multiple heap use after free errors #78

@hongxuchen

w01_000026,sig:6,Splice:13:30,src:w02_000505.txt

=================================================================
==24747==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000061b at pc 0x000000561eec bp 0x7fffe1def440 sp 0x7fffe1def438
READ of size 1 at 0x61900000061b thread T0
    #0 0x561eeb in skip_whitespaces /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5777:38
    #1 0x55b0df in cur /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5781:3
    #2 0x55e4f7 in parse_array /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5925:13
    #3 0x55a7ef in parse_value /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5963:7
    #4 0x5235a9 in doit /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:6045:10
    #5 0x5230e5 in json_walk /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:6421:3
    #6 0x5a5e8d in mjs_json_parse /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:11904:14
    #7 0x53eb63 in mjs_op_json_parse /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:11953:5
    #8 0x547e0f in mjs_execute /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9489:11
    #9 0x54357c in mjs_exec_internal /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9706:5
    #10 0x5439a8 in mjs_exec_file /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9729:11
    #11 0x54c981 in main /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:12009:11
    #12 0x7f27e221582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #13 0x419e88 in _start (/home/hongxu/FUSE/tests/mjs-ins/mjs_debug_main_FOT-new.out+0x419e88)

0x61900000061b is located 155 bytes inside of 902-byte region [0x619000000580,0x619000000906)
freed by thread T0 here:
    #0 0x4d2918 in realloc (/home/hongxu/FUSE/tests/mjs-ins/mjs_debug_main_FOT-new.out+0x4d2918)
    #1 0x50d7b9 in mbuf_resize /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:4908:26
    #2 0x54f8e6 in mjs_mk_string /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:13601:9
    #3 0x5a67b6 in frozen_cb /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:11811:13
    #4 0x55c15b in parse_string /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5871:9
    #5 0x55a4b7 in parse_value /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5957:7
    #6 0x55e38e in parse_array /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5923:9
    #7 0x55a7ef in parse_value /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5963:7
    #8 0x5235a9 in doit /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:6045:10
    #9 0x5230e5 in json_walk /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:6421:3
    #10 0x5a5e8d in mjs_json_parse /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:11904:14
    #11 0x53eb63 in mjs_op_json_parse /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:11953:5
    #12 0x547e0f in mjs_execute /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9489:11
    #13 0x54357c in mjs_exec_internal /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9706:5
    #14 0x5439a8 in mjs_exec_file /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9729:11
    #15 0x54c981 in main /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:12009:11
    #16 0x7f27e221582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4d2918 in realloc (/home/hongxu/FUSE/tests/mjs-ins/mjs_debug_main_FOT-new.out+0x4d2918)
    #1 0x50d7b9 in mbuf_resize /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:4908:26
    #2 0x54f8e6 in mjs_mk_string /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:13601:9
    #3 0x546de1 in mjs_execute /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9366:23
    #4 0x54357c in mjs_exec_internal /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9706:5
    #5 0x5439a8 in mjs_exec_file /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:9729:11
    #6 0x54c981 in main /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:12009:11
    #7 0x7f27e221582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /home/hongxu/FUSE/tests/mjs-ins/../mjs/mjs.c:5777:38 in skip_whitespaces
==24747==ABORTING