
#2322 heap-use-after-free

Milestone: None
Status: closed-wont-fix
Owner: nobody
Labels: None
Updated: 2020-09-27
Created: 2020-09-25
Private: No

gnuplot 5.5 on CentOS Linux 7.7.1908

==22921== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040000baf0 at pc 0x846a4f bp 0x7ffd38e1d020 sp 0x7ffd38e1d010
READ of size 1 at 0x60040000baf0 thread T0
#0 0x846a4e (/root/bug_finder/target_program/asan_program/gnuplot+0x846a4e)
#1 0x8abe38 (/root/bug_finder/target_program/asan_program/gnuplot+0x8abe38)
#2 0x8d8aa9 (/root/bug_finder/target_program/asan_program/gnuplot+0x8d8aa9)
#3 0x518678 (/root/bug_finder/target_program/asan_program/gnuplot+0x518678)
#4 0x53bf68 (/root/bug_finder/target_program/asan_program/gnuplot+0x53bf68)
#5 0x6c77f2 (/root/bug_finder/target_program/asan_program/gnuplot+0x6c77f2)
#6 0x465bdb (/root/bug_finder/target_program/asan_program/gnuplot+0x465bdb)
#7 0x459f6c (/root/bug_finder/target_program/asan_program/gnuplot+0x459f6c)
#8 0x61b63b (/root/bug_finder/target_program/asan_program/gnuplot+0x61b63b)
#9 0x40772e (/root/bug_finder/target_program/asan_program/gnuplot+0x40772e)
#10 0x7f625bbe1554 (/usr/lib64/libc-2.17.so+0x22554)
#11 0x4084ec (/root/bug_finder/target_program/asan_program/gnuplot+0x4084ec)

0x60040000baf0 is located 0 bytes inside of 16-byte region [0x60040000baf0,0x60040000bb00)
freed by thread T0 here:
#0 0x7f625d272dd9 (/usr/lib64/libasan.so.0.0.0+0x15dd9)
#1 0x843ef1 (/root/bug_finder/target_program/asan_program/gnuplot+0x843ef1)

previously allocated by thread T0 here:
#0 0x7f625d272ef9 (/usr/lib64/libasan.so.0.0.0+0x15ef9)
#1 0x4085f0 (/root/bug_finder/target_program/asan_program/gnuplot+0x4085f0)

Shadow bytes around the buggy address:
0x0c00ffff9700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9710: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9720: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9730: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9740: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x0c00ffff9750: fa fa fd fd fa fa fd fd fa fa fd fd fa fa[fd]fd
0x0c00ffff9760: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9770: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9780: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff9790: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c00ffff97a0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==22921== ABORTING

1 Attachments

Discussion

  • liuchenyifan

    liuchenyifan - 2020-09-25
    • Attachments has changed:

    Diff:

    --- old
    +++ new
    @@ -0,0 +1 @@
    +bug3 (33.3 kB; application/octet-stream)
    
     
  • liuchenyifan

    liuchenyifan - 2020-09-25

    Information below is from valgrind:

    ==10188== Invalid read of size 1
    ==10188== at 0x4C322D4: __strstr_sse42 (vg_replace_strmem.c:1644)
    ==10188== by 0x7A96AB: enhanced_recursion.constprop.132 (term.c:2063)
    ==10188== by 0x7E358B: ENHX11_put_text (x11.trm:2132)
    ==10188== by 0x802E6B: write_multiline (term.c:801)
    ==10188== by 0x4EE158: key_text (graph3d.c:3463)
    ==10188== by 0x50B815: do_3dplot (graph3d.c:1092)
    ==10188== by 0x651E70: eval_3dplots (plot3d.c:2872)
    ==10188== by 0x44E1C5: splot_command (command.c:2323)
    ==10188== by 0x4411AB: command (command.c:659)
    ==10188== by 0x4411AB: do_line (command.c:429)
    ==10188== by 0x5CD14B: load_file (misc.c:335)
    ==10188== by 0x406416: main (plot.c:636)
    ==10188== Address 0x6564760 is 0 bytes inside a block of size 16 free'd
    ==10188== at 0x4C2B06D: free (vg_replace_malloc.c:538)
    ==10188== by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== Block was alloc'd at
    ==10188== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
    ==10188== by 0x4066C0: gp_alloc (alloc.c:56)
    ==10188== by 0x7AA447: stylefont (term.c:2449)
    ==10188== by 0x7AA447: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188==
    ==10188== Invalid read of size 1
    ==10188== at 0x4C322D4: __strstr_sse42 (vg_replace_strmem.c:1644)
    ==10188== by 0x7A96C0: enhanced_recursion.constprop.132 (term.c:2064)
    ==10188== by 0x7E358B: ENHX11_put_text (x11.trm:2132)
    ==10188== by 0x802E6B: write_multiline (term.c:801)
    ==10188== by 0x4EE158: key_text (graph3d.c:3463)
    ==10188== by 0x50B815: do_3dplot (graph3d.c:1092)
    ==10188== by 0x651E70: eval_3dplots (plot3d.c:2872)
    ==10188== by 0x44E1C5: splot_command (command.c:2323)
    ==10188== by 0x4411AB: command (command.c:659)
    ==10188== by 0x4411AB: do_line (command.c:429)
    ==10188== by 0x5CD14B: load_file (misc.c:335)
    ==10188== by 0x406416: main (plot.c:636)
    ==10188== Address 0x6564760 is 0 bytes inside a block of size 16 free'd
    ==10188== at 0x4C2B06D: free (vg_replace_malloc.c:538)
    ==10188== by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== Block was alloc'd at
    ==10188== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
    ==10188== by 0x4066C0: gp_alloc (alloc.c:56)
    ==10188== by 0x7AA447: stylefont (term.c:2449)
    ==10188== by 0x7AA447: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188==
    ==10188== Invalid read of size 1
    ==10188== at 0x6154079: vfprintf (in /usr/lib64/libc-2.17.so)
    ==10188== by 0x617843A: vsprintf (in /usr/lib64/libc-2.17.so)
    ==10188== by 0x615A5D6: sprintf (in /usr/lib64/libc-2.17.so)
    ==10188== by 0x75CA41: ENHX11_FLUSH (x11.trm:2054)
    ==10188== by 0x7E35DC: ENHX11_put_text (x11.trm:2135)
    ==10188== by 0x802E6B: write_multiline (term.c:801)
    ==10188== by 0x4EE158: key_text (graph3d.c:3463)
    ==10188== by 0x50B815: do_3dplot (graph3d.c:1092)
    ==10188== by 0x651E70: eval_3dplots (plot3d.c:2872)
    ==10188== by 0x44E1C5: splot_command (command.c:2323)
    ==10188== by 0x4411AB: command (command.c:659)
    ==10188== by 0x4411AB: do_line (command.c:429)
    ==10188== by 0x5CD14B: load_file (misc.c:335)
    ==10188== Address 0x6564760 is 0 bytes inside a block of size 16 free'd
    ==10188== at 0x4C2B06D: free (vg_replace_malloc.c:538)
    ==10188== by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== Block was alloc'd at
    ==10188== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
    ==10188== by 0x4066C0: gp_alloc (alloc.c:56)
    ==10188== by 0x7AA447: stylefont (term.c:2449)
    ==10188== by 0x7AA447: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188==
    ==10188== Invalid read of size 1
    ==10188== at 0x4C2D0F2: strlen (vg_replace_strmem.c:459)
    ==10188== by 0x7AA439: stylefont (term.c:2449)
    ==10188== by 0x7AA439: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7E358B: ENHX11_put_text (x11.trm:2132)
    ==10188== by 0x802E6B: write_multiline (term.c:801)
    ==10188== by 0x4EE158: key_text (graph3d.c:3463)
    ==10188== by 0x50B815: do_3dplot (graph3d.c:1092)
    ==10188== by 0x651E70: eval_3dplots (plot3d.c:2872)
    ==10188== by 0x44E1C5: splot_command (command.c:2323)
    ==10188== by 0x4411AB: command (command.c:659)
    ==10188== by 0x4411AB: do_line (command.c:429)
    ==10188== by 0x5CD14B: load_file (misc.c:335)
    ==10188== by 0x406416: main (plot.c:636)
    ==10188== Address 0x6564760 is 0 bytes inside a block of size 16 free'd
    ==10188== at 0x4C2B06D: free (vg_replace_malloc.c:538)
    ==10188== by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== Block was alloc'd at
    ==10188== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
    ==10188== by 0x4066C0: gp_alloc (alloc.c:56)
    ==10188== by 0x7AA447: stylefont (term.c:2449)
    ==10188== by 0x7AA447: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188==
    ==10188== Invalid read of size 1
    ==10188== at 0x4C2D1D7: strcpy (vg_replace_strmem.c:511)
    ==10188== by 0x7AA45A: stylefont (term.c:2450)
    ==10188== by 0x7AA45A: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7E358B: ENHX11_put_text (x11.trm:2132)
    ==10188== by 0x802E6B: write_multiline (term.c:801)
    ==10188== by 0x4EE158: key_text (graph3d.c:3463)
    ==10188== by 0x50B815: do_3dplot (graph3d.c:1092)
    ==10188== by 0x651E70: eval_3dplots (plot3d.c:2872)
    ==10188== by 0x44E1C5: splot_command (command.c:2323)
    ==10188== by 0x4411AB: command (command.c:659)
    ==10188== by 0x4411AB: do_line (command.c:429)
    ==10188== by 0x5CD14B: load_file (misc.c:335)
    ==10188== by 0x406416: main (plot.c:636)
    ==10188== Address 0x6564760 is 0 bytes inside a block of size 16 free'd
    ==10188== at 0x4C2B06D: free (vg_replace_malloc.c:538)
    ==10188== by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== Block was alloc'd at
    ==10188== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
    ==10188== by 0x4066C0: gp_alloc (alloc.c:56)
    ==10188== by 0x7AA447: stylefont (term.c:2449)
    ==10188== by 0x7AA447: enhanced_recursion.constprop.132 (term.c:2261)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188== by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
    ==10188==
    ==10188== Warning: invalid file descriptor -1 in syscall close()
    ==10188==
    ==10188== HEAP SUMMARY:
    ==10188== in use at exit: 1,375,753 bytes in 313 blocks
    ==10188== total heap usage: 1,996 allocs, 1,683 frees, 47,079,803 bytes allocated
    ==10188==
    ==10188== LEAK SUMMARY:
    ==10188== definitely lost: 0 bytes in 0 blocks
    ==10188== indirectly lost: 0 bytes in 0 blocks
    ==10188== possibly lost: 0 bytes in 0 blocks
    ==10188== still reachable: 1,375,753 bytes in 313 blocks
    ==10188== suppressed: 0 bytes in 0 blocks
    ==10188== Rerun with --leak-check=full to see details of leaked memory
    ==10188==
    ==10188== For lists of detected and suppressed errors, rerun with: -s
    ==10188== ERROR SUMMARY: 1354 errors from 5 contexts (suppressed: 0 from 0)

     
  • Ethan Merritt

    Ethan Merritt - 2020-09-27
    • status: open --> closed-wont-fix
     
  • Ethan Merritt

    Ethan Merritt - 2020-09-27

    This comes from feeding the parser a double-quoted string of length >32K characters containing mostly curly brackets. That's not a scenario that can happen in normal use, so special measures to deal with it are very low priority.

     
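Triage helper added by the editor; it is not part of the gnuplot report or code base. It parses valgrind memcheck contexts like the ones above into use/free/alloc stacks, collapses the repeated enhanced_recursion frames, and groups contexts by their free and alloc sites, which shows how the five contexts above reduce to one root cause (free at term.c:2269, allocation in stylefont at term.c:2449). The sample input is a constructed, shortened excerpt in the shape of the report, and treating gnuplot's gp_alloc in alloc.c as allocator glue is an assumption.

```python
import re
from collections import Counter
from itertools import groupby
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9a-f]+: (\S+) \((.+)\)$", re.I)
HEAD = re.compile(r"^==\d+==\s+(Invalid (?:read|write) of size \d+)$")

def parse_memcheck(text):
    """One dict per 'Invalid read/write' context: kind plus use/free/alloc stacks."""
    reports, sect = [], None
    for line in map(str.strip, text.splitlines()):
        if m := HEAD.match(line):
            reports.append({"kind": m.group(1), "use": [], "free": [], "alloc": []})
            sect = "use"
        elif line.endswith("free'd"):      # "Address ... inside a block ... free'd"
            sect = "free"
        elif line.endswith("alloc'd at"):  # "Block was alloc'd at"
            sect = "alloc"
        elif reports and (m := FRAME.match(line)):
            reports[-1][sect].append(f"{m.group(1)} ({m.group(2)})")
    return reports

def collapse(stack):
    """Fold runs of identical frames (deep recursion) into 'frame xN'."""
    runs = [(f, len(list(g))) for f, g in groupby(stack)]
    return [f"{f} x{n}" if n > 1 else f for f, n in runs]

def app_frame(stack, wrappers=("vg_replace_", "(alloc.c:")):
    """First frame past valgrind's vg_replace_* shims and gp_alloc in alloc.c (assumption)."""
    return next((f for f in stack if not any(w in f for w in wrappers)), None)

def root_causes(reports):  # contexts per (free site, alloc site); one key = one bug
    return Counter((app_frame(r["free"]), app_frame(r["alloc"])) for r in reports)
# Constructed excerpt in the shape of the report above (recursion shortened).
SAMPLE = """\
==10188== Invalid read of size 1
==10188==    at 0x4C322D4: __strstr_sse42 (vg_replace_strmem.c:1644)
==10188==    by 0x7A96AB: enhanced_recursion.constprop.132 (term.c:2063)
==10188==  Address 0x6564760 is 0 bytes inside a block of size 16 free'd
==10188==    at 0x4C2B06D: free (vg_replace_malloc.c:538)
==10188==    by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
==10188==    by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
==10188==    by 0x7AA832: enhanced_recursion.constprop.132 (term.c:2264)
==10188==  Block was alloc'd at
==10188==    at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==10188==    by 0x4066C0: gp_alloc (alloc.c:56)
==10188==    by 0x7AA447: stylefont (term.c:2449)
==10188== Invalid read of size 1
==10188==    at 0x7AA439: stylefont (term.c:2449)
==10188==  Address 0x6564760 is 0 bytes inside a block of size 16 free'd
==10188==    at 0x4C2B06D: free (vg_replace_malloc.c:538)
==10188==    by 0x7AA84A: enhanced_recursion.constprop.132 (term.c:2269)
==10188==  Block was alloc'd at
==10188==    at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==10188==    by 0x7AA447: stylefont (term.c:2449)
"""
```

Run `root_causes(parse_memcheck(open("valgrind.log").read()))` on a full memcheck log to see how many distinct free/alloc pairs hide behind the error count in the summary line.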
