C++ Couchbase Client: CXXCBC-282

Heap use after free in bootstrap_handler


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Version: 1.0.0

    Description

      I saw this during fit tests locally, with address and undefined behavior sanitizers on. Appears that the bootstrap_handler was deleted in one thread, but used soon thereafter in another:

      /Users/david.kelly/projects/gerrit/transactions-fit-performer/performers/cpp/couchbase-cxx-client/core/sasl/scram-sha/scram-sha.cc:365:9: runtime error: member access within address 0x00016216db80 which does not point to an object of type 'couchbase::core::sasl::mechanism::scram::ClientBackend'
      0x00016216db80: note: object has invalid vptr
       0b 00 00 00  d9 5e 00 00 08 00 00 00  be be be be be be be be  be be be be be be be be  be be be be
                    ^~~~~~~~~~~~~~~~~~~~~~~
                    invalid vptr
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/david.kelly/projects/gerrit/transactions-fit-performer/performers/cpp/couchbase-cxx-client/core/sasl/scram-sha/scram-sha.cc:365:9 in
      =================================================================
      ==7648==ERROR: AddressSanitizer: heap-use-after-free on address 0x00016216dcb7 at pc 0x00010281d77c bp 0x00016de8b620 sp 0x00016de8b618
      READ of size 1 at 0x00016216dcb7 thread T9
          #0 0x10281d778 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__is_long() const string:1459
          #1 0x10282c3cc in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__move_assign(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&, std::__1::integral_constant<bool, true>) string:2470
          #2 0x102811a84 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::operator=(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&&) string:2492
          #3 0x102818c68 in couchbase::core::sasl::mechanism::scram::ClientBackend::generateSaltedPassword(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) scram-sha.cc:365
          #4 0x102814c9c in couchbase::core::sasl::mechanism::scram::ClientBackend::step(std::__1::basic_string_view<char, std::__1::char_traits<char> >) scram-sha.cc:316
          #5 0x10451f97c in couchbase::core::sasl::ClientContext::step(std::__1::basic_string_view<char, std::__1::char_traits<char> >) client.h:120
          #6 0x10449b378 in couchbase::core::io::mcbp_session_impl::bootstrap_handler::handle(couchbase::core::io::mcbp_message&&) mcbp_session.cxx:255
          #7 0x10449134c in couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)::operator()(std::__1::error_code, unsigned long) const mcbp_session.cxx:1352
          #8 0x10448ef84 in decltype(static_cast<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)&>(fp)(static_cast<std::__1::error_code>(fp0), static_cast<unsigned long>(fp0))) std::__1::__invoke<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)&, std::__1::error_code, unsigned long>(couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)&, std::__1::error_code&&, unsigned long&&) type_traits:3918
          #9 0x10448ecb8 in void std::__1::__invoke_void_return_wrapper<void, true>::__call<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)&, std::__1::error_code, unsigned long>(couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)&, std::__1::error_code&&, unsigned long&&) invoke.h:61
          #10 0x10448eb28 in std::__1::__function::__alloc_func<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long), std::__1::allocator<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)>, void (std::__1::error_code, unsigned long)>::operator()(std::__1::error_code&&, unsigned long&&) function.h:178
          #11 0x104487974 in std::__1::__function::__func<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long), std::__1::allocator<couchbase::core::io::mcbp_session_impl::do_read()::'lambda'(std::__1::error_code, unsigned long)>, void (std::__1::error_code, unsigned long)>::operator()(std::__1::error_code&&, unsigned long&&) function.h:352
          #12 0x1053c7efc in std::__1::__function::__value_func<void (std::__1::error_code, unsigned long)>::operator()(std::__1::error_code&&, unsigned long&&) const function.h:505
          #13 0x1053a75d8 in std::__1::function<void (std::__1::error_code, unsigned long)>::operator()(std::__1::error_code, unsigned long) const function.h:1182
          #14 0x10542a7b8 in asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>::operator()() bind_handler.hpp:288
          #15 0x10542a598 in void asio::asio_handler_invoke<asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long> >(asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>&, ...) handler_invoke_hook.hpp:87
          #16 0x10542a194 in void asio_handler_invoke_helpers::invoke<asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>, std::__1::function<void (std::__1::error_code, unsigned long)> >(asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>&, std::__1::function<void (std::__1::error_code, unsigned long)>&) handler_invoke_helpers.hpp:54
          #17 0x10542ce94 in void asio::detail::asio_handler_invoke<asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>, std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>(asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>&, asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>*) bind_handler.hpp:343
          #18 0x10542cc98 in void asio_handler_invoke_helpers::invoke<asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>, asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long> >(asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>&, asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>&) handler_invoke_helpers.hpp:54
          #19 0x10542c59c in void asio::detail::executor_function::complete<asio::detail::binder2<std::__1::function<void (std::__1::error_code, unsigned long)>, std::__1::error_code, unsigned long>, std::__1::allocator<void> >(asio::detail::executor_function::impl_base*, bool) executor_function.hpp:115
          #20 0x1047c581c in asio::detail::executor_function::operator()() executor_function.hpp:63
          #21 0x1047c5648 in void asio::asio_handler_invoke<asio::detail::executor_function>(asio::detail::executor_function&, ...) handler_invoke_hook.hpp:87
          
       
      freed by thread T8 here:
      [2023-01-16 09:21:32.189] [transactions] [info] starting attempt 1/1f89ab9b-b61a-417a-3b78-6036c091741b/4cf04197-d588-4300-5650-b5f38d3d4b8d/
          #0 0x11202a330 in wrap__ZdlPv+0x74 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x4e330)
          #1 0x1027ed4f4 in couchbase::core::sasl::mechanism::scram::Sha512ClientBackend::~Sha512ClientBackend() scram-sha.h:142
          #2 0x1045da934 in std::__1::default_delete<couchbase::core::sasl::MechanismBackend>::operator()(couchbase::core::sasl::MechanismBackend*) const unique_ptr.h:57
          #3 0x1045da5d4 in std::__1::unique_ptr<couchbase::core::sasl::MechanismBackend, std::__1::default_delete<couchbase::core::sasl::MechanismBackend> >::reset(couchbase::core::sasl::MechanismBackend*) unique_ptr.h:318
          #4 0x1045da394 in std::__1::unique_ptr<couchbase::core::sasl::MechanismBackend, std::__1::default_delete<couchbase::core::sasl::MechanismBackend> >::~unique_ptr() unique_ptr.h:272
          #5 0x1045da204 in std::__1::unique_ptr<couchbase::core::sasl::MechanismBackend, std::__1::default_delete<couchbase::core::sasl::MechanismBackend> >::~unique_ptr() unique_ptr.h:272
          #6 0x1045da198 in couchbase::core::sasl::ClientContext::~ClientContext() client.h:72
          #7 0x1045a25b8 in couchbase::core::sasl::ClientContext::~ClientContext() client.h:72
          #8 0x1045daf14 in couchbase::core::io::mcbp_session_impl::bootstrap_handler::~bootstrap_handler() mcbp_session.cxx:106
          #9 0x1045daea0 in couchbase::core::io::mcbp_session_impl::bootstrap_handler::~bootstrap_handler() mcbp_session.cxx:104
          #10 0x10459dae8 in std::__1::__shared_ptr_emplace<couchbase::core::io::mcbp_session_impl::bootstrap_handler, std::__1::allocator<couchbase::core::io::mcbp_session_impl::bootstrap_handler> >::__on_zero_shared() shared_ptr.h:315
          #11 0x104484800 in std::__1::__shared_count::__release_shared() shared_ptr.h:177
          #12 0x104484548 in std::__1::__shared_weak_count::__release_shared() shared_ptr.h:219
          #13 0x1045dd024 in std::__1::shared_ptr<couchbase::core::io::mcbp_session_impl::bootstrap_handler>::~shared_ptr() shared_ptr.h:959
          #14 0x104588080 in std::__1::shared_ptr<couchbase::core::io::mcbp_session_impl::bootstrap_handler>::~shared_ptr() shared_ptr.h:957
          #15 0x1044330c8 in couchbase::core::io::mcbp_session_impl::stop(couchbase::retry_reason) mcbp_session.cxx:796
          #16 0x104669d84 in couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code)::operator()(std::__1::error_code) const mcbp_session.cxx:717
          #17 0x1046682dc in asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code>::operator()() bind_handler.hpp:170
          #18 0x104668108 in void asio::asio_handler_invoke<asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code> >(asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code>&, ...) handler_invoke_hook.hpp:87
          #19 0x104667d04 in void asio_handler_invoke_helpers::invoke<asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code>, couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code)>(asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code>&, couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code)&) handler_invoke_helpers.hpp:54
          #20 0x1046676c0 in void asio::detail::handler_work<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), asio::any_io_executor, void>::complete<asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code> >(asio::detail::binder1<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), std::__1::error_code>&, couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code)&) handler_work.hpp:511
          #21 0x104666c54 in asio::detail::wait_handler<couchbase::core::io::mcbp_session_impl::bootstrap(couchbase::core::utils::movable_function<void (std::__1::error_code, couchbase::core::topology::configuration)>&&, bool)::'lambda'(std::__1::error_code), asio::any_io_executor>::do_complete(void*, asio::detail::scheduler_operation*, std::__1::error_code const&, unsigned long) wait_handler.hpp:75
          #22 0x1025acc54 in asio::detail::scheduler_operation::complete(void*, std::__1::error_code const&, unsigned long) scheduler_operation.hpp:39
          #23 0x1025ac51c in asio::detail::scheduler::do_run_one(asio::detail::conditionally_enabled_mutex::scoped_lock&, asio::detail::scheduler_thread_info&, std::__1::error_code const&) scheduler.ipp:491
          #24 0x1025ac170 in asio::detail::scheduler::run(std::__1::error_code&) scheduler.ipp:209
          #25 0x1025ae748 in asio::io_context::run() io_context.ipp:62
          #26 0x1025ae708 in fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()::operator()() const connection.h:103
          #27 0x1025ae6a0 in decltype(static_cast<fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()>(fp)()) std::__1::__invoke<fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()>(fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()&&) type_traits:3918
          #28 0x1025ae67c in void std::__1::__thread_execute<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()>(std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()>&, std::__1::__tuple_indices<>) thread:287
          #29 0x1025ae2fc in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct, std::__1::default_delete<std::__1::__thread_struct> >, fit_cxx::Connection::Connection(protocol::shared::ClusterConnectionCreateRequest const*)::'lambda'()> >(void*) thread:298
       
       
      SUMMARY: AddressSanitizer: heap-use-after-free string:1459 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__is_long() const
      ==7648==ABORTING
      [1]    7648 abort      ASAN_OPTIONS=detect_container_overflow=0 ./fit_cxx
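The trace shows thread T8 releasing the session's shared_ptr<bootstrap_handler> in stop() while thread T9 is still inside handle() on a do_read completion. The model below is an added example, not code from couchbase-cxx-client, showing the lifetime discipline that closes that window: a read completion captures only a weak_ptr and locks it before use, so a completion that fires after stop() is dropped rather than dereferencing freed memory. All type and member names are hypothetical stand-ins for the mcbp_session_impl internals.

```cpp
// Added example (not couchbase-cxx-client code): a minimal model of the ownership seen in
// the trace. A session owns bootstrap_handler through a shared_ptr and releases it in
// stop(); read completions that may fire later capture only a weak_ptr and lock it before
// use, so a completion arriving after stop() is dropped instead of touching freed memory.
// All type and member names are hypothetical stand-ins for the mcbp_session_impl internals.
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <utility>

struct bootstrap_handler {
    static int live;                       // instances currently alive (test hook)
    std::string state = "idle";            // stands in for the SASL ClientContext
    bootstrap_handler() { ++live; }
    ~bootstrap_handler() { --live; }
    void handle(const std::string& msg) { state = "handled:" + msg; }
};
int bootstrap_handler::live = 0;

struct session {
    std::shared_ptr<bootstrap_handler> bootstrap;
    std::deque<std::function<void(const std::string&)>> pending;  // queued read completions
    int dropped = 0;                       // completions that arrived after stop()

    session() : bootstrap(std::make_shared<bootstrap_handler>()) {}

    // Equivalent of do_read(): the completion captures a weak_ptr, never a raw pointer or
    // reference. It does not extend the handler's lifetime, but lock() either pins the
    // object for the duration of handle() or reports that it is already gone.
    void do_read() {
        std::weak_ptr<bootstrap_handler> weak = bootstrap;
        pending.push_back([this, weak](const std::string& msg) {
            if (auto h = weak.lock()) {
                h->handle(msg);
            } else {
                ++dropped;                 // torn down by stop(): ignore the late message
            }
        });
    }

    // Equivalent of stop(): drop the session's reference, as in the "freed by" trace.
    // If another thread is inside handle() with a locked copy, destruction waits for it.
    void stop() { bootstrap.reset(); }

    // Simulates the io_context delivering the next queued completion; false if none queued.
    bool deliver(const std::string& msg) {
        if (pending.empty()) return false;
        auto cb = std::move(pending.front());
        pending.pop_front();
        cb(msg);
        return true;
    }
};
```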

      People

        Assignee: Sergey Avseyev (avsej)
        Reporter: David Kelly (david.kelly)