use-after-free in remove_overlapping #627

Closed
opened 2 months ago by emersion · 3 comments

I'm working on hyperlink OSC support for tcell, and I've been hitting this:

```
=================================================================
==23891==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000029c38 at pc 0x55aaa59a0d1e bp 0x7ffc157e35e0 sp 0x7ffc157e35d0
READ of size 8 at 0x606000029c38 thread T0
    #0 0x55aaa59a0d1d in remove_overlapping ../url-mode.c:444
    #1 0x55aaa59a0ff5 in urls_collect ../url-mode.c:490
    #2 0x55aaa58f9efa in execute_binding ../input.c:304
    #3 0x55aaa5907f00 in key_press_release ../input.c:1049
    #4 0x55aaa59097ee in keyboard_key ../input.c:1221
    #5 0x7fd8b8772acc  (/usr/lib/libffi.so.7+0x6acc)
    #6 0x7fd8b8772039  (/usr/lib/libffi.so.7+0x6039)
    #7 0x7fd8b962efe3  (/usr/lib/libwayland-client.so.0+0x9fe3)
    #8 0x7fd8b962b562  (/usr/lib/libwayland-client.so.0+0x6562)
    #9 0x7fd8b962ccab in wl_display_dispatch_queue_pending (/usr/lib/libwayland-client.so.0+0x7cab)
    #10 0x55aaa59ba38f in fdm_wayl ../wayland.c:1117
    #11 0x55aaa58eff50 in fdm_poll ../fdm.c:463
    #12 0x55aaa591da70 in main ../main.c:554
    #13 0x7fd8b89e4b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #14 0x55aaa589739d in _start (/home/simon/src/foot/build/foot+0x30039d)

0x606000029c38 is located 56 bytes inside of 64-byte region [0x606000029c00,0x606000029c40)
freed by thread T0 here:
    #0 0x7fd8b98d9f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55aaa59a06b8 in remove_overlapping ../url-mode.c:474
    #2 0x55aaa59a0ff5 in urls_collect ../url-mode.c:490
    #3 0x55aaa58f9efa in execute_binding ../input.c:304
    #4 0x55aaa5907f00 in key_press_release ../input.c:1049
    #5 0x55aaa59097ee in keyboard_key ../input.c:1221
    #6 0x7fd8b8772acc  (/usr/lib/libffi.so.7+0x6acc)

previously allocated by thread T0 here:
    #0 0x7fd8b98da279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55aaa599e782 in osc8_uris ../url-mode.c:426
    #2 0x55aaa59a0ece in urls_collect ../url-mode.c:488
    #3 0x55aaa58f9efa in execute_binding ../input.c:304
    #4 0x55aaa5907f00 in key_press_release ../input.c:1049
    #5 0x55aaa59097ee in keyboard_key ../input.c:1221
    #6 0x7fd8b8772acc  (/usr/lib/libffi.so.7+0x6acc)

SUMMARY: AddressSanitizer: heap-use-after-free ../url-mode.c:444 in remove_overlapping
Shadow bytes around the buggy address:
  0x0c0c7fffd330: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fffd340: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fffd350: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c7fffd360: 00 00 05 fa fa fa fa fa 00 00 00 00 00 00 05 fa
  0x0c0c7fffd370: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fffd380: fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa
  0x0c0c7fffd390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffd3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffd3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffd3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fffd3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23891==ABORTING
```
Poster

I think this comes from invalid input; I've been messing up my OSC sequence with something like:

```
printf '\e]8;;http://example.com;\e\\This is a link\e]8;;;\e\\\n'
```
Owner

I haven't been able to reproduce, but believe the issue is the nested loops of the URLs (inner and outer).

While one can safely remove the current item from the list inside a `tll_foreach()`, it doesn't handle _another_ iterator pointing to the item being deleted. Or, to be precise, if the "other" iterator's **next** item is the item being deleted, then we have a problem.
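The hazard described in this comment, as an added example that is neither foot's nor tll's code: a stand-in list with a `tll_foreach()`-style saved-next iterator, and a `remove_overlapping()` written as mark-then-sweep so the nested loops never free a node that the enclosing iterator may still hold as its next pointer. The list type, the `start`/`end` range fields and the keep-the-earlier-range policy are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Minimal singly-linked list standing in for tll; assumed shape, not foot's code. */
struct url {
    int start, end;      /* cells covered by the hyperlink, [start, end) */
    bool dead;           /* flagged for removal, freed in a separate pass */
    struct url *next;
};
struct url_list { struct url *head; size_t count; };
/* tll_foreach()-style saved-next iteration: removing the current node is safe,
 * but freeing a node an enclosing loop already saved as its next is a UAF. */
#define url_foreach(list, it)                                               \
    for (struct url *it = (list)->head, *it##_next = it ? it->next : NULL; \
         it != NULL; it = it##_next, it##_next = it ? it->next : NULL)

static void url_push_back(struct url_list *l, int start, int end)
{
    struct url *u = calloc(1, sizeof *u), **pp = &l->head;
    if (u == NULL) abort();
    u->start = start; u->end = end;
    while (*pp != NULL) pp = &(*pp)->next;
    *pp = u; l->count++;
}

/* Two-pass removal: nested loops only mark, so nothing is freed while another
 * iterator may point at it. Policy (assumed): keep the earlier range. */
static size_t remove_overlapping(struct url_list *l)
{
    url_foreach(l, outer) {
        if (outer->dead) continue;
        url_foreach(l, inner) {
            if (inner == outer || inner->dead) continue;
            if (inner->start < outer->end && outer->start < inner->end)
                inner->dead = true;
        }
    }
    size_t removed = 0;  /* second pass: one iterator unlinks and frees */
    for (struct url **pp = &l->head; *pp != NULL; ) {
        struct url *u = *pp;
        if (!u->dead) { pp = &u->next; continue; }
        *pp = u->next; free(u); l->count--; removed++;
    }
    return removed;
}

static void url_list_free(struct url_list *l)
{
    for (struct url *u = l->head, *n; u != NULL; u = n) { n = u->next; free(u); }
    l->head = NULL; l->count = 0;
}
```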
Owner

Also noticed that we're leaking FDs (SHM pool FDs associated with the URL label subsurfaces).

With lots of URLs (`ls --hyperlink /usr/bin`), this can lead to a crash pretty quickly if entering/exiting URL mode a couple of times, depending on your FD limit.
dnkl added the `bug` label 2 months ago
dnkl closed this issue 2 months ago