  1. Qt
  2. QTBUG-115254

[ASAN] Potential data race in QNAM + SSL/OpenSSL

Details

    • Bug
    • Resolution: Incomplete
    • P2: Important
    • None
    • dev
    • Network: HTTP, Network: SSL
    • None

    Description

      ASAN complains about a double-delete of the SSL_CTX:

      Totals: 46 passed, 0 failed, 0 skipped, 0 blacklisted, 15166ms
      ********* Finished testing of tst_Http2 *********
      =================================================================
      ==472904==ERROR: AddressSanitizer: attempting double-free on 0x60200014d4f0 in thread T45 (QNetworkAccessM):
          #0 0x7ffbabaab4d7 in __interceptor_free ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
          #1 0x7ffb9a34f23a in CRYPTO_free crypto/mem.c:277
          #2 0x7ffb9a34e93d in init_thread_destructor crypto/initthread.c:199
          #3 0x7ffb9b7c75a0 in __nptl_deallocate_tsd /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:301
          #4 0x7ffb9b7c8629 in __nptl_deallocate_tsd /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:256
          #5 0x7ffb9b7c8629 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:488
          #6 0x7ffb9a9fa132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
      
      0x60200014d4f0 is located 0 bytes inside of 8-byte region [0x60200014d4f0,0x60200014d4f8)
      freed by thread T0 here:
          #0 0x7ffbabaab4d7 in __interceptor_free ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
          #1 0x7ffb9a34f23a in CRYPTO_free crypto/mem.c:277
          #2 0x7ffb9a34edc3 in init_thread_deregister crypto/initthread.c:444
          #3 0x7ffb9a34e984 in ossl_cleanup_thread crypto/initthread.c:213
          #4 0x7ffb9a34deb7 in OPENSSL_cleanup crypto/init.c:433
          #5 0x7ffb9a9218a6 in __run_exit_handlers /build/glibc-SzIz7B/glibc-2.31/stdlib/exit.c:108
      
      previously allocated by thread T45 (QNetworkAccessM) here:
          #0 0x7ffbabaab7cf in __interceptor_malloc ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x7ffb9a34ef9e in CRYPTO_malloc crypto/mem.c:196
          #2 0x7ffb9a34f028 in CRYPTO_zalloc crypto/mem.c:216
          #3 0x7ffb9a34e71f in init_get_thread_local crypto/initthread.c:101
          #4 0x7ffb9a34ebdb in ossl_init_thread_start crypto/initthread.c:371
          #5 0x7ffb9a2e184a in ossl_err_get_state_int crypto/err/err.c:699
          #6 0x7ffb9a2e2bab in ERR_set_mark crypto/err/err_mark.c:19
          #7 0x7ffb9a704535 in ssl_evp_cipher_fetch ssl/ssl_lib.c:6937
          #8 0x7ffb9a6ede9f in ssl_load_ciphers ssl/ssl_ciph.c:333
          #9 0x7ffb9a6fd513 in SSL_CTX_new_ex ssl/ssl_lib.c:3805
          #10 0x7ffb9a6fda5f in SSL_CTX_new ssl/ssl_lib.c:3973
          #11 0x7ffb92c819b9 in q_SSL_CTX_new(ssl_method_st const*) /home/marc/Qt/qtbase-submit/src/plugins/tls/openssl/qsslsocket_openssl_symbols.cpp:283
          #12 0x7ffb92c819b9 in QSslContext::initSslContext(QSslContext*, QSslSocket::SslMode, QSslConfiguration const&, bool) /home/marc/Qt/qtbase-submit/src/plugins/tls/openssl/qsslcontext_openssl.cpp:354
          #13 0x7ffb92c8d831 in QSslContext::sharedFromConfiguration(QSslSocket::SslMode, QSslConfiguration const&, bool) /home/marc/Qt/qtbase-submit/src/plugins/tls/openssl/qsslcontext_openssl.cpp:144
          #14 0x7ffb92c9d185 in QTlsPrivate::TlsCryptographOpenSSL::initSslContext() /home/marc/Qt/qtbase-submit/src/plugins/tls/openssl/qtls_openssl.cpp:1373
          #15 0x7ffb92d4af98 in QTlsPrivate::TlsCryptographOpenSSL::startClientEncryption() /home/marc/Qt/qtbase-submit/src/plugins/tls/openssl/qtls_openssl.cpp:514
          #16 0x7ffba8675192 in QSslSocketPrivate::startClientEncryption() /home/marc/Qt/qtbase-submit/src/network/ssl/qsslsocket.cpp:2858
          #17 0x7ffba89eec62 in QSslSocket::startClientEncryption() /home/marc/Qt/qtbase-submit/src/network/ssl/qsslsocket.cpp:1713
          #18 0x7ffba89f74b0 in QSslSocketPrivate::_q_connectedSlot() /home/marc/Qt/qtbase-submit/src/network/ssl/qsslsocket.cpp:2463
          #19 0x7ffba89fe79c in QSslSocket::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/marc/Qt/qtbase-submit-build/src/network/Network_autogen/include/moc_qsslsocket.cpp:266
          #20 0x7ffba1e21a78 in void doActivate<false>(QObject*, int, void**) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qobject.cpp:3989
          #21 0x7ffba18d3aeb in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qobject.cpp:4037
          #22 0x7ffba837771d in QAbstractSocket::connected() /home/marc/Qt/qtbase-submit-build/src/network/Network_autogen/include/moc_qabstractsocket.cpp:384
          #23 0x7ffba851fafa in QAbstractSocketPrivate::fetchConnectionParameters() /home/marc/Qt/qtbase-submit/src/network/socket/qabstractsocket.cpp:1272
          #24 0x7ffba8b8dce2 in QAbstractSocketPrivate::_q_testConnection() /home/marc/Qt/qtbase-submit/src/network/socket/qabstractsocket.cpp:1085
          #25 0x7ffba8b8e662 in non-virtual thunk to QAbstractSocketPrivate::connectionNotification() (/home/marc/Qt/qtbase-submit-build/lib/libQt6Network.so.6+0x1e4b662)
          #26 0x7ffba851b243 in QAbstractSocketEngine::connectionNotification() /home/marc/Qt/qtbase-submit/src/network/socket/qabstractsocketengine.cpp:144
          #27 0x7ffba852739e in QNativeSocketEngine::connectionNotification() /home/marc/Qt/qtbase-submit/src/network/socket/qnativesocketengine.cpp:597
          #28 0x7ffba8e25915 in QWriteNotifier::event(QEvent*) /home/marc/Qt/qtbase-submit/src/network/socket/qnativesocketengine.cpp:1271
          #29 0x7ffba8e25915 in QWriteNotifier::event(QEvent*) /home/marc/Qt/qtbase-submit/src/network/socket/qnativesocketengine.cpp:1267
          #30 0x7ffba0e64c62 in QCoreApplicationPrivate::notify_helper(QObject*, QEvent*) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qcoreapplication.cpp:1285
          #31 0x7ffba0e65f3e in doNotify /home/marc/Qt/qtbase-submit/src/corelib/kernel/qcoreapplication.cpp:1214
          #32 0x7ffba0e65f3e in QCoreApplication::notify(QObject*, QEvent*) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qcoreapplication.cpp:1197
          #33 0x7ffba0e65f3e in QCoreApplication::notifyInternal2(QObject*, QEvent*) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qcoreapplication.cpp:1118
      
      Thread T45 (QNetworkAccessM) created by T0 here:
          #0 0x7ffbaba53716 in __interceptor_pthread_create ../../../../gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x7ffb9fb82491 in QThread::start(QThread::Priority) /home/marc/Qt/qtbase-submit/src/corelib/thread/qthread_unix.cpp:721
          #2 0x7ffba8458b70 in QNetworkAccessManagerPrivate::createThread() /home/marc/Qt/qtbase-submit/src/network/access/qnetworkaccessmanager.cpp:1626
          #3 0x7ffba8c9eb2c in QNetworkReplyHttpImplPrivate::postRequest(QNetworkRequest const&) /home/marc/Qt/qtbase-submit/src/network/access/qnetworkreplyhttpimpl.cpp:631
          #4 0x7ffba8cadd4a in QNetworkReplyHttpImplPrivate::_q_startOperation() /home/marc/Qt/qtbase-submit/src/network/access/qnetworkreplyhttpimpl.cpp:1868
          #5 0x7ffba8cafe90 in QNetworkReplyHttpImpl::QNetworkReplyHttpImpl(QNetworkAccessManager*, QNetworkRequest const&, QNetworkAccessManager::Operation&, QIODevice*) /home/marc/Qt/qtbase-submit/src/network/access/qnetworkreplyhttpimpl.cpp:215
          #6 0x7ffba8e0dfd8 in QNetworkAccessManager::createRequest(QNetworkAccessManager::Operation, QNetworkRequest const&, QIODevice*) /home/marc/Qt/qtbase-submit/src/network/access/qnetworkaccessmanager.cpp:1240
          #7 0x7ffba8456da1 in QNetworkAccessManager::get(QNetworkRequest const&) /home/marc/Qt/qtbase-submit/src/network/access/qnetworkaccessmanager.cpp:779
          #8 0x55c6052bc66a in tst_Http2::trailingHEADERS() /home/marc/Qt/qtbase-submit/tests/auto/network/access/http2/tst_http2.cpp:1305
          #9 0x55c6053002fe in tst_Http2::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/marc/Qt/qtbase-submit-build/tests/auto/network/access/http2/tst_http2_autogen/include/tst_http2.moc:305
          #10 0x55c605301d31 in tst_Http2::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) /home/marc/Qt/qtbase-submit-build/tests/auto/network/access/http2/tst_http2_autogen/include/tst_http2.moc:275
          #11 0x7ffba156e0b4 in QMetaMethodInvoker::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qmetaobject.cpp:2713
          #12 0x7ffba157d8ca in QMetaMethod::invokeImpl(QMetaMethod, void*, Qt::ConnectionType, long long, void const* const*, char const* const*, QtPrivate::QMetaTypeInterface const* const*) /home/marc/Qt/qtbase-submit/src/corelib/kernel/qmetaobject.cpp:2552
          #13 0x7ffbab430d6f in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType, QMetaMethodReturnArgument) const /home/marc/Qt/qtbase-submit-build/include/QtCore/../../../qtbase-submit/src/corelib/kernel/qmetaobject.h:148
          #14 0x7ffbab430d6f in std::enable_if<!std::disjunction<>::value, bool>::type QMetaMethod::invoke<>(QObject*, Qt::ConnectionType) const /home/marc/Qt/qtbase-submit-build/include/QtCore/../../../qtbase-submit/src/corelib/kernel/qmetaobject.h:160
          #15 0x7ffbab430d6f in QTest::TestMethods::invokeTestOnData(int) const /home/marc/Qt/qtbase-submit/src/testlib/qtestcase.cpp:1134
          #16 0x7ffbab43a43e in QTest::TestMethods::invokeTest(int, QLatin1String, QTest::WatchDog*) const /home/marc/Qt/qtbase-submit/src/testlib/qtestcase.cpp:1426
          #17 0x7ffbab43d9fb in QTest::TestMethods::invokeTests(QObject*) const /home/marc/Qt/qtbase-submit/src/testlib/qtestcase.cpp:1752
          #18 0x7ffbab48902c in QTest::qRun() /home/marc/Qt/qtbase-submit/src/testlib/qtestcase.cpp:2365
          #19 0x7ffbab48c553 in QTest::qExec(QObject*, int, char**) /home/marc/Qt/qtbase-submit/src/testlib/qtestcase.cpp:2251
          #20 0x55c6051b0d7b in main /home/marc/Qt/qtbase-submit/tests/auto/network/access/http2/tst_http2.cpp:1525
          #21 0x7ffb9a8ff082 in __libc_start_main ../csu/libc-start.c:308
      
      SUMMARY: AddressSanitizer: double-free ../../../../gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 in __interceptor_free
      ==472904==ABORTING
      

      Maybe it's just tst_Http2, but maybe we have a deeper problem.

          People

            manordheim Mårten Nordheim
            mmutz Marc Mutz
            Vladimir Minenko Vladimir Minenko
            Alex Blasche Alex Blasche