Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-2689

Use after free in WT_SESSION::open_cursor

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: WT2.8.0
    • Fix Version/s: WT2.9.0, 3.3.9
    • Labels:
      None

      Description

      Hi! I compiled WT with asan and got next asan output when WT_SESSION::open_cursor return error.

      ==3381==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300000b640 at pc 0x7f8095ba351d bp 0x7fff60fd8660 sp 0x7fff60fd8658
      READ of size 8 at 0x61300000b640 thread T0
          #0 0x7f8095ba351c in __curtable_close /wiredtiger/2.8.0/src/src/cursor/cur_table.c:716:2
          #1 0x7f8095b9f25e in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:978:3
          #2 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
          #3 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2
       
      0x61300000b640 is located 0 bytes inside of 368-byte region [0x61300000b640,0x61300000b7b0)
      freed by thread T0 here:
          #0 0x4aa83b in __interceptor_free (/home/dshkirja/git/tb_1/build_asan.x86_64-unknown-linux/platform/bin64/tbdbdump+0x4aa83b)
          #1 0x7f8095bf1b9a in __wt_free_int /wiredtiger/2.8.0/src/src/os_posix/os_alloc.c:307:2
          #2 0x7f8095b970a6 in __wt_cursor_close /wiredtiger/2.8.0/src/src/cursor/cur_std.c:559:2
          #3 0x7f8095b9f217 in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:975:4
          #4 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
          #5 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2
       
      previously allocated by thread T0 here:
          #0 0x4aaca4 in calloc (/home/dshkirja/git/tb_1/build_asan.x86_64-unknown-linux/platform/bin64/tbdbdump+0x4aaca4)
          #1 0x7f8095bf10ec in __wt_calloc /wiredtiger/2.8.0/src/src/os_posix/os_alloc.c:51:11
          #2 0x7f8095b9eabf in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:894:2
          #3 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
          #4 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2
       
      SUMMARY: AddressSanitizer: heap-use-after-free /wiredtiger/2.8.0/src/src/cursor/cur_table.c:716:2 in __curtable_close
      Shadow bytes around the buggy address:
        0x0c267fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c267fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c267fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c267fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c267fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c267fff96c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
        0x0c267fff96d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff96e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff96f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
        0x0c267fff9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c267fff9710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3381==ABORTING
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Denis Shkirya Denis Shkirya
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: