
qvnc, event loop: heap-use-after-free


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Not Evaluated
    • Resolution: Invalid
    • Affects Version/s: 5.12.10
    • Fix Version/s: None
    • Component/s: Core: Event loop, QPA
    • Labels:
      None

      Description

      // Reproducer entry for one application run: constructs the QApplication
      // on the stack, shows a MainWindow sized to the (VNC) screen and runs
      // the event loop until it is stopped. All objects declared here are
      // destroyed in reverse order when exec() returns: the widgets first
      // (frame #17 of the first backtrace is ~QWidget -> close_helper),
      // then the QApplication, whose ~QObject deletes the event dispatcher
      // (frames #1-#3 of the ASAN "freed by thread T0" section).
      // argc/argv: forwarded to QApplication; the "-platform vnc:..." pair is
      // presumably consumed by Qt, which is why frame #18 of the first
      // backtrace reports argc=1 although do_fuzz passes 3.
      // Returns 0; the exec() return code is discarded.
      int proc_main( int argc, char** argv )
      {
      	QApplication app ( argc, argv );
      	QApplication::setApplicationName( "APP" );
      	
      	MainWindow mainWindow (nullptr);
      
      	// NOTE(review): screenGeometry() with no screen index presumably
      	// means the primary screen, i.e. the VNC platform screen — confirm.
      	QDesktopWidget desktop;
      	auto screenGeometry = desktop.screenGeometry();
      	mainWindow.setFixedSize( screenGeometry.width(), screenGeometry.height() );
      	mainWindow.show();
      
      	// Nothing here waits for fuzz_thread (started in do_fuzz), so
      	// send_data's QApplication::exit(0) can be issued after this frame
      	// has already unwound and `app` no longer exists.
      	app.exec();
      	return 0;
      }
      
      // Body of fuzz_thread (see do_fuzz): feeds the fuzzer input to the VNC
      // server exposed by the "-platform vnc" application, then asks the GUI
      // event loop to stop. Data/Size: the fuzzer input; unused by the stub
      // shown here, only the exit() call remains.
      // QApplication::exit() is invoked from a thread other than the GUI
      // thread, with no check that the application object still exists. The
      // ASAN report shows exactly this call (send_data ->
      // QCoreApplication::exit -> QEventDispatcherGlib::interrupt, thread
      // T1191) reading an event dispatcher already freed by ~QApplication on
      // thread T0. The QApplication is a stack object in proc_main, so that
      // lifetime belongs to the harness rather than to Qt, which is
      // consistent with the "Invalid" resolution above.
      void send_data(const uint8_t *Data, size_t Size) {
      	// connect to VNC server
      	// transfer data
      	// shutdown and close socket
      	QApplication::exit(0);
      }
      
      // One fuzz iteration: starts send_data on a second thread, then runs
      // the Qt application on the calling thread with a fixed argv that
      // selects the VNC platform plugin on port 5900.
      // Ordering is the whole point of this report: fuzz_thread is started
      // before proc_main constructs the QApplication and is joined only
      // after proc_main has destroyed it, so send_data's exit(0) may run
      // before the application exists or after it is gone. The ASAN trace
      // shows the second case (T1191 reads memory freed by T0). Joining the
      // thread while the QApplication is still alive, or queueing the quit
      // onto the GUI thread instead of calling exit() directly from the
      // worker, would remove that window.
      // Data/Size: fuzzer input, handed unchanged to send_data.
      void do_fuzz(const uint8_t *Data, size_t Size) {
      	std::thread fuzz_thread (send_data, Data, Size);
      
      	// Writable char arrays, not string literals, because QApplication
      	// takes a non-const char** and may rewrite argc/argv.
      	char arg0[] = "./hsbrowser";
      	char arg1[] = "-platform";
      	char arg2[24] = "vnc:port=5900";
      	char* argv[] = {arg0, arg1, arg2};
      	proc_main(3, argv);
      
      	// Reached only after proc_main has returned, i.e. after the
      	// QApplication destructor has already run.
      	fuzz_thread.join();
      }
      
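      // Stand-in entry point for the reproducer; in the fuzzing build the
      // same call is made from LLVMFuzzerTestOneInput (frame #20 of the
      // first backtrace, frame #6 of the ASAN "freed by" section).
      // AnyRandomData/Size stand for whatever input the fuzzer supplies.
      // Returns int: `void main()` is ill-formed in C++, so the only change
      // from the original is the return type and the explicit 0.
      int main() {
      	do_fuzz(AnyRandomData, Size);
      	return 0;
      }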
      

      With the same input data, the crash cannot be reproduced with ASLR enabled but can be reproduced with ASLR disabled.

      There are three similar backtraces that may all be caused by the same issue.

      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00007ffff598a3e1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /home/florian/git/qt5/build_afl/install/lib/libQt5Core.so.5
      #0  0x00007ffff598a3e1 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /home/florian/git/qt5/build_afl/install/lib/libQt5Core.so.5
      #1  0x00007ffff744315d in QWidgetWindow::event (this=<optimized out>, event=0x7fffffffcca8) at ../../include/QtCore/../../../../qtbase/src/corelib/tools/qlist.h:544
      #2  0x00007ffff7370119 in QApplicationPrivate::notify_helper (this=0x44cd70, receiver=0x45c090, e=0x7fffffffcca8) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3650
      #3  0x00007ffff7369c67 in QApplication::notify (this=0x7fffffffd260, receiver=<optimized out>, e=<optimized out>) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qapplication.cpp:3006
      #4  0x00007ffff598a41e in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /home/florian/git/qt5/build_afl/install/lib/libQt5Core.so.5
      #5  0x00007ffff6611dd1 in QGuiApplicationPrivate::processKeyEvent (e=0x44f4e0) at /home/florian/git/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:2289
      #6  0x00007ffff65cbca6 in QWindowSystemInterface::handleShortcutEvent (window=<optimized out>, timestamp=<optimized out>, keyCode=71, modifiers=..., nativeScanCode=<optimized out>, nativeVirtualKey=<optimized out>, nativeModifiers=0, text=..., autorepeat=<optimized out>, count=1) at /home/florian/git/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:104
      #7  0x00007ffff6611b88 in QGuiApplicationPrivate::processKeyEvent (e=0x44f5d0) at /home/florian/git/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:2270
      #8  0x00007ffff65c8a72 in QWindowSystemInterface::sendWindowSystemEvents (flags=...) at /home/florian/git/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1151
      #9  0x00007ffff65c8676 in QWindowSystemInterface::flushWindowSystemEvents (flags=...) at /home/florian/git/qt5/qtbase/src/gui/kernel/qwindowsysteminterface.cpp:1120
      #10 0x00007ffff65ee687 in QPlatformWindow::setVisible (this=<optimized out>, visible=<optimized out>) at /home/florian/git/qt5/qtbase/src/gui/kernel/qplatformwindow.cpp:189
      #11 0x00007ffff38c3934 in QFbWindow::setVisible (this=0x45c430, visible=false) at /home/florian/git/qt5/qtbase/src/platformsupport/fbconvenience/qfbwindow.cpp:91
      #12 0x00007ffff662e02f in QWindowPrivate::setVisible (this=0x45c0f0, visible=<optimized out>) at /home/florian/git/qt5/qtbase/src/gui/kernel/qwindow.cpp:408
      #13 0x00007ffff73f383f in QWidgetPrivate::hide_helper (this=0x457600) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8208
      #14 0x00007ffff73f20fe in QWidgetPrivate::setVisible (this=0x457600, visible=<optimized out>) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8413
      #15 0x00007ffff73d8948 in QWidget::hide (this=0x7fffffffd1a8) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8182
      #16 QWidgetPrivate::close_helper (this=0x457600, mode=QWidgetPrivate::CloseNoEvent) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qwidget.cpp:8544
      #17 0x00007ffff73ebe89 in QWidget::~QWidget (this=0x7fffffffd1a8) at /home/florian/git/qt5/qtbase/src/widgets/kernel/qwidget.cpp:1626
      #18 0x000000000020dbea in proc_main (argc=1, argv=0x7fffffffd270) at ../main.cpp:45
      #19 do_fuzz (Data=<optimized out>, Size=<optimized out>) at ../main.cpp:122
      #20 LLVMFuzzerTestOneInput (Data=<optimized out>, Size=<optimized out>) at ../main.cpp:147
      #21 main (argc=<optimized out>, argv=<optimized out>) at ../main.cpp:195
      

      The same program rebuilt with AddressSanitizer; the input data differs from the run above:

      ==3582572==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000303d8 at pc 0x7ffff3c8d5fc bp 0x7fffed2f7c40 sp 0x7fffed2f7c38
      READ of size 8 at 0x6030000303d8 thread T1191
          #0 0x7ffff3c8d5fb in QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> >::operator->() const /home/florian/git/qt5/build_libfuzzer/qtbase/src/corelib/../../include/QtCore/../../../../qtbase/src/corelib/tools/qscopedpointer.h:118:16
          #1 0x7ffff3c8d5fb in decltype(fp.operator->()) qGetPtrHelper<QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> > >(QScopedPointer<QObjectData, QScopedPointerDeleter<QObjectData> > const&) /home/florian/git/qt5/build_libfuzzer/qtbase/src/corelib/../../include/QtCore/../../../../qtbase/src/corelib/global/qglobal.h:1038:110
          #2 0x7ffff3c8d5fb in QEventDispatcherGlib::d_func() /home/florian/git/qt5/build_libfuzzer/qtbase/src/corelib/.moc/../../../../../qtbase/src/corelib/kernel/qeventdispatcher_glib_p.h:66:5
          #3 0x7ffff3c8d5fb in QEventDispatcherGlib::wakeUp() /home/florian/git/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:589:5
          #4 0x7ffff3c8d5fb in QEventDispatcherGlib::interrupt() /home/florian/git/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:584:5
          #5 0x7ffff3b078b9 in QCoreApplication::exit(int) /home/florian/git/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1447:20
          #6 0x55a086 in send_data(unsigned char const*, unsigned long) /home/florian/git/hsbrowser/build/../main.cpp:98:5
          #7 0x7ffff7e7b773  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xda773)
          #8 0x7ffff2e3742f in start_thread nptl/pthread_create.c:473:8
          #9 0x7ffff2bded02 in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      
      0x6030000303d8 is located 8 bytes inside of 24-byte region [0x6030000303d0,0x6030000303e8)
      freed by thread T0 here:
          #0 0x5577ad in operator delete(void*) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x5577ad)
          #1 0x7ffff3bba118 in QObjectPrivate::deleteChildren() /home/florian/git/qt5/qtbase/src/corelib/kernel/qobject.cpp:2017:9
          #2 0x7ffff3bb949b in QObject::~QObject() /home/florian/git/qt5/qtbase/src/corelib/kernel/qobject.cpp:1033:12
          #3 0x7ffff68afa3e in QApplication::~QApplication() /home/florian/git/qt5/qtbase/src/widgets/kernel/qapplication.cpp:843:1
          #4 0x559b9f in proc_main(int, char**) /home/florian/git/hsbrowser/build/../main.cpp:45:1
          #5 0x55a826 in do_fuzz(unsigned char const*, unsigned long) /home/florian/git/hsbrowser/build/../main.cpp:110:2
          #6 0x55ab98 in LLVMFuzzerTestOneInput /home/florian/git/hsbrowser/build/../main.cpp:135:2
          #7 0x45d081 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45d081)
          #8 0x45c58a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45c58a)
          #9 0x45e914 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45e914)
          #10 0x45eb29 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45eb29)
          #11 0x44d116 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x44d116)
          #12 0x477032 in main (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x477032)
          #13 0x7ffff2aef564 in __libc_start_main csu/../csu/libc-start.c:332:16
      
      previously allocated by thread T0 here:
          #0 0x556f4d in operator new(unsigned long) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x556f4d)
          #1 0x7fffec426f57 in QtGenericUnixDispatcher::createUnixEventDispatcher() /home/florian/git/qt5/qtbase/src/platformsupport/eventdispatchers/qgenericunixeventdispatcher.cpp:50:16
          #2 0x7ffff50b08ea in QGuiApplicationPrivate::createEventDispatcher() /home/florian/git/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:1414:45
          #3 0x7ffff3b007ba in QCoreApplicationPrivate::init() /home/florian/git/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:858:9
          #4 0x7ffff5099eb5 in QGuiApplicationPrivate::init() /home/florian/git/qt5/qtbase/src/gui/kernel/qguiapplication.cpp:1438:30
          #5 0x7ffff68a91bc in QApplicationPrivate::init() /home/florian/git/qt5/qtbase/src/widgets/kernel/qapplication.cpp:558:29
          #6 0x5599ba in proc_main(int, char**) /home/florian/git/hsbrowser/build/../main.cpp:30:15
          #7 0x55a826 in do_fuzz(unsigned char const*, unsigned long) /home/florian/git/hsbrowser/build/../main.cpp:110:2
          #8 0x55ab98 in LLVMFuzzerTestOneInput /home/florian/git/hsbrowser/build/../main.cpp:135:2
          #9 0x45d081 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45d081)
          #10 0x45c58a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45c58a)
          #11 0x45e914 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45e914)
          #12 0x45eb29 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45eb29)
          #13 0x44d116 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x44d116)
          #14 0x477032 in main (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x477032)
          #15 0x7ffff2aef564 in __libc_start_main csu/../csu/libc-start.c:332:16
      
      Thread T1191 created by T0 here:
          #0 0x51020c in pthread_create (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x51020c)
          #1 0x7ffff7e7ba49 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdaa49)
          #2 0x55ab98 in LLVMFuzzerTestOneInput /home/florian/git/hsbrowser/build/../main.cpp:135:2
          #3 0x45d081 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45d081)
          #4 0x45c58a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45c58a)
          #5 0x45e914 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45e914)
          #6 0x45eb29 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x45eb29)
          #7 0x44d116 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x44d116)
          #8 0x477032 in main (/home/florian/git/hsbrowser/fuzz/hsbrowser.libfuzzer+0x477032)
          #9 0x7ffff2aef564 in __libc_start_main csu/../csu/libc-start.c:332:16
      

      With yet another input, the ASAN binary crashes with a segfault instead of reporting the heap-use-after-free:

      ==3597767==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x7ffff3c8d5c2 bp 0x7fffed2f7c50 sp 0x7fffed2f7c50 T488)
      ==3597767==The signal is caused by a WRITE memory access.
      ==3597767==Hint: address points to the zero page.
          #0 0x7ffff3c8d5c2 in std::__atomic_base<int>::operator++() /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/atomic_base.h:326:16
          #1 0x7ffff3c8d5c2 in bool QAtomicOps<int>::ref<int>(std::atomic<int>&) /home/florian/git/qt5/build_libfuzzer/qtbase/src/corelib/../../include/QtCore/../../../../qtbase/src/corelib/thread/qatomic_cxx11.h:265:16
          #2 0x7ffff3c8d5c2 in QBasicAtomicInteger<int>::ref() /home/florian/git/qt5/build_libfuzzer/qtbase/src/corelib/../../include/QtCore/../../../../qtbase/src/corelib/thread/qbasicatomic.h:114:40
          #3 0x7ffff3c8d5c2 in QEventDispatcherGlib::wakeUp() /home/florian/git/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:590:38
          #4 0x7ffff3c8d5c2 in QEventDispatcherGlib::interrupt() /home/florian/git/qt5/qtbase/src/corelib/kernel/qeventdispatcher_glib.cpp:584:5
          #5 0x7ffff3b078b9 in QCoreApplication::exit(int) /home/florian/git/qt5/qtbase/src/corelib/kernel/qcoreapplication.cpp:1447:20
          #6 0x55a086 in send_data(unsigned char const*, unsigned long) /home/florian/git/hsbrowser/build/../main.cpp:98:5
          #7 0x7ffff7e7b773  (/lib/x86_64-linux-gnu/libstdc++.so.6+0xda773)
          #8 0x7ffff2e3742f in start_thread nptl/pthread_create.c:473:8
          #9 0x7ffff2bded02 in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      


            People

            Assignee:
            thiago Thiago Macieira
            Reporter:
            youduda Florian Freund
