QTBUG-88246

[REG 5.15 -> 6.0] heap-use-after-free in QXmlStreamReader


Details

    • 43aaf74f606de6ec97cb3c06c4e6dcee242c01d7 (qt/qtbase/dev)

    Description

      1. Have a build of Qt configured with "-sanitize address".
      2. Use that to build the attached program.
      3. Run the program on the attached input data:
        ./report input.xml
        

        Address sanitizer will report a heap-use-after-free, see below.

      This does not happen with Qt 5.15.

      =================================================================
      ==56265==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000728 at pc 0x000000832a43 bp 0x7ffee1bd69f0 sp 0x7ffee1bd69e8
      READ of size 1 at 0x619000000728 thread T0
          #0 0x832a42 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x832a42)
          #1 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
          #2 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
          #3 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
          #4 0x420e6d in _start (/tmp/fuzzingqt6/build-xml/report+0x420e6d)
      
      0x619000000728 is located 424 bytes inside of 1152-byte region [0x619000000580,0x619000000a00)
      freed by thread T0 here:
          #0 0x4c967d in operator delete[](void*) (/tmp/fuzzingqt6/build-xml/report+0x4c967d)
          #1 0x8769c5 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::rehash(unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x8769c5)
          #2 0x873c01 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873c01)
          #3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
          #4 0x829994 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x829994)
          #5 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
          #6 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
          #7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
      
      previously allocated by thread T0 here:
          #0 0x4c8e2d in operator new[](unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x4c8e2d)
          #1 0x875741 in QHashPrivate::Span<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::addStorage() (/tmp/fuzzingqt6/build-xml/report+0x875741)
          #2 0x873f3f in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873f3f)
          #3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
          #4 0x855448 in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (/tmp/fuzzingqt6/build-xml/report+0x855448)
          #5 0x84faaf in QXmlStreamReader::QXmlStreamReader(QByteArray const&) (/tmp/fuzzingqt6/build-xml/report+0x84faaf)
          #6 0x4cb91b in main (/tmp/fuzzingqt6/build-xml/report+0x4cb91b)
          #7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
      
      SUMMARY: AddressSanitizer: heap-use-after-free (/tmp/fuzzingqt6/build-xml/report+0x832a42) in QXmlStreamReaderPrivate::parse()
      Shadow bytes around the buggy address:
        0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c327fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c327fff80e0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
        0x0c327fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c327fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==56265==ABORTING
      
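The attached main.cpp and input.xml are not reproduced on this page. The block below is an added example, not the attachment and not Qt's code: a self-contained C++ model of the failure mode the trace documents, where the node storage of a hash table (QHash<QStringView, Entity> in the "freed by" stack) is deleted by a rehash triggered from an emplace inside parse() while parse() still holds a reference into that storage. EntityTable, fillToGrowthEdge, expandUnsafe, expandSafe and the entity names are hypothetical; the table is a toy that reallocates its node array on growth, which is the operation the delete[] in the "freed by" stack shows.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>

// Constructed stand-in for the QXmlStreamReaderPrivate::Entity named in the
// trace; not Qt code.
struct Entity {
    std::string name;
    std::string value;
};

// Hypothetical open-addressing hash table. rehash() allocates a new node array
// and delete[]s the old one, the same step the page's "freed by" stack
// attributes to QHashPrivate::Data::rehash(), so every Entity& handed out
// before a growth is left dangling.
class EntityTable {
public:
    EntityTable() : cap_(4), size_(0), nodes_(new Node[cap_]) {}
    ~EntityTable() { delete[] nodes_; }
    EntityTable(const EntityTable&) = delete;
    EntityTable& operator=(const EntityTable&) = delete;

    // Insert or overwrite; grows when the load factor would exceed 1/2.
    Entity& insert(const std::string& name, const std::string& value) {
        if ((size_ + 1) * 2 > cap_) rehash(cap_ * 2);
        Node* n = slot(name);
        if (!n->used) { n->used = true; n->e.name = name; ++size_; }
        n->e.value = value;
        return n->e;
    }
    Entity* find(const std::string& name) {
        Node* n = slot(name);
        return n->used ? &n->e : nullptr;
    }
    // Identity of the current node array; changes exactly when a rehash ran.
    const void* storage() const { return nodes_; }

private:
    struct Node { bool used = false; Entity e; };
    std::size_t cap_;
    std::size_t size_;
    Node* nodes_;

    static std::size_t hash(const std::string& s) {  // FNV-1a, 64-bit
        std::uint64_t h = 14695981039346656037ull;
        for (unsigned char c : s) { h ^= c; h *= 1099511628211ull; }
        return static_cast<std::size_t>(h);
    }
    // Linear probing; terminates because the load factor never exceeds 1/2.
    Node* slot(const std::string& name) const {
        std::size_t i = hash(name) & (cap_ - 1);
        while (nodes_[i].used && nodes_[i].e.name != name) i = (i + 1) & (cap_ - 1);
        return &nodes_[i];
    }
    void rehash(std::size_t newCap) {
        Node* old = nodes_;
        std::size_t oldCap = cap_;
        nodes_ = new Node[newCap];
        cap_ = newCap;
        size_ = 0;
        for (std::size_t i = 0; i < oldCap; ++i) {
            if (!old[i].used) continue;
            Node* n = slot(old[i].e.name);
            n->used = true;
            n->e = std::move(old[i].e);
            ++size_;
        }
        delete[] old;  // every Entity& obtained before this line now dangles
    }
};

// Declare "greeting" plus one filler entity so the very next insert rehashes.
void fillToGrowthEdge(EntityTable& t) {
    t.insert("greeting", "hello");
    t.insert("filler", "x");  // 2 of 4 slots used: the third insert grows
}

// The shape of the bug in the trace: keep a reference into the table, insert
// (which rehashes and frees the old node array), then read through it.
// Deliberately not exercised here; built with -fsanitize=address it reports a
// heap-use-after-free whose "freed by" stack ends in rehash(), as on this page.
std::string expandUnsafe(EntityTable& t) {
    Entity& e = *t.find("greeting");
    t.insert("nested", "world");  // may rehash
    return e.value;               // read through a dangling reference
}

// Hardened form: copy the value out (or look the entry up again) before any
// insert that may grow the table, so no reference is held across the mutation.
std::string expandSafe(EntityTable& t) {
    std::string v = t.find("greeting")->value;
    t.insert("nested", "world");
    return v + " " + t.find("nested")->value;
}

// True if the insert following fillToGrowthEdge() replaced the node array,
// i.e. any Entity& taken before it would now point into freed memory.
bool insertReallocatesStorage() {
    EntityTable t;
    fillToGrowthEdge(t);
    const void* before = t.storage();
    t.insert("nested", "world");
    return t.storage() != before;
}

// Runs the hardened path across the growth and returns its result.
std::string safeExpansionAfterGrowth() {
    EntityTable t;
    fillToGrowthEdge(t);
    return expandSafe(t);
}

int main() {
    std::cout << "rehash on insert: " << (insertReallocatesStorage() ? "yes" : "no") << '\n';
    std::cout << "safe expansion: " << safeExpansionAfterGrowth() << '\n';
    return 0;
}
```

Compile with -fsanitize=address and call expandUnsafe() after fillToGrowthEdge() to get a report of the same shape as the one above: the READ is in the caller, the "freed by" stack ends in the table's rehash, and the "previously allocated by" stack is the table's construction or earlier growth. The general remedy, independent of how the Qt commit referenced above resolves it, is to never hold a reference or iterator into a container across an operation that may grow it: copy the value out first, or look it up again afterwards.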

      Attachments

        1. input.xml
          0.1 kB
        2. main.cpp
          0.3 kB
        3. report.pro
          0.1 kB
          People

            manordheim Mårten Nordheim
            rlohning Robert Löhning
              Gerrit Reviews

                There are no open Gerrit changes