Opened 2 years ago
Last modified 19 months ago
#2431 closed defect
HTTP3: Clang reports heap-use-after-free in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231 — at Version 1
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.23.x |
| Keywords: | http3 | Cc: | |
| uname -a: | Linux 4.19.91-008.ali4000.alios7.x86_64 #1 SMP Fri Sep 4 17:33:26 CST 2020 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:

```
nginx version: nginx/1.23.3
built by gcc 9.3.0 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --prefix=/home/yefei.dyf/nginx --with-cc-opt=-I/home/yefei.dyf/boringssl/include --with-ld-opt='-L/home/yefei.dyf/boringssl/ssl -L/home/yefei.dyf/boringssl/crypto' --with-google_perftools_module
```
Description
```
==4234==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00004a4a0 at pc 0x0000004e9d7f bp 0x7ffedf26fdd0 sp 0x7ffedf26f580
READ of size 6 at 0x61e00004a4a0 thread T0
    #0 0x4e9d7e in __interceptor_memcpy.part.41 (nginx+0x4e9d7e)
    #1 0x82b1af in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231
    #2 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
    #3 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
    #4 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #5 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #6 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #7 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #8 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #9 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #10 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #11 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #12 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #13 0x5864fc in main src/core/nginx.c:448
    #14 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)
    #15 0x4ac228 (nginx+0x4ac228)

0x61e00004a4a0 is located in a freed heap region.

freed by thread T0 here:
    #0 0x54e7e0 in free (nginx+0x54e7e0)
    #1 0x82aded in ngx_http_v3_evict src/http/v3/ngx_http_v3_table.c:381
    #2 0x82afec in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:210
    #3 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
    #4 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
    #5 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #6 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #7 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #8 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #9 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #10 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #11 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #12 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #13 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #14 0x5864fc in main src/core/nginx.c:448
    #15 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

previously allocated by thread T0 here:
    #0 0x54eaf8 in malloc (nginx+0x54eaf8)
    #1 0x5fc3a3 in ngx_alloc src/os/unix/ngx_alloc.c:22
    #2 0x82b12d in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:221
    #3 0x82c91a in ngx_http_v3_ref_insert src/http/v3/ngx_http_v3_table.c:195
    #4 0x829f52 in ngx_http_v3_parse_field_inr src/http/v3/ngx_http_v3_parse.c:1624
    #5 0x829f52 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1479
    #6 0x829f52 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
    #7 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
    #8 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
    #9 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
    #10 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
    #11 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
    #12 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
    #13 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
    #14 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
    #15 0x5864fc in main src/core/nginx.c:448
    #16 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

SUMMARY: AddressSanitizer: heap-use-after-free (nginx+0x4e9d7e) in __interceptor_memcpy.part.41
Shadow bytes around the buggy address:
  0x0c3c80001440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80001450: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c3c80001460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80001470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c80001490: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c800014e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4234==ABORTING
```
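Read together, the three stacks in the report describe one sequence. The freed block was allocated by ngx_http_v3_insert (table.c:221) while an earlier insert-with-name-reference instruction was handled (ngx_http_v3_ref_insert). It was freed by ngx_http_v3_evict, called from ngx_http_v3_insert (table.c:210) while a Duplicate instruction was being serviced (ngx_http_v3_duplicate). The faulting read is the memcpy at table.c:231 in that same insert call. So the duplicate handler hands insert pointers into an existing dynamic-table entry, insert evicts entries to make room before it copies, and when the entry being duplicated is among those evicted, the copy reads freed memory. The instructions arrive on the peer's unidirectional QPACK encoder stream (ngx_http_v3_uni_read_handler, ngx_http_v3_parse_encoder), so the ordering that triggers this is under the remote side's control.

The model below is an added illustration, not nginx code and not the fix nginx shipped for this ticket. It assumes a simplified dynamic table (entries in a singly linked list from oldest to newest, entry size 32 + name length + value length as in RFC 9204, eviction of the oldest entry until the new one fits) and shows the vulnerable duplicate next to a hardened one that snapshots the source entry before insert can free it. The scenario in demo_duplicate_forces_eviction mirrors the trace: two entries fill the table, and duplicating the oldest forces its own eviction.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a QPACK-style dynamic table (not nginx's structures).
 * Entries form a list from oldest to newest; when a new entry does not fit,
 * oldest entries are freed until it does. Size = 32 + name + value (RFC 9204). */
typedef struct entry_s {
    struct entry_s *next;                 /* the next-newer entry */
    size_t          nlen, vlen;
    unsigned char  *name, *value;
} entry_t;

typedef struct {
    entry_t *oldest, *newest;
    size_t   count, size, capacity;
} table_t;

void table_init(table_t *t, size_t capacity)
{
    memset(t, 0, sizeof(*t));
    t->capacity = capacity;
}

static size_t entry_size(size_t nlen, size_t vlen) { return 32 + nlen + vlen; }

static void table_evict_oldest(table_t *t)
{
    entry_t *e = t->oldest;
    t->oldest = e->next;
    if (t->oldest == NULL) t->newest = NULL;
    t->size -= entry_size(e->nlen, e->vlen);
    t->count--;
    free(e->name); free(e->value); free(e);
}

void table_free(table_t *t) { while (t->oldest) table_evict_oldest(t); }

/* Relative index 0 is the newest entry, 1 the one before it, and so on. */
entry_t *table_lookup(table_t *t, size_t rel)
{
    if (rel >= t->count) return NULL;
    size_t skip = t->count - 1 - rel;
    entry_t *e = t->oldest;
    while (skip--) e = e->next;
    return e;
}

/* Append a copy of name/value, evicting oldest entries to make room.
 * Returns 0 on success, -1 if the entry could never fit. */
int table_insert(table_t *t, const unsigned char *name, size_t nlen,
                 const unsigned char *value, size_t vlen)
{
    size_t need = entry_size(nlen, vlen);
    if (need > t->capacity) return -1;

    /* Eviction runs before the copy. If name/value point into an entry being
     * evicted, the memcpy calls below read freed memory: the same order the
     * ASan report shows (free inside evict, then the read inside insert). */
    while (t->size + need > t->capacity) table_evict_oldest(t);

    entry_t *e = malloc(sizeof(*e));
    e->next = NULL; e->nlen = nlen; e->vlen = vlen;
    e->name = malloc(nlen); e->value = malloc(vlen);
    memcpy(e->name, name, nlen);
    memcpy(e->value, value, vlen);
    if (t->newest) t->newest->next = e; else t->oldest = e;
    t->newest = e;
    t->size += need; t->count++;
    return 0;
}

/* VULNERABLE duplicate: passes pointers into the live entry straight to
 * insert. If the duplicate does not fit and the source is among the entries
 * evicted, insert copies from freed memory. Shown for comparison only. */
int table_duplicate_unsafe(table_t *t, size_t rel)
{
    entry_t *e = table_lookup(t, rel);
    if (e == NULL) return -1;
    return table_insert(t, e->name, e->nlen, e->value, e->vlen);
}

/* HARDENED duplicate: snapshot the source before anything can free it. */
int table_duplicate_safe(table_t *t, size_t rel)
{
    entry_t *e = table_lookup(t, rel);
    if (e == NULL) return -1;
    size_t nlen = e->nlen, vlen = e->vlen;
    unsigned char *n = malloc(nlen), *v = malloc(vlen);
    memcpy(n, e->name, nlen);
    memcpy(v, e->value, vlen);
    int rc = table_insert(t, n, nlen, v, vlen);   /* may evict e; n and v stay valid */
    free(n); free(v);
    return rc;
}

/* Constructed scenario: two 35-byte entries fill a 100-byte table; duplicating
 * the oldest needs 35 more bytes, so insert must evict that very entry first.
 * Returns 1 when the copy lands intact and the table stays consistent. */
int demo_duplicate_forces_eviction(void)
{
    table_t t;
    table_init(&t, 100);
    int ok = table_insert(&t, (const unsigned char *)"k", 1, (const unsigned char *)"v1", 2) == 0
          && table_insert(&t, (const unsigned char *)"k", 1, (const unsigned char *)"v2", 2) == 0
          && t.size == 70
          && table_duplicate_safe(&t, 1) == 0          /* rel 1 == oldest, value "v1" */
          && t.count == 2 && t.size == 70
          && memcmp(table_lookup(&t, 0)->value, "v1", 2) == 0
          && memcmp(table_lookup(&t, 1)->value, "v2", 2) == 0
          && table_duplicate_safe(&t, 7) == -1;        /* reference past the table */
    table_free(&t);
    return ok;
}

int main(void)
{
    printf("duplicate after eviction: %s\n", demo_duplicate_forces_eviction() ? "ok" : "FAIL");
    return 0;
}
```

Build it with `cc -g -fsanitize=address` and swap table_duplicate_unsafe into the same scenario: ASan then reports a heap-use-after-free with the same shape as the ticket (free under the evict helper, READ under memcpy inside insert). The snapshot in table_duplicate_safe costs one extra copy per Duplicate; a stricter decoder could instead reject a Duplicate whose insertion would evict the entry it references, which is a design choice of this model rather than anything stated on this page.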