Heap use-after-free

Desktop / LibreOffice - Stephan Bergmann [redhat.com] - 11 August 2020 06:32 UTC

...as seen during UITest_writer_tests2:

> ==2548829==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0002be9d0 at pc 0x7f42be5ddc7f bp 0x7ffe2d26b090 sp 0x7ffe2d26b088
> READ of size 1 at 0x60b0002be9d0 thread T0
> #0 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:84:9
> #1 in cppu::PartialWeakComponentImplHelper::release() at include/cppuhelper/compbase.hxx:86:36
> #2 in rtl::Reference::~Reference() at include/rtl/ref.hxx:113:22
> #3 in __run_exit_handlers at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:108:8
> #4 in exit at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:139:3
> #5 in __libc_start_main at /usr/src/debug/glibc-2.31-48-g64246fccaf/csu/../csu/libc-start.c:342:3
> 0x60b0002be9d0 is located 64 bytes inside of 112-byte region [0x60b0002be990,0x60b0002bea00)
> freed by thread T0 here:
> #0 in free at /home/sbergman/github.com/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
> #1 in rtl_freeMemory at sal/rtl/alloc_global.cxx:51:5
> #2 in cppu::WeakComponentImplHelperBase::operator delete(void*) at include/cppuhelper/compbase_ex.hxx:66:11
> #3 in UcbPropertiesManager::~UcbPropertiesManager() at ucb/source/core/ucbprops.cxx:197:1
> #4 in cppu::OWeakObject::release() at cppuhelper/source/weak.cxx:233:9
> #5 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:86:18
> #6 in cppu::PartialWeakComponentImplHelper::release() at include/cppuhelper/compbase.hxx:86:36
> #7 in rtl::Reference::clear() at include/rtl/ref.hxx:180:19
> #8 in UcbPropertiesManager::dispose() at ucb/source/core/ucbprops.cxx:205:16
> #9 in cppu::WeakComponentImplHelperBase::release() at cppuhelper/source/implbase.cxx:79:13
> #10 in cppu::PartialWeakComponentImplHelper::release() at include/cppuhelper/compbase.hxx:86:36
> #11 in rtl::Reference::~Reference() at include/rtl/ref.hxx:113:22
> #12 in __run_exit_handlers at /usr/src/debug/glibc-2.31-48-g64246fccaf/stdlib/exit.c:108:8

The elaborate g_Instance disposal scheme had been introduced with 3d44c6a49b20415616dab7a2de2820da5efab309 "ucb/core: create instances with uno constructors", but it is unclear to me for what reason.

Change-Id: I768bc3a8674e0e81cf89adae58e4a67d14509985
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100456

0de191e1d201 Heap use-after-free
ucb/source/core/ucbprops.cxx | 18 ++----------------
ucb/source/core/ucbprops.hxx | 11 +++--------
2 files changed, 5 insertions(+), 24 deletions(-)
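As an added illustration (not LibreOffice code, and not the change this commit makes, whose diff is not shown here), a minimal C++ model of the cycle the trace shows: a release() that restores one count while disposing, and a singleton whose dispose() clears the global handle that owns it, so the nested clear() re-enters release() while the outer release() is still running. The handle in this model detaches before releasing, so the re-entrant clear() is a no-op and the object is deleted exactly once; the names Component, Ref, Manager and g_instance are assumptions standing in for the cppuhelper and rtl types in the trace.

```cpp
#include <atomic>
static int g_deletions = 0;   // Component destructors run
static int g_noopClears = 0;  // clear() calls that found the handle already detached
// Stand-in for cppu::WeakComponentImplHelperBase (assumed, simplified shape).
struct Component {
    std::atomic<int> refCount{0};
    bool disposed = false;
    virtual ~Component() { ++g_deletions; }
    void acquire() { ++refCount; }
    virtual void disposing() {}   // subclass drops what it owns
    void dispose() { if (!disposed) { disposed = true; disposing(); } }
    // Same shape as implbase.cxx: on the last release restore one count, dispose,
    // then drop it and delete. If dispose() re-enters release() and that nested
    // call deletes `this`, the decrement after dispose() reads freed memory.
    void release() {
        if (--refCount != 0) return;
        ++refCount;
        dispose();
        if (--refCount == 0) delete this;
    }
};
// Stand-in for rtl::Reference. Defensive ordering: detach before releasing, so a
// clear() re-entered through dispose() is a no-op and each acquire() gets one release().
template <class T> struct Ref {
    T* p = nullptr;
    explicit Ref(T* q) : p(q) { if (p) p->acquire(); }
    ~Ref() { clear(); }
    void clear() {
        T* q = p;
        if (!q) { ++g_noopClears; return; }
        p = nullptr;
        q->release();
    }
};
// Singleton whose dispose() clears the global handle owning it, the pattern of
// the g_Instance scheme this commit removes (assumed shape).
struct Manager;
static Ref<Manager>* g_instance = nullptr;
struct Manager : Component {
    void disposing() override { if (g_instance) g_instance->clear(); }
};
// The exit-time sequence from the trace: destroying the owning global releases,
// disposes, and re-clears the same handle. Returns deletions; expect exactly 1.
int runLifecycle() {
    g_deletions = g_noopClears = 0;
    { Ref<Manager> holder(new Manager); g_instance = &holder; }  // ~holder starts the chain
    g_instance = nullptr;
    return g_deletions;
}
```

Swapping the order inside clear() (release first, detach after) turns the nested clear() into a second release of the same reference, the object is deleted inside dispose(), and the outer release() then touches freed memory, which is the shape of the trace above.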

Upstream: cgit.freedesktop.org
