unofficial mirror of notmuch@notmuchmail.org
* use after free in python notmuch2 bindings
@ 2022-01-02 13:51 David Bremner
  2022-01-07 13:06 ` David Bremner
  0 siblings, 1 reply; 9+ messages in thread
From: David Bremner @ 2022-01-02 13:51 UTC (permalink / raw)
  To: notmuch

[-- Attachment #1: Type: text/plain, Size: 737 bytes --]


I've been attempting to port nmweb to the new bindings, but I got stuck
on a bug that segfaults python. I attached a reduced version that
reproduces the problem for me. It uses recent messages from the notmuch
list; if others can't reproduce let me know and I will try to make
something more self-contained including a message set.

It's a bit tricky to get ASAN working but I managed with

% env ASAN_OPTIONS=alloc_dealloc_mismatch=0 LD_PRELOAD="libasan.so.6 libstdc++.so.6" LD_LIBRARY_PATH=../../lib python3 ~/test.py

You can see in the attached output that one of the notmuch messages
structs is used after being freed. I suspect it has something to do with
the iterator code in the bindings, but I have not examined it in detail.


[-- Attachment #2: reproducer for use after free --]
[-- Type: text/x-python, Size: 487 bytes --]

from notmuch2 import Database


def mailto_addrs(msg, header_name):
    # Reduced stand-in for the nmweb helper; it only has to touch the
    # message object after the caller has started iterating replies.
    hdr = msg.header(header_name)
    return


def show_msgs(msgs):
    print("show msgs" + str(msgs))
    for msg in msgs:
        print("\t", msg.messageid)
        frm = mailto_addrs(msg, 'From')
        # Recursing into msg.replies() while the parent iterator is still
        # live is what triggers the use after free in the ASAN output below.
        rs = show_msgs(msg.replies())
    return


db = Database(config=Database.CONFIG.SEARCH)
msg = db.find("87fsqijx7u.fsf@metapensiero.it")
threads = db.threads(query="thread:" + msg.threadid)
thread = next(threads)

show_msgs(thread)

[-- Attachment #3: asan.out --]
[-- Type: application/octet-stream, Size: 3820 bytes --]

=================================================================
==571087==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000021b0 at pc 0x7f2500d36671 bp 0x7ffdb9fa8670 sp 0x7ffdb9fa8668
READ of size 8 at 0x6120000021b0 thread T0
    #0 0x7f2500d36670 in notmuch_message_get_message_id lib/message.cc:525
    #1 0x7f2501612b76 in _cffi_f_notmuch_message_get_message_id build/temp.linux-x86_64-3.9/notmuch2._capi.c:3079
    #2 0x524dbc  (/usr/bin/python3.9+0x524dbc)
    #3 0x514653 in _PyEval_EvalFrameDefault (/usr/bin/python3.9+0x514653)
    #4 0x525912 in _PyFunction_Vectorcall (/usr/bin/python3.9+0x525912)
    #5 0x5342b2  (/usr/bin/python3.9+0x5342b2)
    #6 0x523f57 in _PyObject_GenericGetAttrWithDict (/usr/bin/python3.9+0x523f57)
    #7 0x50f634 in _PyEval_EvalFrameDefault (/usr/bin/python3.9+0x50f634)
    #8 0x525912 in _PyFunction_Vectorcall (/usr/bin/python3.9+0x525912)
    #9 0x50f71e in _PyEval_EvalFrameDefault (/usr/bin/python3.9+0x50f71e)
    #10 0x525912 in _PyFunction_Vectorcall (/usr/bin/python3.9+0x525912)
    #11 0x50f71e in _PyEval_EvalFrameDefault (/usr/bin/python3.9+0x50f71e)
    #12 0x50deb0  (/usr/bin/python3.9+0x50deb0)
    #13 0x50dc26 in _PyEval_EvalCodeWithName (/usr/bin/python3.9+0x50dc26)
    #14 0x50dbd2 in PyEval_EvalCode (/usr/bin/python3.9+0x50dbd2)
    #15 0x629bc6  (/usr/bin/python3.9+0x629bc6)
    #16 0x626b6f  (/usr/bin/python3.9+0x626b6f)
    #17 0x6295e8  (/usr/bin/python3.9+0x6295e8)
    #18 0x629262 in PyRun_SimpleFileExFlags (/usr/bin/python3.9+0x629262)
    #19 0x620d61 in Py_RunMain (/usr/bin/python3.9+0x620d61)
    #20 0x608bf8 in Py_BytesMain (/usr/bin/python3.9+0x608bf8)
    #21 0x7f25046e07ec in __libc_start_main ../csu/libc-start.c:332
    #22 0x608af9 in _start (/usr/bin/python3.9+0x608af9)

0x6120000021b0 is located 112 bytes inside of 272-byte region [0x612000002140,0x612000002250)
freed by thread T0 here:
    #0 0x7f2504cfb4d7 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f2501411353 in _tc_free_internal ../../talloc.c:1222

previously allocated by thread T0 here:
    #0 0x7f2504cfb7cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f25014137ef in __talloc_with_prefix ../../talloc.c:783

SUMMARY: AddressSanitizer: heap-use-after-free lib/message.cc:525 in notmuch_message_get_message_id
==571087==ABORTING




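To illustrate the kind of lifetime bug the report describes, here is an added model written for this page, not code from the notmuch2 bindings: a Python wrapper that merely borrows C memory owned by an iterator dangles once the iterator wrapper is collected, while a wrapper that keeps its owner alive (the idea behind the OwnedMessage patch later in this thread) does not. The "C" layer (CMessage, CMessages, c_message_get_message_id) is simulated in Python, and the names MessageIter, Message and first_reply_id are made up for the example.

```python
class UseAfterFree(RuntimeError):
    """Raised where AddressSanitizer would report heap-use-after-free."""

class CMessage:                      # constructed stand-in for a notmuch_message_t
    def __init__(self, mid):
        self.mid, self.freed = mid, False

class CMessages:                     # constructed stand-in for notmuch_messages_t
    def __init__(self, mids):
        self.items = [CMessage(m) for m in mids]
    def destroy(self):               # talloc-style: frees every message it owns
        for m in self.items:
            m.freed = True

def c_message_get_message_id(c_msg):
    if c_msg.freed:
        raise UseAfterFree("read of a freed message struct")
    return c_msg.mid

class Message:
    """parent=None only borrows the C memory; parent=<iterator> keeps the
    owner alive for as long as this wrapper lives (the OwnedMessage idea)."""
    def __init__(self, c_msg, parent=None):
        self._c, self._parent = c_msg, parent
    @property
    def messageid(self):
        return c_message_get_message_id(self._c)

class MessageIter:
    """Wrapper around the C iterator; collecting it destroys the C side."""
    def __init__(self, c_iter, keep_owner):
        self._c, self._keep_owner, self._i = c_iter, keep_owner, 0
    def __next__(self):
        if self._i >= len(self._c.items):
            raise StopIteration
        c_msg = self._c.items[self._i]
        self._i += 1
        return Message(c_msg, parent=self if self._keep_owner else None)
    def __del__(self):
        self._c.destroy()

def first_reply_id(mids, keep_owner):
    """Take one message, drop the iterator wrapper, then read the id.  CPython
    collects the iterator as soon as its last reference goes, so the borrowed
    variant (keep_owner=False) hits freed memory.  Returns the id, or None
    where the real C library would have read freed memory."""
    it = MessageIter(CMessages(mids), keep_owner)
    msg = next(it)
    del it                           # with keep_owner=True, msg._parent still holds it
    try:
        return msg.messageid
    except UseAfterFree:
        return None
```

The same pattern applies to the reproducer above: a message handed out by one iterator stays valid only as long as whatever owns its talloc context does, so a binding must either pin the owner from the child wrapper or hand out copies.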

Thread overview: 9+ messages
2022-01-02 13:51 use after free in python notmuch2 bindings David Bremner
2022-01-07 13:06 ` David Bremner
2022-01-08 14:03   ` [PATCH 1/2] test: add known broken tests for recursive traversal of replies David Bremner
2022-01-08 14:03     ` [PATCH 2/2] python-cffi: returned OwnedMessage objects from Message.replies David Bremner
2022-01-08 18:59       ` Floris Bruynooghe
2022-01-09 13:26         ` David Bremner
2022-01-11 22:02           ` Floris Bruynooghe
2022-01-12  0:55             ` David Bremner
2022-01-09 13:27     ` [PATCH 1/2] test: add known broken tests for recursive traversal of replies David Bremner
