
segfault while putting large files read from stdin #21

Closed
diameter opened this issue Nov 4, 2015 · 3 comments


diameter commented Nov 4, 2015

Hi,

Encountered a segfault while putting large files that are read from stdin. It appears to be a "heap-use-after-free" issue: a growbuffer is accessed after it was already freed. 100% reproducible.

Below is the output from the library built with gcc 4.9 and ASAN, putting a 160 MB file:

$ LD_LIBRARY_PATH=build-debug/lib ./build-debug/bin/s3 put files/zzz < ../file.tar 
Sending Part Seq 1, length=15728640
15712256 bytes remaining (85% complete) ...
15695872 bytes remaining (85% complete) ...
15679488 bytes remaining (85% complete) ...
15663104 bytes remaining (85% complete) ...
...
98304 bytes remaining (99% complete) ...
81920 bytes remaining (99% complete) ...
65536 bytes remaining (99% complete) ...
49152 bytes remaining (99% complete) ...
32768 bytes remaining (99% complete) ...
16384 bytes remaining (99% complete) ...
Sending Part Seq 2, length=15728640
=================================================================
==10047==ERROR: AddressSanitizer: heap-use-after-free on address 0x631000000800 at pc 0x402af5 bp 0x7ffe3afb1270 sp 0x7ffe3afb1268
READ of size 4 at 0x631000000800 thread T0
    #0 0x402af4 in growbuffer_read src/s3.c:458
    #1 0x40ab1e in putObjectDataCallback src/s3.c:2012
    #2 0x7efd21abca7b in curl_read_func src/request.c:193
    #3 0x7efd205c8295 (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28295)
    #4 0x7efd205c8f1c (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28f1c)
    #5 0x7efd205d29db (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x329db)
    #6 0x7efd205d3180 in curl_multi_perform (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x33180)
    #7 0x7efd205ca7b2 in curl_easy_perform (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x2a7b2)
    #8 0x7efd21ac4b72 in request_perform src/request.c:1220
    #9 0x7efd21ad5906 in S3_upload_part src/multipart.c:222
    #10 0x40cb20 in put_object src/s3.c:2453
    #11 0x41227d in main src/s3.c:3640
    #12 0x7efd20828ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #13 0x402018 (/home/zz/_src/libs3/build-debug/bin/s3+0x402018)

0x631000000800 is located 0 bytes inside of 65560-byte region [0x631000000800,0x631000010818)
freed by thread T0 here:
    #0 0x7efd20c205c7 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x545c7)
    #1 0x402e4e in growbuffer_read src/s3.c:473
    #2 0x40ab1e in putObjectDataCallback src/s3.c:2012
    #3 0x7efd21abca7b in curl_read_func src/request.c:193
    #4 0x7efd205c8295 (/usr/lib/x86_64-linux-gnu/libcurl.so.4+0x28295)

previously allocated by thread T0 here:
    #0 0x7efd20c207df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
    #1 0x402578 in growbuffer_append src/s3.c:415
    #2 0x40c4c5 in put_object src/s3.c:2313
    #3 0x41227d in main src/s3.c:3640
    #4 0x7efd20828ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free src/s3.c:458 growbuffer_read
==10047==ABORTING

With best regards,
Ivan.
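As an added, constructed C example (not libs3's code and not from the issue's author) of the bug class the ASan report above describes: a ring of buffer chunks whose reader frees each node once it is drained, together with the invariant that keeps the next read safe. The names growbuffer_append and growbuffer_read are taken from the trace; their bodies, the 64-byte node and the sample data are assumptions.

```c
/* Constructed illustration (not libs3's code) of the growbuffer pattern the
 * ASan trace points at: a ring of chunks whose reader frees each node once it
 * is drained. Names follow the trace; bodies and the 64-byte node are assumed. */
#include <stdlib.h>
#include <string.h>
typedef struct growbuffer {
    int size, start;                 /* bytes left in node, read offset */
    char data[64];
    struct growbuffer *prev, *next;  /* circular doubly linked ring */
} growbuffer;
/* Append up to 64 bytes as a new node at the tail of the ring. */
int growbuffer_append(growbuffer **gb, const char *data, int len)
{
    growbuffer *buf = malloc(sizeof *buf);
    if (!buf || len > (int)sizeof buf->data) { free(buf); return 0; }
    buf->size = len; buf->start = 0;
    memcpy(buf->data, data, len);
    if (!*gb) { buf->prev = buf->next = buf; *gb = buf; }
    else { buf->prev = (*gb)->prev; buf->next = *gb;
           (*gb)->prev->next = buf; (*gb)->prev = buf; }
    return 1;
}
/* Copy at most amt bytes from the head node. A drained node is unlinked and
 * freed; *gb becomes NULL once the ring is empty, so a further call through the
 * same pointer returns 0. A caller keeping its own copy of the old head instead
 * would go on dereferencing the freed node, which is what ASan flags above. */
int growbuffer_read(growbuffer **gb, int amt, char *out)
{
    growbuffer *buf = *gb;
    if (!buf) return 0;
    int n = buf->size > amt ? amt : buf->size;
    memcpy(out, buf->data + buf->start, n);
    buf->start += n; buf->size -= n;
    if (buf->size == 0) {
        if (buf->next == buf) *gb = NULL;
        else { *gb = buf->next; buf->prev->next = buf->next; buf->next->prev = buf->prev; }
        free(buf);                   /* buf must not be touched after this line */
    }
    return n;
}
/* Constructed input: two chunks appended, then drained in 4-byte reads through
 * the one shared head pointer. Returns the byte count, or -1 on a bad result. */
int growbuffer_demo(void)
{
    growbuffer *gb = NULL; char out[32]; int total = 0, n;
    growbuffer_append(&gb, "0123456789", 10);
    growbuffer_append(&gb, "abcdef", 6);
    while ((n = growbuffer_read(&gb, 4, out + total)) > 0) total += n;
    if (gb != NULL || memcmp(out, "0123456789abcdef", 16) != 0) return -1;
    return total + growbuffer_read(&gb, 4, out);   /* read on empty ring adds 0 */
}
```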


mewalig commented Mar 28, 2016

I ran into this too. Anyone by chance have a patch available?

sergeydobrodey (Contributor) commented

I believe two years are better than never (:

sergeydobrodey (Contributor) commented Oct 13, 2017

Here is the fix #68

bji closed this as completed in 05deb10 on Aug 21, 2018