#312 libevent 2.0.12 and Clang 3.3 Analysis (Use After Free and Null Dereference)

Milestone: For_2.0

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2014-08-18

Created: 2013-09-22

Creator: Jeffrey Walton

Private: No

This report is the result of building libevent 2.0.12-stable under Clang 3.3 with its analyzer. There were a few major findings, but they could be false positives.

Clang 3.3 was built from sources. I can provide my recipe to fetch, compile, and install Clang 3.3 if desired.

The build occurred on Mac OS X 10.8.4 (x64):

$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64

If you have Clang 3.3 installed, you can perform the build under with the following (its easier than trying to decipher auto tools):

$ export CC=/usr/local/bin/clang CXX=/usr/local/bin/clang++
$ ./configure
$ make CC="/usr/local/bin/clang --analyze" CXX="/usr/local/bin/clang++ --analyze"

Finally, sorry about the crummy formatting. There was no "plain text" checkbox, and I did not have time to read file help file to file a bug report. I've got other tasks I have to get on.

libtool: compile: /usr/local/bin/clang --analyze -DHAVE_CONFIG_H -I. -I./compat -I./include -I./include -g -O2 -Wall -fno-strict-aliasing -Wno-deprecated-declarations -D_THREAD_SAFE -MT event.lo -MD -MP -MF .deps/event.Tpo -c event.c -fno-common -DPIC -o .libs/event.o
event.c:949:3: warning: Use of memory after it is freed
TAILQ_REMOVE(&cfg->entries, entry, next);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./compat/sys/queue.h:357:6: note: expanded from macro 'TAILQ_REMOVE'
if (((elm)->field.tqe_next) != NULL) \ ^~~~~~~~~~~~~~~~~~~~~~~

libtool: compile: /usr/local/bin/clang --analyze -DHAVE_CONFIG_H -I. -I./compat -I./include -I./include -g -O2 -Wall -fno-strict-aliasing -Wno-deprecated-declarations -D_THREAD_SAFE -MT event.lo -MD -MP -MF .deps/event.Tpo -c event.c -fno-common -DPIC -o .libs/event.o
event.c:2454:3: warning: Access to field 'tv_sec' results in a dereference of a
null pointer (loaded from variable 'ev_tv')
evutil_timersub(ev_tv, &off, ev_tv);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/event2/util.h:380:40: note: expanded from macro 'evutil_timersub'

define evutil_timersub(tvp, uvp, vvp) timersub((tvp), (uvp), (vvp))

                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/usr/include/sys/time.h:174:19: note: expanded from macro 'timersub'
(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \ ^~~~~~~~~~~~~

libtool: compile: /usr/local/bin/clang --analyze -DHAVE_CONFIG_H -I. -I./compat -I./include -I./include -g -O2 -Wall -fno-strict-aliasing -Wno-deprecated-declarations -D_THREAD_SAFE -MT http.lo -MD -MP -MF .deps/http.Tpo -c http.c -fno-common -DPIC -o .libs/http.o
http.c:1589:25: warning: Access to field 'http_server' results in a dereference
of a null pointer (loaded from field 'evcon')
!evhttp_find_vhost(req->evcon->http_server, NULL, hostname))
^~~~~~~~~~~~~~~~~~~~~~~

Discussion

Jeffrey Walton - 2013-09-22

Here's a few more under Clang 3.3 on Ubuntu 12.10 (x64).

event.c:2139:4: warning: The left operand of '+' is a garbage value
evutil_timeradd(&now, &tmp, &ev->ev_timeout);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/event2/util.h:379:40: note: expanded from macro 'evutil_timeradd'

define evutil_timeradd(tvp, uvp, vvp) timeradd((tvp), (uvp), (vvp))

^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/usr/include/x86_64-linux-gnu/sys/time.h:172:36: note: expanded from macro
'timeradd'
(result)->tv_sec = (a)->tv_sec + (b)->tv_sec; \ ~~~~~~~~~~~ ^
event.c:2143:4: warning: The left operand of '+' is a garbage value
evutil_timeradd(&now, tv, &ev->ev_timeout);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/event2/util.h:379:40: note: expanded from macro 'evutil_timeradd'

define evutil_timeradd(tvp, uvp, vvp) timeradd((tvp), (uvp), (vvp))

^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/usr/include/x86_64-linux-gnu/sys/time.h:172:36: note: expanded from macro
'timeradd'
(result)->tv_sec = (a)->tv_sec + (b)->tv_sec; \ ~~~~~~~~~~~ ^
event.c:2454:3: warning: Access to field 'tv_sec' results in a dereference of a
null pointer (loaded from variable 'ev_tv')
evutil_timersub(ev_tv, &off, ev_tv);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/event2/util.h:380:40: note: expanded from macro 'evutil_timersub'

define evutil_timersub(tvp, uvp, vvp) timersub((tvp), (uvp), (vvp))

^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/usr/include/x86_64-linux-gnu/sys/time.h:182:24: note: expanded from macro
'timersub'
(result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ ^~~~~~~~~~~
event.c:2489:7: warning: The right operand of '==' is a garbage value
if (evutil_timercmp(&ev->ev_timeout, &now, >))
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/event2/util.h:412:18: note: expanded from macro 'evutil_timercmp'
(((tvp)->tv_sec == (uvp)->tv_sec) ? \ ^ ~~~~~~~~~~~~~
5 warnings generated.

/bin/bash ./libtool --tag=CC --mode=compile /usr/local/bin/clang --analyze -DHAVE_CONFIG_H -I. -I./compat -I./include -I./include -g -O2 -Wall -fno-strict-aliasing -MT evutil.lo -MD -MP -MF .deps/evutil.Tpo -c -o evutil.lo evutil.c
libtool: compile: /usr/local/bin/clang --analyze -DHAVE_CONFIG_H -I. -I./compat -I./include -I./include -g -O2 -Wall -fno-strict-aliasing -MT evutil.lo -MD -MP -MF .deps/evutil.Tpo -c evutil.c -fPIC -DPIC -o .libs/evutil.o
evutil.c:268:29: warning: The right operand of '!=' is a garbage value
|| listen_addr.sin_family != connect_addr.sin_family
^ ~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

libevent 2.0.12 and Clang 3.3 Analysis (Use After Free and Null Dereference)

Group

Searches

Help

#312 libevent 2.0.12 and Clang 3.3 Analysis (Use After Free and Null Dereference)

define evutil_timersub(tvp, uvp, vvp) timersub((tvp), (uvp), (vvp))

Discussion

define evutil_timeradd(tvp, uvp, vvp) timeradd((tvp), (uvp), (vvp))

define evutil_timeradd(tvp, uvp, vvp) timeradd((tvp), (uvp), (vvp))

define evutil_timersub(tvp, uvp, vvp) timersub((tvp), (uvp), (vvp))