ASAN detected use after free in zero system test
Spotted in https://gitlab.isc.org/isc-projects/bind9/-/jobs/3133245. I don't recall seeing this one before.
==14131==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160026d6298 at pc 0x7feea3e4944f bp 0x7fee99eda670 sp 0x7fee99eda668
READ of size 8 at 0x6160026d6298 thread T4
06-Feb-2023 23:17:32.490 fetch: zzzhip2.example/HIP
06-Feb-2023 23:17:32.490 fetch: zzzhip2.example/HIP
06-Feb-2023 23:17:32.490 fetch: zzzhip2.example/HIP
06-Feb-2023 23:17:32.490 fetch: zzzhip2.example/HIP
#0 0x7feea3e4944e in fcount_decr /builds/isc-projects/bind9/lib/dns/resolver.c:1700:7
#1 0x7feea3e28f2a in fctx_destroy /builds/isc-projects/bind9/lib/dns/resolver.c:4496:2
#2 0x7feea3e24a8e in fetchctx_unref /builds/isc-projects/bind9/lib/dns/resolver.c:7189:1
#3 0x7feea3e29ff5 in fetchctx_detach /builds/isc-projects/bind9/lib/dns/resolver.c:7189:1
#4 0x7feea3e3ec1f in dns_resolver_destroyfetch /builds/isc-projects/bind9/lib/dns/resolver.c:10847:2
#5 0x7feea31e87c4 in fetch_callback /builds/isc-projects/bind9/lib/ns/query.c:6384:2
#6 0x7feea48d5a04 in task_run /builds/isc-projects/bind9/lib/isc/task.c:469:4
#7 0x7feea48d5a04 in task__run /builds/isc-projects/bind9/lib/isc/task.c:287:24
#8 0x7feea4830bc3 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75:2
#9 0x7feea2afc01a in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68:1
#10 0x7feea2af2868 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384:5
#11 0x7feea4863e77 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270:6
#12 0x7feea4863e77 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297:2
#13 0x7feea48f185d in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:202:11
#14 0x7feea27f4ea6 in start_thread nptl/pthread_create.c:477:8
#15 0x7feea259aa2e in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6160026d6298 is located 536 bytes inside of 568-byte region [0x6160026d6080,0x6160026d62b8)
freed by thread T7 here:
#0 0x5566c56ba3c2 in free (/builds/isc-projects/bind9/bin/named/.libs/named+0x1653c2) (BuildId: a62ae17ac70828fe0069dfa7ee77d75f3ac0238d)
#1 0x7feea4871299 in sdallocx /builds/isc-projects/bind9/lib/isc/./jemalloc_shim.h:80:2
#2 0x7feea4871299 in mem_put /builds/isc-projects/bind9/lib/isc/mem.c:328:2
#3 0x7feea487375f in isc__mem_put /builds/isc-projects/bind9/lib/isc/mem.c:686:2
#4 0x7feea3e49163 in fcount_decr /builds/isc-projects/bind9/lib/dns/resolver.c:1711:3
#5 0x7feea3e28f2a in fctx_destroy /builds/isc-projects/bind9/lib/dns/resolver.c:4496:2
#6 0x7feea3e24a8e in fetchctx_unref /builds/isc-projects/bind9/lib/dns/resolver.c:7189:1
#7 0x7feea3e29ff5 in fetchctx_detach /builds/isc-projects/bind9/lib/dns/resolver.c:7189:1
#8 0x7feea3e3ec1f in dns_resolver_destroyfetch /builds/isc-projects/bind9/lib/dns/resolver.c:10847:2
#9 0x7feea31e87c4 in fetch_callback /builds/isc-projects/bind9/lib/ns/query.c:6384:2
#10 0x7feea48d5a04 in task_run /builds/isc-projects/bind9/lib/isc/task.c:469:4
#11 0x7feea48d5a04 in task__run /builds/isc-projects/bind9/lib/isc/task.c:287:24
#12 0x7feea4830bc3 in isc__job_cb /builds/isc-projects/bind9/lib/isc/job.c:75:2
#13 0x7feea2afc01a in uv__run_idle /usr/src/libuv-v1.44.1/src/unix/loop-watcher.c:68:1
#14 0x7feea2af2868 in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:384:5
#15 0x7feea4863e77 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270:6
#16 0x7feea4863e77 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297:2
#17 0x7feea48f185d in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:202:11
#18 0x7feea27f4ea6 in start_thread nptl/pthread_create.c:477:8
previously allocated by thread T4 here:
#0 0x5566c56ba66e in malloc (/builds/isc-projects/bind9/bin/named/.libs/named+0x16566e) (BuildId: a62ae17ac70828fe0069dfa7ee77d75f3ac0238d)
#1 0x7feea4871fb4 in mallocx /builds/isc-projects/bind9/lib/isc/./jemalloc_shim.h:65:14
#2 0x7feea4871fb4 in mem_get /builds/isc-projects/bind9/lib/isc/mem.c:306:8
#3 0x7feea4871cce in isc__mem_get /builds/isc-projects/bind9/lib/isc/mem.c:669:8
#4 0x7feea3e5bd9f in fcount_incr /builds/isc-projects/bind9/lib/dns/resolver.c:1653:13
#5 0x7feea3e34d95 in fctx_create /builds/isc-projects/bind9/lib/dns/resolver.c:4827:11
#6 0x7feea3e2d4a3 in get_attached_fctx /builds/isc-projects/bind9/lib/dns/resolver.c:10543:12
#7 0x7feea3e2d4a3 in dns_resolver_createfetch /builds/isc-projects/bind9/lib/dns/resolver.c:10645:12
#8 0x7feea31e5f81 in ns_query_recurse /builds/isc-projects/bind9/lib/ns/query.c:6541:11
#9 0x7feea326f1ab in query_delegation_recurse /builds/isc-projects/bind9/lib/ns/query.c:8971:12
#10 0x7feea32123a4 in query_delegation /builds/isc-projects/bind9/lib/ns/query.c:8917:11
#11 0x7feea320429e in query_gotanswer /builds/isc-projects/bind9/lib/ns/query.c:7698:11
#12 0x7feea31e364e in query_lookup /builds/isc-projects/bind9/lib/ns/query.c:6144:11
#13 0x7feea31d39cb in ns__query_start /builds/isc-projects/bind9/lib/ns/query.c:5830:11
#14 0x7feea31fe213 in query_setup /builds/isc-projects/bind9/lib/ns/query.c:5544:11
#15 0x7feea31fc9e5 in ns_query_start /builds/isc-projects/bind9/lib/ns/query.c:12127:8
#16 0x7feea3197e1b in ns__client_request /builds/isc-projects/bind9/lib/ns/client.c:2239:3
#17 0x7feea47901e3 in isc__nm_async_readcb /builds/isc-projects/bind9/lib/isc/netmgr/netmgr.c:2082:2
#18 0x7feea47895be in isc__nm_readcb /builds/isc-projects/bind9/lib/isc/netmgr/netmgr.c:2055:3
#19 0x7feea47e10e3 in isc__nm_udp_read_cb /builds/isc-projects/bind9/lib/isc/netmgr/udp.c:617:2
#20 0x7feea2b07194 in uv__udp_recvmmsg /usr/src/libuv-v1.44.1/src/unix/udp.c:231:7
#21 0x7feea2b0735d in uv__udp_recvmsg /usr/src/libuv-v1.44.1/src/unix/udp.c:273:15
#22 0x7feea2b06e0a in uv__udp_io /usr/src/libuv-v1.44.1/src/unix/udp.c:178:5
#23 0x7feea2b0dbc2 in uv__io_poll /usr/src/libuv-v1.44.1/src/unix/epoll.c:374:11
#24 0x7feea2af28ad in uv_run /usr/src/libuv-v1.44.1/src/unix/core.c:391:5
#25 0x7feea4863e77 in loop_run /builds/isc-projects/bind9/lib/isc/loop.c:270:6
#26 0x7feea4863e77 in loop_thread /builds/isc-projects/bind9/lib/isc/loop.c:297:2
#27 0x7feea48f185d in isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:202:11
#28 0x7feea27f4ea6 in start_thread nptl/pthread_create.c:477:8
Thread T4 created by T0 here:
#0 0x5566c56a351c in __interceptor_pthread_create (/builds/isc-projects/bind9/bin/named/.libs/named+0x14e51c) (BuildId: a62ae17ac70828fe0069dfa7ee77d75f3ac0238d)
#1 0x7feea48d70ce in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70:8
#2 0x7feea4862acb in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:475:3
#3 0x5566c57295eb in main /builds/isc-projects/bind9/bin/named/main.c:1513:2
#4 0x7feea24c1d09 in __libc_start_main csu/../csu/libc-start.c:308:16
Thread T7 created by T0 here:
#0 0x5566c56a351c in __interceptor_pthread_create (/builds/isc-projects/bind9/bin/named/.libs/named+0x14e51c) (BuildId: a62ae17ac70828fe0069dfa7ee77d75f3ac0238d)
#1 0x7feea48d70ce in isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70:8
#2 0x7feea4862acb in isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:475:3
#3 0x5566c57295eb in main /builds/isc-projects/bind9/bin/named/main.c:1513:2
#4 0x7feea24c1d09 in __libc_start_main csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /builds/isc-projects/bind9/lib/dns/resolver.c:1700:7 in fcount_decr
Shadow bytes around the buggy address:
==14131==ABORTING