lwip-devel

[lwip-devel] [bug #64413] 'heap-use-after-free' issue


From: Gisle Vanem
Subject: [lwip-devel] [bug #64413] 'heap-use-after-free' issue
Date: Tue, 11 Jul 2023 17:12:40 -0400 (EDT)

URL:
  <https://savannah.nongnu.org/bugs/?64413>

                 Summary: 'heap-use-after-free' issue
                   Group: lwIP - A Lightweight TCP/IP stack
               Submitter: gvanem
               Submitted: Tue 11 Jul 2023 09:12:37 PM UTC
                Category: Contrib
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 11 Jul 2023 09:12:37 PM UTC By: Gisle Vanem <gvanem>
Compiling a modified version of the test
program 'contrib/examples/example_app/test.c'
with ASAN (-fsanitize=address), running it and
stopping it after a few seconds triggers a 'heap-use-after-free'
exception inside libpcap of all places!
The program is multi-threaded (NO_SYS=0).

Call-stack:

==8748==ERROR: AddressSanitizer: heap-use-after-free on address
0x12c90b974da0 at pc 0x7ffbf5f1fc0c bp 0x00bb78bff330 sp 0x00bb78bfeac0
WRITE of size 1 at 0x12c90b974da0 thread T2
    #0 0x7ffbf5f1fc0b in __asan_wrap_memmove
D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:813
    #1 0x7ffc5cf610cb  (C:\Windows\System32\ucrtbase.dll+0x1800110cb)
    #2 0x7ffc5cf60d9d  (C:\Windows\System32\ucrtbase.dll+0x180010d9d)
    #3 0x7ffc5cf60bfa  (C:\Windows\System32\ucrtbase.dll+0x180010bfa)
    #4 0x7ffc275b2f8e in vsnprintf
f:\gv\WinKit\Include\10.0.22621.0\ucrt\stdio.h:1439
    #5 0x7ffc275b2f1a in snprintf
f:\gv\WinKit\Include\10.0.22621.0\ucrt\stdio.h:1931
    #6 0x7ffc275b3ab9 in pcap_vfmt_errmsg_for_win32_err
F:\MinGW32\src\inet\libpcap\fmtutils.c:467
    #7 0x7ffc275b38b4 in pcap_fmt_errmsg_for_win32_err
F:\MinGW32\src\inet\libpcap\fmtutils.c:391
    #8 0x7ffc275d4c09 in pcap_read_npf
F:\MinGW32\src\inet\libpcap\pcap-npf.c:701
    #9 0x7ffc275cf320 in pcap_dispatch
F:\MinGW32\src\inet\libpcap\pcap.c:2965
    #10 0x7ffc275cf37b in pcap_next F:\MinGW32\src\inet\libpcap\pcap.c:629
    #11 0x7ff6f03fdaf7 in pcapif_input_thread
F:\MinGW32\src\inet\lwip\contrib\ports\win32\pcapif.c:758
    #12 0x7ff6f03bff6e in sys_thread_function
F:\MinGW32\src\inet\lwip\contrib\ports\win32\sys_arch.c:442
    #13 0x7ffbf5f3dffe in __asan::AsanThread::ThreadStart(unsigned __int64)
    ...

0x12c90b974da0 is located 288 bytes inside of 1048-byte region
[0x12c90b974c80,0x12c90b975098)
freed by thread T0 here:
    #0 0x7ffbf5f2e668 in free
D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_malloc_win.cpp:115
    #1 0x7ffc275cf233 in pcap_close F:\MinGW32\src\inet\libpcap\pcap.c:4163
    #2 0x7ff6f03fed43 in pcapif_shutdown
F:\MinGW32\src\inet\lwip\contrib\ports\win32\pcapif.c:727
    #3 0x7ff6f03b9009 in main_loop
F:\MinGW32\src\inet\lwip\contrib\ports\win32\test.c:1176
    #4 0x7ff6f03b8ae3 in main
F:\MinGW32\src\inet\lwip\contrib\ports\win32\test.c:1216
    ...


SUMMARY: AddressSanitizer: heap-use-after-free
D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:813
in __asan_wrap_memmove

---------------------------------

Seems to be caused by 'contrib/ports/win32/pcapif.c'
calling 'pcap_close()' too early in thread 'T0',
thus causing 'pcap_next()' and 'pcap_vfmt_errmsg_for_win32_err()'
in thread 'T2' to trigger this 'heap-use-after-free' exception.

But if I modify 'pcapif_shutdown()' into this:

--- a/contrib/ports/win32/pcapif.c 2023-06-30 09:52:18
+++ b/contrib/ports/win32/pcapif.c 2023-07-11 22:54:07
@@ -674,20 +674,21 @@
 {
   struct pcapif_private *pa = (struct
pcapif_private*)PCAPIF_GET_STATE_PTR(netif);
   if (pa) {
+    pa->shutdown_called = 1;
+    LWIP_TRACE(1, "pa->shutdown_called = %d\n", pa->shutdown_called);
 #if PCAPIF_RX_USE_THREAD
     pa->rx_run = 0;
+    /* wait for rxthread to end */
+    while(pa->rx_running)
+       Sleep(100);
 #endif /* PCAPIF_RX_USE_THREAD */
     if (pa->adapter) {
       pcap_breakloop(pa->adapter);
       pcap_close(pa->adapter);
     }
-#if PCAPIF_RX_USE_THREAD
-    /* wait for rxthread to end */
-    while(pa->rx_running);
-#endif /* PCAPIF_RX_USE_THREAD */
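Review bot: the reordering is the right fix (the rx thread must have left pcap_next() before pcap_close() frees the handle, which is exactly what the ASAN trace shows going wrong), but moving pcap_breakloop() after the new wait loop means the rx thread can sit inside pcap_next() until the next packet or the adapter's read timeout before it ever sees rx_run == 0; consider keeping `pcap_breakloop(pa->adapter);` before the `while(pa->rx_running) Sleep(100);` loop and only `pcap_close(pa->adapter);` after it. Two smaller points: rx_run and rx_running are plain fields read and written from different threads with no synchronisation, so a volatile qualifier or a sys_sem_t the rx thread signals on exit would be more robust than polling with Sleep(100); and the `pa->shutdown_called = 1;` / `LWIP_TRACE(...)` lines look like local debugging, since neither the new struct member nor any reader of it appears in the hunk, so either include the struct change or drop them before this is merged.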

--------------

it works. Any comments?

I'm using MSVC/clang-cl on Windows.
And yes, 'cl' also has '-fsanitize=address'.
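The race described in this report, shown as a small stand-alone C example written for this page (it is not lwIP or libpcap code): a stand-in for the pcap handle, a reader thread that writes into that handle the way pcap_vfmt_errmsg_for_win32_err() does, and a shutdown routine that uses the same order as the proposed patch (clear rx_run, wait for the thread to leave its loop, only then close the handle), with pthread_join() and C11 atomics in place of the Sleep() poll on plain fields. The fake_pcap_* functions, the field names and the timings are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for a pcap_t: a heap block the rx thread writes into,
 * like the errbuf that pcap_vfmt_errmsg_for_win32_err() formats into. */
struct fake_pcap {
    char errbuf[256];
    atomic_int reads;   /* how many times fake_pcap_next() completed */
};

/* Mirrors the pcapif_private fields the patch relies on (assumed names). */
struct pcapif_state {
    struct fake_pcap *adapter;
    atomic_int rx_run;       /* 1 = keep reading; shutdown clears it */
    atomic_int rx_running;   /* 1 while the rx thread is inside its loop */
    pthread_t rx_thread;
};

static struct fake_pcap *fake_pcap_open(void)
{
    return calloc(1, sizeof(struct fake_pcap));
}

static void fake_pcap_close(struct fake_pcap *p)
{
    memset(p, 0xdd, sizeof *p);   /* poison so a late write is obvious under ASAN */
    free(p);
}

/* Stand-in for pcap_next(): waits out a short "read timeout", then writes
 * into the handle, which is the access the ASAN report flags. */
static int fake_pcap_next(struct fake_pcap *p)
{
    struct timespec ts = { 0, 2 * 1000 * 1000 };   /* 2 ms */
    nanosleep(&ts, NULL);
    snprintf(p->errbuf, sizeof p->errbuf, "read timeout, no packet");
    atomic_fetch_add(&p->reads, 1);
    return 0;
}

static void *rx_thread(void *arg)
{
    struct pcapif_state *pa = arg;
    atomic_store(&pa->rx_running, 1);
    while (atomic_load(&pa->rx_run)) {
        fake_pcap_next(pa->adapter);   /* use-after-free if adapter were closed already */
    }
    atomic_store(&pa->rx_running, 0);
    return NULL;
}

/* Open the handle and start the reader; returns 0 on success. */
int pcapif_start(struct pcapif_state *pa)
{
    memset(pa, 0, sizeof *pa);
    pa->adapter = fake_pcap_open();
    if (!pa->adapter) return -1;
    atomic_store(&pa->rx_run, 1);
    atomic_store(&pa->rx_running, 0);
    if (pthread_create(&pa->rx_thread, NULL, rx_thread, pa) != 0) {
        fake_pcap_close(pa->adapter);
        pa->adapter = NULL;
        return -1;
    }
    return 0;
}

/* Same order as the proposed patch: ask the thread to stop, wait until it has
 * left its loop, and only then free the handle. Returns the number of reads
 * that completed before the close, or -1 if the invariant was violated. */
int pcapif_shutdown_safe(struct pcapif_state *pa)
{
    int reads;
    atomic_store(&pa->rx_run, 0);
    pthread_join(pa->rx_thread, NULL);      /* replaces the Sleep(100) poll */
    if (atomic_load(&pa->rx_running) != 0) {
        return -1;                          /* cannot happen after join */
    }
    reads = atomic_load(&pa->adapter->reads);
    fake_pcap_close(pa->adapter);           /* no reader can touch it any more */
    pa->adapter = NULL;
    return reads;
}

/* Start, let the reader run for a moment, shut down; returns 1 on success. */
int demo_shutdown(void)
{
    struct pcapif_state st;
    struct timespec ts = { 0, 50 * 1000 * 1000 };   /* 50 ms */
    if (pcapif_start(&st) != 0) return 0;
    nanosleep(&ts, NULL);
    if (pcapif_shutdown_safe(&st) < 1) return 0;   /* expect at least one read */
    return st.adapter == NULL;
}

int main(void)
{
    printf("safe shutdown: %s\n", demo_shutdown() ? "ok" : "failed");
    return 0;
}
```

Build with `cc -pthread -fsanitize=address example.c` to have ASAN watch the handle the same way it did in the report; swapping the join and the close in pcapif_shutdown_safe() reproduces the heap-use-after-free write from the rx thread.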


_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/