[Live-devel] stack-use-after-return while handling SETUP

Meng Ruijie ruijie_meng at u.nus.edu
Tue Jun 13 06:26:48 PDT 2023


Here is one bug about stack-use-after-return in live.2023.05.10 running on Ubuntu 20.04. It happens while handling the SETUP client request.

You can reproduce this bug as described in the README in the attachment. It is a flaky bug, as we observed. The following is the ASAN bug report:

=================================================================
==98936==ERROR: AddressSanitizer: stack-use-after-return on address 0x7ffff4688360 at pc 0x00000043bfdb bp 0x7fffffffd480 sp 0x7fffffffcc08
READ of size 2 at 0x7ffff4688360 thread T0
    #0 0x43bfda in printf_common(void*, char const*, __va_list_tag*) (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x43bfda)
    #1 0x43d860 in snprintf (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x43d860)
    #2 0x4da7b1 in RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp
    #3 0x4d716c in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:887:19
    #4 0x5b7a66 in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live/liveMedia/GenericMediaServer.cpp:324:3
    #5 0x605e35 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler.cpp:153:7
    #6 0x60c409 in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live/BasicUsageEnvironment/BasicTaskScheduler0.cpp:82:5
    #7 0x4ca479 in main /home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer.cpp:462:24
    #8 0x7ffff770a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41d73d in _start (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x41d73d)

Address 0x7ffff4688360 is located in stack of thread T0 at offset 864 in frame
    #0 0x4d575f in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live/liveMedia/RTSPServer.cpp:699

  This frame has 14 object(s):
    [32, 36) 'decodedSize' (line 743)
    [48, 248) 'cmdName' (line 788)
    [320, 520) 'urlPreSuffix' (line 789)
    [592, 792) 'urlSuffix' (line 790)
    [864, 1064) 'cseq' (line 791) <== Memory access at offset 864 is inside this variable
    [1136, 1336) 'sessionIdStr' (line 792)
    [1408, 1412) 'contentLength' (line 793)
    [1424, 1425) 'urlIsRTSPS' (line 794)
    [1440, 1840) 'urlTotalSuffix' (line 871)
    [1904, 1905) 'reuseConnection' (line 914)
    [1920, 1921) 'deliverViaTCP' (line 914)
    [1936, 1944) 'proxyURLSuffix' (line 915)
    [1968, 2168) 'sessionCookie' (line 933)
    [2240, 2440) 'acceptStr' (line 934)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return (/home/ubuntu/experiments/live/testProgs/testOnDemandRTSPServer+0x43bfda) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x10007e8c9010: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9020: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9030: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9040: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9050: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x10007e8c9060: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5[f5]f5 f5 f5
  0x10007e8c9070: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9080: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c9090: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c90a0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x10007e8c90b0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==98936==ABORTING
Aborted (core dumped)

------
Kind Regards,
Ruijie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: use-after-return-setup.rar
Type: application/vnd.rar
Size: 6979 bytes
Desc: use-after-return-setup.rar
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20230613/fab8ab23/attachment-0001.bin>
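A minimal C++ model (an added example, not live555's code) of the pattern the frame information in the report points at: a pointer to the handler's local cseq array is kept across a session lookup that completes only after handleRequestBytes has returned, and snprintf then reads the dead frame; beside it is the hardened shape that copies the header value into storage the connection owns. The struct and function names, the pending-lookup queue and the sample requests are invented for this illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <functional>
#include <string>
#include <vector>
// Stands in for the server's asynchronous session lookup (constructed model):
// the completion callback runs only after the request handler's frame is gone.
static std::vector<std::function<void()>> gPendingLookups;
// Copy the value of the CSeq header into out (empty string if absent).
static void parseCSeq(char const* req, char* out, size_t outLen) {
  out[0] = '\0';
  char const* p = std::strstr(req, "CSeq:");
  if (p == nullptr) return;
  for (p += 5; *p == ' ' || *p == '\t'; ++p) {}
  size_t n = 0;
  for (; p[n] != '\0' && p[n] != '\r' && p[n] != '\n' && n + 1 < outLen; ++n) out[n] = p[n];
  out[n] = '\0';
}
// Buggy shape: a raw pointer to the handler's local array outlives its frame.
struct BuggyConnection {
  char const* currentCSeq = nullptr;
  void handleRequestBytes(char const* req) {
    char cseq[200];
    parseCSeq(req, cseq, sizeof cseq);
    currentCSeq = cseq;                                   // points into this frame
    gPendingLookups.push_back([this] { afterLookup(); });
  }                                                       // cseq is dead from here on
  void afterLookup() {                                    // ASAN: stack-use-after-return
    char resp[256]; std::snprintf(resp, sizeof resp, "CSeq: %s\r\n", currentCSeq);
  }
};
// Hardened shape: the header value is copied into storage the connection owns.
struct FixedConnection {
  std::string currentCSeq, lastResponse;
  void handleRequestBytes(char const* req) {
    char cseq[200];
    parseCSeq(req, cseq, sizeof cseq);
    currentCSeq = cseq;                                   // std::string copies the bytes
    gPendingLookups.push_back([this] { afterLookup(); });
  }
  void afterLookup() { lastResponse = "RTSP/1.0 200 OK\r\nCSeq: " + currentCSeq + "\r\n"; }
};
// Drive the hardened connection; the lookup completes after the handler returned.
std::string respondAfterDeferredLookup(char const* req) {
  FixedConnection conn;
  conn.handleRequestBytes(req);
  for (auto& done : gPendingLookups) done();
  gPendingLookups.clear();
  return conn.lastResponse;
}
```

Only the hardened form is meant to be driven; the buggy one is there to show which code shape produces the report above, and building it with -fsanitize=address and calling it the same way reproduces the stack-use-after-return diagnosis.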
