[vlc-commits] [Git][videolan/vlc][master] medialibrary: fix heap-use-after-free

Rémi Denis-Courmont (@Courmisch) gitlab at videolan.org
Sun Sep 18 07:57:34 UTC 2022



Rémi Denis-Courmont pushed to branch master at VideoLAN / VLC


Commits:
b2daa832 by Thomas Guillem at 2022-09-18T07:43:00+00:00
medialibrary: fix heap-use-after-free

m_deviceLister is listening to media source tree callbacks and needs to be
cleaned up (and its callbacks removed) before m_devices, since the callbacks
read m_devices.

==1750167==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100002c640 at pc 0x7f8906109b0e bp 0x7f88ef176630 sp 0x7f88ef176628
READ of size 8 at 0x61100002c640 thread T22
    #0 0x7f8906109b0d in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const /usr/include/c++/12/bits/shared_ptr_base.h:1666
    #1 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::_M_get() const /usr/include/c++/12/bits/shared_ptr_base.h:1363
    #2 0x7f8906109b0d in std::__shared_ptr_access<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2, false, false>::operator->() const /usr/include/c++/12/bits/shared_ptr_base.h:1357
    #3 0x7f8906109b0d in operator() ../../modules/misc/medialibrary/fs/fs.cpp:195
    #4 0x7f8906109cac in operator()<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > > > /usr/include/c++/12/bits/predefined_ops.h:318
    #5 0x7f8906109cac in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2067
    #6 0x7f8906109f54 in __find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, __gnu_cxx::__ops::_Iter_pred<vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > > /usr/include/c++/12/bits/stl_algobase.h:2112
    #7 0x7f8906109f54 in find_if<__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice> > >, vlc::medialibrary::SDFileSystemFactory::deviceByUuid(const std::string&)::<lambda(const std::shared_ptr<medialibrary::fs::IDevice>&)> > /usr/include/c++/12/bits/stl_algo.h:3877
    #8 0x7f890610b532 in vlc::medialibrary::SDFileSystemFactory::deviceByUuid(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../../modules/misc/medialibrary/fs/fs.cpp:193
    #9 0x7f890610c16e in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:146
    #10 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131
    #11 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105
    #12 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303
    #13 0x7f8908b00dc0 in services_discovery_item_added ../../src/media_source/media_source.c:81
    #14 0x7f8907972be6 in services_discovery_AddItem ../../include/vlc_services_discovery.h:166
    #15 0x7f8907972be6 in entry_item_append ../../modules/access/dsm/sd.c:73
    #16 0x7f8907972daf in netbios_ns_discover_on_entry_added ../../modules/access/dsm/sd.c:117
    #17 0x7f8907980930 in netbios_ns_discover_thread (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x5930)
    #18 0x7f89086a3d7f in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7d7f)
    #19 0x7f89085bdbae in clone (/lib/x86_64-linux-gnu/libc.so.6+0xfabae)

0x61100002c640 is located 0 bytes inside of 256-byte region [0x61100002c640,0x61100002c740)
freed by thread T0 here:
    #0 0x7f8908cba3c8 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x7f890610c7d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/new_allocator.h:158
    #2 0x7f890610c7d8 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::deallocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:496
    #3 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_deallocate(std::shared_ptr<medialibrary::fs::IDevice>*, unsigned long) /usr/include/c++/12/bits/stl_vector.h:387
    #4 0x7f890610c7d8 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~_Vector_base() /usr/include/c++/12/bits/stl_vector.h:366
    #5 0x7f890610cc47 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:733
    #6 0x7f890610ccb4 in vlc::medialibrary::SDFileSystemFactory::~SDFileSystemFactory() ../../modules/misc/medialibrary/fs/fs.h:45
    #7 0x7f89060dd7f0  (/home/tom/work/git/vlc/build-asan/modules/.libs/libmedialibrary_plugin.so+0xdd7f0)
    #8 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:346
    #9 0x7f8906192379 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/12/bits/shared_ptr_base.h:317
    #10 0x7f8906192379 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/12/bits/shared_ptr_base.h:1071
    #11 0x7f8906192379 in std::__shared_ptr<medialibrary::fs::IFileSystemFactory, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/12/bits/shared_ptr_base.h:1524
    #12 0x7f8906192379 in std::shared_ptr<medialibrary::fs::IFileSystemFactory>::~shared_ptr() /usr/include/c++/12/bits/shared_ptr.h:175
    #13 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:151
    #14 0x7f8906192379 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:163
    #15 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*>(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*) /usr/include/c++/12/bits/stl_construct.h:196
    #16 0x7f8906192379 in void std::_Destroy<std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory> >(std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::shared_ptr<medialibrary::fs::IFileSystemFactory>*, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> >&) /usr/include/c++/12/bits/alloc_traits.h:850
    #17 0x7f8906192379 in std::vector<std::shared_ptr<medialibrary::fs::IFileSystemFactory>, std::allocator<std::shared_ptr<medialibrary::fs::IFileSystemFactory> > >::~vector() /usr/include/c++/12/bits/stl_vector.h:730
    #18 0x7f8906192379 in medialibrary::FsHolder::~FsHolder() ../src/filesystem/FsHolder.cpp:66

previously allocated by thread T22 here:
    #0 0x7f8908cb94c8 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x7f890610d4d8 in std::__new_allocator<std::shared_ptr<medialibrary::fs::IDevice> >::allocate(unsigned long, void const*) /usr/include/c++/12/bits/new_allocator.h:137
    #2 0x7f890610d789 in std::allocator_traits<std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::allocate(std::allocator<std::shared_ptr<medialibrary::fs::IDevice> >&, unsigned long) /usr/include/c++/12/bits/alloc_traits.h:464
    #3 0x7f890610d789 in std::_Vector_base<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_allocate(unsigned long) /usr/include/c++/12/bits/stl_vector.h:378
    #4 0x7f890610d789 in void std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::_M_realloc_insert<std::shared_ptr<medialibrary::fs::IDevice> const&>(__gnu_cxx::__normal_iterator<std::shared_ptr<medialibrary::fs::IDevice>*, std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > > >, std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/vector.tcc:453
    #5 0x7f890610dc02 in std::vector<std::shared_ptr<medialibrary::fs::IDevice>, std::allocator<std::shared_ptr<medialibrary::fs::IDevice> > >::push_back(std::shared_ptr<medialibrary::fs::IDevice> const&) /usr/include/c++/12/bits/stl_vector.h:1287
    #6 0x7f890610c3b3 in vlc::medialibrary::SDFileSystemFactory::onDeviceMounted(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) ../../modules/misc/medialibrary/fs/fs.cpp:151
    #7 0x7f890610edd1 in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long) ../../modules/misc/medialibrary/fs/devicelister.cpp:131
    #8 0x7f890610f06e in vlc::medialibrary::DeviceLister::onChildrenAdded(vlc_media_tree*, input_item_node_t*, input_item_node_t* const*, unsigned long, void*) ../../modules/misc/medialibrary/fs/devicelister.cpp:105
    #9 0x7f8908b01f44 in vlc_media_tree_Add ../../src/media_source/media_tree.c:303

Thread T22 created by T0 here:
    #0 0x7f8908c49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x7f890798126c in netbios_ns_discover_start (/home/tom/work/out/lib/x86_64-linux-gnu/libdsm.so.3+0x626c)
    #2 0x7f8908b022b5 in generic_start ../../src/modules/modules.c:275

SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/12/bits/shared_ptr_base.h:1666 in std::__shared_ptr<medialibrary::fs::IDevice, (__gnu_cxx::_Lock_policy)2>::get() const
Shadow bytes around the buggy address:
  0x0c227fffd870: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fffd880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffd890: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c227fffd8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffd8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
=>0x0c227fffd8c0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c227fffd8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fffd8e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c227fffd8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fffd900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c227fffd910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1750167==ABORTING

- - - - -


1 changed file:

- modules/misc/medialibrary/fs/fs.h


Changes:

=====================================
modules/misc/medialibrary/fs/fs.h
=====================================
@@ -103,13 +103,13 @@ private:
 private:
     vlc_object_t *const m_parent;
     const std::string m_scheme;
-    std::shared_ptr<IDeviceLister> m_deviceLister;
     IFileSystemFactoryCb *m_callbacks;
     bool m_isNetwork;
 
     mutable vlc::threads::mutex m_mutex;
     mutable vlc::threads::condition_variable m_cond;
     std::vector<std::shared_ptr<IDevice>> m_devices;
+    std::shared_ptr<IDeviceLister> m_deviceLister;
 };
 
   } /* namespace medialibrary */
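Review bot: The fix works only because C++ destroys non-static members in reverse declaration order, so the placement of `std::shared_ptr<IDeviceLister> m_deviceLister;` after `m_devices` is load-bearing, yet nothing in the header says so and a later reordering would silently bring the use-after-free back. I would add a comment above the moved line: `// Must stay the last member: it is destroyed first, so its media tree callbacks are unregistered before m_devices (which the callbacks read) is freed.` A more explicit alternative, if the class destructor (reported at fs.h:45 in the ASan trace, outside this hunk) is the right place, would be to `m_deviceLister.reset();` there before the members are torn down, so the ordering no longer depends on layout; I cannot tell from this hunk whether that destructor already does other cleanup that would conflict. Either way, the callback unregistration presumably happens in the IDeviceLister destructor, which is not visible here and should be confirmed.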



