- Bug
- Resolution: Done
- P2: Important
- 5.12
- None
- Ubuntu 18.04
I get this on Ubuntu 18.04 when running any Qt application.
Here's the stack trace from a Qt Quick application:
09:13:15: Starting /home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick...
QML debugging is enabled. Only use this in a safe environment.
=================================================================
==5769==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc74822eac at pc 0x7f3e207cf733 bp 0x7ffc74822320 sp 0x7ffc74821ac8
READ of size 20 at 0x7ffc74822eac thread T0
#0 0x7f3e207cf732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7f3e1749d4c9 in xcb_send_request_with_fds64 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc4c9)
#2 0x7f3e1749d728 in xcb_send_request (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc728)
#3 0x7f3e174a3fb0 in xcb_change_property (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0x12fb0)
#4 0x7f3e13c45802 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1101
#5 0x7f3e13c5fd9c in QXcbWindow::setWindowFlags(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1031
#6 0x7f3e13c64adf in QXcbWindow::create() /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:528
#7 0x7f3e13be8642 in QXcbIntegration::createPlatformWindow(QWindow*) const /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbintegration.cpp:252
#8 0x7f3e1f83fb7d in QWindowPrivate::create(bool, unsigned long long) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:516
#9 0x7f3e1f83ffb6 in QWindow::create() /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:639
#10 0x7f3e1f84350e in QWindowPrivate::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:352
#11 0x7f3e1f8214b7 in QWindow::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:612
#12 0x7f3e1f83f794 in QWindow::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) .moc/moc_qwindow.cpp:601
#13 0x7f3e1ed4d6e9 in QQmlPropertyData::writeProperty(QObject*, void*, QFlags<QQmlPropertyData::WriteFlag>) const /home/mitch/dev/qt5.12-debug/qtbase/include/QtQml/5.12.0/QtQml/private/../../../../../../../qt5.12/qtdeclarative/src/qml/qml/qqmlpropertycache_p.h:346
#14 0x7f3e1ef7ee40 in QQmlObjectCreator::setPropertyValue(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:565
#15 0x7f3e1ef8a333 in QQmlObjectCreator::setPropertyBinding(QQmlPropertyData const*, QV4::CompiledData::Binding const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1086
#16 0x7f3e1ef93907 in QQmlObjectCreator::setupBindings(bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:777
#17 0x7f3e1ef95e68 in QQmlObjectCreator::populateInstance(int, QObject*, QObject*, QQmlPropertyData const*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1461
#18 0x7f3e1ef888b2 in QQmlObjectCreator::createInstance(int, QObject*, bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:1299
#19 0x7f3e1ef97124 in QQmlObjectCreator::create(int, QObject*, QQmlInstantiationInterrupt*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlobjectcreator.cpp:203
#20 0x7f3e1ed5d998 in QQmlComponentPrivate::beginCreate(QQmlContextData*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:871
#21 0x7f3e1ed5e601 in QQmlComponent::beginCreate(QQmlContext*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:823
#22 0x7f3e1ed53ccf in QQmlComponent::create(QQmlContext*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlcomponent.cpp:783
#23 0x7f3e1ef49cf2 in QQmlApplicationEnginePrivate::finishLoad(QQmlComponent*) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:134
#24 0x7f3e1ef4a665 in QQmlApplicationEnginePrivate::startLoad(QUrl const&, QByteArray const&, bool) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:118
#25 0x7f3e1ef4a7a7 in QQmlApplicationEngine::load(QUrl const&) /home/mitch/dev/qt5.12/qtdeclarative/src/qml/qml/qqmlapplicationengine.cpp:259
#26 0x55667fba9c59 in main ../quick/main.cpp:12
#27 0x7f3e1c902b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#28 0x55667fba9a09 in _start (/home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick+0x1a09)
Address 0x7ffc74822eac is located in stack of thread T0 at offset 2604 in frame
#0 0x7f3e13c43f09 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1038
This frame has 41 object(s):
[32, 36) '<unknown>'
[96, 100) '<unknown>'
[160, 164) 'defaultFlags'
[224, 228) '<unknown>'
[288, 292) '<unknown>'
[352, 356) '<unknown>'
[416, 420) '<unknown>'
[480, 484) '<unknown>'
[544, 548) '<unknown>'
[608, 612) '<unknown>'
[672, 676) '<unknown>'
[736, 740) '<unknown>'
[800, 804) '<unknown>'
[864, 868) '<unknown>'
[928, 932) '<unknown>'
[992, 996) '<unknown>'
[1056, 1060) '<unknown>'
[1120, 1124) '<unknown>'
[1184, 1188) '<unknown>'
[1248, 1252) '<unknown>'
[1312, 1316) '<unknown>'
[1376, 1380) '<unknown>'
[1440, 1444) '<unknown>'
[1504, 1508) '<unknown>'
[1568, 1572) '<unknown>'
[1632, 1636) '<unknown>'
[1696, 1700) '<unknown>'
[1760, 1764) '<unknown>'
[1824, 1828) '<unknown>'
[1888, 1892) '<unknown>'
[1952, 1956) '<unknown>'
[2016, 2020) '<unknown>'
[2080, 2084) '<unknown>'
[2144, 2148) '<unknown>'
[2208, 2212) '<unknown>'
[2272, 2276) '<unknown>'
[2336, 2340) '<unknown>'
[2400, 2404) '<unknown>'
[2464, 2468) '<unknown>'
[2528, 2532) '<unknown>'
[2592, 2604) 'mwmhints' <== Memory access at offset 2604 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x10000e8fc580: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10000e8fc590: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10000e8fc5a0: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10000e8fc5b0: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
0x10000e8fc5c0: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
=>0x10000e8fc5d0: f2 f2 f2 f2 00[04]f2 f2 00 00 00 00 00 00 00 00
0x10000e8fc5e0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2
0x10000e8fc5f0: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2
0x10000e8fc600: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
0x10000e8fc610: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
0x10000e8fc620: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 f8 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5769==ABORTING
09:13:16: /home/mitch/dev/temp/quick-qt5_12_debug-Debug/quick exited with code 1
Widget application:
09:15:30: Starting /home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets...
=================================================================
==6136==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff498baec at pc 0x7fb5e3f12733 bp 0x7ffff498af60 sp 0x7ffff498a708
READ of size 20 at 0x7ffff498baec thread T0
#0 0x7fb5e3f12732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7fb5db0064c9 in xcb_send_request_with_fds64 (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc4c9)
#2 0x7fb5db006728 in xcb_send_request (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xc728)
#3 0x7fb5db00cfb0 in xcb_change_property (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0x12fb0)
#4 0x7fb5d77ae802 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1101
#5 0x7fb5d77c8d9c in QXcbWindow::setWindowFlags(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1031
#6 0x7fb5d77cdadf in QXcbWindow::create() /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:528
#7 0x7fb5d7751642 in QXcbIntegration::createPlatformWindow(QWindow*) const /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbintegration.cpp:252
#8 0x7fb5df6d1b7d in QWindowPrivate::create(bool, unsigned long long) /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:516
#9 0x7fb5df6d1fb6 in QWindow::create() /home/mitch/dev/qt5.12/qtbase/src/gui/kernel/qwindow.cpp:639
#10 0x7fb5e2b772b5 in QWidgetPrivate::create_sys(unsigned long long, bool, bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:1483
#11 0x7fb5e2b78ba5 in QWidget::create(unsigned long long, bool, bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:1337
#12 0x7fb5e2bb52e3 in QWidget::setVisible(bool) /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:8271
#13 0x7fb5e2ba5b0b in QWidget::show() /home/mitch/dev/qt5.12/qtbase/src/widgets/kernel/qwidget.cpp:7874
#14 0x55718c1dd26a in main ../widgets/main.cpp:8
#15 0x7fb5e0fd2b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#16 0x55718c1dd099 in _start (/home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets+0x4099)
Address 0x7ffff498baec is located in stack of thread T0 at offset 2604 in frame
#0 0x7fb5d77acf09 in QXcbWindow::setMotifWmHints(QFlags<Qt::WindowType>) /home/mitch/dev/qt5.12/qtbase/src/plugins/platforms/xcb/qxcbwindow.cpp:1038
This frame has 41 object(s):
[32, 36) '<unknown>'
[96, 100) '<unknown>'
[160, 164) 'defaultFlags'
[224, 228) '<unknown>'
[288, 292) '<unknown>'
[352, 356) '<unknown>'
[416, 420) '<unknown>'
[480, 484) '<unknown>'
[544, 548) '<unknown>'
[608, 612) '<unknown>'
[672, 676) '<unknown>'
[736, 740) '<unknown>'
[800, 804) '<unknown>'
[864, 868) '<unknown>'
[928, 932) '<unknown>'
[992, 996) '<unknown>'
[1056, 1060) '<unknown>'
[1120, 1124) '<unknown>'
[1184, 1188) '<unknown>'
[1248, 1252) '<unknown>'
[1312, 1316) '<unknown>'
[1376, 1380) '<unknown>'
[1440, 1444) '<unknown>'
[1504, 1508) '<unknown>'
[1568, 1572) '<unknown>'
[1632, 1636) '<unknown>'
[1696, 1700) '<unknown>'
[1760, 1764) '<unknown>'
[1824, 1828) '<unknown>'
[1888, 1892) '<unknown>'
[1952, 1956) '<unknown>'
[2016, 2020) '<unknown>'
[2080, 2084) '<unknown>'
[2144, 2148) '<unknown>'
[2208, 2212) '<unknown>'
[2272, 2276) '<unknown>'
[2336, 2340) '<unknown>'
[2400, 2404) '<unknown>'
[2464, 2468) '<unknown>'
[2528, 2532) '<unknown>'
[2592, 2604) 'mwmhints' <== Memory access at offset 2604 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x10007e929700: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10007e929710: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10007e929720: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2
0x10007e929730: f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
0x10007e929740: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2
=>0x10007e929750: f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 00[04]f2 f2
0x10007e929760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007e929770: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 f8 f2
0x10007e929780: f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 04 f2
0x10007e929790: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
0x10007e9297a0: f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2 04 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6136==ABORTING
09:15:30: /home/mitch/dev/temp/widgets-qt5_12_debug-Debug/widgets exited with code 1
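Reading the two reports together: both end at the same spot. xcb_change_property() is called from QXcbWindow::setMotifWmHints (qxcbwindow.cpp:1101) with a pointer to the stack object mwmhints; libxcb queues that memory for writev(), and the read is range-checked by AddressSanitizer's interceptor (the unsymbolised frame #0 inside libasan.so). ASan reports a READ of size 20, which is what an X11 property of format 32 with 5 elements implies, while its frame description gives mwmhints only 12 bytes ([2592, 2604)); the shadow line 00[04] shows the same 8 + 4 = 12 addressable bytes, and the address ASan quotes is the first byte past the object. The report records the symptom only: whether the hints object really is 12 bytes or ASan has misdescribed the frame cannot be settled from this output, so the first thing to check in the source is sizeof of the hints struct against the format and data_len arguments passed. The C program below is an added illustration, not Qt or libxcb code: motif_wm_hints, xcb_property_payload_bytes, change_property_checked, fake_send and the two demo functions are hypothetical names, and fake_send stands in for the writev path. It shows the byte arithmetic behind the report and the pre-send size check that turns a 20-byte over-read into a refused call.

```c
/* Added example (not Qt or libxcb code): the size arithmetic behind an
 * ASan "READ of size 20" from xcb_change_property(), and the check a caller
 * can make before handing a stack object to it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* _MOTIF_WM_HINTS is five 32-bit fields (CARD32 on the wire), 20 bytes.
 * Hypothetical name; this is not the struct from qxcbwindow.cpp. */
struct motif_wm_hints {
    uint32_t flags;
    uint32_t functions;
    uint32_t decorations;
    int32_t  input_mode;
    uint32_t status;
};
_Static_assert(sizeof(struct motif_wm_hints) == 5 * sizeof(uint32_t),
               "_MOTIF_WM_HINTS payload must be exactly five 32-bit words");

/* Bytes xcb_change_property() reads from `data` for a given format and
 * element count: data_len elements of format/8 bytes each.  X11 property
 * formats are 8, 16 or 32; anything else yields 0 so callers can refuse it. */
size_t xcb_property_payload_bytes(uint8_t format, uint32_t data_len)
{
    if (format != 8 && format != 16 && format != 32)
        return 0;
    return (size_t)data_len * (format / 8u);
}

/* Stand-in for the transport.  libxcb queues an iovec over `data` that
 * writev() later reads; ASan's writev interceptor is what range-checks it.
 * Here the payload is simply copied into a wire buffer. */
static size_t fake_send(uint8_t *wire, size_t wire_cap, const void *data, size_t len)
{
    if (len > wire_cap)
        return 0;
    memcpy(wire, data, len);
    return len;
}

/* The pre-send check: the (format, data_len) pair the caller declares
 * must not exceed the size of the object it points at.  Returns bytes
 * queued, or 0 when the call would over-read `data`. */
size_t change_property_checked(uint8_t *wire, size_t wire_cap,
                               uint8_t format, uint32_t data_len,
                               const void *data, size_t data_size)
{
    size_t need = xcb_property_payload_bytes(format, data_len);
    if (need == 0 || need > data_size) {
        fprintf(stderr, "refusing property write: format %u x %u elements = %zu bytes, "
                        "but the object is only %zu bytes\n",
                (unsigned)format, (unsigned)data_len, need, data_size);
        return 0;
    }
    return fake_send(wire, wire_cap, data, need);
}

/* Correct call: 5 x 32-bit elements over a 20-byte struct.  Returns 20. */
size_t demo_full_struct(void)
{
    uint8_t wire[64];
    struct motif_wm_hints hints = { .flags = 1u << 1, .decorations = 1 };
    return change_property_checked(wire, sizeof wire, 32, 5, &hints, sizeof hints);
}

/* The shape of the report above: a 20-byte read declared over a 12-byte
 * stack object, modelled with a three-word array (constructed input).
 * Returns 0 (refused) instead of reading 8 bytes past the object. */
size_t demo_short_object(void)
{
    uint8_t wire[64];
    uint32_t three_words[3] = { 1u << 1, 0, 1 };
    return change_property_checked(wire, sizeof wire, 32, 5, three_words, sizeof three_words);
}

int main(void)
{
    printf("full struct:  %zu bytes queued\n", demo_full_struct());
    printf("short object: %zu bytes queued\n", demo_short_object());
    return 0;
}
```

Without the check, the second call is exactly what the sanitizer flags: the transport reads format/8 * data_len bytes regardless of how large the pointed-to object is, and under ASan the first byte past the object becomes the address in the report. When auditing a call site, compare sizeof the object against that product rather than trusting the element count.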