Menu
▾
▴
#43 test failure because of a use-after-free
Our Gentoo Tinderbox reported a test failure at bug 914173
By looking at test-suite.log I can see:
==103==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x5575c34a16a4 bp 0x7ffc388e3c40 sp 0x7ffc388e3410
WRITE of size 8 at 0x604000000010 thread T0
#0 0x5575c34a16a3 in __asan_memset (/var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/.libs/hmac_test+0xb76a3)
#1 0x7f7a572d2e90 in mutils_memset /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/lib/stdfns.c
#2 0x5575c34dcc14 in main /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/hmac_test.c:79:2
#3 0x7f7a56e23c89 (/lib64/libc.so.6+0x23c89)
#4 0x7f7a56e23d44 in __libc_start_main (/lib64/libc.so.6+0x23d44)
#5 0x5575c34083b0 in _start (/var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/.libs/hmac_test+0x1e3b0)
0x604000000010 is located 0 bytes inside of 33-byte region [0x604000000010,0x604000000031)
freed by thread T0 here:
#0 0x5575c34a1f56 in free (/var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/.libs/hmac_test+0xb7f56)
#1 0x5575c34dcc05 in main /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/hmac_test.c:75:2
#2 0x7f7a56e23c89 (/lib64/libc.so.6+0x23c89)
previously allocated by thread T0 here:
#0 0x5575c34a21fe in __interceptor_malloc (/var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/.libs/hmac_test+0xb81fe)
#1 0x7f7a572d634f in mutils_malloc /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/lib/stdfns.c:90:8
#2 0x7f7a572d634f in mutils_asciify /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/lib/stdfns.c:605:25
#3 0x5575c34dcbcf in main /var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/hmac_test.c:60:8
#4 0x7f7a56e23c89 (/lib64/libc.so.6+0x23c89)
SUMMARY: AddressSanitizer: heap-use-after-free (/var/tmp/portage/app-crypt/mhash-0.9.9.9-r3/work/mhash-0.9.9.9/src/.libs/hmac_test+0xb76a3) in __asan_memset
Shadow bytes around the buggy address:
0x603ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x603ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x603ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x603fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x603fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x604000000000: fa fa[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
0x604000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x604000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x604000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x604000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x604000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==103==ABORTING
I didn't look deeply into this issue so I don't know if the bug is in the unittest itself or in the involed libraries/daemons, if so please check for any security implications.
If I can do further, please let me know.