use after free in pseudofork on win32 #17522
Comments
On Sun, 2 Feb 2020 at 07:16, xenu ***@***.***> wrote:
*Description*
Microsoft recently added ASan support to Visual C++
<https://devblogs.microsoft.com/cppblog/addresssanitizer-asan-for-windows-with-msvc/>
so I decided to test perl with it. It turns out that it makes op\fork.t fail.

Is it possible to build your perl with debugging symbols? I forget how to
do it, but iirc you can generate a separate debugging symbol file even
without enabling DEBUGGING using msvc. That I think would give us the debug
info to see the proper stack trace.

Here's simplified code from the test that triggers use after free:
BEGIN {
fork and exit;
}
and here's the output of the script:
>perl a.pl
=================================================================
==428==ERROR: AddressSanitizer: heap-use-after-free on address 0x04907d8c at pc 0x709628ff bp 0x060bf67c sp 0x060bf67c
READ of size 4 at 0x04907d8c thread T1
#0 0x709628fe (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe)
#1 0x70962ca2 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10022ca2)
#2 0x70963ef9 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10023ef9)
#3 0x70961aec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10021aec)
#4 0x70b0500d (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c500d)
#5 0x6ca59bb0 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10049bb0)
#6 0x6ca5a2ae (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a2ae)
#7 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
#8 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
#9 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)
0x04907d8c is located 44 bytes inside of 64-byte region [0x04907d60,0x04907da0)
freed by thread T0 here:
#0 0x6ca50ef1 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10040ef1)
#1 0x70b011f4 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c11f4)
#2 0x70b034b3 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c34b3)
#3 0x70af6efb (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6efb)
#4 0x70a95a2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10155a2e)
#5 0x709ced3a (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008ed3a)
#6 0x709ce997 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e997)
#7 0x70a0181c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100c181c)
#8 0x70a913ca (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca)
#9 0x709c8bec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec)
#10 0x709ce439 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439)
#11 0x709acf2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e)
#12 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
#13 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
#14 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
#15 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
#16 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
#17 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
#18 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
#19 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
#20 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
#21 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)
previously allocated by thread T0 here:
#0 0x6ca51035 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x10041035)
#1 0x70b01093 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c1093)
#2 0x70b0347a (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c347a)
#3 0x70af6ce9 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101b6ce9)
#4 0x709acc94 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cc94)
#5 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
#6 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
#7 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
#8 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
#9 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
#10 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
#11 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
#12 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
#13 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
#14 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)
Thread T1 created by T0 here:
#0 0x6ca5a3f2 (C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\bin\HostX86\x86\clang_rt.asan_dynamic-i386.dll+0x1004a3f2)
#1 0x70b05252 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c5252)
#2 0x70a38a16 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100f8a16)
#3 0x70a913ca (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101513ca)
#4 0x709c8bec (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10088bec)
#5 0x709ce439 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008e439)
#6 0x709acf2e (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006cf2e)
#7 0x709ac918 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1006c918)
#8 0x709cfb0c (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x1008fb0c)
#9 0x709c75bd (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100875bd)
#10 0x709c6a11 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x10086a11)
#11 0x70b07950 (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x101c7950)
#12 0x8e1014 (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x401014)
#13 0x8e11eb (C:\Users\xenu\Documents\git\perl5\t\perl.exe+0x4011eb)
#14 0x74ce6358 (C:\Windows\System32\KERNEL32.DLL+0x6b816358)
#15 0x77537b73 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b73)
#16 0x77537b43 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e7b43)
SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\xenu\Documents\git\perl5\t\perl531.dll+0x100228fe)
==428==ABORTING
*Perl configuration*
Summary of my perl5 (revision 5 version 31 subversion 9) configuration:
Derived from: 3a25432
Platform:
osname=MSWin32
osvers=10.0.18363.592
archname=MSWin32-x86-multi-thread-64int
uname=''
config_args='undef'
hint=recommended
useposix=true
d_sigaction=undef
useithreads=define
usemultiplicity=define
use64bitint=define
use64bitall=undef
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cl'
ccflags ='-nologo -GF -W3 -fsanitize=address -MD -DWIN32 -D_CONSOLE -DNO_STRICT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS -DPERL_TEXTMODE_SCRIPTS -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS'
optimize='-O1 -Zi -GL'
cppflags='-DWIN32'
ccversion='19.24.28316'
gccversion=''
gccosandvers=''
intsize=4
longsize=4
ptrsize=4
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=undef
longlongsize=8
d_longdbl=define
longdblsize=8
longdblkind=0
ivtype='__int64'
ivsize=8
nvtype='double'
nvsize=8
Off_t='__int64'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='link'
ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl\lib\CORE" -machine:x86 -subsystem:console,"5.01"'
libpth="C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.24.28314\\lib\x86"
libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib
perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib vcruntime.lib ucrt.lib clang_rt.asan_dynamic-i386.lib clang_rt.asan_dynamic_runtime_thunk-i386.lib
libc=ucrt.lib
so=dll
useshrplib=true
libperl=perl531.lib
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_win32.xs
dlext=dll
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl\lib\CORE" -machine:x86 -subsystem:console,"5.01"'
Characteristics of this binary (from libperl):
Compile-time options:
HAS_TIMES
HAVE_INTERP_INTERN
MULTIPLICITY
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_IMPLICIT_CONTEXT
PERL_IMPLICIT_SYS
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
USE_64_BIT_INT
USE_ITHREADS
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
USE_THREAD_SAFE_LOCALE
Locally applied patches:
uncommitted-changes
Built under MSWin32
Compiled at Feb 2 2020 06:52:11
@inc:
C:/Users/xenu/Documents/git/perl5/lib
--
perl -Mre=debug -e "/just|another|perl|hacker/"
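A small triage helper for ASan reports of the shape quoted above, added here as an example (not code from the issue or from the Perl project): it parses the report sections, checks whether the freeing thread differs from the accessing thread (the pattern in this report: freed by T0, read by T1, T1 created by T0), and counts frames that carry no symbol, which is the question the reply raises about debugging symbols. The sample report is constructed from the one above with frames trimmed, module paths cut to file names, and one symbolized frame (some_function in file.c) invented for contrast.

```python
import re
# Constructed sample modelled on the report quoted in this issue: frames trimmed, module
# paths cut to file names, and one symbolized frame (some_function file.c:42) invented.
SAMPLE_REPORT = r"""
==428==ERROR: AddressSanitizer: heap-use-after-free on address 0x04907d8c at pc 0x709628ff bp 0x060bf67c sp 0x060bf67c
READ of size 4 at 0x04907d8c thread T1
    #0 0x709628fe (perl531.dll+0x100228fe)
freed by thread T0 here:
    #0 0x6ca50ef1 (clang_rt.asan_dynamic-i386.dll+0x10040ef1)
previously allocated by thread T0 here:
    #0 0x6ca51035 (clang_rt.asan_dynamic-i386.dll+0x10041035)
    #1 0x70b01093 in some_function file.c:42
Thread T1 created by T0 here:
    #0 0x6ca5a3f2 (clang_rt.asan_dynamic-i386.dll+0x1004a3f2)
"""
# Every section header names a thread; the access header also carries the size and the
# thread-creation header also names the creating thread.
HEADER_RE = re.compile(r"^(READ|WRITE|freed|previously allocated|Thread)(?: of size (\d+))?"
                       r".*?\b(T\d+)(?: created by (T\d+))?")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+(in\s+\S+)?")  # group 1 only on symbolized frames

def parse_report(text):
    # Collect report kind, the access, which thread did what, and symbol coverage per section.
    info = {"kind": None, "access": None, "thread": {}, "created_by": {}, "frames": {}, "unsymbolized": {}}
    section = None
    for line in text.splitlines():
        if m := re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            info["kind"], info["address"] = m.group(1), m.group(2)
        elif m := HEADER_RE.match(line):
            kind, size, thread, creator = m.groups()
            section = {"freed": "free", "previously allocated": "alloc", "Thread": "create " + thread}.get(kind, "access")
            info["thread"][section] = thread
            if size:
                info["access"] = (kind, int(size))
            if creator:
                info["created_by"][thread] = creator
            info["frames"][section] = info["unsymbolized"][section] = 0
        elif section and (m := FRAME_RE.match(line)):
            info["frames"][section] += 1
            info["unsymbolized"][section] += 0 if m.group(1) else 1
    return info

def triage(info):
    # The two questions this thread raised: is the lifetime cross-thread, and are symbols usable?
    findings, t = [], info["thread"]
    if info["kind"] == "heap-use-after-free" and t.get("free") != t.get("access"):
        findings.append(f"cross-thread UAF: {info['access'][0]} of {info['access'][1]} bytes in {t['access']} "
                        f"(created by {info['created_by'].get(t['access'], '?')}) hits memory freed by {t['free']}")
    bad, total = sum(info["unsymbolized"].values()), sum(info["frames"].values())
    if bad:
        findings.append(f"{bad}/{total} frames carry no symbol; the symbolizer did not find debug info")
    return findings
```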
Oh, I posted that just before going to bed and I didn't notice there were no source lines in the output. The symbols are there (msvc build always builds with them), but for some reason asan isn't using them. Here's the backtrace of the asan exception from windbg:
wtf, asan does pick up the symbols, but only when I copy Anyway, here's the annotated asan output:
Does this (or something similar) still occur? The code that allocated that particular block of memory was removed in 79f75ea.