Subject: [Boost-bugs] [Boost C++ Libraries] #10485: Boost.Filesystem: heap-use-after-free using C++11 range loop
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2014-09-09 16:14:17
#10485: Boost.Filesystem: heap-use-after-free using C++11 range loop
----------------------+------------------------------
Reporter: iamvfx@… | Type: Bugs
Status: new | Milestone: To Be Determined
Component: None | Version: Boost 1.54.0
Severity: Problem | Keywords:
----------------------+------------------------------
Repro code:
{{{
#include <stdio.h>
#include <boost/filesystem.hpp>

int main() {
    boost::filesystem::path dir("/");
    for (char c : dir.filename().string())
        printf("%c\n", c);
}
}}}
I know if I want to fix it I should store dir.filename().string() in a
variable (and it works), but in this case it will either crash the application
or print garbage. Here's what Clang Address Sanitizer prints:
{{{
=================================================================
==12324==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000ef50 at pc 0x48448a bp 0x7fff08f73990 sp 0x7fff08f73988
READ of size 8 at 0x60300000ef50 thread T0
    #0 0x484489 in std::string::size() const /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:716
    #1 0x484489 in ~path /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:636
    #2 0x484489 in main /run/media/constantine/Space/Boost_1.54.0_Bug_Repro_09.07.2014/main.cpp:6
    #3 0x7f0679cd0d64 in __libc_start_main (/lib64/libc.so.6+0x21d64)
    #4 0x483f1c in _start (/run/media/constantine/Space/Boost_1.54.0_Bug_Repro_09.07.2014/Debug/app+0x483f1c)

0x60300000ef50 is located 0 bytes inside of 26-byte region [0x60300000ef50,0x60300000ef6a)
freed by thread T0 here:
    #0 0x46e7b9 in operator delete(void*) (/run/media/constantine/Space/Boost_1.54.0_Bug_Repro_09.07.2014/Debug/app+0x46e7b9)
    #1 0x4843f2 in std::string::_M_rep() const /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:249
    #2 0x4843f2 in ~basic_string /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:539
    #3 0x4843f2 in ~basic_string /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:539
    #4 0x4843f2 in ~path /usr/include/boost/filesystem/path.hpp:55
    #5 0x4843f2 in main /run/media/constantine/Space/Boost_1.54.0_Bug_Repro_09.07.2014/main.cpp:6
    #6 0x7f0679cd0d64 in __libc_start_main (/lib64/libc.so.6+0x21d64)

previously allocated by thread T0 here:
    #0 0x46e4b9 in operator new(unsigned long) (/run/media/constantine/Space/Boost_1.54.0_Bug_Repro_09.07.2014/Debug/app+0x46e4b9)
    #1 0x7f067a3411d8 (/lib64/libstdc++.so.6+0xbe1d8)
    #2 0x9

SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-redhat-linux/4.8.3/../../../../include/c++/4.8.3/bits/basic_string.h:716 std::string::size() const
Shadow bytes around the buggy address:
  0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa[fd]fd fd fd fa fa
  0x0c067fff9df0: 00 00 00 02 fa fa 00 00 00 03 fa fa 00 00 00 02
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12324==ABORTING
}}}
--
Ticket URL: <https://svn.boost.org/trac/boost/ticket/10485>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
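The lifetime problem behind this ticket, as an added example that is neither the reporter's code nor Boost's own: a hypothetical RefPath class mimics the shape of boost::filesystem::path::string() on POSIX in Boost 1.54 (a const reference to the path's own member string), and filename_chars_safe and filename_chars_by_value show the caller-side fix the reporter mentions and a library-side alternative. The class name, the simplified filename() rule and the function names are assumptions.

```cpp
#include <string>
#include <utility>
#include <vector>

// Stand-in for boost::filesystem::path (hypothetical, not Boost's code). Like
// Boost 1.54 on POSIX, string() hands back a const reference to the path's own
// member, so the returned reference lives only as long as the path object.
class RefPath {
public:
    explicit RefPath(std::string s) : m_pathname(std::move(s)) {}

    // Simplified filename(): the component after the last '/', or the whole
    // path when there is no separator or the path ends in '/' (e.g. "/").
    RefPath filename() const {
        std::string::size_type pos = m_pathname.rfind('/');
        if (pos == std::string::npos || pos + 1 == m_pathname.size()) return RefPath(m_pathname);
        return RefPath(m_pathname.substr(pos + 1));
    }

    const std::string& string() const { return m_pathname; }   // the Boost 1.54 shape
    std::string string_by_value() const { return m_pathname; } // the library-side fix

private:
    std::string m_pathname;
};

// The ticket's loop as written is undefined behaviour and is deliberately not
// compiled here: `for (char c : p.filename().string())` expands to
// `auto&& __range = p.filename().string();`, the temporary RefPath dies at the
// end of that initializer, and __range is a reference into its freed member.

// Caller-side fix: copy the string into a named local while the temporary path
// is still alive; the local outlives the loop.
std::vector<char> filename_chars_safe(const RefPath& p) {
    std::string name = p.filename().string();
    std::vector<char> out;
    for (char c : name) out.push_back(c);
    return out;
}

// Library-side fix: a by-value accessor returns a prvalue std::string, so the
// range-for's `auto&&` binds to it directly and extends its lifetime to the end
// of the loop, independent of the temporary path.
std::vector<char> filename_chars_by_value(const RefPath& p) {
    std::vector<char> out;
    for (char c : p.filename().string_by_value()) out.push_back(c);
    return out;
}
```

Building either function with -fsanitize=address stays clean, whereas the commented-out form reproduces the heap-use-after-free report above.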
This archive was generated by hypermail 2.1.7 : 2017-02-16 18:50:16 UTC