Use after free in WT_SESSION::open_cursor

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • WT2.9.0, 3.3.9
    • Affects Version/s: WT2.8.0
    • Component/s: None
    • None
    • None
    • None

      Hi! I compiled WT with asan and got next asan output when WT_SESSION::open_cursor return error.

      ==3381==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300000b640 at pc 0x7f8095ba351d bp 0x7fff60fd8660 sp 0x7fff60fd8658
READ of size 8 at 0x61300000b640 thread T0
    #0 0x7f8095ba351c in __curtable_close /wiredtiger/2.8.0/src/src/cursor/cur_table.c:716:2
    #1 0x7f8095b9f25e in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:978:3
    #2 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
    #3 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2

0x61300000b640 is located 0 bytes inside of 368-byte region [0x61300000b640,0x61300000b7b0)
freed by thread T0 here:
    #0 0x4aa83b in __interceptor_free (/home/dshkirja/git/tb_1/build_asan.x86_64-unknown-linux/platform/bin64/tbdbdump+0x4aa83b)
    #1 0x7f8095bf1b9a in __wt_free_int /wiredtiger/2.8.0/src/src/os_posix/os_alloc.c:307:2
    #2 0x7f8095b970a6 in __wt_cursor_close /wiredtiger/2.8.0/src/src/cursor/cur_std.c:559:2
    #3 0x7f8095b9f217 in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:975:4
    #4 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
    #5 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2

previously allocated by thread T0 here:
    #0 0x4aaca4 in calloc (/home/dshkirja/git/tb_1/build_asan.x86_64-unknown-linux/platform/bin64/tbdbdump+0x4aaca4)
    #1 0x7f8095bf10ec in __wt_calloc /wiredtiger/2.8.0/src/src/os_posix/os_alloc.c:51:11
    #2 0x7f8095b9eabf in __wt_curtable_open /wiredtiger/2.8.0/src/src/cursor/cur_table.c:894:2
    #3 0x7f8095c4c2b0 in __session_open_cursor_int /wiredtiger/2.8.0/src/src/session/session_api.c:288:4
    #4 0x7f8095c4f3f1 in __session_open_cursor /wiredtiger/2.8.0/src/src/session/session_api.c:423:2

SUMMARY: AddressSanitizer: heap-use-after-free /wiredtiger/2.8.0/src/src/cursor/cur_table.c:716:2 in __curtable_close
Shadow bytes around the buggy address:
  0x0c267fff9670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fff96c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c267fff96d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff96e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff96f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c267fff9700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff9710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3381==ABORTING

            Assignee:
            Unassigned
            Reporter:
            Denis Shkirya
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: