
@dioptre
Created October 29, 2019 22:04
=================================================================
==16741==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000004d1e0 at pc 0x7f5c8ca3b0b2 bp 0x7fff96079340 sp 0x7fff96079338
READ of size 8 at 0x61000004d1e0 thread T0
    #0 0x7f5c8ca3b0b1 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_Identity<uWS::Subscriber*>, std::less<uWS::Subscriber*>, std::allocator<uWS::Subscriber*> >::_M_begin() (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1910b1)
    #1 0x7f5c8ca6f106 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_Identity<uWS::Subscriber*>, std::less<uWS::Subscriber*>, std::allocator<uWS::Subscriber*> >::equal_range(uWS::Subscriber* const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c5106)
    #2 0x7f5c8ca6eee7 in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_Identity<uWS::Subscriber*>, std::less<uWS::Subscriber*>, std::allocator<uWS::Subscriber*> >::erase(uWS::Subscriber* const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4ee7)
    #3 0x7f5c8ca6e001 in uWS::TopicTree::unsubscribeAll(uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4001)
    #4 0x7f5c8cab3d24 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*)::operator()<us_socket_t>(auto*) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x209d24)
    #5 0x7f5c8cadd43c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c)
    #6 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375
    #7 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370
    #8 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocator<std::string> > const&, std::vector<std::string, std::allocator<std::string> > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44)
    #9 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238)
    #10 0x7f5c934f609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #11 0x89ed84 in _start (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x89ed84)

0x61000004d1e0 is located 160 bytes inside of 192-byte region [0x61000004d140,0x61000004d200)
freed by thread T0 here:
    #0 0x7f5c93b11982 in operator delete(void*) (/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xfd982)
    #1 0x7f5c8ca6ec33 in uWS::TopicTree::trimTree(uWS::Topic*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c4c33)
    #2 0x7f5c8ca6e00d in uWS::TopicTree::unsubscribeAll(uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1c400d)
    #3 0x7f5c8cab3d24 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*)::operator()<us_socket_t>(auto*) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x209d24)
    #4 0x7f5c8cadd43c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c)
    #5 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375
    #6 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370
    #7 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocator<std::string> > const&, std::vector<std::string, std::allocator<std::string> > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44)
    #8 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238)
    #9 0x7f5c934f609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

previously allocated by thread T0 here:
    #0 0x7f5c93b10d42 in operator new(unsigned long) (/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xfcd42)
    #1 0x7f5c8cac3023 in uWS::TopicTree::subscribe(std::basic_string_view<char, std::char_traits<char> >, uWS::Subscriber*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x219023)
    #2 0x7f5c8cac7857 in void WebSocketWrapper::uWS_WebSocket_subscribe<true>(v8::FunctionCallbackInfo<v8::Value> const&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x21d857)
    #3 0xb62a3e in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xb62a3e)
    #4 0xb635a8 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xb635a8)
    #5 0x18445f4dbe1c  (<unknown module>)
    #6 0x18445f4918d4  (<unknown module>)
    #7 0x18445f48ee74  (<unknown module>)
    #8 0x18445f4892c0  (<unknown module>)
    #9 0xe725d2 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xe725d2)
    #10 0xaff8e8 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0xaff8e8)
    #11 0x7f5c8caabda2 in auto void uWS_App_ws<uWS::TemplatedApp<true> >(v8::FunctionCallbackInfo<v8::Value> const&)::'lambda'(auto*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)::operator()<uWS::WebSocket<true, true> >(auto*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x201da2)
    #12 0x7f5c8caab959 in fu2::abi_400::detail::type_erasure::invocation_table::function_trait<void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)>::internal_invoker<fu2::abi_400::detail::type_erasure::box<false, void uWS_App_ws<uWS::TemplatedApp<true> >(v8::FunctionCallbackInfo<v8::Value> const&)::'lambda'(auto*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode), std::allocator<void uWS_App_ws<uWS::TemplatedApp<true> >(v8::FunctionCallbackInfo<v8::Value> const&)::'lambda'(auto*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)> >, true>::invoke(fu2::abi_400::detail::type_erasure::data_accessor*, unsigned long, uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x201959)
    #13 0x7f5c8cab8a7c in auto fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)> >::invoke<0ul, fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)> >&, uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode>(fu2::abi_400::detail::type_erasure::erasure<true, fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)> >&, uWS::WebSocket<true, true>*&&, std::basic_string_view<char, std::char_traits<char> >&&, uWS::OpCode&&) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20ea7c)
    #14 0x7f5c8cab7d11 in fu2::abi_400::detail::type_erasure::invocation_table::operator_impl<0ul, fu2::abi_400::detail::function<fu2::abi_400::detail::config<true, false, fu2::capacity_default>, fu2::abi_400::detail::property<true, false, void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)> >, void (uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode)>::operator()(uWS::WebSocket<true, true>*, std::basic_string_view<char, std::char_traits<char> >, uWS::OpCode) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20dd11)
    #15 0x7f5c8cab724a in uWS::WebSocketContext<true, true>::handleFragment(char*, unsigned long, unsigned int, int, bool, uWS::WebSocketState<true>*, void*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20d24a)
    #16 0x7f5c8cab5179 in bool uWS::WebSocketProtocol<true, uWS::WebSocketContext<true, true> >::consumeMessage<6u, unsigned char>(unsigned char, char*&, unsigned int&, uWS::WebSocketState<true>*, void*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20b179)
    #17 0x7f5c8cab4905 in uWS::WebSocketProtocol<true, uWS::WebSocketContext<true, true> >::consume(char*, unsigned int, uWS::WebSocketState<true>*, void*) (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20a905)
    #18 0x7f5c8cab4585 in auto uWS::WebSocketContext<true, true>::init()::'lambda'(auto*, char*, int)::operator()<us_socket_t>(auto*, char*, int) const (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x20a585)
    #19 0x7f5c8cadee26 in ssl_on_data (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x234e26)
    #20 0x7f5c8cadd43c in us_internal_dispatch_ready_poll (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x23343c)
    #21 0xa5a5c7 in uv__io_poll /home/iojs/build/ws/out/../deps/uv/src/unix/linux-core.c:375
    #22 0xa4a21a in uv_run /home/iojs/build/ws/out/../deps/uv/src/unix/core.c:370
    #23 0x8e6f44 in node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocator<std::string> > const&, std::vector<std::string, std::allocator<std::string> > const&) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e6f44)
    #24 0x8e5238 in node::Start(int, char**) (/home/a/.nvm/versions/node/v10.15.3/bin/node+0x8e5238)
    #25 0x7f5c934f609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/a/projects/bb/bbs/node_modules/uWebSockets.js/uws_linux_x64_64.node+0x1910b1) in std::_Rb_tree<uWS::Subscriber*, uWS::Subscriber*, std::_Identity<uWS::Subscriber*>, std::less<uWS::Subscriber*>, std::allocator<uWS::Subscriber*> >::_M_begin()
Shadow bytes around the buggy address:
  0x0c20800019e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800019f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080001a00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080001a10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080001a20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2080001a30: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c2080001a40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080001a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2080001a60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080001a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2080001a80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==16741==ABORTING