Qt for Python: PYSIDE-1655

TypeSystemParser suffers from stack-use-after-scope ASAN issues


Details

    • Bug
    • Resolution: Done
    • Not Evaluated
    • None
    • 5.15.4
    • Shiboken
    • None
    • f0425d31701d96e8c048b889c9ca8b59e910e043 (pyside/pyside-setup/dev) 6a2634867fd6d241582dbdd45dc303922fcf2d49 (pyside/tqtc-pyside-setup/5.15)

    Description

      Compiling shiboken with ASAN enabled uncovers a ton of issues; most importantly, it is accessing invalid memory.

      A common pattern in the typesystemparser.cpp code is this (taken from our Qt 5.15 branch):

      $ ack -- '->takeAt\(.*\)\.value\(\);'
      typesystemparser.cpp
      1289:    const QStringRef typeName = attributes->takeAt(typeIndex).value();
      1362:            const auto extendsPackageName = attributes->takeAt(i).value();
      1624:            const QStringRef modeName = attributes->takeAt(i).value();
      1631:            const QStringRef format = attributes->takeAt(i).value();
      1800:            const QStringRef languageAttribute = attributes->takeAt(i).value();
      2002:            const QStringRef className = attributes->takeAt(i).value();
      2070:        const QStringRef value = attributes->takeAt(classIndex).value();
      2121:        const QStringRef modifier = attributes->takeAt(modifierIndex).value();
      2500:            const QStringRef action = attributes->takeAt(i).value();
      2572:            const QStringRef className = attributes->takeAt(i).value();
      2579:            const QStringRef value = attributes->takeAt(i).value();
      

      But even in current dev we still find it:

      typesystemparser.cpp
      1363:    const auto typeName = attributes->takeAt(typeIndex).value();
      1438:            const auto extendsPackageName = attributes->takeAt(i).value();
      

      This is unsafe, as the QStringRef returned by value() will reference memory that is part of the QXmlStreamAttribute which gets destroyed at the end of the line due to the takeAt call. This then leads to:

      =================================================================
      ==182832==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f45df6a6c00 at pc 0x5629da4d6295 bp 0x7ffc77b810c0 sp 0x7ffc77b810b0
      READ of size 8 at 0x7f45df6a6c00 thread T0
          #0 0x5629da4d6294 in QString::unicode() const /usr/include/qt/QtCore/qstring.h:1080
          #1 0x5629da4d701d in QStringRef::unicode() const /usr/include/qt/QtCore/qstring.h:1726
          #2 0x5629da4d707d in QStringRef::data() const /usr/include/qt/QtCore/qstring.h:1728
          #3 0x5629da646ea0 in TypeSystemParser::parseInjectCode(QXmlStreamReader const&, StackElement const&, StackElement*, QXmlStreamAttributes*) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:2581
          #4 0x5629da650573 in TypeSystemParser::startElement(QXmlStreamReader const&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:3090
          #5 0x5629da6112b6 in TypeSystemParser::parseXml(QXmlStreamReader&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:663
          #6 0x5629da610df0 in TypeSystemParser::parse(QXmlStreamReader&) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typesystemparser.cpp:640
          #7 0x5629da67b2b9 in TypeDatabase::parseFile(QIODevice*, bool) /home/milian/projects/kdab/qitissue/3rdParty/PySide2/sources/shiboken2/ApiExtractor/typedatabase.cpp:655
      

      The line numbers and head of this message are slightly off, as I was trying to figure out what this is. In an unpatched version it will be `QStringRef::isNull` that triggers this issue.
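      The lifetime problem described above, as an added example that is not code from the shiboken tree: a Qt-free C++ model in which `Attribute` plays the role of QXmlStreamAttribute, `Attributes::takeAt()` returns the removed element by value like QVector::takeAt(), and `std::string_view` stands in for QStringRef (both are non-owning views into storage owned by another object; QStringRef keeps a pointer to the QString it views, and that QString lives inside the temporary returned by takeAt(), which is why the sanitizer reports a stack-use-after-scope in QString::unicode()). All type and function names are assumptions chosen for the example. `takeValueDangling` has the shape of the reported pattern and exists only for comparison; the other two functions show the fixes: keep the taken attribute in a named local so the view stays valid, or copy the value out within the same full expression (the Qt equivalent is `.value().toString()`).

```cpp
// Added example, not part of shiboken: a Qt-free model of the takeAt()/value()
// lifetime bug.  Attribute ~ QXmlStreamAttribute, Attributes ~ QXmlStreamAttributes,
// std::string_view ~ QStringRef.  Names are hypothetical.
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

struct Attribute {
    std::string name;
    std::string value;
    // Like QXmlStreamAttribute::value(): returns a non-owning view into
    // storage owned by this object.  The view dies with the object.
    std::string_view valueRef() const { return value; }
};

struct Attributes {
    std::vector<Attribute> items;

    // Like QVector::takeAt(): removes the element and returns it BY VALUE,
    // so the caller receives a temporary that is destroyed at the end of the
    // full expression in which takeAt() was called.
    Attribute takeAt(std::size_t i) {
        Attribute taken = std::move(items[i]);
        items.erase(items.begin() + static_cast<std::ptrdiff_t>(i));
        return taken;
    }
};

// The pattern the report flags.  The view points into the temporary Attribute,
// which is destroyed at the semicolon; reading `v` afterwards is undefined
// behaviour (ASAN: stack-use-after-scope).  Never call this; it is here only
// to show the shape of the bug next to the fixes below.
std::string_view takeValueDangling(Attributes &attrs, std::size_t i) {
    const std::string_view v = attrs.takeAt(i).valueRef();  // temporary dies here
    return v;                                                // dangling view
}

// Fix 1: bind the taken attribute to a named local.  Views into it are valid
// until that local goes out of scope, so copy out before returning.
std::string takeValueScoped(Attributes &attrs, std::size_t i) {
    const Attribute attribute = attrs.takeAt(i);
    const std::string_view v = attribute.valueRef();  // valid: `attribute` outlives v
    return std::string(v);
}

// Fix 2: copy the value out of the temporary inside the same full expression.
// In Qt terms: attributes->takeAt(i).value().toString().
std::string takeValueCopied(Attributes &attrs, std::size_t i) {
    return std::string(attrs.takeAt(i).valueRef());
}

int main() {
    // Constructed sample input, standing in for attributes of one XML element.
    Attributes attrs{{Attribute{"type", "QString"}, Attribute{"name", "foo"}}};
    std::cout << takeValueScoped(attrs, 0) << '\n';  // QString
    std::cout << takeValueCopied(attrs, 0) << '\n';  // foo
    std::cout << "remaining: " << attrs.items.size() << '\n';  // remaining: 0
    return 0;
}
```

      Both fixes are mechanical rewrites of the `attributes->takeAt(i).value()` lines listed above; the second one is the shorter change where the value is only needed as a QString, the first keeps a QStringRef available for the rest of the block.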

      Attachments


          People

            kleint Friedemann Kleint
            milianw Milian Wolff