Skip to content

Instantly share code, notes, and snippets.

@dioptre

dioptre/double free uwebsocket.js error.3.md

Created October 29, 2019 22:29
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dioptre/9a1ed85440578670bd981e5994aed7df to your computer and use it in GitHub Desktop.
Save dioptre/9a1ed85440578670bd981e5994aed7df to your computer and use it in GitHub Desktop.
Download ZIP
Raw
double free uwebsocket.js error.3.md

================================================================= ==17260==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100000696e0 at pc 0x7f6f38d6e0b2 bp 0x7ffe52399ce0 sp 0x7ffe52399cd8 READ of size 8 at 0x6100000696e0 thread T0 #0 0x7f6f38d6e0b1 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_IdentityuWS::Subscriber*, std::lessuWS::Subscriber*, std::allocatoruWS::Subscriber* >::_M_begin() (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1910b1) #1 0x7f6f38da2106 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_IdentityuWS::Subscriber*, std::lessuWS::Subscriber*, std::allocatoruWS::Subscriber* >::equal_range(uWS::Subscriber* const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c5106) #2 0x7f6f38da1ee7 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_IdentityuWS::Subscriber*, std::lessuWS::Subscriber*, std::allocatoruWS::Subscriber* >::erase(uWS::Subscriber* const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4ee7) #3 0x7f6f38da1001 in uWS::TopicTree::unsubscribeAll(uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4001) #4 0x7f6f38de6d24 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*)::operator()<us_socket_t>(auto*) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x209d24) #5 0x7f6f38e1043c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c) #6 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375 #7 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370 #8 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocatorstd::string > const&, std::vector<std::string, std::allocatorstd::string > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44) #9 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238) #10 0x7f6f3f82709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a) #11 0x89ed84 in _start (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x89ed84)

0x6100000696e0 is located 160 bytes inside of 192-byte region [0x610000069640,0x610000069700) freed by thread T0 here: #0 0x7f6f3fe42982 in operator delete(void*) (/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xfd982) #1 0x7f6f38da1c33 in uWS::TopicTree::trimTree(uWS::Topic*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4c33) #2 0x7f6f38da100d in uWS::TopicTree::unsubscribeAll(uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c400d) #3 0x7f6f38de6d24 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*)::operator()<us_socket_t>(auto*) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x209d24) #4 0x7f6f38e1043c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c) #5 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375 #6 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370 #7 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocatorstd::string > const&, std::vector<std::string, std::allocatorstd::string > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44) #8 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238) #9 0x7f6f3f82709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here: #0 0x7f6f3fe41d42 in operator new(unsigned long) (/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xfcd42) #1 0x7f6f38df6023 in uWS::TopicTree::subscribe(std::basic_string_view<char, std::char_traits >, uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x219023) #2 0x7f6f38dfa857 in void WebSocketWrapper::uWS_WebSocket_subscribe(v8::FunctionCallbackInfov8::Value const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x21d857) #3 0xb62a3e in v8::internal::MaybeHandlev8::internal::Object v8::internal::(anonymous namespace)::HandleApiCallHelper(v8::internal::Isolate*, v8::internal::Handlev8::internal::HeapObject, v8::internal::Handlev8::internal::HeapObject, v8::internal::Handlev8::internal::FunctionTemplateInfo, v8::internal::Handlev8::internal::Object, v8::internal::BuiltinArguments) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xb62a3e) #4 0xb635a8 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xb635a8) #5 0x15cf99f5be1c () #6 0x15cf99f118d4 () #7 0x15cf99f0ee74 () #8 0x15cf99f092c0 () #9 0xe725d2 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handlev8::internal::Object, v8::internal::Handlev8::internal::Object, int, v8::internal::Handlev8::internal::Object) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xe725d2) #10 0xaff8e8 in v8::Function::Call(v8::Localv8::Context, v8::Localv8::Value, int, v8::Localv8::Value) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xaff8e8) #11 0x7f6f38ddeda2 in auto void uWS_App_ws<uWS::TemplatedApp >(v8::FunctionCallbackInfov8::Value const&)::'lambda'(auto*, std::basic_string_view<char, std::char_traits >, uWS::OpCode)::operator()<uWS::WebSocket<true, true> >(auto*, std::basic_string_view<char, std::char_traits >, uWS::OpCode) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x201da2) #12 0x7f6f38dde959 in fu2::abi_400::detail::type_erasure::invocation_table::function_trait<void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)>::internal_invoker<fu2::abi_400::detail::type_erasure::box<false, void uWS_App_ws<uWS::TemplatedApp >(v8::FunctionCallbackInfov8::Value const&)::'lambda'(auto, std::basic_string_view<char, std::char_traits >, uWS::OpCode), std::allocator<void uWS_App_ws<uWS::TemplatedApp >(v8::FunctionCallbackInfov8::Value const&)::'lambda'(auto*, std::basic_string_view<char, std::char_traits >, uWS::OpCode)> >, true>::invoke(fu2::abi_400::detail::type_erasure::data_accessor*, unsigned long, uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x201959) #13 0x7f6f38deba7c in auto fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)> >::invoke<0ul, fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)> >&, uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode>(fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)> >&, uWS::WebSocket<true, true>&&, std::basic_string_view<char, std::char_traits >&&, uWS::OpCode&&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20ea7c) #14 0x7f6f38dead11 in fu2::abi_400::detail::type_erasure::invocation_table::operator_impl<0ul, fu2::abi_400::detail::function<fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)> >, void (uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode)>::operator()(uWS::WebSocket<true, true>, std::basic_string_view<char, std::char_traits >, uWS::OpCode) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20dd11) #15 0x7f6f38dea24a in uWS::WebSocketContext<true, true>::handleFragment(char, unsigned long, unsigned int, int, bool, uWS::WebSocketState, void) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20d24a) #16 0x7f6f38de8179 in bool uWS::WebSocketProtocol<true, uWS::WebSocketContext<true, true> >::consumeMessage<6u, unsigned char>(unsigned char, char*&, unsigned int&, uWS::WebSocketState, void) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20b179) #17 0x7f6f38de7905 in uWS::WebSocketProtocol<true, uWS::WebSocketContext<true, true> >::consume(char*, unsigned int, uWS::WebSocketState, void) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20a905) #18 0x7f6f38de7585 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*, char*, int)::operator()<us_socket_t>(auto*, char*, int) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20a585) #19 0x7f6f38e11e26 in ssl_on_data (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x234e26) #20 0x7f6f38e1043c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c) #21 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375 #22 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370 #23 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocatorstd::string > const&, std::vector<std::string, std::allocatorstd::string > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44) #24 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238) #25 0x7f6f3f82709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1910b1) in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_IdentityuWS::Subscriber*, std::lessuWS::Subscriber*, std::allocatoruWS::Subscriber* >::_M_begin() Shadow bytes around the buggy address: 0x0c2080005280: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c2080005290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c20800052a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c20800052b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c20800052c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c20800052d0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x0c20800052e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c20800052f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa 0x0c2080005300: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c2080005310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa 0x0c2080005320: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==17260==ABORTING

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment