Skip to content
Snippets Groups Projects
  1. Sep 20, 2022
  2. Sep 19, 2022
  3. Sep 18, 2022
    • Thomas Guillem's avatar
      medialibrary: fix heap-use-after-free · b2daa832
      Thomas Guillem authored and Rémi Denis-Courmont's avatar Rémi Denis-Courmont committed
      m_deviceLister is listening to media source tree callbacks and need be
      cleaned (and callbacks removed) before m_devices, since callbacks read
      m_devices.
      
      ==1750167==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002c640 at pc 0x7f8906109b0e bp 0x7f88ef176630 sp 0x7f88ef176628
      READ of size 8 at 0x61100002c640 thread T22
          #0 0x7f8906109b0d in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/12/bits/shared_ptr_base.h:1666
          #1 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/12/bits/shared_ptr_base.h:1363
          #2 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const /usr/include/c++/12/bits/shared_ptr_base.h:1357
          #3 0x7f8906109b0d in operator() ../../modules/misc/medialibrary/fs/fs.cpp:195
          #4 0x7f8906109cac in operator()<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > > > /usr/include/c++/12/bits/predefined_ops.h:318
          #5 0x7f8906109cac in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2067
          #6 0x7f8906109f54 in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2112
          #7 0x7f8906109f54 in find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > /usr/include/c++/12/bits/stl_algo.h:3877
          #8 0x7f890610b532 in vlc::medialibrary::SDFileSystemFactory::deviceByUuid(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../modules/misc/medialibrary/fs/fs.cpp:193
          #9 0x7f890610c16e in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:146
          #10 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131
          #11 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105
          #12 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303
          #13 0x7f8908b00dc0 in services_discovery_item_added ../../src/media_source/media_source.c:81
          #14 0x7f8907972be6 in services_discovery_AddItem ../../include/vlc_services_discovery.h:166
          #15 0x7f8907972be6 in entry_item_append ../../modules/access/dsm/sd.c:73
          #16 0x7f8907972daf in netbios_ns_discover_on_entry_added ../../modules/access/dsm/sd.c:117
          #17 0x7f8907980930 in netbios_ns_discover_thread (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x5930)
          #18 0x7f89086a3d7f in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7d7f)
          #19 0x7f89085bdbae in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfabae)
      
      0x61100002c640 is located 0 bytes inside of 256-byte region [0x61100002c640,0x61100002c740)
      freed by thread T0 here:
          #0 0x7f8908cba3c8 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164
          #1 0x7f890610c7d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/new_allocator.h:158
          #2 0x7f890610c7d8 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::deallocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:496
          #3 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/stl_vector.h:387
          #4 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~_Vector_base() /usr/include/c++/12/bits/stl_vector.h:366
          #5 0x7f890610cc47 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:733
          #6 0x7f890610ccb4 in vlc::medialibrary::SDFileSystemFactory::~SDFileSystemFactory() ../../modules/misc/medialibrary/fs/fs.h:45
          #7 0x7f89060dd7f0  (/home/tom/work/git/vlc/build-asan/modules/.libs/libmedialibrary_plugin.so+0xdd7f0)
          #8 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:346
          #9 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:317
          #10 0x7f8906192379 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/12/bits/shared_ptr_base.h:1071
          #11 0x7f8906192379 in std::__shared_ptr<medialibrary::fs::IFileSystemFactory, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/12/bits/shared_ptr_base.h:1524
          #12 0x7f8906192379 in std::shared_ptr<medialibrary::fs::IFileSystemFactory>::~shared_ptr() /usr/include/c++/12/bits/shared_ptr.h:175
          #13 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:151
          #14 0x7f8906192379 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:163
          #15 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:196
          #16 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >&) /usr/include/c++/12/bits/alloc_traits.h:850
          #17 0x7f8906192379 in std::vector<std::shared_ptr<medialibrary::fs::IFileSystemFactory>, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:730
          #18 0x7f8906192379 in medialibrary::FsHolder::~FsHolder() ../src/filesystem/FsHolder.cpp:66
      
      previously allocated by thread T22 here:
          #0 0x7f8908cb94c8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
          #1 0x7f890610d4d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137
          #2 0x7f890610d789 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::allocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464
          #3 0x7f890610d789 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_allocate(unsigned long) /usr/include/c++/12/bits/stl_vector.h:378
          #4 0x7f890610d789 in void std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_realloc_insert<std::shared_ptr<medialibrary::fs::IDevice> const&>(__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > > >, std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/vector.tcc:453
          #5 0x7f890610dc02 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::push_back(std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/stl_vector.h:1287
          #6 0x7f890610c3b3 in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:151
          #7 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131
          #8 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105
          #9 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303
      
      Thread T22 created by T0 here:
          #0 0x7f8908c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x7f890798126c in netbios_ns_discover_start (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x626c)
          #2 0x7f8908b022b5 in generic_start ../../src/modules/modules.c:275
      
      SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/12/bits/shared_ptr_base.h:1666 in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const
      Shadow bytes around the buggy address:
        0x0c227fffd870: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c227fffd880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c227fffd890: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
        0x0c227fffd8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c227fffd8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
      =>0x0c227fffd8c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
        0x0c227fffd8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c227fffd8e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c227fffd8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c227fffd900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
        0x0c227fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1750167==ABORTING
      b2daa832
  4. Sep 17, 2022
Loading