local socket: fix accept used after free #10785
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
==1729315==ERROR: AddressSanitizer: heap-use-after-free on address 0xf0501d60 at pc 0x032ffe43 bp 0xef4ed158 sp 0xef4ed148
READ of size 2 at 0xf0501d60 thread T0
#0 0x32ffe42 in nxsem_wait semaphore/sem_wait.c:94
#1 0x3548cf5 in _net_timedwait utils/net_lock.c:97
#2 0x3548f48 in net_sem_timedwait utils/net_lock.c:236
apache#3 0x3548f8c in net_sem_wait utils/net_lock.c:318
apache#4 0x350124d in local_accept local/local_accept.c:246
apache#5 0x3492719 in psock_accept socket/accept.c:149
apache#6 0x3492bcc in accept4 socket/accept.c:280
apache#7 0x662dc04 in accept net/lib_accept.c:50
apache#8 0x55c81ab in kvdb_loop kvdb/server.c:415
apache#9 0x55c860a in kvdbd_main kvdb/server.c:458
apache#10 0x33d968b in nxtask_startup sched/task_startup.c:70
apache#11 0x32ec039 in nxtask_start task/task_start.c:134
apache#12 0x34109be in pre_start sim/sim_initialstate.c:52
0xf0501d60 is located 288 bytes inside of 420-byte region [0xf0501c40,0xf0501de4)
freed by thread T0 here:
#0 0xf7aa6a3f in __interceptor_free ../../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x73aa06e in host_free sim/posix/sim_hostmemory.c:192
#2 0x34131d6 in mm_free sim/sim_heap.c:230
apache#3 0x3409388 in free umm_heap/umm_free.c:49
apache#4 0x35631f3 in local_free local/local_conn.c:225
apache#5 0x3563f75 in local_release local/local_release.c:129
apache#6 0x34f5a32 in local_close local/local_sockif.c:785
apache#7 0x3496ee8 in psock_close socket/net_close.c:102
apache#8 0x36500bc in sock_file_close socket/socket.c:115
apache#9 0x3635f6c in file_close vfs/fs_close.c:74
apache#10 0x3632439 in nx_close_from_tcb inode/fs_files.c:670
apache#11 0x36324f3 in nx_close inode/fs_files.c:697
apache#12 0x3632557 in close inode/fs_files.c:735
apache#13 0x55be289 in property_set_ kvdb/client.c:210
apache#14 0x55c0309 in property_set_int32_ kvdb/common.c:226
apache#15 0x55c03f5 in property_set_int32_oneway kvdb/common.c:236
Signed-off-by: ligd <liguiding1@xiaomi.com>
xiaoxiang781216
approved these changes
Sep 24, 2023
pkarashchenko
approved these changes
Sep 24, 2023
|
|
||
| void local_addref(FAR struct local_conn_s *conn) | ||
| { | ||
| DEBUGASSERT(conn->lc_crefs >= 0 && conn->lc_crefs < 255); |
There was a problem hiding this comment.
Is lc_crefs signed? If not then need to change to
Suggested change
| DEBUGASSERT(conn->lc_crefs >= 0 && conn->lc_crefs < 255); | |
| DEBUGASSERT(conn->lc_crefs < 255); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
local socket: fix accept used after free
0xf0501d60 is located 288 bytes inside of 420-byte region [0xf0501c40,0xf0501de4) freed by thread T0 here:
Impact
local socket
Testing
SIM & BES board