Opened 3 years ago

Closed 3 years ago

#51201 closed defect (fixed)

nano crashes when opening multiple files: use-after-free

Reported by: jeremyhu (Jeremy Huddleston Sequoia) Owned by: jeremyhu (Jeremy Huddleston Sequoia)
Priority: Normal Milestone:
Component: ports Version: 2.3.4
Keywords: Cc:
Port: nano

Description

Using nano to open many files at once often causes the process to crash.

Building with ASan reveals that this is a use-after-free.

The issue seems to be that nano is freeing memory that it doesn't own, so the next time dirname(3) goes to use its buffer, nano crashes.

Process:               nano [10512]
Path:                  /opt/local/bin/nano
Identifier:            nano
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        bash [4236]
Responsible:           Terminal [601]
User ID:               501

Date/Time:             2016-04-21 20:33:52.998 -0700
OS Version:            Mac OS X 10.11.5 (15F25)
Report Version:        11
Anonymous UUID:        1F70FDBA-936B-7CCF-17FE-84A1852F1452

Sleep/Wake UUID:       28E1E682-A8AE-48E8-AEBC-1DCC31235440

Time Awake Since Boot: 56000 seconds
Time Since Wake:       700 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000

Application Specific Information:
=================================================================
==10512==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000400180 at pc 0x00010fb1654a bp 0x7fff50317860 sp 0x7fff50317020
WRITE of size 13 at 0x619000400180 thread T0
    #0 0x10fb16549 in wrap_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x42549)
    #1 0x7fff9c576266 in dirname (libsystem_c.dylib+0x26266)
    #2 0x10f8faa62 in has_valid_path files.c:46
    #3 0x10f8fe51b in open_buffer files.c:452
    #4 0x10f934cdc in main nano.c:2574
    #5 0x7fff8acc05ac in start (libdyld.dylib+0x35ac)
    #6 0x26  (<unknown module>)
 
0x619000400180 is located 0 bytes inside of 1024-byte region [0x619000400180,0x619000400580)
freed by thread T0 here:
    #0 0x10fb1e1c9 in wrap_free (libclang_rt.asan_osx_dynamic.dylib+0x4a1c9)
    #1 0x10f8fac72 in has_valid_path files.c:62
    #2 0x10f8fe51b in open_buffer files.c:452
    #3 0x10f934cdc in main nano.c:2574
    #4 0x7fff8acc05ac in start (libdyld.dylib+0x35ac)
    #5 0x26  (<unknown module>)
 
previously allocated by thread T0 here:
    #0 0x10fb1e000 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x4a000)
    #1 0x7fff9c576199 in dirname (libsystem_c.dylib+0x26199)
    #2 0x10f8faa62 in has_valid_path files.c:46
    #3 0x10f8fe51b in open_buffer files.c:452
    #4 0x10f934cdc in main nano.c:2574
    #5 0x7fff8acc05ac in start (libdyld.dylib+0x35ac)
    #6 0x26  (<unknown module>)
 
SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib+0x42549) in wrap_memcpy
Shadow bytes around the buggy address:
  0x1c320007ffe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c320007fff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200080020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c3200080030:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200080080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10512==ABORTING
 
abort() called

Global Trace Buffer (reverse chronological seconds):
18446744068.605698 libclang_rt.asan_osx_dynamic.dylib	0x000000010fb34757 Consult syslog for more information.
18446744068.605705 libclang_rt.asan_osx_dynamic.dylib	0x000000010fb346de Address Sanitizer reported a failure.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff8d315f06 __pthread_kill + 10
1   libsystem_pthread.dylib       	0x00007fff86bfc4ec pthread_kill + 90 (pthread.c:1249)
2   libsystem_c.dylib             	0x00007fff9c5ae6e7 abort + 129
3   libclang_rt.asan_osx_dynamic.dylib	0x000000010fb3e426 __sanitizer::Abort() + 6
4   libclang_rt.asan_osx_dynamic.dylib	0x000000010fb16577 wrap_memcpy + 1623
5   libsystem_c.dylib             	0x00007fff9c576267 dirname + 240
6   nano                          	0x000000010f8faa63 has_valid_path + 339 (files.c:46)
7   nano                          	0x000000010f8fe51c open_buffer + 1068 (files.c:452)
8   nano                          	0x000000010f934cdd main + 14077 (nano.c:2574)
9   libdyld.dylib                 	0x00007fff8acc05ad start + 1

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007fff503165c8  rdx: 0x0000000000000000
  rdi: 0x000000000000050f  rsi: 0x0000000000000006  rbp: 0x00007fff503165f0  rsp: 0x00007fff503165c8
   r8: 0x000000010fff7c53   r9: 0x0000000000000012  r10: 0x0000000008000000  r11: 0x0000000000000206
  r12: 0x000000010fb4c67e  r13: 0x00007fff50316fb0  r14: 0x00007fff76102000  r15: 0x000000010fda60a0
  rip: 0x00007fff8d315f06  rfl: 0x0000000000000206  cr2: 0x00007fff7a51e008
  
Logical CPU:     0
Error Code:      0x02000148
Trap Number:     133


Binary Images:
       0x10f8e7000 -        0x10f9a0ff7 +nano (0) <E06CEF76-F178-3094-A470-9FC42817F9EB> /opt/local/bin/nano
       0x10f9e2000 -        0x10f9eaff3 +libintl.8.dylib (0) <923E20D2-F8BE-3A24-88D8-59834B8F7CA5> /opt/local/lib/libintl.8.dylib
       0x10f9f5000 -        0x10fa11fff +libz.1.dylib (0) <AC3687FA-B3A3-37F5-9152-EABA1C013A0C> /opt/local/lib/libz.1.dylib
       0x10fa1c000 -        0x10fa33ff7 +libmagic.1.dylib (0) <6FADBBE1-BB34-36BB-80CE-DAD234D17D89> /opt/local/lib/libmagic.1.dylib
       0x10fa3f000 -        0x10fa9efff +libncurses.6.dylib (0) <42688968-AAEA-3474-BD55-9652A6A286FD> /opt/local/lib/libncurses.6.dylib
       0x10fad4000 -        0x10fb62ff7 +libclang_rt.asan_osx_dynamic.dylib (0) <2FD61E39-48A1-3B98-B3E1-D7C7C245A993> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
       0x110840000 -        0x11094efff +libiconv.2.dylib (0) <6941818D-37C9-3B88-BCA6-6D1E04A65F91> /opt/local/lib/libiconv.2.dylib
    0x7fff628ec000 -     0x7fff6292325f  dyld (360.22) <A468D85E-D8D6-3461-8C99-49D3B9ACFC63> /usr/lib/dyld
    0x7fff86b5f000 -     0x7fff86b63fff  libcache.dylib (75) <9548AAE9-2AB7-3525-9ECE-A2A7C4688447> /usr/lib/system/libcache.dylib
    0x7fff86bf6000 -     0x7fff86bffff7  libsystem_pthread.dylib (138.10.4) <3DD1EF4C-1D1B-3ABF-8CC6-B3B1CEEE9559> /usr/lib/system/libsystem_pthread.dylib
    0x7fff87f92000 -     0x7fff87f97ff7  libmacho.dylib (875.1) <318264FA-58F1-39D8-8285-1F6254EE410E> /usr/lib/system/libmacho.dylib
    0x7fff885fe000 -     0x7fff88601fff  libsystem_sandbox.dylib (460.50.4) <150A9D3D-F69E-32F7-8C7B-8E72CAAFF7E4> /usr/lib/system/libsystem_sandbox.dylib
    0x7fff8968c000 -     0x7fff89694fff  libcopyfile.dylib (127) <A48637BC-F3F2-34F2-BB68-4C65FD012832> /usr/lib/system/libcopyfile.dylib
    0x7fff8983e000 -     0x7fff89a4bfff  libicucore.A.dylib (551.51.3) <5BC80F94-C90D-3175-BD96-FF1DC222EC9C> /usr/lib/libicucore.A.dylib
    0x7fff8a879000 -     0x7fff8a8bfff7  libauto.dylib (186) <999E610F-41FC-32A3-ADCA-5EC049B65DFB> /usr/lib/libauto.dylib
    0x7fff8acbd000 -     0x7fff8acc0ffb  libdyld.dylib (360.22) <CC088C2A-D407-33E7-A6B6-B06E0D4AD999> /usr/lib/system/libdyld.dylib
    0x7fff8bc28000 -     0x7fff8bc28ff7  libkeymgr.dylib (28) <8371CE54-5FDD-3CE9-B3DF-E98C761B6FE0> /usr/lib/system/libkeymgr.dylib
    0x7fff8c80e000 -     0x7fff8c813ff3  libunwind.dylib (35.3) <F6EB48E5-4D12-359A-AB54-C937FBBE9043> /usr/lib/system/libunwind.dylib
    0x7fff8c814000 -     0x7fff8c816ff7  libsystem_configuration.dylib (802.40.13) <3DEB7DF9-6804-37E1-BC83-0166882FF0FF> /usr/lib/system/libsystem_configuration.dylib
    0x7fff8d2ff000 -     0x7fff8d31dff7  libsystem_kernel.dylib (3248.50.21) <78E54D59-D2B0-3F54-9A4A-0A68D671F253> /usr/lib/system/libsystem_kernel.dylib
    0x7fff8d8ce000 -     0x7fff8dd44fff  com.apple.CoreFoundation (6.9 - 1258.1) <943A1383-DA6A-3DC0-ABCD-D9AEB3D0D34D> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7fff8f4a8000 -     0x7fff8f4b3ff7  libcommonCrypto.dylib (60075.50.1) <93732261-34B4-3914-B7A2-90A81A182DBA> /usr/lib/system/libcommonCrypto.dylib
    0x7fff8f7ef000 -     0x7fff8f7f7fff  libsystem_networkextension.dylib (385.40.36) <66095DC7-6539-38F2-95EE-458F15F6D014> /usr/lib/system/libsystem_networkextension.dylib
    0x7fff8f7f8000 -     0x7fff8f821ff7  libxpc.dylib (765.50.8) <54D1328E-054E-3DAA-89E2-375722F9D18F> /usr/lib/system/libxpc.dylib
    0x7fff8f822000 -     0x7fff8f839ff7  libsystem_coretls.dylib (83.40.5) <C90DAE38-4082-381C-A185-2A6A8B677628> /usr/lib/system/libsystem_coretls.dylib
    0x7fff8f954000 -     0x7fff8f97dfff  libc++abi.dylib (125) <DCCC8177-3D09-35BC-9784-2A04FEC4C71B> /usr/lib/libc++abi.dylib
    0x7fff8fab4000 -     0x7fff8fac5ff7  libz.1.dylib (61.20.1) <B3EBB42F-48E3-3287-9F0D-308E04D407AC> /usr/lib/libz.1.dylib
    0x7fff903b1000 -     0x7fff903cdff7  libsystem_malloc.dylib (67.40.1) <5748E8B2-F81C-34C6-8B13-456213127678> /usr/lib/system/libsystem_malloc.dylib
    0x7fff9061d000 -     0x7fff90625fef  libsystem_platform.dylib (74.40.2) <29A905EF-6777-3C33-82B0-6C3A88C4BA15> /usr/lib/system/libsystem_platform.dylib
    0x7fff9068e000 -     0x7fff906bbfff  libdispatch.dylib (501.40.12) <C7499857-61A5-3D7D-A5EA-65DCC8C3DF92> /usr/lib/system/libdispatch.dylib
    0x7fff919db000 -     0x7fff919dbff7  libunc.dylib (29) <DDB1E947-C775-33B8-B461-63E5EB698F0E> /usr/lib/system/libunc.dylib
    0x7fff9209c000 -     0x7fff920a3ff7  libcompiler_rt.dylib (62) <A13ECF69-F59F-38AE-8609-7B731450FBCD> /usr/lib/system/libcompiler_rt.dylib
    0x7fff92764000 -     0x7fff9278dfff  libsystem_info.dylib (477.50.4) <FAA9226D-64DE-3769-A6D8-6CABA4B7FF4D> /usr/lib/system/libsystem_info.dylib
    0x7fff9278e000 -     0x7fff9278fffb  libSystem.B.dylib (1226.10.1) <C5D09FE1-CC70-383E-AC27-18602F2EDEC4> /usr/lib/libSystem.B.dylib
    0x7fff93717000 -     0x7fff93718fff  libDiagnosticMessagesClient.dylib (100) <4243B6B4-21E9-355B-9C5A-95A216233B96> /usr/lib/libDiagnosticMessagesClient.dylib
    0x7fff94209000 -     0x7fff9425cff7  libc++.1.dylib (120.1) <8FC3D139-8055-3498-9AC5-6467CB7F4D14> /usr/lib/libc++.1.dylib
    0x7fff94ebb000 -     0x7fff94ec3ffb  libsystem_dnssd.dylib (625.50.5) <4D10E12B-59B5-386F-82DA-326F18028F0A> /usr/lib/system/libsystem_dnssd.dylib
    0x7fff95116000 -     0x7fff95127ff7  libsystem_trace.dylib (201.10.3) <F00E92E4-DBDA-3749-B5B3-0C3FBBABA1CB> /usr/lib/system/libsystem_trace.dylib
    0x7fff958c9000 -     0x7fff95940feb  libcorecrypto.dylib (335.50.1) <B5C05FD7-A540-345A-87BF-8E41848A3C17> /usr/lib/system/libcorecrypto.dylib
    0x7fff95ec2000 -     0x7fff95ecbff3  libsystem_notify.dylib (150.40.1) <D48BDE34-0F7E-34CA-A0FF-C578E39987CC> /usr/lib/system/libsystem_notify.dylib
    0x7fff9608e000 -     0x7fff96090fff  libsystem_coreservices.dylib (19.2) <1B3F5AFC-FFCD-3ECB-8B9A-5538366FB20D> /usr/lib/system/libsystem_coreservices.dylib
    0x7fff96276000 -     0x7fff96277ffb  libremovefile.dylib (41) <552EF39E-14D7-363E-9059-4565AC2F894E> /usr/lib/system/libremovefile.dylib
    0x7fff969ec000 -     0x7fff96d4ef3f  libobjc.A.dylib (680) <7489D2D6-1EFD-3414-B18D-2AECCCC90286> /usr/lib/libobjc.A.dylib
    0x7fff98beb000 -     0x7fff98bedff7  libquarantine.dylib (80) <0F4169F0-0C84-3A25-B3AE-E47B3586D908> /usr/lib/system/libquarantine.dylib
    0x7fff995d6000 -     0x7fff995d6ff7  liblaunch.dylib (765.50.8) <834ED605-5114-3641-AA4D-ECF31B801C50> /usr/lib/system/liblaunch.dylib
    0x7fff9b0a4000 -     0x7fff9b10aff7  libsystem_network.dylib (583.50.1) <B52DAB73-92DC-3DA7-B9F4-B899D66445C1> /usr/lib/system/libsystem_network.dylib
    0x7fff9b9e3000 -     0x7fff9ba12ffb  libsystem_m.dylib (3105) <08E1A4B2-6448-3DFE-A58C-ACC7335BE7E4> /usr/lib/system/libsystem_m.dylib
    0x7fff9bad1000 -     0x7fff9bae8ff7  libsystem_asl.dylib (323.50.1) <41F8E11F-1BD0-3F1D-BA3A-AA1577ED98A9> /usr/lib/system/libsystem_asl.dylib
    0x7fff9bfec000 -     0x7fff9bfedfff  libsystem_blocks.dylib (65) <1244D9D5-F6AA-35BB-B307-86851C24B8E5> /usr/lib/system/libsystem_blocks.dylib
    0x7fff9c52f000 -     0x7fff9c530fff  libsystem_secinit.dylib (20) <32B1A8C6-DC84-3F4F-B8CE-9A52B47C3E6B> /usr/lib/system/libsystem_secinit.dylib
    0x7fff9c550000 -     0x7fff9c5ddfff  libsystem_c.dylib (1082.50.1) <B552D565-B798-3B9B-AE63-F623B42A5F01> /usr/lib/system/libsystem_c.dylib

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 1
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 31953
    thread_create: 0
    thread_set_state: 0

VM Region Summary:
ReadOnly portion of Libraries: Total=109.0M resident=0K(0%) swapped_out_or_unallocated=109.0M(100%)
Writable regions: Total=14.0T written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=14.0T(100%)
 
                                  VIRTUAL   REGION 
REGION TYPE                          SIZE    COUNT (non-coalesced) 
===========                       =======  ======= 
Activity Tracing                    2048K        2 
Kernel Alloc Once                      4K        2 
MALLOC                                 4K        2 
Performance tool data                6.0T      171         not counted in TOTAL below
Performance tool data (reserved)    14.0T       55         reserved VM address space (unallocated)
STACK GUARD                         56.0M        2 
Stack                               8192K        2 
VM_ALLOCATE                            4K        2 
__DATA                              15.6M       60 
__LINKEDIT                          92.0M       10 
__TEXT                              17.0M       52 
__UNICODE                            552K        2 
shared memory                         12K        4 
===========                       =======  ======= 
TOTAL                              191.2M      129 
TOTAL, minus reserved VM space   16777202.0T      129 

Model: MacBookPro11,5, BootROM MBP114.0172.B09, 4 processors, Intel Core i7, 2.8 GHz, 16 GB, SMC 2.30f2
Graphics: AMD Radeon R9 M370X, AMD Radeon R9 M370X, PCIe, 2048 MB
Graphics: Intel Iris Pro, Intel Iris Pro, Built-In
Memory Module: BANK 0/DIMM0, 8 GB, DDR3, 1600 MHz, 0x802C, 0x31364B544631473634485A2D314736453120
Memory Module: BANK 1/DIMM0, 8 GB, DDR3, 1600 MHz, 0x802C, 0x31364B544631473634485A2D314736453120
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x152), Broadcom BCM43xx 1.0 (7.21.95.175.1a6)
Bluetooth: Version 4.4.5f3 17904, 3 services, 27 devices, 1 incoming serial ports
Network Service: Wi-Fi, AirPort, en0
Serial ATA Device: APPLE SSD SM1024G, 1 TB
USB Device: USB 3.0 Bus
USB Device: Apple Internal Keyboard / Trackpad
USB Device: Bluetooth USB Host Controller
Thunderbolt Bus: MacBook Pro, Apple Inc., 27.1
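The ASan report above pins the ownership rule that was broken: the 1024-byte region is allocated inside libsystem_c's dirname (the "previously allocated" stack), freed from has_valid_path (files.c:62), and then written again by the next dirname call from the same function. POSIX lets dirname(3) modify its argument and return a pointer either into that argument or into static or library-owned storage, so the caller may never free the result and may not rely on it surviving a later dirname call. The following is an added example, not nano's code or the MacPorts fix; safe_dirname, parent_is_dir and dirname_equals are hypothetical names, and the file list in main is constructed to mimic opening several files at once.

```c
/* Added example (not nano's code): handling dirname(3) without taking
 * ownership of its buffer. The caller copies the input (dirname may
 * scribble on it), takes dirname() of the copy, duplicates the answer
 * into memory it actually owns, and frees only what it allocated. */
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Return a freshly malloc'd copy of dirname(path), or NULL on allocation
 * failure. The caller owns and frees the returned string; the pointer
 * that dirname() itself returned never escapes this function. */
char *safe_dirname(const char *path)
{
    char *scratch = strdup(path);   /* dirname() is allowed to modify this */
    if (scratch == NULL)
        return NULL;
    /* May point into scratch or into a static/library-owned buffer
     * (the crash report shows libSystem's dirname using its own malloc'd
     * region). Either way, it is not ours to free. */
    char *dir = dirname(scratch);
    char *owned = strdup(dir);      /* copy out before scratch goes away */
    free(scratch);                  /* free our copy, never 'dir' */
    return owned;
}

/* Hypothetical stand-in for the kind of check has_valid_path() performs:
 * does the parent directory of 'filename' exist and is it a directory? */
bool parent_is_dir(const char *filename)
{
    char *parent = safe_dirname(filename);
    if (parent == NULL)
        return false;
    struct stat st;
    bool ok = stat(parent, &st) == 0 && S_ISDIR(st.st_mode);
    free(parent);
    return ok;
}

/* Helper for checking results without leaking: does safe_dirname(path)
 * equal 'expected'? */
bool dirname_equals(const char *path, const char *expected)
{
    char *parent = safe_dirname(path);
    if (parent == NULL)
        return false;
    bool same = strcmp(parent, expected) == 0;
    free(parent);
    return same;
}

int main(void)
{
    /* Constructed sample input: several files "opened at once", as in the
     * report. Repeated calls are safe because nothing from an earlier
     * dirname() call is kept or freed. */
    const char *files[] = { "/opt/local/bin/nano", "nano", "/", "/no/such/dir/file" };
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++) {
        char *parent = safe_dirname(files[i]);
        if (parent == NULL)
            return 1;
        printf("%-22s parent=%-16s parent is dir: %s\n", files[i], parent,
               parent_is_dir(files[i]) ? "yes" : "no");
        free(parent);
    }
    return 0;
}
```

The key line is the single free(scratch): the buffer handed back by dirname is treated as read-only and transient, which is exactly the property the freed-by-has_valid_path stack in the report shows being violated. Building with -fsanitize=address, as the reporter did, is the quickest way to catch a free() of a pointer the program did not allocate.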

Change History (1)

comment:1 Changed 3 years ago by jeremyhu (Jeremy Huddleston Sequoia)

Resolution: fixed
Status: new → closed