
heap-use-after-free in car_op in Rust bindings

Open · riking opened this issue 1 year ago · 1 comment

See #236, where speculation about running GC at the wrong time causing memory errors has been proven out here

https://asan.saethlin.dev/ub?crate=rmosh&version=0.0.13

rmosh::vm::ops::<impl rmosh::vm::Vm>::car_op

test test_compiler2 ... =================================================================
==7027==ERROR: AddressSanitizer: heap-use-after-free on address 0x507000625668 at pc 0x55705593c86a bp 0x7f467b8b6fd0 sp 0x7f467b8b6790
READ of size 16 at 0x507000625668 thread T59
    #0 0x55705593c869 in __asan_memcpy /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x557055cc3fb1 in rmosh::vm::ops::_$LT$impl$u20$rmosh..vm..Vm$GT$::car_op::h3878baefff843b62 /build/src/vm/ops.rs:69:39
    #2 0x557055cc3fb1 in rmosh::vm::run::_$LT$impl$u20$rmosh..vm..Vm$GT$::run_ops::h789b0a66f122e505 /build/src/vm/run.rs:875:21
    #3 0x557055c8f7fd in rmosh::vm::run::_$LT$impl$u20$rmosh..vm..Vm$GT$::run::h88997df2d2cdb688 /build/src/vm/run.rs:108:19
    #4 0x5570559d6ca7 in vm_tests::test_compiler2::hfa9c07012bfb0527 /build/tests/vm_tests.rs:2151:15
    #5 0x5570559d59e2 in vm_tests::test_compiler2::_$u7b$$u7b$closure$u7d$$u7d$::hd4c8cab6ccf70bd3 /build/tests/vm_tests.rs:2132:20
0x507000625668 is located 24 bytes inside of 72-byte region [0x507000625650,0x507000625698)
freed by thread T59 here:
    #0 0x55705593e496 in free /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x557057038f71 in std::sys::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::dealloc::h3234d6f339a1fed3 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/alloc.rs:42:9
    #2 0x557055db2931 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::deallocate::he0a912895c5cca61 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/alloc.rs:254:22
    #3 0x557056099534 in _$LT$alloc..boxed..Box$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::ha7c1eb3071d70f02 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:1243:17
    #4 0x557055da09a9 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$rmosh..objects..Pair$GT$$GT$::h9fdc08f20f9e9307 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:507:1
    #5 0x557055eff3e7 in core::mem::drop::hff12f070c8d579b3 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/mem/mod.rs:992:24
    #6 0x557055fb0626 in rmosh::gc::Gc::free::h997f5ad9ac6050ee /build/src/gc.rs:1266:21
    #7 0x557055fb0626 in rmosh::gc::Gc::sweep::h25ab1fb2f3a96aa5 /build/src/gc.rs:1391:21
    #8 0x557055fae9b7 in rmosh::gc::Gc::collect_garbage::h4f0a052a6975cbcf /build/src/gc.rs:659:9
    #9 0x557055d50937 in rmosh::vm::Vm::load_compiler::h7de2fdab184bf872 /build/src/vm.rs:405:9
    #10 0x557055c8f757 in rmosh::vm::run::_$LT$impl$u20$rmosh..vm..Vm$GT$::run::h88997df2d2cdb688 /build/src/vm/run.rs:104:13
    #11 0x5570559d6ca7 in vm_tests::test_compiler2::hfa9c07012bfb0527 /build/tests/vm_tests.rs:2151:15
    #12 0x5570559d59e2 in vm_tests::test_compiler2::_$u7b$$u7b$closure$u7d$$u7d$::hd4c8cab6ccf70bd3 /build/tests/vm_tests.rs:2132:20
previously allocated by thread T59 here:
    #0 0x55705593e73e in malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x557057038c6e in std::sys::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::alloc::hcddadaf82412a8f7 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/unix/alloc.rs:14:13
    #2 0x5570572b4d98 in __rdl_alloc /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/alloc.rs:394:13
    #3 0x557055db12a2 in alloc::alloc::Global::alloc_impl::h847af921d4ed69a2 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/alloc.rs:181:73
    #4 0x557055db2997 in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::h4b72ffd6f34663ba /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/alloc.rs:241:9
    #5 0x557055fa018c in alloc::boxed::Box$LT$T$GT$::new::hd92c888be9696a09 /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/alloc/src/boxed.rs:217:9
    #6 0x557055fa018c in rmosh::gc::Gc::alloc::h4ee0cf3f1d39c179 /build/src/gc.rs:423:25
    #7 0x557055f93a7f in rmosh::gc::Gc::cons::h349ac05bc22cf81b /build/src/gc.rs:190:20
    #8 0x557055f945fc in rmosh::gc::Gc::list3::h6cb8f3bc988f4902 /build/src/gc.rs:212:9
    #9 0x5570559d61ef in vm_tests::test_compiler2::hfa9c07012bfb0527 /build/tests/vm_tests.rs:2137:16
    #10 0x5570559d59e2 in vm_tests::test_compiler2::_$u7b$$u7b$closure$u7d$$u7d$::hd4c8cab6ccf70bd3 /build/tests/vm_tests.rs:2132:20
SUMMARY: AddressSanitizer: heap-use-after-free /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:63:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x507000625380: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x507000625400: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x507000625480: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x507000625500: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
  0x507000625580: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x507000625600: fd fd fd fd fd fa fa fa fa fa fd fd fd[fd]fd fd
  0x507000625680: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x507000625700: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x507000625780: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x507000625800: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x507000625880: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7027==ABORTING

riking · Feb 28 '24 00:02

Thank you for the report! The pair seems allocated at https://github.com/higepon/mosh/blob/master/rmosh/tests/vm_tests.rs#L2137 and it becomes a part of a list of vm ops.

IIRC it should be reachable from GC. Hmm.

Please let me know if you have any thoughts or clues here.

higepon · Feb 28 '24 00:02
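The ASan trace above tells a precise story: the pair is allocated by the test through `Gc::list3`, freed by `Gc::sweep` inside `collect_garbage` (called from `load_compiler`), and then read by `car_op`. That is the classic shape of a missed GC root: the host (here, the test) holds the object only in a Rust local that the collector never scans, so the mark phase cannot see it and the sweep frees it. The following is an added illustration, not rmosh's own code: a toy mark-and-sweep heap built on handles and `Option` slots, so the missed-root failure shows up as an `Err` instead of undefined behaviour. `Gc`, `Handle`, `Obj`, `run_unrooted` and `run_rooted` are all hypothetical names; `run_unrooted` mirrors the sequence in the trace, and `run_rooted` shows the fix of registering the host-held list as a root before the collection runs.

```rust
// Added example (not rmosh code): toy mark-and-sweep GC showing how a host-held
// value that is not registered as a root gets swept, and how rooting it fixes that.
use std::collections::HashSet;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct Handle(usize);

#[derive(Clone, Debug)]
pub enum Obj {
    Nil,
    Num(i64),
    Pair(Handle, Handle), // car, cdr
}

#[derive(Default)]
pub struct Gc {
    heap: Vec<Option<Obj>>, // None = slot was swept (freed)
    roots: Vec<Handle>,     // explicitly registered roots the mark phase starts from
}

impl Gc {
    pub fn alloc(&mut self, o: Obj) -> Handle {
        self.heap.push(Some(o));
        Handle(self.heap.len() - 1)
    }

    pub fn cons(&mut self, car: Handle, cdr: Handle) -> Handle {
        self.alloc(Obj::Pair(car, cdr))
    }

    /// Builds a proper list from `items` (analogue of list3 in the trace).
    pub fn list(&mut self, items: &[Handle]) -> Handle {
        let mut tail = self.alloc(Obj::Nil);
        for &h in items.iter().rev() {
            tail = self.cons(h, tail);
        }
        tail
    }

    pub fn push_root(&mut self, h: Handle) { self.roots.push(h); }
    pub fn pop_root(&mut self) { self.roots.pop(); }

    /// Mark everything reachable from the registered roots, sweep the rest.
    /// Returns the number of slots freed.
    pub fn collect_garbage(&mut self) -> usize {
        let mut marked: HashSet<Handle> = HashSet::new();
        let mut stack: Vec<Handle> = self.roots.clone();
        while let Some(h) = stack.pop() {
            if !marked.insert(h) {
                continue; // already visited
            }
            if let Some(Obj::Pair(a, d)) = &self.heap[h.0] {
                stack.push(*a);
                stack.push(*d);
            }
        }
        let mut freed = 0;
        for (i, slot) in self.heap.iter_mut().enumerate() {
            if slot.is_some() && !marked.contains(&Handle(i)) {
                *slot = None; // sweep: the toy equivalent of Gc::free
                freed += 1;
            }
        }
        freed
    }

    /// car_op analogue. A real VM would read freed memory here; the toy heap
    /// reports the dangling handle as an error instead.
    pub fn car(&self, h: Handle) -> Result<Handle, String> {
        match self.heap.get(h.0) {
            Some(Some(Obj::Pair(a, _))) => Ok(*a),
            Some(Some(other)) => Err(format!("car of non-pair {:?}", other)),
            _ => Err(format!("{:?} points at a swept slot (use-after-free)", h)),
        }
    }
}

/// The bug pattern from the trace: the list lives only in a host local,
/// a collection runs before the VM touches it, then car_op reads the pair.
pub fn run_unrooted() -> Result<Handle, String> {
    let mut gc = Gc::default();
    let one = gc.alloc(Obj::Num(1));
    let two = gc.alloc(Obj::Num(2));
    let ops = gc.list(&[one, two]); // like Gc::list3 in the test
    gc.collect_garbage();           // like load_compiler -> collect_garbage
    gc.car(ops)                     // like car_op
}

/// The fix: register the host-held value as a root for the duration of the work.
pub fn run_rooted() -> Result<Handle, String> {
    let mut gc = Gc::default();
    let one = gc.alloc(Obj::Num(1));
    let two = gc.alloc(Obj::Num(2));
    let ops = gc.list(&[one, two]);
    gc.push_root(ops);              // the list (and everything it references) now survives
    gc.collect_garbage();
    let r = gc.car(ops);
    gc.pop_root();
    r
}

fn main() {
    println!("unrooted: {:?}", run_unrooted()); // Err(... swept slot ...)
    println!("rooted:   {:?}", run_rooted());   // Ok(Handle(0))
}
```

The design point is that "reachable" only means reachable from whatever the mark phase actually starts from; an object referenced solely from a Rust local on the host stack is invisible to a collector that scans only its own roots, so either the host registers such values as roots (the `push_root`/`pop_root` pattern here) or the collector must not run while unrooted host-held values exist.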