
[screen-devel] [bug #46507] Use-after-free in KillWindow


From: anonymous
Subject: [screen-devel] [bug #46507] Use-after-free in KillWindow
Date: Mon, 23 Nov 2015 23:04:17 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.69 Safari/537.36

URL:
  <http://savannah.gnu.org/bugs/?46507>

                 Summary: Use-after-free in KillWindow
                 Project: GNU Screen
            Submitted by: None
            Submitted on: Mon 23 Nov 2015 11:04:16 PM UTC
                Category: Crash/Freeze/Infloop
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.3.1
           Fixed Release: None
         Planned Release: None
           Work Required: None

    _______________________________________________________

Details:

I have a script that runs remote commands on a few dozen servers, by opening
many screen windows (one per server), each of which runs an ssh command and
then closes.  Maybe half the time, this script causes screen to segfault in
SetCanvasWindow() as the windows close.  Suspecting some kind of memory
corruption, I built screen (Git branch screen-v4, commit 4b12d96) with
AddressSanitizer, and obtained the heap-use-after-free report below.  I
reproduced this report three times (only the specific addresses vary) and can
probably do so again.

It looks like D_other points to a window that has been freed.  I haven’t
figured out exactly how this happens, but perhaps the SetCanvasWindow() call
inside KillWindow() manages to set D_other to the window being killed?

=================================================================
==27833==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a000068868 at pc 0x0000004fb112 bp 0x7fffdd376700 sp 0x7fffdd3766f0
READ of size 8 at 0x62a000068868 thread T0
    #0 0x4fb111 in AclCheckPermWin /home/anders/wd/screen/src/acls.c:1087
    #1 0x4d0cc3 in FindNiceWindow /home/anders/wd/screen/src/process.c:6697
    #2 0x4c7824 in KillWindow /home/anders/wd/screen/src/process.c:5439
    #3 0x409145 in WindowDied /home/anders/wd/screen/src/screen.c:1583
    #4 0x47557e in win_readev_fn /home/anders/wd/screen/src/window.c:1904
    #5 0x51196d in sched /home/anders/wd/screen/src/sched.c:237
    #6 0x40879c in main /home/anders/wd/screen/src/screen.c:1490
    #7 0x7f5601422a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #8 0x403ed8 in _start (/home/anders/wd/screen/src/screen+0x403ed8)

0x62a000068868 is located 9832 bytes inside of 20920-byte region [0x62a000066200,0x62a00006b3b8)
freed by thread T0 here:
    #0 0x7f56020d820a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9820a)
    #1 0x470a74 in FreeWindow /home/anders/wd/screen/src/window.c:1083
    #2 0x4c7ab6 in KillWindow /home/anders/wd/screen/src/process.c:5459
    #3 0x409145 in WindowDied /home/anders/wd/screen/src/screen.c:1583
    #4 0x47557e in win_readev_fn /home/anders/wd/screen/src/window.c:1904
    #5 0x51196d in sched /home/anders/wd/screen/src/sched.c:237
    #6 0x40879c in main /home/anders/wd/screen/src/screen.c:1490
    #7 0x7f5601422a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

previously allocated by thread T0 here:
    #0 0x7f56020d86a9 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x986a9)
    #1 0x46d5e5 in MakeWindow /home/anders/wd/screen/src/window.c:629
    #2 0x4cd678 in DoScreen /home/anders/wd/screen/src/process.c:6191
    #3 0x4a7095 in DoAction /home/anders/wd/screen/src/process.c:2121
    #4 0x4c2325 in DoCommand /home/anders/wd/screen/src/process.c:4662
    #5 0x461a93 in DoCommandMsg /home/anders/wd/screen/src/socket.c:1791
    #6 0x45e1db in ReceiveMsg /home/anders/wd/screen/src/socket.c:1215
    #7 0x4117ff in serv_read_fn /home/anders/wd/screen/src/screen.c:3199
    #8 0x51196d in sched /home/anders/wd/screen/src/sched.c:237
    #9 0x40879c in main /home/anders/wd/screen/src/screen.c:1490
    #10 0x7f5601422a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/anders/wd/screen/src/acls.c:1087 AclCheckPermWin
Shadow bytes around the buggy address:
  0x0c54800050b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800050c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800050d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800050e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800050f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5480005100: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c5480005110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480005120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480005130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480005140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480005150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==27833==ABORTING

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?46507>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
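The following is an added illustration of the bug class the report describes, not code from GNU Screen: a per-display "other window" pointer that is left aliasing a window after that window is released, so the next lookup reads freed memory. The structures and the functions set_canvas_window, find_nice_window, kill_window_unsafe and kill_window_safe are hypothetical stand-ins for the roles of D_other, SetCanvasWindow, FindNiceWindow and KillWindow in the trace above; they do not reproduce screen's real logic. Release is modelled with a "freed" flag rather than free() so the stale-pointer check stays defined behaviour; in a real build the same ordering is what AddressSanitizer (gcc/clang -fsanitize=address -g) reports as heap-use-after-free.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_WINDOWS 8

/* A window. "freed" stands in for free(): the model never dereferences a
 * released object, so the stale-pointer check stays defined behaviour. */
struct win {
    int id;
    int freed;
};

/* One attached display. fore/other play the roles of D_fore/D_other
 * (hypothetical names, not screen's structures). */
struct display {
    struct win *fore;
    struct win *other;
};

static struct win pool[MAX_WINDOWS];

static struct win *make_window(int id)
{
    if (id < 0 || id >= MAX_WINDOWS)
        return NULL;
    pool[id].id = id;
    pool[id].freed = 0;
    return &pool[id];
}

/* Switch the display to w; the previously shown window becomes "other". */
static void set_canvas_window(struct display *d, struct win *w)
{
    if (d->fore != w)
        d->other = d->fore;
    d->fore = w;
}

/* Pick the window to show next, preferring "other". This is the read that
 * faults in the report once "other" has already been released. */
static struct win *find_nice_window(const struct display *d)
{
    return d->other ? d->other : d->fore;
}

/* Ordering the report suspects: switching away from w leaves w as "other",
 * w is released, and the follow-up lookup hands back the released window. */
static struct win *kill_window_unsafe(struct display *d, struct win *w,
                                      struct win *replacement)
{
    set_canvas_window(d, replacement);
    w->freed = 1;                 /* FreeWindow */
    return find_nice_window(d);   /* may be w: use-after-free */
}

/* Hardened ordering: drop every display reference to w before releasing it,
 * so no display can hand out a pointer to the dead window afterwards. */
static struct win *kill_window_safe(struct display *d, struct win *w,
                                    struct win *replacement)
{
    set_canvas_window(d, replacement);
    if (d->other == w)
        d->other = NULL;
    if (d->fore == w)
        d->fore = replacement;
    w->freed = 1;
    return find_nice_window(d);
}

/* Does the display, or the window it chose, still point at released memory? */
static int is_stale(const struct display *d, const struct win *chosen)
{
    return (d->fore && d->fore->freed) || (d->other && d->other->freed)
        || (chosen && chosen->freed);
}

/* Constructed scenario: a display shows window 1, window 0 also exists, and
 * window 1 dies. Returns 1 if a stale reference survives, 0 otherwise. */
static int run_scenario(int hardened)
{
    struct win *w0 = make_window(0);
    struct win *w1 = make_window(1);
    struct display d = { w1, NULL };
    struct win *next = hardened ? kill_window_safe(&d, w1, w0)
                                : kill_window_unsafe(&d, w1, w0);
    return is_stale(&d, next);
}

int main(void)
{
    printf("unsafe ordering leaves stale reference:   %d\n", run_scenario(0));
    printf("hardened ordering leaves stale reference: %d\n", run_scenario(1));
    return 0;
}
```

The point of the hardened version is not the NULL assignment itself but the invariant it enforces: every display-level pointer that can alias a window is cleared or redirected before the window's memory is returned to the allocator. With more than one display attached, the same sweep has to run over all of them, which is why this kind of bug tends to show up only under churn like the reporter's many short-lived windows.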