Details
-
Bug
-
Resolution: Done
-
P1: Critical
-
6.0.0 Beta4
-
Ubuntu 20.04 LTS 64 bit
clang 10.0.0
Built using qmake
-
43aaf74f606de6ec97cb3c06c4e6dcee242c01d7 (qt/qtbase/dev)
Description
- Have a build of Qt configured with "-sanitize address".
- Use that to build the attached program.
- Run the program on the attached input data:
./report input.xml
Address sanitizer will report a heap-use-after-free, see below.
This does not happen with Qt 5.15.
=================================================================
==56265==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000728 at pc 0x000000832a43 bp 0x7ffee1bd69f0 sp 0x7ffee1bd69e8
READ of size 1 at 0x619000000728 thread T0
#0 0x832a42 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x832a42)
#1 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
#2 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
#3 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x420e6d in _start (/tmp/fuzzingqt6/build-xml/report+0x420e6d)
0x619000000728 is located 424 bytes inside of 1152-byte region [0x619000000580,0x619000000a00)
freed by thread T0 here:
#0 0x4c967d in operator delete[](void*) (/tmp/fuzzingqt6/build-xml/report+0x4c967d)
#1 0x8769c5 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::rehash(unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x8769c5)
#2 0x873c01 in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873c01)
#3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
#4 0x829994 in QXmlStreamReaderPrivate::parse() (/tmp/fuzzingqt6/build-xml/report+0x829994)
#5 0x852bd3 in QXmlStreamReader::readNext() (/tmp/fuzzingqt6/build-xml/report+0x852bd3)
#6 0x4cb9da in main (/tmp/fuzzingqt6/build-xml/report+0x4cb9da)
#7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
previously allocated by thread T0 here:
#0 0x4c8e2d in operator new[](unsigned long) (/tmp/fuzzingqt6/build-xml/report+0x4c8e2d)
#1 0x875741 in QHashPrivate::Span<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::addStorage() (/tmp/fuzzingqt6/build-xml/report+0x875741)
#2 0x873f3f in QHashPrivate::Data<QHashPrivate::Node<QStringView, QXmlStreamReaderPrivate::Entity> >::findOrInsert(QStringView const&) (/tmp/fuzzingqt6/build-xml/report+0x873f3f)
#3 0x873253 in QHash<QStringView, QXmlStreamReaderPrivate::Entity>::iterator QHash<QStringView, QXmlStreamReaderPrivate::Entity>::emplace<QXmlStreamReaderPrivate::Entity const&>(QStringView&&, QXmlStreamReaderPrivate::Entity const&) (/tmp/fuzzingqt6/build-xml/report+0x873253)
#4 0x855448 in QXmlStreamReaderPrivate::QXmlStreamReaderPrivate(QXmlStreamReader*) (/tmp/fuzzingqt6/build-xml/report+0x855448)
#5 0x84faaf in QXmlStreamReader::QXmlStreamReader(QByteArray const&) (/tmp/fuzzingqt6/build-xml/report+0x84faaf)
#6 0x4cb91b in main (/tmp/fuzzingqt6/build-xml/report+0x4cb91b)
#7 0x7fedb34e90b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free (/tmp/fuzzingqt6/build-xml/report+0x832a42) in QXmlStreamReaderPrivate::parse()
Shadow bytes around the buggy address:
0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff80b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff80c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c327fff80e0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c327fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==56265==ABORTING
Attachments
| For Gerrit Dashboard: QTBUG-88246 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 321003,6 | QXmlStreamReader: don't store pointers | dev | qt/qtbase | Status: MERGED | +2 | 0 |