Use after free in std::system_error constructor

[fredemmott]

Describe the bug

std::system_error (in _System_error) constructs a temporary std::string with _Makestr, then stores a .c_str() to it without retaining it, which is invalid.

In my real application, I am seeing an stdext::bad_alloc from within _Throw_fs_error, even in release builds. In debug builds, I see the use-after-free bit pattern, with a trace like this:

The debugger shows that at the time of the _Doraise() call, the string has been overwritten with the 0xdd - use-after-free bit pattern.

I'm able to reproduce this with /fsanitize-address-use-after-return.

Command-line test case

Either of these repros works:

#include <filesystem>
#include <print>

int main(int argc, char** argv) {
    // REPRO 1:
    auto ex = []() {
        std::string what{"abc"};
        std::error_code ec{2, std::system_category()};
        return std::system_error{ec, what};
    }();
    std::println("{}", ex.what());
    // REPRO 2:
    try {
        const std::filesystem::path p { "does-not-exist" };
        std::println("Empty? {}", std::filesystem::is_empty(p));
    } catch (const std::filesystem::filesystem_error& e) {
        std::println("Ex: {}", e.what());
    }
  return 0;
}

The std::filesystem::is_empty() case has a user-after free both for _What and for the path.

PS C:\Users\fred\code\filesystem-test> cl /std:c++latest /EHsc /MDd /Zi /W4 /fsanitize=address /fsanitize-address-use-after-return test.cpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.42.34435 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

/std:c++latest is provided as a preview of language features from the latest C++
working draft, and we're eager to hear about bugs and suggestions for improvements.
However, note that these features are provided as-is without support, and subject
to changes or removal as the working draft evolves. See
https://go.microsoft.com/fwlink/?linkid=2045807 for details.

test.cpp
test.cpp(4): warning C4100: 'argv': unreferenced formal parameter
test.cpp(4): warning C4100: 'argc': unreferenced formal parameter
Microsoft (R) Incremental Linker Version 14.42.34435.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:test.exe
/debug
/InferAsanLibs
test.obj
PS C:\Users\fred\code\filesystem-test> ./test.exe
=================================================================
==29036==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x00161e0ff210 at pc 0x7ff67786271f bp 0x00161e0ff0d0 sp 0x00161e0ff0d8
WRITE of size 8 at 0x00161e0ff210 thread T0
    #0 0x7ff67786271e in std::_Container_base12::_Container_base12(void) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\include\xmemory:1199
    #1 0x7ff67785fbbe in std::_String_val<struct std::_Simple_types<char>>::_String_val<struct std::_Simple_types<char>>(void) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\include\xstring:402
    #2 0x7ff6778119b3 in std::_Compressed_pair<class std::allocator<char>, class std::_String_val<struct std::_Simple_types<char>>, 1>::_Compressed_pair<class std::allocator<char>, class std::_String_val<struct std::_Simple_types<char>>, 1><>(struct std::_Zero_then_variadic_args_t) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\include\xmemory:1495
    #3 0x7ff677861bf6 in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\include\xstring:749
    #4 0x7ff6778116eb in `main'::`2'::<lambda_1>::operator() C:\Users\fred\code\filesystem-test\test.cpp:7
    #5 0x7ff677811292 in main C:\Users\fred\code\filesystem-test\test.cpp:6
    #6 0x7ff6778cb238 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #7 0x7ff6778cb181 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #8 0x7ff6778cb03d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #9 0x7ff6778cb2ad in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #10 0x7ff94bd0259c  (C:\WINDOWS\System32\KERNEL32.DLL+0x18001259c)
    #11 0x7ff94d58af37  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005af37)

Address 0x00161e0ff210 is located in stack of thread T0 at offset 0 in frame
    #0 0x7ff67781155f in `main'::`2'::<lambda_1>::operator() C:\Users\fred\code\filesystem-test\test.cpp:6

  This frame has 2 object(s):
    [32, 72) 'what'
    [48, 64) 'ec'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.42.34433\include\xmemory:1199 in std::_Container_base12::_Container_base12(void)
Shadow bytes around the buggy address:
  0x00161e0fef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00161e0ff200: 00 00[f1]f1 f1 f1 00 00 00 00 00 f2 f2 f2 f2 00
  0x00161e0ff280: 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00161e0ff400: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
  0x00161e0ff480: 00 00 f2 f2 f2 f2 01 f2 f8 f2 f8 f2 f8 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29036==ABORTING

Expected behavior

• std::system_error should manage lifetime of temporary strings it creates
• std::filesystem::is_empty() should throw an exception on error, not internally crash

STL version

Microsoft Visual Studio Community 2022
Version 17.12.3

Additional context

None.

[fredemmott]

This also reproduces in 17.13.0:

Microsoft Visual Studio Community 2022
Version 17.13.0

[StephanTLavavej]

Your real application appears to be using _HAS_EXCEPTIONS=0 (our quasi-supported mode for disabling EH), due to the presence of stdext::exception and _Doraise. This is critically important information.

I can see what's wrong in that scenario - it's in runtime_error(const string&), where we're assuming the std::exception will copy the .c_str(), but the _HAS_EXCEPTIONS=0 stdext::exception just stores the pointer. This appears to affect other usage throughout the STL.

I don't immediately see what's happening in your self-contained repro (with ASan), which does not appear to be setting _HAS_EXCEPTIONS=0.

[fredemmott]

Thanks; _HAS_EXCEPTIONS=0 is unintended in my app; it appears to be added by Chromium Embedded Framework, which I'll isolate then see what happens.

It's definitely not set in the isolated repro - the command line in this issue is a copy-and-paste.

[fredemmott]

In my real app:

With:

• cmake modified to strip out _HAS_EXCEPTIONS
• completely clean build (rm -rf build)
• building from scratch
• grep shows that _HAS_EXCEPTIONS is no longer leaking out of CEF

I am:

• no longer seeing calls to DoRaise
• no longer actually seeing use-after-free bit patterns or corruption, unless I enable ASAN

[StephanTLavavej]

no longer seeing calls to DoRaise
no longer actually seeing use-after-free bit patterns or corruption, unless I enable ASAN

Great, that aligns with my understanding. (The normal std::exception will copy the const char *'s contents, instead of just storing the raw pointer.)

That means we do have a bug in the _HAS_EXCEPTIONS=0 mode, which is not terribly surprising.

For what you're seeing with ASan, I think this is specific to /fsanitize-address-use-after-return. I can reduce your repro all the way to:

C:\Temp>type meow.cpp

#include <cstdio>
#include <string>
using namespace std;

int main() {
    string str{"abc"};
    printf("%s\n", str.c_str());
}

C:\Temp>cl /EHsc /nologo /W4 /std:c++latest /MTd /Od /Zi /fsanitize=address meow.cpp && meow
meow.cpp
abc

C:\Temp>cl /EHsc /nologo /W4 /std:c++latest /MTd /Od /Zi /fsanitize=address /fsanitize-address-use-after-return meow.cpp && meow
meow.cpp
=================================================================
==10484==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x0089ce2ffb30 at pc 0x7ff705a02ecf bp 0x0089ce2ff9f0 sp 0x0089ce2ff9f8
WRITE of size 8 at 0x0089ce2ffb30 thread T0
    #0 0x7ff705a02ece in std::_Container_base12::_Container_base12(void) C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.34823\include\xmemory:1231
    #1 0x7ff705a02c7e in std::_String_val<struct std::_Simple_types<char>>::_String_val<struct std::_Simple_types<char>>(void) C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.34823\include\xstring:402
    #2 0x7ff705a01263 in std::_Compressed_pair<class std::allocator<char>, class std::_String_val<struct std::_Simple_types<char>>, 1>::_Compressed_pair<class std::allocator<char>, class std::_String_val<struct std::_Simple_types<char>>, 1><>(struct std::_Zero_then_variadic_args_t) C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.34823\include\xmemory:1527
    #3 0x7ff705a02d86 in std::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>::basic_string<char, struct std::char_traits<char>, class std::allocator<char>>(char const *const) C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.34823\include\xstring:746
    #4 0x7ff705a0119f in main C:\Temp\meow.cpp:6
    #5 0x7ff705a091b8 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #6 0x7ff705a090d1 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #7 0x7ff705a08f8d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #8 0x7ff705a0922d in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #9 0x7ffd2c2ce8d6  (C:\WINDOWS\System32\KERNEL32.DLL+0x18002e8d6)
    #10 0x7ffd2e13bf2b  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800bbf2b)

Address 0x0089ce2ffb30 is located in stack of thread T0 at offset 0 in frame
    #0 0x7ff705a0107f in main C:\Temp\meow.cpp:5

  This frame has 1 object(s):
    [32, 72) 'str'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.34823\include\xmemory:1231 in std::_Container_base12::_Container_base12(void)
Shadow bytes around the buggy address:
  0x0089ce2ff880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ff900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0089ce2ffb00: 00 00 00 00 00 00[f1]f1 f1 f1 00 00 00 00 00 f3
  0x0089ce2ffb80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0089ce2ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10484==ABORTING

I reached out to the ASan team, and this option is apparently supported on Windows (see https://learn.microsoft.com/en-us/cpp/sanitizers/error-stack-use-after-return?view=msvc-170 ), but it still repros even if I set the environment variable with set ASAN_OPTIONS=detect_stack_use_after_return=1.

[fredemmott]

Thanks, yeah - agreed this seems likely to be an ASAN issue; it seems extremely unlikely that std::string is actually bad.

FWIW I enabled that ASAN mode as it's in the 'zero false positives' list at https://learn.microsoft.com/en-us/cpp/sanitizers/asan?view=msvc-170

[StephanTLavavej]

Yeah, we're definitely looking at an ASan bug here. I was able to fully reduce away std::string, leaving just the pattern of having a base class with a data member initializer:

C:\Temp>"C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Auxiliary\Build\vcvarsall.bat" x64
**********************************************************************
** Visual Studio 2022 Developer Command Prompt v17.14.0-pre.1.0
** Copyright (c) 2022 Microsoft Corporation
**********************************************************************
[vcvarsall.bat] Environment initialized for: 'x64'

C:\Temp>type meow.cpp

#include <cstdio>
using namespace std;

struct Proxy {};

struct ContainerBase12 {
    constexpr ContainerBase12() noexcept = default;

    Proxy* m_proxy = nullptr;
};

struct String : ContainerBase12 {
    const char* m_data;
    explicit String(const char* ptr) : m_data{ptr} {}
};

int main() {
    String str{"abc"};
    printf("%s\n", str.m_data);
}

C:\Temp>cl /EHsc /nologo /W4 /std:c++latest /MTd /Od /Zi /fsanitize=address meow.cpp && meow
meow.cpp
abc

C:\Temp>set ASAN_OPTIONS=detect_stack_use_after_return=1

C:\Temp>cl /EHsc /nologo /W4 /std:c++latest /MTd /Od /Zi /fsanitize=address /fsanitize-address-use-after-return meow.cpp && meow
meow.cpp
=================================================================
==15080==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x029f01589000 at pc 0x7ff6bee6124f bp 0x00f8762ffc10 sp 0x00f8762ffc18
WRITE of size 8 at 0x029f01589000 thread T0
    #0 0x7ff6bee6124e in ContainerBase12::ContainerBase12(void) C:\Temp\meow.cpp:9
    #1 0x7ff6bee61293 in String::String(char const *) C:\Temp\meow.cpp:14
    #2 0x7ff6bee61127 in main C:\Temp\meow.cpp:18
    #3 0x7ff6bee63028 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #4 0x7ff6bee62f41 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #5 0x7ff6bee62dfd in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #6 0x7ff6bee6309d in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #7 0x7ffd2c2ce8d6  (C:\WINDOWS\System32\KERNEL32.DLL+0x18002e8d6)
    #8 0x7ffd2e13bf2b  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800bbf2b)

Address 0x029f01589000 is located in stack of thread T0 at offset 0 in frame
    #0 0x7ff6bee6103f in main C:\Temp\meow.cpp:17

  This frame has 1 object(s):
    [32, 48) 'str'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp, SEH and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow C:\Temp\meow.cpp:9 in ContainerBase12::ContainerBase12(void)
Shadow bytes around the buggy address:
  0x029f01588d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01588e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01588e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01588f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01588f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x029f01589000:[f1]f1 f1 f1 00 00 f3 f3 f3 f3 00 00 00 00 00 00
  0x029f01589080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01589100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01589180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01589200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x029f01589280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15080==ABORTING

There is provably no conformance issue here, so it's an ASan false positive.

[fredemmott]

Thanks; feel free to close this depending on how 'quasi-supported' _HAS_EXCEPTIONS=0 is - modifying my app to make sure that doesn't leak out from the Chromium components is definitely the right fix for me, not just a workaround.

[davidmrdavid]

The Windows ASan police (me, in this case) 👮 is on this so you can rest assured it's actively being investigated. Thanks for the report.

[StephanTLavavej]

David filed internal VSO-2381114 (thanks!) to track the ASan bug with /fsanitize-address-use-after-return.

I've filed #5276 to track the _HAS_EXCEPTIONS=0 bug, with more detailed analysis and quoting the relevant code lines.

Closing this issue as fully decomposed. Thanks again for the report and quick responses!