UPnP - heap read-after-free (AddressSanitizer: heap-use-after-free)
Found while running the agent.
=================================================================
==585705==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000080020 at pc 0x55555a141666 bp 0x7fffd8fad760 sp 0x7fffd8fad750
READ of size 8 at 0x615000080020 thread T15
#0 0x55555a141665 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__weak_count<(__gnu_cxx::_Lock_policy)2> const&) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:867
#1 0x55555af06657 in std::__shared_ptr<jami::upnp::UPnPProtocol, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<jami::upnp::UPnPProtocol, void>(std::__weak_ptr<jami::upnp::UPnPProtocol, (__gnu_cxx::_Lock_policy)2> const&) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:1173
#2 0x55555af051fd in std::shared_ptr<jami::upnp::UPnPProtocol>::shared_ptr<jami::upnp::UPnPProtocol, void>(std::weak_ptr<jami::upnp::UPnPProtocol> const&) /usr/include/c++/11.1.0/bits/shared_ptr.h:326
#3 0x55555af04000 in std::enable_shared_from_this<jami::upnp::UPnPProtocol>::shared_from_this() /usr/include/c++/11.1.0/bits/shared_ptr.h:808
#4 0x55555af51dab in jami::upnp::PUPnP::weak() /ring-project/daemon/src/upnp/protocol/pupnp/pupnp.h:247
#5 0x55555af247d7 in jami::upnp::PUPnP::ctrlPtCallback(Upnp_EventType_e, void const*, void*) /ring-project/daemon/src/upnp/protocol/pupnp/pupnp.cpp:757
#6 0x7ffff6c417a6 (/usr/lib/libupnp.so.17+0xf7a6)
#7 0x7ffff6c3ec06 (/usr/lib/libupnp.so.17+0xcc06)
#8 0x7ffff4c41258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
#9 0x7ffff38f25e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
0x615000080020 is located 32 bytes inside of 456-byte region [0x615000080000,0x6150000801c8)
freed by thread T11 here:
#0 0x7ffff767ad69 in operator delete(void*, unsigned long) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cpp:172
#1 0x555559e4da57 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (/ring-project/daemon/test/agent/agent+0x48f9a57)
#2 0x555559e4c4ed in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/11.1.0/bits/alloc_traits.h:492
#3 0x555559e48d11 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() (/ring-project/daemon/test/agent/agent+0x48f4d11)
#4 0x555559e4ffee in std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (/ring-project/daemon/test/agent/agent+0x48fbfee)
#5 0x555559d6ffc6 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_weak_release() /usr/include/c++/11.1.0/bits/shared_ptr_base.h:207
#6 0x555559d62b18 in std::__weak_count<(__gnu_cxx::_Lock_policy)2>::~__weak_count() /usr/include/c++/11.1.0/bits/shared_ptr_base.h:795
#7 0x55555af51bf9 in std::__weak_ptr<jami::upnp::PUPnP, (__gnu_cxx::_Lock_policy)2>::~__weak_ptr() /usr/include/c++/11.1.0/bits/shared_ptr_base.h:1605
#8 0x55555af51c67 in std::weak_ptr<jami::upnp::PUPnP>::~weak_ptr() /usr/include/c++/11.1.0/bits/shared_ptr.h:686
#9 0x55555af201d6 in ~<lambda> /ring-project/daemon/src/upnp/protocol/pupnp/pupnp.cpp:622
#10 0x55555af3abe5 in ~<lambda> /ring-project/daemon/src/upnp/protocol/pupnp/pupnp.h:144
#11 0x55555af4c6e4 in _M_destroy /usr/include/c++/11.1.0/bits/std_function.h:174
#12 0x55555af4717e in _M_manager /usr/include/c++/11.1.0/bits/std_function.h:200
#13 0x55555af42ae9 in _M_manager /usr/include/c++/11.1.0/bits/std_function.h:283
#14 0x555559aac0a6 in std::_Function_base::~_Function_base() /usr/include/c++/11.1.0/bits/std_function.h:245
#15 0x555559c82285 in std::function<void ()>::~function() /usr/include/c++/11.1.0/bits/std_function.h:328
#16 0x55555a94f2f4 in void std::_Destroy<std::function<void ()> >(std::function<void ()>*) /usr/include/c++/11.1.0/bits/stl_construct.h:140
#17 0x55555a94dc89 in void std::_Destroy_aux<false>::__destroy<std::function<void ()>*>(std::function<void ()>*, std::function<void ()>*) /usr/include/c++/11.1.0/bits/stl_construct.h:152
#18 0x55555a94b7da in void std::_Destroy<std::function<void ()>*>(std::function<void ()>*, std::function<void ()>*) /usr/include/c++/11.1.0/bits/stl_construct.h:185
#19 0x55555a947fbf in void std::_Destroy<std::function<void ()>*, std::function<void ()> >(std::function<void ()>*, std::function<void ()>*, std::allocator<std::function<void ()> >&) /usr/include/c++/11.1.0/bits/alloc_traits.h:746
#20 0x55555a94563c in std::vector<std::function<void ()>, std::allocator<std::function<void ()> > >::~vector() /usr/include/c++/11.1.0/bits/stl_vector.h:680
#21 0x55555a93c72a in jami::ScheduledExecutor::loop() /ring-project/daemon/src/scheduled_executor.cpp:142
#22 0x55555a938dcd in operator() /ring-project/daemon/src/scheduled_executor.cpp:32
#23 0x55555a94285f in __invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:61
#24 0x55555a94271a in __invoke<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:96
#25 0x55555a9425ef in _M_invoke<0> /usr/include/c++/11.1.0/bits/std_thread.h:253
#26 0x55555a942525 in operator() /usr/include/c++/11.1.0/bits/std_thread.h:260
#27 0x55555a9424dd in _M_run /usr/include/c++/11.1.0/bits/std_thread.h:211
#28 0x7ffff45643c3 in execute_native_thread_routine /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
previously allocated by thread T1 here:
#0 0x7ffff7679ca1 in operator new(unsigned long) /build/gcc/src/gcc/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x555559e4da17 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) (/ring-project/daemon/test/agent/agent+0x48f9a17)
#2 0x555559e4c3ad in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/11.1.0/bits/alloc_traits.h:460
#3 0x555559e48b97 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2> >&) (/ring-project/daemon/test/agent/agent+0x48f4b97)
#4 0x555559e43e3a in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>>(jami::upnp::PUPnP*&, std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:648
#5 0x555559e391ab in std::__shared_ptr<jami::upnp::PUPnP, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<jami::upnp::PUPnP>>(std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:1337
#6 0x555559e2c43d in std::shared_ptr<jami::upnp::PUPnP>::shared_ptr<std::allocator<jami::upnp::PUPnP>>(std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) (/ring-project/daemon/test/agent/agent+0x48d843d)
#7 0x555559e1f90c in std::shared_ptr<jami::upnp::PUPnP> std::allocate_shared<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>>(std::allocator<jami::upnp::PUPnP> const&) (/ring-project/daemon/test/agent/agent+0x48cb90c)
#8 0x555559e169a8 in std::shared_ptr<jami::upnp::PUPnP> std::make_shared<jami::upnp::PUPnP>() (/ring-project/daemon/test/agent/agent+0x48c29a8)
#9 0x555559dd7ee5 in jami::upnp::UPnPContext::init() /usr/include/c++/11.1.0/bits/upnp_context.cpp:118
#10 0x555559dd302e in operator() /usr/include/c++/11.1.0/bits/upnp_context.cpp:46
#11 0x555559dffdd1 in operator() /ring-project/daemon/src/upnp/upnp_thread_util.h:31
#12 0x555559e0b81e in __invoke_impl<void, jami::upnp::UpnpThreadUtil::runOnUpnpContextQueue<jami::upnp::UPnPContext::UPnPContext()::<lambda()> >(jami::upnp::UPnPContext::UPnPContext()::<lambda()>&&)::<lambda()>&> /usr/include/c++/11.1.0/bits/invoke.h:61
#13 0x555559e0827b in __invoke_r<void, jami::upnp::UpnpThreadUtil::runOnUpnpContextQueue<jami::upnp::UPnPContext::UPnPContext()::<lambda()> >(jami::upnp::UPnPContext::UPnPContext()::<lambda()>&&)::<lambda()>&> /usr/include/c++/11.1.0/bits/invoke.h:111
#14 0x555559e05f68 in _M_invoke /usr/include/c++/11.1.0/bits/std_function.h:291
#15 0x55555a02c996 in std::function<void ()>::operator()() const /usr/include/c++/11.1.0/bits/std_function.h:560
#16 0x55555a93c6c0 in jami::ScheduledExecutor::loop() /ring-project/daemon/src/scheduled_executor.cpp:137
#17 0x55555a938dcd in operator() /ring-project/daemon/src/scheduled_executor.cpp:32
#18 0x55555a94285f in __invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:61
#19 0x55555a94271a in __invoke<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:96
#20 0x55555a9425ef in _M_invoke<0> /usr/include/c++/11.1.0/bits/std_thread.h:253
#21 0x55555a942525 in operator() /usr/include/c++/11.1.0/bits/std_thread.h:260
#22 0x55555a9424dd in _M_run /usr/include/c++/11.1.0/bits/std_thread.h:211
#23 0x7ffff45643c3 in execute_native_thread_routine /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
Thread T15 created by T11 here:
#0 0x7ffff7619fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff6c3e520 (/usr/lib/libupnp.so.17+0xc520)
Thread T11 created by T1 here:
#0 0x7ffff7619fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff45646aa in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:663
#2 0x55555a9394f8 in jami::ScheduledExecutor::ScheduledExecutor() /ring-project/daemon/src/scheduled_executor.cpp:27
#3 0x55555af0deae in jami::upnp::PUPnP::PUPnP() /ring-project/daemon/src/upnp/protocol/pupnp/pupnp.cpp:100
#4 0x555559e4dacc in void __gnu_cxx::new_allocator<jami::upnp::PUPnP>::construct<jami::upnp::PUPnP>(jami::upnp::PUPnP*) (/ring-project/daemon/test/agent/agent+0x48f9acc)
#5 0x555559e4c58e in void std::allocator_traits<std::allocator<jami::upnp::PUPnP> >::construct<jami::upnp::PUPnP>(std::allocator<jami::upnp::PUPnP>&, jami::upnp::PUPnP*) /usr/include/c++/11.1.0/bits/alloc_traits.h:512
#6 0x555559e4925e in std::_Sp_counted_ptr_inplace<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>, (__gnu_cxx::_Lock_policy)2>::_Sp_counted_ptr_inplace<>(std::allocator<jami::upnp::PUPnP>) (/ring-project/daemon/test/agent/agent+0x48f525e)
#7 0x555559e43ed7 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>>(jami::upnp::PUPnP*&, std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:650
#8 0x555559e391ab in std::__shared_ptr<jami::upnp::PUPnP, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<jami::upnp::PUPnP>>(std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) /usr/include/c++/11.1.0/bits/shared_ptr_base.h:1337
#9 0x555559e2c43d in std::shared_ptr<jami::upnp::PUPnP>::shared_ptr<std::allocator<jami::upnp::PUPnP>>(std::_Sp_alloc_shared_tag<std::allocator<jami::upnp::PUPnP> >) (/ring-project/daemon/test/agent/agent+0x48d843d)
#10 0x555559e1f90c in std::shared_ptr<jami::upnp::PUPnP> std::allocate_shared<jami::upnp::PUPnP, std::allocator<jami::upnp::PUPnP>>(std::allocator<jami::upnp::PUPnP> const&) (/ring-project/daemon/test/agent/agent+0x48cb90c)
#11 0x555559e169a8 in std::shared_ptr<jami::upnp::PUPnP> std::make_shared<jami::upnp::PUPnP>() (/ring-project/daemon/test/agent/agent+0x48c29a8)
#12 0x555559dd7ee5 in jami::upnp::UPnPContext::init() /usr/include/c++/11.1.0/bits/upnp_context.cpp:118
#13 0x555559dd302e in operator() /usr/include/c++/11.1.0/bits/upnp_context.cpp:46
#14 0x555559dffdd1 in operator() /ring-project/daemon/src/upnp/upnp_thread_util.h:31
#15 0x555559e0b81e in __invoke_impl<void, jami::upnp::UpnpThreadUtil::runOnUpnpContextQueue<jami::upnp::UPnPContext::UPnPContext()::<lambda()> >(jami::upnp::UPnPContext::UPnPContext()::<lambda()>&&)::<lambda()>&> /usr/include/c++/11.1.0/bits/invoke.h:61
#16 0x555559e0827b in __invoke_r<void, jami::upnp::UpnpThreadUtil::runOnUpnpContextQueue<jami::upnp::UPnPContext::UPnPContext()::<lambda()> >(jami::upnp::UPnPContext::UPnPContext()::<lambda()>&&)::<lambda()>&> /usr/include/c++/11.1.0/bits/invoke.h:111
#17 0x555559e05f68 in _M_invoke /usr/include/c++/11.1.0/bits/std_function.h:291
#18 0x55555a02c996 in std::function<void ()>::operator()() const /usr/include/c++/11.1.0/bits/std_function.h:560
#19 0x55555a93c6c0 in jami::ScheduledExecutor::loop() /ring-project/daemon/src/scheduled_executor.cpp:137
#20 0x55555a938dcd in operator() /ring-project/daemon/src/scheduled_executor.cpp:32
#21 0x55555a94285f in __invoke_impl<void, jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:61
#22 0x55555a94271a in __invoke<jami::ScheduledExecutor::ScheduledExecutor()::<lambda()> > /usr/include/c++/11.1.0/bits/invoke.h:96
#23 0x55555a9425ef in _M_invoke<0> /usr/include/c++/11.1.0/bits/std_thread.h:253
#24 0x55555a942525 in operator() /usr/include/c++/11.1.0/bits/std_thread.h:260
#25 0x55555a9424dd in _M_run /usr/include/c++/11.1.0/bits/std_thread.h:211
#26 0x7ffff45643c3 in execute_native_thread_routine /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
Thread T1 created by T0 here:
#0 0x7ffff7619fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x7ffff45646aa in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /build/gcc/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:663
#2 0x55555a9394f8 in jami::ScheduledExecutor::ScheduledExecutor() /ring-project/daemon/src/scheduled_executor.cpp:27
#3 0x55555a5f3ab2 in jami::Manager::ManagerPimpl::ManagerPimpl(jami::Manager&) /ring-project/daemon/src/manager.cpp:459
#4 0x55555a5fc60e in jami::Manager::Manager() /ring-project/daemon/src/manager.cpp:737
#5 0x55555a5fbfcb in jami::Manager::instance() /ring-project/daemon/src/manager.cpp:713
#6 0x555559c7a228 in DRing::init(DRing::InitFlag) /ring-project/daemon/src/ring_api.cpp:57
#7 0x555559b24d07 in main /usr/include/c++/11.1.0/main.cpp:326
#8 0x7ffff381bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/include/c++/11.1.0/bits/shared_ptr_base.h:867 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__weak_count<(__gnu_cxx::_Lock_policy)2> const&)
Shadow bytes around the buggy address:
0x0c2a80007fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80007fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80007fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80007fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80007ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a80008000: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80008010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80008020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a80008030: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2a80008040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a80008050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==585705==ABORTING