
[REG: 6.7 -> 6.8] Use after free in QTimeZone


Details

    • Linux/X11
    • 25
    • 4fabde349 (dev), 334a3922c (6.8), 65093a84c (dev), dce6ef8fa (6.8)
    • Foundation Sprint 117, Foundation Sprint 118

    Description

      The attached example triggers a use-after-free here:

      ==405873==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000033390 at pc 0x74c0c0e944b5 bp 0x74c0b91fed40 sp 0x74c0b91fe4e8
      READ of size 15 at 0x606000033390 thread T1 (QThread)
          #0 0x74c0c0e944b4 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:861
          #1 0x74c0c0e94bc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
          #2 0x74c0c0e94bc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
          #3 0x74c0c09821de in comparesEqual(QByteArrayView const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearrayview.h:356
          #4 0x74c0c09821de in operator==(QByteArrayView const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearrayview.h:364
          #5 0x74c0c09821de in comparesEqual(QByteArray const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearray.h:516
          #6 0x74c0c09821de in operator==(QByteArray const&, QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearray.h:523
          #7 0x74c0c09821de in bool qHashEquals<QByteArray>(QByteArray const&, QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/tools/qhashfunctions.h:281
          #8 0x74c0c09821de in QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::Bucket QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::findBucket<QByteArray>(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:696
          #9 0x74c0c0981397 in QHashPrivate::Node<QByteArray, QTzTimeZone>* QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::findNode<QByteArray>(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:705
          #10 0x74c0c0981397 in QHash<QByteArray, QTzTimeZone>::contains(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:1015
          #11 0x74c0c0981397 in QTzTimeZonePrivate::isTimeZoneIdAvailable(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:1241
          #12 0x74c0c0981397 in QTzTimeZonePrivate::QTzTimeZonePrivate(QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:993
          #13 0x74c0c08a2e17 in newBackendTimeZone /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:49
          #14 0x74c0c08a2e17 in QTimeZone::QTimeZone(QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:464
          #15 0x74c0c08a3099 in QTimeZone::systemTimeZone() /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:1422
          #16 0x74c0c08a5482 in QTimeZone::displayName(QDateTime const&, QTimeZone::NameType, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:946
          #17 0x74c0c0855d49 in operator() /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:3692
          #18 0x74c0c0855d49 in QCalendarBackend::dateTimeToString(QStringView, QDateTime const&, QDate, QTime, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:3724
          #19 0x74c0c088f346 in QCalendar::dateTimeToString(QStringView, QDateTime const&, QDate, QTime, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/time/qcalendar.cpp:1668
          #20 0x74c0c084b638 in QLocale::toString(QDateTime const&, QStringView, QCalendar) const /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:2256
          #21 0x74c0c0898ea1 in QDateTime::toString(QString const&) const /home/qt/work/qt/qtbase/src/corelib/time/qdatetime.cpp:4741
          #22 0x74c0c06fe620 in formatLogMessage /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:1677
          #23 0x74c0c06ff23e in qDefaultMessageHandler /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2032
          #24 0x74c0c06fa50a in qt_message_print /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2082
          #25 0x74c0c06ff81e in qt_message_output(QtMsgType, QMessageLogContext const&, QString const&) /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2125
          #26 0x74c0c0710f3d in QDebug::~QDebug() /home/qt/work/qt/qtbase/src/corelib/io/qdebug.cpp:162
          #27 0x74c0c07d1d7b in QObject::deleteLater() /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:2490
          #28 0x6432e74aa33d in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}::operator()() const /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:152
          #29 0x6432e74aa844 in void QtPrivate::FunctorCallBase::call_internal<void, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}>(void**, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}&&) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:65
          #30 0x6432e74aa50f in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:151
          #31 0x6432e74a9fe9 in void QtPrivate::FunctionPointer<void (QObject::*)()>::call<QtPrivate::List<>, void>(void (QObject::*)(), QObject*, void**) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:199
          #32 0x6432e74a9d01 in QtPrivate::QCallableObject<void (QObject::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:570
          #33 0x74c0c07de217 in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobjectdefs_impl.h:486
          #34 0x74c0c07de217 in void doActivate<false>(QObject*, int, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:4120
          #35 0x74c0c088b700 in QThread::finished(QThread::QPrivateSignal) /home/qt/work/qt/qtbase_build/src/corelib/Core_autogen/include/moc_qthread.cpp:201
          #36 0x74c0c0929320 in terminate_on_exception<QThreadPrivate::finish(void*)::<lambda()> > /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:361
          #37 0x74c0c0929666 in QThreadPrivate::finish(void*) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:344
          #38 0x74c0c0929666 in operator() /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:293
          #39 0x74c0c0929666 in ~QScopeGuard /home/qt/work/qt/qtbase/src/corelib/tools/qscopeguard.h:41
          #40 0x74c0c0929666 in ~QScopeGuard /home/qt/work/qt/qtbase/src/corelib/tools/qscopeguard.h:38
          #41 0x74c0bfe45d9e in __GI___call_tls_dtors stdlib/cxa_thread_atexit_impl.c:159
          #42 0x74c0bfe94944 in start_thread nptl/pthread_create.c:450
          #43 0x74c0bff2684f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
      
      0x606000033390 is located 16 bytes inside of 63-byte region [0x606000033380,0x6060000333bf)
      freed by thread T1 (QThread) here:
      ==405873==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cpp:177 "((res.trace)) != (0)" (0x0, 0x0)
          #0 0x74c0c0ebd9a8 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cpp:74
          #1 0x74c0c0ede32e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:78
          #2 0x74c0c0e2d33c in GetStackTraceFromId ../../../../src/libsanitizer/asan/asan_descriptions.cpp:177
          #3 0x74c0c0e2ef9a in __asan::HeapAddressDescription::Print() const ../../../../src/libsanitizer/asan/asan_descriptions.cpp:425
          #4 0x74c0c0e326d3 in __asan::AddressDescription::Print(char const*) const ../../../../src/libsanitizer/asan/asan_descriptions.h:234
          #5 0x74c0c0e326d3 in __asan::ErrorGeneric::Print() ../../../../src/libsanitizer/asan/asan_errors.cpp:591
          #6 0x74c0c0ebd787 in __asan::ScopedInErrorReport::~ScopedInErrorReport() ../../../../src/libsanitizer/asan/asan_report.cpp:141
          #7 0x74c0c0ebd014 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cpp:478
          #8 0x74c0c0e944d7 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:861
          #9 0x74c0c0e94bc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
          #10 0x74c0c0e94bc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
          #11 0x74c0c09821de in comparesEqual(QByteArrayView const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearrayview.h:356
          #12 0x74c0c09821de in operator==(QByteArrayView const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearrayview.h:364
          #13 0x74c0c09821de in comparesEqual(QByteArray const&, QByteArrayView const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearray.h:516
          #14 0x74c0c09821de in operator==(QByteArray const&, QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/text/qbytearray.h:523
          #15 0x74c0c09821de in bool qHashEquals<QByteArray>(QByteArray const&, QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/tools/qhashfunctions.h:281
          #16 0x74c0c09821de in QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::Bucket QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::findBucket<QByteArray>(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:696
          #17 0x74c0c0981397 in QHashPrivate::Node<QByteArray, QTzTimeZone>* QHashPrivate::Data<QHashPrivate::Node<QByteArray, QTzTimeZone> >::findNode<QByteArray>(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:705
          #18 0x74c0c0981397 in QHash<QByteArray, QTzTimeZone>::contains(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/tools/qhash.h:1015
          #19 0x74c0c0981397 in QTzTimeZonePrivate::isTimeZoneIdAvailable(QByteArray const&) const /home/qt/work/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:1241
          #20 0x74c0c0981397 in QTzTimeZonePrivate::QTzTimeZonePrivate(QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/time/qtimezoneprivate_tz.cpp:993
          #21 0x74c0c08a2e17 in newBackendTimeZone /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:49
          #22 0x74c0c08a2e17 in QTimeZone::QTimeZone(QByteArray const&) /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:464
          #23 0x74c0c08a3099 in QTimeZone::systemTimeZone() /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:1422
          #24 0x74c0c08a5482 in QTimeZone::displayName(QDateTime const&, QTimeZone::NameType, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/time/qtimezone.cpp:946
          #25 0x74c0c0855d49 in operator() /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:3692
          #26 0x74c0c0855d49 in QCalendarBackend::dateTimeToString(QStringView, QDateTime const&, QDate, QTime, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:3724
          #27 0x74c0c088f346 in QCalendar::dateTimeToString(QStringView, QDateTime const&, QDate, QTime, QLocale const&) const /home/qt/work/qt/qtbase/src/corelib/time/qcalendar.cpp:1668
          #28 0x74c0c084b638 in QLocale::toString(QDateTime const&, QStringView, QCalendar) const /home/qt/work/qt/qtbase/src/corelib/text/qlocale.cpp:2256
          #29 0x74c0c0898ea1 in QDateTime::toString(QString const&) const /home/qt/work/qt/qtbase/src/corelib/time/qdatetime.cpp:4741
          #30 0x74c0c06fe620 in formatLogMessage /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:1677
          #31 0x74c0c06ff23e in qDefaultMessageHandler /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2032
          #32 0x74c0c06fa50a in qt_message_print /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2082
          #33 0x74c0c06ff81e in qt_message_output(QtMsgType, QMessageLogContext const&, QString const&) /home/qt/work/qt/qtbase/src/corelib/global/qlogging.cpp:2125
          #34 0x74c0c0710f3d in QDebug::~QDebug() /home/qt/work/qt/qtbase/src/corelib/io/qdebug.cpp:162
          #35 0x74c0c07d1d7b in QObject::deleteLater() /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:2490
          #36 0x6432e74aa33d in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}::operator()() const /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:152
          #37 0x6432e74aa844 in void QtPrivate::FunctorCallBase::call_internal<void, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}>(void**, QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**)::{lambda()#1}&&) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:65
          #38 0x6432e74aa50f in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QObject::*)()>::call(void (QObject::*)(), QObject*, void**) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:151
          #39 0x6432e74a9fe9 in void QtPrivate::FunctionPointer<void (QObject::*)()>::call<QtPrivate::List<>, void>(void (QObject::*)(), QObject*, void**) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:199
          #40 0x6432e74a9d01 in QtPrivate::QCallableObject<void (QObject::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /home/user/Qt/6.8.0/gcc_64/include/QtCore/qobjectdefs_impl.h:570
          #41 0x74c0c07de217 in QtPrivate::QSlotObjectBase::call(QObject*, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobjectdefs_impl.h:486
          #42 0x74c0c07de217 in void doActivate<false>(QObject*, int, void**) /home/qt/work/qt/qtbase/src/corelib/kernel/qobject.cpp:4120
          #43 0x74c0c088b700 in QThread::finished(QThread::QPrivateSignal) /home/qt/work/qt/qtbase_build/src/corelib/Core_autogen/include/moc_qthread.cpp:201
          #44 0x74c0c0929320 in terminate_on_exception<QThreadPrivate::finish(void*)::<lambda()> > /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:361
          #45 0x74c0c0929666 in QThreadPrivate::finish(void*) /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:344
          #46 0x74c0c0929666 in operator() /home/qt/work/qt/qtbase/src/corelib/thread/qthread_unix.cpp:293
          #47 0x74c0c0929666 in ~QScopeGuard /home/qt/work/qt/qtbase/src/corelib/tools/qscopeguard.h:41
          #48 0x74c0c0929666 in ~QScopeGuard /home/qt/work/qt/qtbase/src/corelib/tools/qscopeguard.h:38
          #49 0x74c0bfe45d9e in __GI___call_tls_dtors stdlib/cxa_thread_atexit_impl.c:159
          #50 0x74c0bfe94944 in start_thread nptl/pthread_create.c:450
          #51 0x74c0bff2684f  (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
      

            People

              thiago Thiago Macieira
              poikelin Joni Poikelin
              Vladimir Minenko Vladimir Minenko
              Alex Blasche Alex Blasche