
Use-after-free when destroying ModularServer

Open chfast opened this issue 9 years ago • 0 comments

This can happen when closing eth client.

=================================================================
==25778==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000022a70 at pc 0x0000004952b9 bp 0x7ffd1a6b8900 sp 0x7ffd1a6b88f0
READ of size 8 at 0x607000022a70 thread T0
    #0 0x4952b8 in std::default_delete<dev::rpc::EthFace>::operator()(dev::rpc::EthFace*) const /usr/include/c++/5/bits/unique_ptr.h:76
    #1 0x4952b8 in std::unique_ptr<dev::rpc::EthFace, std::default_delete<dev::rpc::EthFace> >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:236
    #2 0x4952b8 in ModularServer<dev::rpc::EthFace, dev::rpc::DBFace, dev::rpc::WhisperFace, dev::rpc::NetFace, dev::rpc::Web3Face, dev::rpc::PersonalFace, dev::rpc::AdminEthFace, dev::rpc::AdminNetFace, dev::rpc::AdminUtilsFace, dev::rpc::DebugFace, dev::rpc::TestFace>::~ModularServer() /home/chfast/Projects/ethereum/cpp-ethereum/eth/../libweb3jsonrpc/ModularServer.h:130
    #3 0x4952b8 in ModularServer<dev::rpc::EthFace, dev::rpc::DBFace, dev::rpc::WhisperFace, dev::rpc::NetFace, dev::rpc::Web3Face, dev::rpc::PersonalFace, dev::rpc::AdminEthFace, dev::rpc::AdminNetFace, dev::rpc::AdminUtilsFace, dev::rpc::DebugFace, dev::rpc::TestFace>::~ModularServer() /home/chfast/Projects/ethereum/cpp-ethereum/eth/../libweb3jsonrpc/ModularServer.h:130
    #4 0x443ad2 in std::default_delete<ModularServer<> >::operator()(ModularServer<>*) const /usr/include/c++/5/bits/unique_ptr.h:76
    #5 0x443ad2 in std::unique_ptr<ModularServer<>, std::default_delete<ModularServer<> > >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:236
    #6 0x443ad2 in main /home/chfast/Projects/ethereum/cpp-ethereum/eth/main.cpp:1226
    #7 0x7f5882eeb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x44c2d8 in _start (/home/chfast/Projects/ethereum/build/cpp-ethereum/asan/eth/eth+0x44c2d8)

0x607000022a70 is located 0 bytes inside of 72-byte region [0x607000022a70,0x607000022ab8)
freed by thread T0 here:
    #0 0x7f5885e12b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x49466e in std::default_delete<dev::rpc::EthFace>::operator()(dev::rpc::EthFace*) const /usr/include/c++/5/bits/unique_ptr.h:76
    #2 0x49466e in std::unique_ptr<dev::rpc::EthFace, std::default_delete<dev::rpc::EthFace> >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:236
    #3 0x49466e in ModularServer<dev::rpc::EthFace, dev::rpc::DBFace, dev::rpc::WhisperFace, dev::rpc::NetFace, dev::rpc::Web3Face, dev::rpc::PersonalFace, dev::rpc::AdminEthFace, dev::rpc::AdminNetFace, dev::rpc::AdminUtilsFace, dev::rpc::DebugFace, dev::rpc::TestFace>::~ModularServer() /home/chfast/Projects/ethereum/cpp-ethereum/eth/../libweb3jsonrpc/ModularServer.h:130
    #4 0x49466e in ModularServer<dev::rpc::EthFace, dev::rpc::DBFace, dev::rpc::WhisperFace, dev::rpc::NetFace, dev::rpc::Web3Face, dev::rpc::PersonalFace, dev::rpc::AdminEthFace, dev::rpc::AdminNetFace, dev::rpc::AdminUtilsFace, dev::rpc::DebugFace, dev::rpc::TestFace>::~ModularServer() /home/chfast/Projects/ethereum/cpp-ethereum/eth/../libweb3jsonrpc/ModularServer.h:130
    #5 0x443a84 in std::default_delete<ModularServer<> >::operator()(ModularServer<>*) const /usr/include/c++/5/bits/unique_ptr.h:76
    #6 0x443a84 in std::unique_ptr<ModularServer<>, std::default_delete<ModularServer<> > >::~unique_ptr() /usr/include/c++/5/bits/unique_ptr.h:236
    #7 0x443a84 in main /home/chfast/Projects/ethereum/cpp-ethereum/eth/main.cpp:1227
    #8 0x7f5882eeb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f5885e12532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x445208 in main /home/chfast/Projects/ethereum/cpp-ethereum/eth/main.cpp:1270
    #2 0x7f5882eeb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/5/bits/unique_ptr.h:76 std::default_delete<dev::rpc::EthFace>::operator()(dev::rpc::EthFace*) const
Shadow bytes around the buggy address:
  0x0c0e7fffc4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc510: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x0c0e7fffc520: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c0e7fffc530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fffc540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd
  0x0c0e7fffc550: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fffc590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==25778==ABORTING

chfast, Oct 06 '16 10:10
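Reading the trace above: two `~ModularServer` calls reached from `main` (main.cpp:1226 and main.cpp:1227) each run `~unique_ptr<dev::rpc::EthFace>` on the same 72-byte object, which was allocated once at main.cpp:1270. That is the signature of one raw pointer handed to two `unique_ptr` owners. The sketch below is an added example, not cpp-ethereum code, showing that ownership pattern and one way to make teardown safe; `Face`, `SharedServer` and the `http`/`ipc` names are hypothetical stand-ins, and the two-server cause is an assumption drawn from the trace.

```cpp
#include <memory>
#include <utility>

// Hypothetical stand-in for dev::rpc::EthFace; counts destructor runs.
struct Face {
    static int destroyed;
    virtual ~Face() { ++destroyed; }
};
int Face::destroyed = 0;

// Pattern consistent with the report (kept as a comment, executing it is
// undefined behaviour): a server that stores std::unique_ptr<Face> built from
// a raw pointer, constructed twice from the same allocation.
//   Face* f = new Face;
//   OwningServer a(f);   // a's unique_ptr owns f
//   OwningServer b(f);   // b's unique_ptr also "owns" f
//   // ~b deletes f; ~a then reads the freed object's vptr (READ of size 8)

// Hardened form: the server only accepts a shared_ptr, so sharing one Face
// between servers is explicit and the last owner performs the single delete.
class SharedServer {
public:
    explicit SharedServer(std::shared_ptr<Face> face) : m_face(std::move(face)) {}
    long owners() const { return m_face.use_count(); }
private:
    std::shared_ptr<Face> m_face;
};

// Tears down two servers that share one Face, mirroring the two unique_ptr
// destructors in the trace. Returns how many times ~Face ran (expected: 1),
// or a negative value if an intermediate check fails.
int teardown_two_servers() {
    Face::destroyed = 0;
    {
        std::shared_ptr<Face> face = std::make_shared<Face>();
        std::unique_ptr<SharedServer> http(new SharedServer(face));  // hypothetical name
        std::unique_ptr<SharedServer> ipc(new SharedServer(face));   // hypothetical name
        face.reset();                           // caller drops its own reference
        if (http->owners() != 2) return -1;     // both servers hold the object
        ipc.reset();                            // first server destroyed
        if (Face::destroyed != 0) return -2;    // object must still be alive
        http.reset();                           // last owner frees it
    }
    return Face::destroyed;
}

int main() { return teardown_two_servers() == 1 ? 0 : 1; }
```

Building this with `-fsanitize=address` gives a clean run; giving each server its own `Face` instance is the other way to restore single ownership.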