heap-use-after-free caused by checking for duplicate "http" configurations
Checking for duplicate http clauses in configuration files leads to a heap use-after-free.
=================================================================
==1833==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300002b420 at pc 0x7fbcc0f4c4f2 bp 0x7ffdd9e9a170 sp 0x7ffdd9e99920
READ of size 1 at 0x60300002b420 thread T0
#0 0x7fbcc0f4c4f1 (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xb64f1)
#1 0x7fbcc0b2dacd in isc_symtab_define /builds/isc-projects/bind9/lib/isc/symtab.c:221
#2 0x7fbcbe556dfc in bind9_check_httpserver /builds/isc-projects/bind9/lib/bind9/check.c:2046
#3 0x7fbcbe556dfc in bind9_check_httpservers /builds/isc-projects/bind9/lib/bind9/check.c:2111
#4 0x7fbcbe556dfc in bind9_check_namedconf /builds/isc-projects/bind9/lib/bind9/check.c:5692
#5 0x55798af6ceb7 in main /builds/isc-projects/bind9/bin/check/named-checkconf.c:726
#6 0x7fbcbd83e09a in __libc_start_main ../csu/libc-start.c:308
#7 0x55798af697c9 in _start (/builds/isc-projects/bind9/bin/check/.libs/named-checkconf+0xa7c9)
0x60300002b420 is located 0 bytes inside of 18-byte region [0x60300002b420,0x60300002b432)
freed by thread T0 here:
#0 0x7fbcc0f7efb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
#1 0x7fbcc0ac2ca6 in sdallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:39
#2 0x7fbcc0ac2ca6 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:361
#3 0x7fbcc0ac2ca6 in isc__mem_free /builds/isc-projects/bind9/lib/isc/mem.c:977
#4 0x7fbcbe556e22 in bind9_check_httpserver /builds/isc-projects/bind9/lib/bind9/check.c:2066
#5 0x7fbcbe556e22 in bind9_check_httpservers /builds/isc-projects/bind9/lib/bind9/check.c:2111
#6 0x7fbcbe556e22 in bind9_check_namedconf /builds/isc-projects/bind9/lib/bind9/check.c:5692
#7 0x55798af6ceb7 in main /builds/isc-projects/bind9/bin/check/named-checkconf.c:726
#8 0x7fbcbd83e09a in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here:
#0 0x7fbcc0f7f330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fbcc0ac1020 in mallocx /builds/isc-projects/bind9/lib/isc/jemalloc_shim.h:29
#2 0x7fbcc0ac1020 in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:341
#3 0x7fbcc0ac1020 in isc__mem_allocate /builds/isc-projects/bind9/lib/isc/mem.c:886
#4 0x7fbcc0ac429b in isc__mem_strdup /builds/isc-projects/bind9/lib/isc/mem.c:996
#5 0x7fbcbe556d8b in bind9_check_httpserver /builds/isc-projects/bind9/lib/bind9/check.c:2039
#6 0x7fbcbe556d8b in bind9_check_httpservers /builds/isc-projects/bind9/lib/bind9/check.c:2111
#7 0x7fbcbe556d8b in bind9_check_namedconf /builds/isc-projects/bind9/lib/bind9/check.c:5692
#8 0x55798af6ceb7 in main /builds/isc-projects/bind9/bin/check/named-checkconf.c:726
#9 0x7fbcbd83e09a in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xb64f1)
Shadow bytes around the buggy address:
0x0c067fffd630: 00 00 00 fa fa fa 00 00 02 fa fa fa 00 00 00 fa
0x0c067fffd640: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
0x0c067fffd650: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
0x0c067fffd660: 00 00 02 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x0c067fffd670: fa fa 00 00 00 00 fa fa 00 00 02 fa fa fa 00 00
=>0x0c067fffd680: 00 fa fa fa[fd]fd fd fa fa fa 00 00 02 fa fa fa
0x0c067fffd690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffd6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1833==ABORTING
The problem was found by accident while working on similar code in !5444 (merged).
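The trace above shows the shape of the bug: the clause name is duplicated (isc__mem_strdup, check.c:2039), handed to isc_symtab_define (check.c:2046), freed (isc__mem_free, check.c:2066), and then read again by isc_symtab_define (symtab.c:221) when the next http clause is compared against the stored keys. The following is an added example, not BIND code: symtab_t, symtab_define, check_http_names_buggy and check_http_names_fixed are hypothetical stand-ins for the real symbol table and checker, and the sample clause names are constructed. The buggy variant frees each key right after defining it while the table still holds the pointer; the fixed variant transfers ownership of the key to the table on success and frees it only when define fails, so nothing dangles until symtab_destroy().

```c
/* Added example (not BIND code): models the key-ownership bug that the
 * ASan report above implies.  Build with -fsanitize=address and run with
 * the argument "buggy" to get the same class of report; without the
 * argument the fixed variant runs. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYMTAB_MAX 16

/* Hypothetical symbol table: it stores the caller's key pointer, it does
 * not copy the string.  The table therefore owns each key once define()
 * has succeeded. */
typedef struct {
	char *keys[SYMTAB_MAX];
	size_t count;
} symtab_t;

/* Returns 0 on success, 1 if key is already defined, -1 if the table is
 * full.  The strcmp() against stored keys is where a freed key turns
 * into a heap-use-after-free read. */
static int symtab_define(symtab_t *tab, char *key) {
	for (size_t i = 0; i < tab->count; i++) {
		if (strcmp(tab->keys[i], key) == 0) {
			return 1;
		}
	}
	if (tab->count == SYMTAB_MAX) {
		return -1;
	}
	tab->keys[tab->count++] = key;
	return 0;
}

/* Frees every key the table owns. */
static void symtab_destroy(symtab_t *tab) {
	for (size_t i = 0; i < tab->count; i++) {
		free(tab->keys[i]);
	}
	tab->count = 0;
}

/* BUGGY: frees the copy immediately after define(), although the table
 * still references it.  The next define() reads freed memory.  Nothing
 * is destroyed at the end because every stored key is already dangling. */
static int check_http_names_buggy(const char *const names[], size_t n) {
	symtab_t tab = { .count = 0 };
	int dups = 0;
	for (size_t i = 0; i < n; i++) {
		char *copy = strdup(names[i]);     /* like the strdup in the trace */
		if (copy == NULL) {
			return -1;
		}
		if (symtab_define(&tab, copy) == 1) {
			dups++;
		}
		free(copy);                        /* BUG: table keeps this pointer */
	}
	return dups;
}

/* FIXED: ownership moves to the table when define() succeeds; when it
 * fails the caller still owns the copy and frees it.  Keys live until
 * symtab_destroy().  Returns the number of duplicate names, or -1 on
 * allocation failure. */
static int check_http_names_fixed(const char *const names[], size_t n) {
	symtab_t tab = { .count = 0 };
	int dups = 0;
	for (size_t i = 0; i < n; i++) {
		char *copy = strdup(names[i]);
		if (copy == NULL) {
			symtab_destroy(&tab);
			return -1;
		}
		int rc = symtab_define(&tab, copy);
		if (rc == 1) {
			dups++;                        /* duplicate http clause */
		}
		if (rc != 0) {
			free(copy);                    /* define() did not take ownership */
		}
	}
	symtab_destroy(&tab);
	return dups;
}

int main(int argc, char **argv) {
	/* Constructed sample: two http clauses share the name "local-http". */
	static const char *const names[] = { "local-http", "public-http", "local-http" };
	size_t n = sizeof(names) / sizeof(names[0]);
	int dups;
	if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
		dups = check_http_names_buggy(names, n);   /* UAF: run under ASan */
	} else {
		dups = check_http_names_fixed(names, n);
	}
	printf("duplicate http clauses: %d\n", dups);
	return 0;
}
```

The fix is purely an ownership rule: whoever stores a pointer must outlive its use, so either the table copies the key, or the caller stops freeing it after a successful define and lets the table's destroy routine release it. ASan catches the read at the comparison in define(), which is why the report's first frame is inside the symbol table rather than in the checker that freed the string.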
Edited by Artem Boldariev