Heap-use-after-free on session timeout during connection interruption #4075

Open
basyskom-jvoe opened this issue Dec 18, 2020 · 2 comments
Labels: Component: Core (Issues related to the core code); Priority: Medium (Issue with medium priority); Type: Bug (Bug in the code which needs to be fixed)

Comments

basyskom-jvoe (Contributor) commented Dec 18, 2020

If the connection is interrupted (network cable pulled) when the session timeout occurs, there is a heap-use-after-free after the network cable is plugged back in.

The interesting part of the backtrace starts at UA_Client_run_iterate(), the function calls below belong to Qt OPC UA.

==11469==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060005112e0 at pc 0x7fe04a08aeee bp 0x7fe049b92d70 sp 0x7fe049b92d60

READ of size 8 at 0x6060005112e0 thread T49 (QThread)

    #0 0x7fe04a08aeed in UA_SecureChannel_processCompleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19688

    #1 0x7fe04a0dc31e in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37951

    #2 0x7fe04a0dc638 in __UA_Client_Service /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37985

    #3 0x7fe04a0e32bf in sendCloseSession /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39205

    #4 0x7fe04a0e3717 in UA_Client_disconnect /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39233

    #5 0x7fe04a0f28b8 in UA_Client_Subscriptions_processPublishResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41761

    #6 0x7fe04a0f30f4 in processPublishResponseAsync /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41841

    #7 0x7fe04a0db40a in processAsyncResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37819

    #8 0x7fe04a0db946 in processServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37858

    #9 0x7fe04a08a802 in processMessage /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19656

    #10 0x7fe04a08ad6e in UA_SecureChannel_processCompleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19701

    #11 0x7fe04a0dc31e in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37951

    #12 0x7fe04a0f43b2 in UA_Client_run_iterate /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:42046

    #13 0x7fe04a17a15e in Open62541AsyncBackend::iterateClient() /home/jvoe/Projects/qtopcua/src/plugins/opcua/open62541/qopen62541backend.cpp:1032

    #14 0x7fe04a1a0460 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (Open62541AsyncBackend::*)()>::call(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x184460)

    #15 0x7fe04a19e37d in void QtPrivate::FunctionPointer<void (Open62541AsyncBackend::*)()>::call<QtPrivate::List<>, void>(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x18237d)

    #16 0x7fe04a19881e in QtPrivate::QSlotObject<void (Open62541AsyncBackend::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x17c81e)

    #17 0x7fe0818347bf  (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2eb7bf)

    #18 0x7fe081839456 in QTimer::timeout(QTimer::QPrivateSignal) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2f0456)

    #19 0x7fe081839757 in QTimer::timerEvent(QTimerEvent*) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2f0757)

    #20 0x7fe08182b892 in QObject::event(QEvent*) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2e2892)

    #21 0x7fe0817f9bc0 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2b0bc0)

    #22 0x7fe081858058 in QTimerInfoList::activateTimers() (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x30f058)

    #23 0x7fe081858918  (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x30f918)

    #24 0x7fe07b8dc196 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a196)

    #25 0x7fe07b8dc3ef  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a3ef)

    #26 0x7fe07b8dc49b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a49b)

    #27 0x7fe081858cab in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x30fcab)

    #28 0x7fe0817f8469 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2af469)

    #29 0x7fe0815fd36b in QThread::exec() (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0xb436b)

    #30 0x7fe0815fe727  (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0xb5727)

    #31 0x7fe0813336b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #32 0x7fe0807654dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1074dc)


0x6060005112e0 is located 0 bytes inside of 64-byte region [0x6060005112e0,0x606000511320)

freed by thread T49 (QThread) here:

    #0 0x7fe082ad032a in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9832a)

    #1 0x7fe04a084370 in deleteMessage /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18751

    #2 0x7fe04a08475e in UA_SecureChannel_deleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18771

    #3 0x7fe04a0848f6 in UA_SecureChannel_deleteMembers /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18791

    #4 0x7fe04a0e363f in sendCloseSecureChannel /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39225

    #5 0x7fe04a0e37bc in UA_Client_disconnect /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39241

    #6 0x7fe04a0f28b8 in UA_Client_Subscriptions_processPublishResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41761

    #7 0x7fe04a0f30f4 in processPublishResponseAsync /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41841

    #8 0x7fe04a0db40a in processAsyncResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37819

    #9 0x7fe04a0db946 in processServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37858

    #10 0x7fe04a08a802 in processMessage /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19656

    #11 0x7fe04a08ad6e in UA_SecureChannel_processCompleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19701

    #12 0x7fe04a0dc31e in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37951

    #13 0x7fe04a0dc638 in __UA_Client_Service /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37985

    #14 0x7fe04a0e32bf in sendCloseSession /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39205

    #15 0x7fe04a0e3717 in UA_Client_disconnect /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39233

    #16 0x7fe04a0f28b8 in UA_Client_Subscriptions_processPublishResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41761

    #17 0x7fe04a0f30f4 in processPublishResponseAsync /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41841

    #18 0x7fe04a0db40a in processAsyncResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37819

    #19 0x7fe04a0db946 in processServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37858

    #20 0x7fe04a08a802 in processMessage /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19656

    #21 0x7fe04a08ad6e in UA_SecureChannel_processCompleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19701

    #22 0x7fe04a0dc31e in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37951

    #23 0x7fe04a0f43b2 in UA_Client_run_iterate /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:42046

    #24 0x7fe04a17a15e in Open62541AsyncBackend::iterateClient() /home/jvoe/Projects/qtopcua/src/plugins/opcua/open62541/qopen62541backend.cpp:1032

    #25 0x7fe04a1a0460 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (Open62541AsyncBackend::*)()>::call(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x184460)

    #26 0x7fe04a19e37d in void QtPrivate::FunctionPointer<void (Open62541AsyncBackend::*)()>::call<QtPrivate::List<>, void>(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x18237d)

    #27 0x7fe04a19881e in QtPrivate::QSlotObject<void (Open62541AsyncBackend::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x17c81e)

    #28 0x7fe0818347bf  (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2eb7bf)

    #29 0x7fe081839456 in QTimer::timeout(QTimer::QPrivateSignal) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2f0456)


previously allocated by thread T49 (QThread) here:

    #0 0x7fe082ad0662 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98662)

    #1 0x7fe04a08a0b8 in addChunkPayload /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19612

    #2 0x7fe04a08cccb in putPayload /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19992

    #3 0x7fe04a08d2f1 in decryptAddChunk /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:20112

    #4 0x7fe04a08d4af in UA_SecureChannel_decryptAddChunk /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:20126

    #5 0x7fe04a0dc0e3 in client_processChunk /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37919

    #6 0x7fe04a08373b in completeChunkTrampoline /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18572

    #7 0x7fe04a0831ab in processChunk /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18510

    #8 0x7fe04a08357b in UA_Connection_processChunks /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18544

    #9 0x7fe04a0838e4 in UA_Connection_receiveChunksBlocking /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:18596

    #10 0x7fe04a0dc2f3 in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37950

    #11 0x7fe04a0dc638 in __UA_Client_Service /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37985

    #12 0x7fe04a0e32bf in sendCloseSession /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39205

    #13 0x7fe04a0e3717 in UA_Client_disconnect /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:39233

    #14 0x7fe04a0f28b8 in UA_Client_Subscriptions_processPublishResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41761

    #15 0x7fe04a0f30f4 in processPublishResponseAsync /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:41841

    #16 0x7fe04a0db40a in processAsyncResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37819

    #17 0x7fe04a0db946 in processServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37858

    #18 0x7fe04a08a802 in processMessage /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19656

    #19 0x7fe04a08ad6e in UA_SecureChannel_processCompleteMessages /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19701

    #20 0x7fe04a0dc31e in receiveServiceResponse /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:37951

    #21 0x7fe04a0f43b2 in UA_Client_run_iterate /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:42046

    #22 0x7fe04a17a15e in Open62541AsyncBackend::iterateClient() /home/jvoe/Projects/qtopcua/src/plugins/opcua/open62541/qopen62541backend.cpp:1032

    #23 0x7fe04a1a0460 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (Open62541AsyncBackend::*)()>::call(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x184460)

    #24 0x7fe04a19e37d in void QtPrivate::FunctionPointer<void (Open62541AsyncBackend::*)()>::call<QtPrivate::List<>, void>(void (Open62541AsyncBackend::*)(), Open62541AsyncBackend*, void**) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x18237d)

    #25 0x7fe04a19881e in QtPrivate::QSlotObject<void (Open62541AsyncBackend::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) (/usr/local/Qt-5.15.1/plugins/opcua/libopen62541_backend.so+0x17c81e)

    #26 0x7fe0818347bf  (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2eb7bf)

    #27 0x7fe081839456 in QTimer::timeout(QTimer::QPrivateSignal) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2f0456)

    #28 0x7fe0817f9bc0 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0x2b0bc0)


Thread T49 (QThread) created by T0 here:

    #0 0x7fe082a6e1e3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x361e3)

    #1 0x7fe0815fdfa8 in QThread::start(QThread::Priority) (/usr/local/Qt-5.15.1/lib/libQt5Core.so.5+0xb4fa8)


SUMMARY: AddressSanitizer: heap-use-after-free /home/jvoe/Projects/qtopcua/src/3rdparty/open62541/open62541.c:19688 UA_SecureChannel_processCompleteMessages

Shadow bytes around the buggy address:

  0x0c0c8009a200: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00

  0x0c0c8009a210: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa

  0x0c0c8009a220: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00

  0x0c0c8009a230: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0c8009a240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x0c0c8009a250: fa fa fa fa fa fa fa fa fa fa fa fa[fd]fd fd fd

  0x0c0c8009a260: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 07

  0x0c0c8009a270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0c8009a280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0c8009a290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0c8009a2a0: fa fa fa fa 00 00 00 00 00 00 00 07 fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Heap right redzone:      fb

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack partial redzone:   f4

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

==11469==ABORTING

The issue can be reproduced for every attempt.

Checklist

Please provide the following information:

[x] open62541 Version (release number or git tag): 1.0
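The two traces above show the failure pattern: UA_SecureChannel_processCompleteMessages is walking the channel's message list when a publish response, handled from inside that walk, calls UA_Client_disconnect; the CloseSession exchange it starts processes further responses, a second UA_Client_disconnect runs from the nested publish-response handler, sendCloseSecureChannel tears the channel down and frees the message list, and the outer loop then dereferences a freed node (the READ at open62541.c:19688). The C program below is an added illustration of that re-entrancy pattern and of one way to make such a loop robust. It is not open62541 code, and every name in it (Channel, Message, process_safe, channel_teardown and so on) is a hypothetical stand-in; it also collapses the two nested disconnects in the report into a single teardown called from the per-message handler.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins (not open62541 code): a channel that queues complete
 * messages and hands each to a service-response handler. The handler may tear
 * the channel down, as UA_Client_disconnect does in the report. */
typedef struct Message {
    struct Message *next;
    unsigned request_id;
} Message;

typedef struct Channel {
    Message *head;
    bool closed;     /* set by channel_teardown, re-checked after each handler */
    unsigned freed;  /* Message frees so far, so a test can verify "exactly once" */
} Channel;

/* Append a message with the given request id to the queue. */
static void channel_push(Channel *ch, unsigned request_id) {
    Message *m = calloc(1, sizeof *m);
    if (!m) { perror("calloc"); exit(EXIT_FAILURE); }
    m->request_id = request_id;
    Message **tail = &ch->head;
    while (*tail) tail = &(*tail)->next;
    *tail = m;
}

/* Free every queued message (analogue of UA_SecureChannel_deleteMessages). */
static void channel_delete_messages(Channel *ch) {
    Message *m = ch->head;
    while (m) {
        Message *next = m->next;
        free(m);
        ch->freed++;
        m = next;
    }
    ch->head = NULL;
}

/* Analogue of a disconnect: drops the queue and marks the channel closed. */
static void channel_teardown(Channel *ch) {
    channel_delete_messages(ch);
    ch->closed = true;
}

typedef void (*MessageHandler)(Channel *ch, const Message *m, unsigned *processed);

/* UNSAFE shape, matching the failing loop: the message stays linked while the
 * handler runs, so a teardown inside the handler frees it and the loop's
 * m->next then reads freed memory. Only ever call this with a handler that
 * does not tear the channel down (ASan reports heap-use-after-free otherwise). */
static unsigned process_unsafe(Channel *ch, MessageHandler handler) {
    unsigned processed = 0;
    for (Message *m = ch->head; m != NULL; m = m->next)
        handler(ch, m, &processed);
    return processed;
}

/* SAFE shape: unlink the message before the handler runs so the loop owns it,
 * free it afterwards, and re-check the channel state before touching the list
 * again. A teardown inside the handler then frees only what is still queued. */
static unsigned process_safe(Channel *ch, MessageHandler handler) {
    unsigned processed = 0;
    while (ch->head != NULL && !ch->closed) {
        Message *m = ch->head;
        ch->head = m->next;   /* unlink first */
        m->next = NULL;
        handler(ch, m, &processed);
        free(m);              /* ours to free, whatever the handler did */
        ch->freed++;
    }
    return processed;
}

/* Handler that disconnects mid-iteration, on request id 2, like the
 * publish-response path in the report. */
static void handler_disconnect_on_2(Channel *ch, const Message *m, unsigned *processed) {
    (*processed)++;
    if (m->request_id == 2)
        channel_teardown(ch);
}

/* Baseline handler that never disconnects. */
static void handler_plain(Channel *ch, const Message *m, unsigned *processed) {
    (void)ch; (void)m;
    (*processed)++;
}

/* Queue request ids 1..n (constructed input), run the chosen loop, release
 * anything left. Returns handlers run; *frees_out receives total frees. */
static unsigned run_scenario(bool safe, unsigned n, MessageHandler handler, unsigned *frees_out) {
    Channel ch = {0};
    for (unsigned i = 1; i <= n; i++)
        channel_push(&ch, i);
    unsigned processed = safe ? process_safe(&ch, handler) : process_unsafe(&ch, handler);
    channel_delete_messages(&ch);   /* no-op when teardown already ran */
    if (frees_out) *frees_out = ch.freed;
    return processed;
}

int main(void) {
    unsigned frees = 0;
    unsigned ran = run_scenario(true, 5, handler_disconnect_on_2, &frees);
    printf("safe loop, disconnect on id 2: %u handlers ran, %u messages freed\n", ran, frees);
    ran = run_scenario(false, 5, handler_plain, &frees);
    printf("unsafe loop, no disconnect:    %u handlers ran, %u messages freed\n", ran, frees);
    return 0;
}
```

With five queued messages and the disconnecting handler, process_safe runs two handlers and every message is freed exactly once: ids 1 and 2 by the loop, ids 3 to 5 by the teardown. The invariant that matters is that the iterator never holds a pointer a callback is allowed to free; unlinking before the call is one way to get it, and deferring the actual frees until the outermost processing call returns (tracked with a re-entrancy depth counter) is another, equivalent, fix.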

jpfr (Member) commented Dec 19, 2020

Is this really for v1.0 as indicated?

basyskom-jvoe (Contributor, Author):

@jpfr Yes, this happens with the v1.0 amalgamation build

@NoelGraf NoelGraf added Component: Core Issues related to the core code Priority: Medium Issue with medium priority Type: Bug Bug in the code which needs to be fixed labels Apr 16, 2021
Development

No branches or pull requests

3 participants