gnuplot 5.5 (last modified in 9.18) on CentOS Linux 7.7.1908
==4348== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040000ce70 at pc 0x84c63c bp 0x7ffdf1c6ec10 sp 0x7ffdf1c6ec00
READ of size 1 at 0x60040000ce70 thread T0
#0 0x84c63b (/root/uniafl_evaluation/asan_program/gnuplot+0x84c63b)
#1 0x8491d3 (/root/uniafl_evaluation/asan_program/gnuplot+0x8491d3)
#2 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#3 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#4 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#5 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#6 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#7 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#8 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#9 0x849085 (/root/uniafl_evaluation/asan_program/gnuplot+0x849085)
#10 0x844dd0 (/root/uniafl_evaluation/asan_program/gnuplot+0x844dd0)
#11 0x8abe38 (/root/uniafl_evaluation/asan_program/gnuplot+0x8abe38)
#12 0x8d8aa9 (/root/uniafl_evaluation/asan_program/gnuplot+0x8d8aa9)
#13 0x444d70 (/root/uniafl_evaluation/asan_program/gnuplot+0x444d70)
#14 0x59c4c8 (/root/uniafl_evaluation/asan_program/gnuplot+0x59c4c8)
#15 0x68cb95 (/root/uniafl_evaluation/asan_program/gnuplot+0x68cb95)
#16 0x463bc3 (/root/uniafl_evaluation/asan_program/gnuplot+0x463bc3)
#17 0x459f6c (/root/uniafl_evaluation/asan_program/gnuplot+0x459f6c)
#18 0x61b63b (/root/uniafl_evaluation/asan_program/gnuplot+0x61b63b)
#19 0x40772e (/root/uniafl_evaluation/asan_program/gnuplot+0x40772e)
#20 0x7f95d3c5f554 (/usr/lib64/libc-2.17.so+0x22554)
#21 0x4084ec (/root/uniafl_evaluation/asan_program/gnuplot+0x4084ec)
0x60040000ce70 is located 0 bytes inside of 16-byte region [0x60040000ce70,0x60040000ce80)
freed by thread T0 here:
#0 0x7f95d52f0dd9 (/usr/lib64/libasan.so.0.0.0+0x15dd9)
#1 0x849f72 (/root/uniafl_evaluation/asan_program/gnuplot+0x849f72)
previously allocated by thread T0 here:
#0 0x7f95d52f0ef9 (/usr/lib64/libasan.so.0.0.0+0x15ef9)
#1 0x4085f0 (/root/uniafl_evaluation/asan_program/gnuplot+0x4085f0)
Shadow bytes around the buggy address:
0x0c00ffff9970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff9990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c00ffff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c00ffff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd
0x0c00ffff99d0: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa fd fa
0x0c00ffff99e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
0x0c00ffff99f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c00ffff9a00: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 04 fa
0x0c00ffff9a10: fa fa 01 fa fa fa 02 fa fa fa 02 fa fa fa 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==4348== ABORTING
Information below is from valgrind:
==4360== Invalid read of size 1
==4360== at 0x4C322D4: __strstr_sse42 (vg_replace_strmem.c:1644)
==4360== by 0x7ADA6D: enhanced_recursion.constprop.133 (term.c:2063)
==4360== by 0x7A997C: enhanced_recursion.constprop.132 (term.c:2307)
==4360== by 0x7E358B: ENHX11_put_text (x11.trm:2132)
==4360== by 0x802E6B: write_multiline (term.c:801)
==4360== by 0x434303: do_key_sample (boundary.c:1227)
==4360== by 0x55C244: do_plot (graphics.c:861)
==4360== by 0x61F74B: eval_plots (plot2d.c:3612)
==4360== by 0x44BB88: plot_command (command.c:1897)
==4360== by 0x4411AB: command (command.c:659)
==4360== by 0x4411AB: do_line (command.c:429)
==4360== by 0x5CD14B: load_file (misc.c:335)
==4360== by 0x406416: main (plot.c:636)
==4360== Address 0x65937b0 is 0 bytes inside a block of size 16 free'd
==4360== at 0x4C2B06D: free (vg_replace_malloc.c:538)
==4360== by 0x7AF457: enhanced_recursion.constprop.133 (term.c:2269)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE339: enhanced_recursion.constprop.133 (term.c:2312)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE57D: enhanced_recursion.constprop.133 (term.c:2127)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== Block was alloc'd at
==4360== at 0x4C29F73: malloc (vg_replace_malloc.c:307)
==4360== by 0x4066C0: gp_alloc (alloc.c:56)
==4360== by 0x7AF044: stylefont (term.c:2449)
==4360== by 0x7AF044: enhanced_recursion.constprop.133 (term.c:2261)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE339: enhanced_recursion.constprop.133 (term.c:2312)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE57D: enhanced_recursion.constprop.133 (term.c:2127)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== by 0x7AE258: enhanced_recursion.constprop.133 (term.c:2307)
==4360== Warning: invalid file descriptor -1 in syscall close()
==4360==
==4360== HEAP SUMMARY:
==4360== in use at exit: 36,459 bytes in 288 blocks
==4360== total heap usage: 2,475 allocs, 2,187 frees, 1,764,497 bytes allocated
==4360==
==4360== LEAK SUMMARY:
==4360== definitely lost: 0 bytes in 0 blocks
==4360== indirectly lost: 0 bytes in 0 blocks
==4360== possibly lost: 0 bytes in 0 blocks
==4360== still reachable: 36,459 bytes in 288 blocks
==4360== suppressed: 0 bytes in 0 blocks
==4360== Rerun with --leak-check=full to see details of leaked memory
==4360==
==4360== For lists of detected and suppressed errors, rerun with: -s
==4360== ERROR SUMMARY: 2716 errors from 15 contexts (suppressed: 0 from 0)
This one is nasty. It is due to a flaw in the code pattern used by multiple terminals for enhanced text mode font-handling. It affects at least x11, the cairo terminals, and the libgd terminals.
It seems pretty serious, could you please provide more details about this?
I do not fully understand why this reproducer in particular triggers the error, but the general issue is that the enhanced text algorithm builds up a modified output stream that applies the mark-up instructions in the original string. At the end of a markup text segment (normally the closing } of a bracketed string {...}) it flushes the output string. The problem was that the flush routine assumes that the previous processing has left a valid pointer to the font being used. Some terminals kept the font name in static storage, which is OK. But the x11 and gd terminals used a dynamically allocated copy. Something about the garbage string in your reproducer caused reallocation of that font name, after which the flush routine tried to retrieve it from a now invalid location. The fix makes sure that the scope of the font name is larger than the entire process+flush sequence.
My initial diagnosis that the cairo terminals were also affected by this was incorrect. There is a separate memory leak in cairo/pango font handling but it is deep in the fontconfig system library, not in the gnuplot code. Valgrind trace attached. This is from sending the same pathological test string in your reproducer to the pngcairo terminal. Note that this is "only" a leak and not a use-after-free.
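The flush pattern described in the two comments above, as an added example that is not gnuplot's code: a terminal that keeps the current font name as a heap copy (as x11 and gd did), an enhanced-text recursion that borrows that copy for the duration of a `{/Font ...}` segment, and a nested font change inside the segment that frees the borrowed copy before the enclosing segment's closing-brace flush reads it. The names `enhanced_recursion`, `enhanced_flush` and `term_set_font` mirror the frames in the valgrind trace, but every body here is an assumption written for this illustration, and the input strings are constructed. The `fixed` variant applies the maintainer's fix: each segment owns its own copy of the font name, scoped across the whole process+flush sequence. Freed blocks are quarantined rather than returned to malloc so the stale read is reported deterministically instead of being undefined behaviour.

```c
/* Added example, not gnuplot's code. Models the enhanced-text font
 * use-after-free: a segment borrows the terminal's heap copy of the font
 * name, a nested font change frees it, the segment's final flush reads it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- allocation tracker: freed blocks are quarantined (as ASan does), so a
 *     stale pointer is detected instead of silently reading reused memory --- */
#define MAX_TRACKED 32
static char *slots[MAX_TRACKED];
static int   dead[MAX_TRACKED];
static int   nslots;

static char *tracked_strdup(const char *s)
{
    if (nslots == MAX_TRACKED) abort();
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p) abort();
    memcpy(p, s, len);
    slots[nslots] = p;
    dead[nslots] = 0;
    nslots++;
    return p;
}

static void tracked_free(char *p)
{
    for (int i = 0; i < nslots; i++)
        if (slots[i] == p && !dead[i]) { dead[i] = 1; return; }
    abort();                          /* double free or untracked pointer */
}

static int is_live(const char *p)
{
    for (int i = 0; i < nslots; i++)
        if (slots[i] == p) return !dead[i];
    return 0;
}

/* --- terminal side: x11/gd kept the current font name as a heap copy --- */
static char *term_font;

static void term_set_font(const char *name)
{
    if (term_font) tracked_free(term_font);   /* previous copy is now invalid */
    term_font = tracked_strdup(name);
}

static void tracker_reset(void)
{
    for (int i = 0; i < nslots; i++) free(slots[i]);
    nslots = 0;
    term_font = NULL;
}

/* --- enhanced text side --- */
static void append(char *out, size_t outsz, const char *s)
{
    size_t len = strlen(out);
    if (len + 1 < outsz) strncat(out, s, outsz - len - 1);
}

/* Flush buffered text tagged with the font the caller says is in use.
 * Returns 1 when 'fontname' points at a freed block: this is the point where
 * the real flush routine's strstr() over the font name read freed memory. */
static int enhanced_flush(const char *fontname, const char *text,
                          char *out, size_t outsz)
{
    char tag[128];
    int stale = !is_live(fontname);
    snprintf(tag, sizeof tag, "[%s]%s", stale ? "STALE" : fontname, text);
    append(out, outsz, tag);
    return stale;
}

/* Process one segment's body in 'fontname' up to its closing '}' (or the end
 * of the string); "{/Font body}" recurses with Font. Returns a pointer just
 * past the closing brace. */
static const char *enhanced_recursion(const char *p, const char *fontname,
                                      int fixed, char *out, size_t outsz,
                                      int *stale)
{
    char text[64];
    size_t n = 0;

    while (*p && *p != '}') {
        if (*p == '{' && p[1] == '/') {
            char font[32];
            size_t fl = 0;
            p += 2;
            while (*p && *p != ' ' && *p != '}' && fl + 1 < sizeof font)
                font[fl++] = *p++;
            font[fl] = '\0';
            if (*p == ' ') p++;

            /* text buffered so far belongs to the enclosing font */
            text[n] = '\0';
            if (n) *stale += enhanced_flush(fontname, text, out, outsz);
            n = 0;

            term_set_font(font);      /* frees the terminal's previous copy */

            if (fixed) {
                /* Fix: a copy owned by this segment, alive across the whole
                 * process+flush sequence of the nested body. */
                char *own = tracked_strdup(font);
                p = enhanced_recursion(p, own, fixed, out, outsz, stale);
                tracked_free(own);
                term_set_font(fontname);   /* re-select the enclosing font;
                                              safe, fontname is our own copy */
            } else {
                /* Bug: borrow the terminal's heap copy. Any font change inside
                 * the nested body frees it, and the enclosing segment's final
                 * flush below then dereferences the dangling pointer. */
                p = enhanced_recursion(p, term_font, fixed, out, outsz, stale);
            }
            continue;
        }
        if (n + 1 < sizeof text) text[n++] = *p;
        p++;
    }
    text[n] = '\0';
    if (n) *stale += enhanced_flush(fontname, text, out, outsz);  /* closing '}' */
    return *p ? p + 1 : p;
}

/* Render one enhanced-text string into 'out'. Returns how many flushes would
 * have read a freed font name (0 means no use-after-free). */
int render(const char *s, int fixed, char *out, size_t outsz)
{
    int stale = 0;
    out[0] = '\0';
    term_set_font("Default");
    if (fixed) {
        char *own = tracked_strdup("Default");
        enhanced_recursion(s, own, fixed, out, outsz, &stale);
        tracked_free(own);
    } else {
        enhanced_recursion(s, term_font, fixed, out, outsz, &stale);
    }
    tracker_reset();
    return stale;
}

/* Render and compare the emitted stream: returns the stale count, or -1 when
 * the output differs from 'expected'. */
int render_check(const char *s, int fixed, const char *expected)
{
    char out[128];
    int stale = render(s, fixed, out, sizeof out);
    return strcmp(out, expected) == 0 ? stale : -1;
}

int main(void)
{
    /* constructed reproducer: a font change nested inside a font change */
    const char *s = "{/Bold a{/Italic b}c}";
    char out[128];
    int n = render(s, 0, out, sizeof out);
    printf("buggy: %d stale flush(es): %s\n", n, out);
    n = render(s, 1, out, sizeof out);
    printf("fixed: %d stale flush(es): %s\n", n, out);
    return 0;
}
```

The trailing "c" is the interesting part: it is flushed in the enclosing Bold segment only after the nested Italic segment has already made the terminal free and reallocate its font-name copy. With a real free() the freed address is often handed straight back to the next allocation, so the buggy flush reads a plausible-looking font name and the problem stays invisible until ASan or valgrind quarantines the block, which is why the quarantine is modelled here.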
I appreciate your time for replying, thanks!