Bug #15165

heap-use-after-free (READ of size 8) in obj_free (gc.c:2266)

Added by bannable (Joe Truba) almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
[ruby-core:89178]

Description

This is triggered while compiling 22de2030c5 on my Debian machine. Compiled with:

CC=clang CXX=clang++ LDFLAGS="-O0 -fno-omit-frame-pointer -g3 -fsanitize=address -fsanitize-coverage=trace-pc-guard" ASAN_OPTIONS=detect_leaks=0 CFLAGS="-O0 -fno-omit-frame-pointer -g3 -fsanitize=address -fsanitize-coverage=trace-pc-guard" LD=clang make all

Patch:
https://github.com/ruby/ruby/pull/1964

Crash:

generating encdb.h [523/4506]
=================================================================
==61672==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000e670 at pc 0x55cfaf4cb68c bp 0x7ffc415ac8c0 sp 0x7ffc415ac8b8
READ of size 8 at 0x60600000e670 thread T0
    #0 0x55cfaf4cb68b in obj_free /home/jtruba/rubies/ruby-trunk/gc.c:2266:17
    #1 0x55cfaf4c93da in gc_page_sweep /home/jtruba/rubies/ruby-trunk/gc.c:3562:10
    #2 0x55cfaf4c80de in gc_sweep_step /home/jtruba/rubies/ruby-trunk/gc.c:3730:19
    #3 0x55cfaf4c697e in gc_sweep_continue /home/jtruba/rubies/ruby-trunk/gc.c:3796:5
    #4 0x55cfaf4c6695 in heap_prepare /home/jtruba/rubies/ruby-trunk/gc.c:1741:2
    #5 0x55cfaf4c6448 in heap_get_freeobj_from_next_freepage /home/jtruba/rubies/ruby-trunk/gc.c:1761:2
    #6 0x55cfaf4c60ef in heap_get_freeobj /home/jtruba/rubies/ruby-trunk/gc.c:1795:10
    #7 0x55cfaf4c5ea6 in newobj_slowpath /home/jtruba/rubies/ruby-trunk/gc.c:1925:11
    #8 0x55cfaf4c5a22 in newobj_slowpath_wb_protected /home/jtruba/rubies/ruby-trunk/gc.c:1937:12
    #9 0x55cfaf4a271d in newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1974:4
    #10 0x55cfaf4a27ce in rb_wb_protected_newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1990:12
    #11 0x55cfaf925f32 in str_alloc /home/jtruba/rubies/ruby-trunk/string.c:715:5
    #12 0x55cfaf91f592 in str_new0 /home/jtruba/rubies/ruby-trunk/string.c:737:11
    #13 0x55cfaf91f4ab in rb_enc_str_new /home/jtruba/rubies/ruby-trunk/string.c:789:11
    #14 0x55cfaf9a7142 in rb_intern3 /home/jtruba/rubies/ruby-trunk/symbol.c:600:11
    #15 0x55cfaf72535a in tokenize_ident /home/jtruba/rubies/ruby-trunk/parse.y:7321:16
    #16 0x55cfaf71a139 in parse_ident /home/jtruba/rubies/ruby-trunk/parse.y:7576:13
    #17 0x55cfaf709576 in parser_yylex /home/jtruba/rubies/ruby-trunk/parse.y:8255:12
    #18 0x55cfaf6dae43 in yylex /home/jtruba/rubies/ruby-trunk/parse.y:8265:9
    #19 0x55cfaf6aea5b in ruby_yyparse /home/jtruba/rubies/ruby-trunk/parse.c:5254:16
    #20 0x55cfaf6f640e in yycompile0 /home/jtruba/rubies/ruby-trunk/parse.y:4882:9
    #21 0x55cfafb483c4 in rb_suppress_tracing /home/jtruba/rubies/ruby-trunk/vm_trace.c:401:11
    #22 0x55cfaf6f1302 in yycompile /home/jtruba/rubies/ruby-trunk/parse.y:4926:5
    #23 0x55cfaf6f0f91 in rb_parser_compile_file_path /home/jtruba/rubies/ruby-trunk/parse.y:5065:12
    #24 0x55cfaf8b9dd2 in load_file_internal /home/jtruba/rubies/ruby-trunk/ruby.c:1984:11
    #25 0x55cfaf465d84 in rb_ensure /home/jtruba/rubies/ruby-trunk/eval.c:1052:11
    #26 0x55cfaf8b2660 in load_file /home/jtruba/rubies/ruby-trunk/ruby.c:2103:24
    #27 0x55cfaf8b17e4 in rb_parser_load_file /home/jtruba/rubies/ruby-trunk/ruby.c:2125:12
    #28 0x55cfaf5a3e9f in rb_load_internal0 /home/jtruba/rubies/ruby-trunk/load.c:606:24
    #29 0x55cfaf5a5298 in rb_require_internal /home/jtruba/rubies/ruby-trunk/load.c:992:15
    #30 0x55cfaf5a4417 in rb_require_safe /home/jtruba/rubies/ruby-trunk/load.c:1038:18
    #31 0x55cfaf5a43d6 in rb_f_require /home/jtruba/rubies/ruby-trunk/load.c:820:12
    #32 0x55cfafb2320c in call_cfunc_1 /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1748:12
    #33 0x55cfafaffd41 in vm_call_cfunc_with_frame /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1931:11
    #34 0x55cfafae8cc5 in vm_call_cfunc /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:1947:12
    #35 0x55cfafae6039 in vm_call_method_each_type /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2269:9
    #36 0x55cfafae59ba in vm_call_method /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2406:13
    #37 0x55cfafa8f86b in vm_call_general /home/jtruba/rubies/ruby-trunk/./vm_insnhelper.c:2438:12
    #38 0x55cfafa9cf26 in vm_exec_core /home/jtruba/rubies/ruby-trunk/insns.def:767:5
    #39 0x55cfafad69eb in rb_vm_exec /home/jtruba/rubies/ruby-trunk/vm.c:1812:22
    #40 0x55cfafada946 in rb_iseq_eval_main /home/jtruba/rubies/ruby-trunk/vm.c:2071:11
    #41 0x55cfaf461079 in ruby_exec_internal /home/jtruba/rubies/ruby-trunk/eval.c:261:2
    #42 0x55cfaf4608d7 in ruby_exec_node /home/jtruba/rubies/ruby-trunk/eval.c:325:12
    #43 0x55cfaf460706 in ruby_run_node /home/jtruba/rubies/ruby-trunk/eval.c:317:25
    #44 0x55cfaf27b7f4 in main /home/jtruba/rubies/ruby-trunk/./main.c:42:9
    #45 0x7fd4b91bbb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #46 0x55cfaf1a552b in _start (/home/jtruba/rubies/ruby-trunk/miniruby+0x14352b)

0x60600000e670 is located 16 bytes inside of 56-byte region [0x60600000e660,0x60600000e698)
freed by thread T0 here:
    #0 0x55cfaf24c612 in __interceptor_free /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:78:3
    #1 0x55cfaf4ba088 in objspace_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8160:5
    #2 0x55cfaf4ba024 in ruby_sized_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8256:2
    #3 0x55cfaf4a1fdf in ruby_xfree /home/jtruba/rubies/ruby-trunk/gc.c:8263:5
    #4 0x55cfaf8f6af0 in st_free_table /home/jtruba/rubies/ruby-trunk/st.c:690:5
    #5 0x55cfaf4cb5d2 in obj_free /home/jtruba/rubies/ruby-trunk/gc.c:2264:6
    #6 0x55cfaf4c93da in gc_page_sweep /home/jtruba/rubies/ruby-trunk/gc.c:3562:10
    #7 0x55cfaf4c80de in gc_sweep_step /home/jtruba/rubies/ruby-trunk/gc.c:3730:19
    #8 0x55cfaf4c697e in gc_sweep_continue /home/jtruba/rubies/ruby-trunk/gc.c:3796:5
    #9 0x55cfaf4c6695 in heap_prepare /home/jtruba/rubies/ruby-trunk/gc.c:1741:2
    #10 0x55cfaf4c6448 in heap_get_freeobj_from_next_freepage /home/jtruba/rubies/ruby-trunk/gc.c:1761:2
    #11 0x55cfaf4c60ef in heap_get_freeobj /home/jtruba/rubies/ruby-trunk/gc.c:1795:10
    #12 0x55cfaf4c5ea6 in newobj_slowpath /home/jtruba/rubies/ruby-trunk/gc.c:1925:11
    #13 0x55cfaf4c5a22 in newobj_slowpath_wb_protected /home/jtruba/rubies/ruby-trunk/gc.c:1937:12
    #14 0x55cfaf4a271d in newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1974:4
    #15 0x55cfaf4a27ce in rb_wb_protected_newobj_of /home/jtruba/rubies/ruby-trunk/gc.c:1990:12
    #16 0x55cfaf925f32 in str_alloc /home/jtruba/rubies/ruby-trunk/string.c:715:5
    #17 0x55cfaf91f592 in str_new0 /home/jtruba/rubies/ruby-trunk/string.c:737:11
    #18 0x55cfaf91f4ab in rb_enc_str_new /home/jtruba/rubies/ruby-trunk/string.c:789:11
    #19 0x55cfaf9a7142 in rb_intern3 /home/jtruba/rubies/ruby-trunk/symbol.c:600:11
    #20 0x55cfaf72535a in tokenize_ident /home/jtruba/rubies/ruby-trunk/parse.y:7321:16
    #21 0x55cfaf71a139 in parse_ident /home/jtruba/rubies/ruby-trunk/parse.y:7576:13
    #22 0x55cfaf709576 in parser_yylex /home/jtruba/rubies/ruby-trunk/parse.y:8255:12
    #23 0x55cfaf6dae43 in yylex /home/jtruba/rubies/ruby-trunk/parse.y:8265:9
    #24 0x55cfaf6aea5b in ruby_yyparse /home/jtruba/rubies/ruby-trunk/parse.c:5254:16
    #25 0x55cfaf6f640e in yycompile0 /home/jtruba/rubies/ruby-trunk/parse.y:4882:9
    #26 0x55cfafb483c4 in rb_suppress_tracing /home/jtruba/rubies/ruby-trunk/vm_trace.c:401:11
    #27 0x55cfaf6f1302 in yycompile /home/jtruba/rubies/ruby-trunk/parse.y:4926:5
    #28 0x55cfaf6f0f91 in rb_parser_compile_file_path /home/jtruba/rubies/ruby-trunk/parse.y:5065:12
    #29 0x55cfaf8b9dd2 in load_file_internal /home/jtruba/rubies/ruby-trunk/ruby.c:1984:11

previously allocated by thread T0 here:
    #0 0x55cfaf24c953 in malloc /home/jtruba/to_install/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
    #1 0x55cfaf4b9601 in objspace_xmalloc0 /home/jtruba/rubies/ruby-trunk/gc.c:7985:5
    #2 0x55cfaf4b948e in ruby_xmalloc0 /home/jtruba/rubies/ruby-trunk/gc.c:8169:12
    #3 0x55cfaf4b92fd in ruby_xmalloc_body /home/jtruba/rubies/ruby-trunk/gc.c:8178:12
    #4 0x55cfaf4b04eb in ruby_xmalloc /home/jtruba/rubies/ruby-trunk/gc.c:9948:12
    #5 0x55cfaf8f60b9 in st_init_table_with_size /home/jtruba/rubies/ruby-trunk/st.c:593:24
    #6 0x55cfaf8f682f in st_init_table /home/jtruba/rubies/ruby-trunk/st.c:623:12
    #7 0x55cfaf4ea158 in rb_ident_hash_new /home/jtruba/rubies/ruby-trunk/hash.c:3041:25
    #8 0x55cfaf99aa6a in struct_make_members_list /home/jtruba/rubies/ruby-trunk/struct.c:354:23
    #9 0x55cfaf99b13c in rb_struct_define_without_accessor /home/jtruba/rubies/ruby-trunk/struct.c:420:15
    #10 0x55cfaf78636c in Init_Range /home/jtruba/rubies/ruby-trunk/range.c:1538:17
    #11 0x55cfaf4fec5c in rb_call_inits /home/jtruba/rubies/ruby-trunk/inits.c:43:5
    #12 0x55cfaf45d310 in ruby_setup /home/jtruba/rubies/ruby-trunk/eval.c:74:2
    #13 0x55cfaf45d5d8 in ruby_init /home/jtruba/rubies/ruby-trunk/eval.c:91:17
    #14 0x55cfaf27b77a in main /home/jtruba/rubies/ruby-trunk/./main.c:41:2
    #15 0x7fd4b91bbb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /home/jtruba/rubies/ruby-trunk/gc.c:2266:17 in obj_free
Shadow bytes around the buggy address:
  0x0c0c7fff9c70: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff9c80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9c90: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff9ca0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff9cc0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd[fd]fd
  0x0c0c7fff9cd0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9ce0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff9cf0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c7fff9d00: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c7fff9d10: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==61672==ABORTING

Updated by ko1 (Koichi Sasada) almost 2 years ago

  • Status changed from Open to Closed

Applied in changeset trunk|r64857.

fix use-after-free in obj_free.

  • gc.c (obj_free): a table can be accessed for debug counters. [Bug #15165] [Fix GH-1964]

A patch from Joe Truba jtruba@meraki.com

Also check USE_DEBUG_COUNTER macro.
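The ordering bug the trace and the fix describe, as an added example that is not Ruby's own code: `st_table` here is a constructed stand-in laid out only so that `num_entries` lands at offset 16 (the offset the report gives for the READ), and `table_new`, `table_free`, `dbg_empty_tables` and the two `obj_free_*` functions are hypothetical names for the GC's free-then-count sequence.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed stand-in for Ruby's st_table (not the real definition), laid out only so that
 * num_entries sits at offset 16, where the report places the READ inside the st_init_table block. */
typedef struct st_table {
    unsigned int rebuilds_num;   /* 4 bytes + padding */
    const void  *type;           /* offset 8 */
    size_t       num_entries;    /* offset 16 */
    void        *entries;        /* offset 24 */
} st_table;
size_t num_entries_offset(void) { return offsetof(st_table, num_entries); }

st_table *table_new(size_t num_entries) {
    st_table *tbl = calloc(1, sizeof(*tbl));
    tbl->num_entries = num_entries;
    tbl->entries = calloc(num_entries ? num_entries : 1, sizeof(void *));
    return tbl;
}

/* Stands in for st_free_table: releases the entries and the table header itself. */
void table_free(st_table *tbl) {
    free(tbl->entries);
    free(tbl);
}

/* Constructed debug counter (hypothetical name) for the GC accounting the commit mentions. */
static unsigned long dbg_empty_tables;

/* Buggy order, the shape of the trace: st_free_table at gc.c:2264, then the counter at
 * gc.c:2266 reads num_entries from the freed block. Shown for comparison only. */
void obj_free_buggy(st_table *tbl) {
    table_free(tbl);
    if (tbl->num_entries == 0) dbg_empty_tables++;   /* heap-use-after-free READ */
}

/* Fixed order: snapshot what the counter needs while the table is live, then free. */
void obj_free_fixed(st_table *tbl) {
    int was_empty = (tbl->num_entries == 0);
    table_free(tbl);
    if (was_empty) dbg_empty_tables++;
}

/* Frees one empty and one populated table through the fixed path; returns 1. */
unsigned long run_example(void) {
    dbg_empty_tables = 0;
    obj_free_fixed(table_new(0));
    obj_free_fixed(table_new(3));
    return dbg_empty_tables;
}
```

Built with the `-fsanitize=address` flags from the description, a call to `obj_free_buggy` reports the same heap-use-after-free READ of size 8 at offset 16; `obj_free_fixed` is clean.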

Updated by ko1 (Koichi Sasada) almost 2 years ago

Thank you.

I want to know how to use clang's ASAN. You specified CFLAGS and LDFLAGS. Both needed?

Updated by bannable (Joe Truba) almost 2 years ago

ko1 (Koichi Sasada) wrote:

Thank you.

I want to know how to use clang's ASAN. You specified CFLAGS and LDFLAGS. Both needed?

Yes, both are needed.

ASAN needs the -fsanitize=address passed for both compile and linking. The ASAN library also has to be linked to the final executable, so you need to use clang instead of ld for linking.

In my experience, the ASAN_OPTIONS=detect_leaks=0 is also required. ASAN will report about 1000 separate memory leaks every time the miniruby or ruby binaries are called otherwise, which halts the compile. I have not looked into those leaks.
