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:813
    #1 0x7ffc5cf610cb  (C:\Windows\System32\ucrtbase.dll+0x1800110cb)
    #2 0x7ffc5cf60d9d  (C:\Windows\System32\ucrtbase.dll+0x180010d9d)
    #3 0x7ffc5cf60bfa  (C:\Windows\System32\ucrtbase.dll+0x180010bfa)
    #4 0x7ffc275b2f8e in vsnprintf f:\gv\WinKit\Include\10.0.22621.0\ucrt\stdio.h:1439
    #5 0x7ffc275b2f1a in snprintf f:\gv\WinKit\Include\10.0.22621.0\ucrt\stdio.h:1931
    #6 0x7ffc275b3ab9 in pcap_vfmt_errmsg_for_win32_err F:\MinGW32\src\inet\libpcap\fmtutils.c:467
    #7 0x7ffc275b38b4 in pcap_fmt_errmsg_for_win32_err F:\MinGW32\src\inet\libpcap\fmtutils.c:391
    #8 0x7ffc275d4c09 in pcap_read_npf F:\MinGW32\src\inet\libpcap\pcap-npf.c:701
    #9 0x7ffc275cf320 in pcap_dispatch F:\MinGW32\src\inet\libpcap\pcap.c:2965
    #10 0x7ffc275cf37b in pcap_next F:\MinGW32\src\inet\libpcap\pcap.c:629
    #11 0x7ff6f03fdaf7 in pcapif_input_thread F:\MinGW32\src\inet\lwip\contrib\ports\win32\pcapif.c:758
    #12 0x7ff6f03bff6e in sys_thread_function F:\MinGW32\src\inet\lwip\contrib\ports\win32\sys_arch.c:442
    #13 0x7ffbf5f3dffe in __asan::AsanThread::ThreadStart(unsigned __int64)
    ...

0x12c90b974da0 is located 288 bytes inside of 1048-byte region [0x12c90b974c80,0x12c90b975098)
freed by thread T0 here:
    #0 0x7ffbf5f2e668 in free D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cpp:115
    #1 0x7ffc275cf233 in pcap_close F:\MinGW32\src\inet\libpcap\pcap.c:4163
    #2 0x7ff6f03fed43 in pcapif_shutdown F:\MinGW32\src\inet\lwip\contrib\ports\win32\pcapif.c:727
    #3 0x7ff6f03b9009 in main_loop F:\MinGW32\src\inet\lwip\contrib\ports\win32\test.c:1176
    #4 0x7ff6f03b8ae3 in main F:\MinGW32\src\inet\lwip\contrib\ports\win32\test.c:1216
    ...

SUMMARY: AddressSanitizer: heap-use-after-free D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:813 in __asan_wrap_memmove

---------------------------------

Seems to be caused by 'contrib/ports/win32/pcapif.c'
calling 'pcap_close()' too early in thread 'T0'.

This causes 'pcap_next()' and 'pcap_vfmt_errmsg_for_win32_err()'
in thread 'T2' to trigger this 'heap-use-after-free' exception.

But if I modify 'pcapif_shutdown()' into this:

--- a/contrib/ports/win32/pcapif.c 2023-06-30 09:52:18
+++ b/contrib/ports/win32/pcapif.c 2023-07-11 22:54:07
@@ -674,20 +674,21 @@
 {
   struct pcapif_private *pa = (struct 
pcapif_private*)PCAPIF_GET_STATE_PTR(netif);
   if (pa) {
+    pa->shutdown_called = 1;
+    LWIP_TRACE(1, "pa->shutdown_called = %d\n", pa->shutdown_called);
 #if PCAPIF_RX_USE_THREAD
     pa->rx_run = 0;
+    /* wait for rxthread to end */
+    while(pa->rx_running)
+       Sleep(100);
 #endif /* PCAPIF_RX_USE_THREAD */
     if (pa->adapter) {
       pcap_breakloop(pa->adapter);
       pcap_close(pa->adapter);
     }
-#if PCAPIF_RX_USE_THREAD
-    /* wait for rxthread to end */
-    while(pa->rx_running);
-#endif /* PCAPIF_RX_USE_THREAD */
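Review bot: with the wait moved in front of pcap_close(), the `pcap_breakloop(pa->adapter);` call that follows it now runs only after the rx thread has already exited, so it no longer does anything; the wait loop therefore depends on pcap_next() returning on its own (a read timeout or arriving traffic) before the thread can notice `pa->rx_run = 0`, and a pcap_next() that stays blocked stalls shutdown indefinitely. Consider moving `pcap_breakloop(pa->adapter);` above the `while(pa->rx_running)` loop and keeping only `pcap_close(pa->adapter);` after it. Two smaller points: the new `pa->shutdown_called` field and its LWIP_TRACE line are not used anywhere else in the hunk and look like debugging leftovers, and the replaced `while(pa->rx_running);` spun without yielding, so the `Sleep(100)` is an improvement in itself, though 100 ms granularity adds up to that much latency to every shutdown.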

--------------

it works. Any comments?

I'm using MSVC/clang-cl on Windows.
And yes, 'cl' also has '-fsanitize=address'.

Also filed an issue for it here:
  https://savannah.nongnu.org/bugs/index.php?64413

--
--gv
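As an added illustration, not code from this post or from lwIP or libpcap, here is a small pthreads model of the two shutdown orderings discussed above. The 'adapter' stand-in is hypothetical and marks itself closed instead of being freed, so the original order shows up as a counted read-after-close rather than a real use-after-free; it also sets rx_running before the thread starts, a detail the posted patch does not show.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <time.h>

/* Hypothetical stand-in for pcap_t: a 'closed' flag instead of free(), so a
 * read after close is counted rather than being an actual use-after-free. */
struct adapter { atomic_bool closed; };

struct rx_state { struct adapter *adapter;   /* mirrors pa->rx_run / pa->rx_running */
                  atomic_bool rx_run, rx_running;
                  atomic_int iterations, reads_after_close; };

static void nap(void) { struct timespec t = { 0, 1000000 }; nanosleep(&t, NULL); } /* 1 ms */
static void *rx_thread(void *arg) {          /* pcapif_input_thread() stand-in */
    struct rx_state *st = arg;
    while (atomic_load(&st->rx_run)) {       /* pcap_next() stand-in: touches the handle */
        if (atomic_load(&st->adapter->closed)) atomic_fetch_add(&st->reads_after_close, 1);
        atomic_fetch_add(&st->iterations, 1);
        nap();
    }
    atomic_store(&st->rx_running, false);    /* the thread's last action */
    return NULL;
}

/* One start/shutdown cycle; returns how often the rx thread touched the handle
 * after it was closed (0 is the only acceptable result). */
static int run_shutdown(bool close_after_thread_exit) {
    struct adapter a = { .closed = false };
    /* rx_running is set before the thread starts, so a shutdown racing with start-up still waits */
    struct rx_state st = { .adapter = &a, .rx_run = true, .rx_running = true };
    pthread_t tid;
    if (pthread_create(&tid, NULL, rx_thread, &st) != 0) return -1;
    while (atomic_load(&st.iterations) == 0) nap();          /* let it poll at least once */
    if (close_after_thread_exit) {           /* patch order: stop, wait, close */
        atomic_store(&st.rx_run, false);
        while (atomic_load(&st.rx_running)) nap();           /* Sleep(100) in the patch */
        atomic_store(&a.closed, true);                       /* pcap_close() */
    } else {                                 /* original order: close while rx still polls */
        atomic_store(&a.closed, true);                       /* pcap_close() */
        int seen = atomic_load(&st.iterations);
        while (atomic_load(&st.iterations) < seen + 2) nap(); /* force the bad interleaving */
        atomic_store(&st.rx_run, false);
        while (atomic_load(&st.rx_running)) nap();
    }
    pthread_join(tid, NULL);
    return atomic_load(&st.reads_after_close);
}
```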

