Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-use-after-free with HTTP3 #12356

Closed
lemourin opened this issue Nov 19, 2023 · 7 comments
Closed

heap-use-after-free with HTTP3 #12356

lemourin opened this issue Nov 19, 2023 · 7 comments
Labels
crash HTTP/3 h3 or quic related

Comments

@lemourin
Copy link
Contributor

I did this

I've built my app with curl + HTTP3 (via quictls + ngtcp2 + nghttp3). On windows (built with MSVC) it crashes 100% of times, on macOS or Android it is very hard to repro the crash (easy to repro with curl 8.4.0). ASAN dump:

NB. the app works fine when built with HTTP2 only

=================================================================
==3448==ERROR: AddressSanitizer: heap-use-after-free on address 0x1209f13a7aa8 at pc 0x7ff7929a4eb3 bp 0x00a6674e9fb0 sp 0x00a6674e9fb8
READ of size 8 at 0x1209f13a7aa8 thread T0
==3448==WARNING: Failed to use and restart external symbolizer!
    #0 0x7ff7929a4eb2 in cb_h3_recv_data C:\src\curl\lib\vquic\curl_ngtcp2.c:1235
    #1 0x7ff7933576f3 in nghttp3_conn_on_data C:\src\vcpkg\buildtrees\nghttp3\src\v1.0.0-b55f3d7380.clean\lib\nghttp3_conn.c:1540
    #2 0x7ff793353e1d in nghttp3_conn_read_bidi C:\src\vcpkg\buildtrees\nghttp3\src\v1.0.0-b55f3d7380.clean\lib\nghttp3_conn.c:1355
    #3 0x7ff79334e16a in nghttp3_conn_read_stream C:\src\vcpkg\buildtrees\nghttp3\src\v1.0.0-b55f3d7380.clean\lib\nghttp3_conn.c:488
    #4 0x7ff7929a2552 in cb_recv_stream_data C:\src\curl\lib\vquic\curl_ngtcp2.c:838
    #5 0x7ff79327cff0 in conn_call_recv_stream_data C:\src\vcpkg\buildtrees\ngtcp2\src\v1.0.1-2d9b978f1f.clean\lib\ngtcp2_conn.c:124
    #6 0x7ff7932ad075 in conn_recv_stream C:\src\vcpkg\buildtrees\ngtcp2\src\v1.0.1-2d9b978f1f.clean\lib\ngtcp2_conn.c:7225
    #7 0x7ff7932a5f28 in conn_recv_pkt C:\src\vcpkg\buildtrees\ngtcp2\src\v1.0.1-2d9b978f1f.clean\lib\ngtcp2_conn.c:9311    #8 0x7ff7932b7605 in conn_recv_cpkt C:\src\vcpkg\buildtrees\ngtcp2\src\v1.0.1-2d9b978f1f.clean\lib\ngtcp2_conn.c:9725
    #9 0x7ff793265117 in ngtcp2_conn_read_pkt_versioned C:\src\vcpkg\buildtrees\ngtcp2\src\v1.0.1-2d9b978f1f.clean\lib\ngtcp2_conn.c:10106
    #10 0x7ff7929a9881 in recv_pkt C:\src\curl\lib\vquic\curl_ngtcp2.c:1990
    #11 0x7ff7929b0e45 in recvfrom_packets C:\src\curl\lib\vquic\vquic.c:518
    #12 0x7ff7929afd14 in vquic_recv_packets C:\src\curl\lib\vquic\vquic.c:544
    #13 0x7ff79299ec0a in cf_progress_ingress C:\src\curl\lib\vquic\curl_ngtcp2.c:2044
    #14 0x7ff7929ae8e9 in cf_ngtcp2_conn_is_alive C:\src\curl\lib\vquic\curl_ngtcp2.c:2741
    #15 0x7ff7928c5533 in Curl_cf_def_conn_is_alive C:\src\curl\lib\cfilters.c:111
    #16 0x7ff7928c5533 in Curl_cf_def_conn_is_alive C:\src\curl\lib\cfilters.c:111
    #17 0x7ff7928c5533 in Curl_cf_def_conn_is_alive C:\src\curl\lib\cfilters.c:111
    #18 0x7ff7928c97fe in Curl_conn_is_alive C:\src\curl\lib\cfilters.c:640
    #19 0x7ff7928b1683 in extract_if_dead C:\src\curl\lib\url.c:807
    #20 0x7ff7928b1897 in call_extract_if_dead C:\src\curl\lib\url.c:845
    #21 0x7ff792899321 in Curl_conncache_foreach C:\src\curl\lib\conncache.c:332
    #22 0x7ff7928b1cf6 in prune_dead_connections C:\src\curl\lib\url.c:874
    #23 0x7ff7928c0b74 in create_conn C:\src\curl\lib\url.c:3649
    #24 0x7ff7928ad0b6 in Curl_connect C:\src\curl\lib\url.c:3915
    #25 0x7ff792878601 in multi_runsingle C:\src\curl\lib\multi.c:1927
    #26 0x7ff79287bb85 in multi_socket C:\src\curl\lib\multi.c:3212
    #27 0x7ff79286cce4 in curl_multi_socket_action C:\src\curl\lib\multi.c:3334
    #28 0x7ff7909fe1c5 in coro::http::`anonymous namespace'::CurlHttpImpl::TimeoutEvent C:\src\coro-http\src\coro\http\curl_http.cc:540
    #29 0x7ff790efd2ee in event_process_active_single_queue C:\src\vcpkg\buildtrees\libevent\src\757b64d6d1-bfa17b9727.clean\event.c:1727
    #30 0x7ff790ef3dfe in event_process_active C:\src\vcpkg\buildtrees\libevent\src\757b64d6d1-bfa17b9727.clean\event.c:1819
    #31 0x7ff790ede5c0 in event_base_loop C:\src\vcpkg\buildtrees\libevent\src\757b64d6d1-bfa17b9727.clean\event.c:2068
    #32 0x7ff7909c4950 in coro::util::EventLoop::EnterLoop C:\src\coro-http\src\coro\util\event_loop.cc:159
    #33 0x7ff78faeb932 in main C:\src\coro-cloudstorage\examples\cloudstorage.cc:100
    #34 0x7ff793503fa8 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #35 0x7ff793503efd in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288    #36 0x7ff793503dbd in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #37 0x7ff79350401d in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #38 0x7ff90a0d257c in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x18001257c)
    #39 0x7ff90ac4aa57 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005aa57)

0x1209f13a7aa8 is located 424 bytes inside of 5136-byte region [0x1209f13a7900,0x1209f13a8d10)
freed by thread T0 here:
    #0 0x7ff78fb1ce15 in free D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_malloc_win_thunk.cpp:69
    #1 0x7ff7928acd7d in Curl_close C:\src\curl\lib\url.c:343
    #2 0x7ff792855983 in curl_easy_cleanup C:\src\curl\lib\easy.c:804
    #3 0x7ff7909f58b6 in coro::http::`anonymous namespace'::CurlHandleDeleter::operator() C:\src\coro-http\src\coro\http\curl_http.cc:81
    #4 0x7ff7909fa079 in std::unique_ptr<void,coro::http::`anonymous namespace'::CurlHandleDeleter>::~unique_ptr<void,coro::http::`anonymous namespace'::CurlHandleDeleter> C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3290
    #5 0x7ff7909fabe0 in coro::http::`anonymous namespace'::CurlHandle::~CurlHandle+0x70 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411aabe0)
    #6 0x7ff7909fac06 in coro::http::`anonymous namespace'::CurlHandle::`scalar deleting destructor'+0x16 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411aac06)
    #7 0x7ff7909fb94e in std::default_delete<coro::http::`anonymous namespace'::CurlHandle>::operator() C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3180
    #8 0x7ff7909fba51 in std::unique_ptr<coro::http::`anonymous namespace'::CurlHandle,std::default_delete<coro::http::`anonymous namespace'::CurlHandle> >::~unique_ptr<coro::http::`anonymous namespace'::CurlHandle,std::default_delete<coro::http::`anonymous namespace'::CurlHandle> > C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3290
    #9 0x7ff7909fbc9b in coro::http::`anonymous namespace'::CurlHttpBodyGenerator::~CurlHttpBodyGenerator+0x1b (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411abc9b)
    #10 0x7ff7909ffa39 in coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator>::~Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator>+0x19 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411afa39)
    #11 0x7ff7909ffa76 in coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator>::`scalar deleting destructor'+0x16 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411afa76)
    #12 0x7ff7909ff6ee in std::default_delete<coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator> >::operator() C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3180    #13 0x7ff7909ff7f1 in std::unique_ptr<coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator>,std::default_delete<coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator> > >::~unique_ptr<coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator>,std::default_delete<coro::http::Response<coro::http::`anonymous namespace'::CurlHttpBodyGenerator> > > C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3290
    #14 0x7ff790a00a85 in `coro::http::`anonymous namespace'::ToBody'::`21'::<parameters>::~<parameters>+0x15 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1411b0a85)
    #15 0x7ff790a0400f in coro::http::`anonymous namespace'::ToBody$_ResumeCoro$1 C:\src\coro-http\src\coro\http\curl_http.cc:654
    #16 0x7ff790a02ec4 in coro::http::`anonymous namespace'::ToBody$_DestroyCoro$3 C:\src\coro-http\src\coro\http\curl_http.cc:15732480
    #17 0x7ff78fb160d8 in std::coroutine_handle<coro::detail::async_generator_promise<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::destroy C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:145
    #18 0x7ff78fafec99 in coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::~Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > C:\src\coro-http\src\coro\generator.h:288
    #19 0x7ff78fafee69 in coro::http::Response<coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::~Response<coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >+0x19 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x1402aee69)
    #20 0x7ff7902a534e in coro::cloudstorage::GoogleDrive::GetFileContent$_ResumeCoro$1 C:\src\coro-cloudstorage\src\coro\cloudstorage\providers\google_drive.cc:196
    #21 0x7ff7902a3d96 in coro::cloudstorage::GoogleDrive::GetFileContent$_DestroyCoro$3 C:\src\coro-cloudstorage\src\coro\cloudstorage\providers\google_drive.cc:15732480
    #22 0x7ff78fb160d8 in std::coroutine_handle<coro::detail::async_generator_promise<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::destroy C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:145
    #23 0x7ff78fafec99 in coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::~Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > C:\src\coro-http\src\coro\generator.h:288
    #24 0x7ff7900aabf5 in `coro::cloudstorage::util::internal::GetFileContentResponseBody'::`5'::<parameters>::~<parameters>+0x15 (C:\src\coro-cloudstorage\out\build\x64-AddressSanitizer\examples\cloudstorage.exe+0x14085abf5)
    #25 0x7ff7900ab6c6 in coro::cloudstorage::util::internal::GetFileContentResponseBody$_ResumeCoro$1 C:\src\coro-cloudstorage\src\coro\cloudstorage\util\handler_utils.cc:18
    #26 0x7ff7900aac44 in coro::cloudstorage::util::internal::GetFileContentResponseBody$_DestroyCoro$3 C:\src\coro-cloudstorage\src\coro\cloudstorage\util\handler_utils.cc:15732480
    #27 0x7ff78fb160d8 in std::coroutine_handle<coro::detail::async_generator_promise<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >::destroy C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:145
    #28 0x7ff78fafec99 in coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >::~Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > C:\src\coro-http\src\coro\generator.h:288

previously allocated by thread T0 here:
    #0 0x7ff78fb1cd9a in calloc D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_malloc_win_thunk.cpp:101
    #1 0x7ff7928aa907 in Curl_open C:\src\curl\lib\url.c:508
    #2 0x7ff7928557f1 in curl_easy_init C:\src\curl\lib\easy.c:368
    #3 0x7ff7909f5ee0 in coro::http::`anonymous namespace'::CurlHandle::CurlHandle C:\src\coro-http\src\coro\http\curl_http.cc:361
    #4 0x7ff790a0c8b6 in std::make_unique<coro::http::`anonymous namespace'::CurlHandle,void * &,event_base * &,coro::http::Request<coro::Generator<std::basic_string<char,std::char_traits<char>,std::allocator<char> > > >,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const * &,coro::stdx::stop_token,coro::http::A0x7b97c9cd::CurlHttpOperation *,0> C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory:3477
    #5 0x7ff7909fc076 in coro::http::`anonymous namespace'::CurlHttpOperation::CurlHttpOperation C:\src\coro-http\src\coro\http\curl_http.cc:488
    #6 0x7ff7909fd953 in coro::http::`anonymous namespace'::CurlHttpImpl::Fetch C:\src\coro-http\src\coro\http\curl_http.cc:643
    #7 0x7ff790a024c6 in coro::http::CurlHttpBase::Fetch$_ResumeCoro$1 C:\src\coro-http\src\coro\http\curl_http.cc:672
    #8 0x7ff78fb1a2fa in std::coroutine_handle<void>::resume C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:85
    #9 0x7ff790097a01 in coro::detail::ReturnValue<coro::detail::Task<coro::cloudstorage::util::VersionedItem>::promise_type,coro::cloudstorage::util::VersionedItem>::return_value<coro::cloudstorage::util::VersionedItem> C:\src\coro-http\src\coro\task.h:67
    #10 0x7ff79007a0cd in coro::cloudstorage::util::CloudProviderAccount::GetItemById$_ResumeCoro$1 C:\src\coro-cloudstorage\src\coro\cloudstorage\util\cloud_provider_account.cc:136
    #11 0x7ff78fb1a2fa in std::coroutine_handle<void>::resume C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:85
    #12 0x7ff78fbe0f31 in coro::detail::ReturnValue<coro::detail::Task<std::optional<coro::cloudstorage::util::CacheManager::ItemData> >::promise_type,std::optional<coro::cloudstorage::util::CacheManager::ItemData> >::return_value<coro::cloudstorage::util::CacheManager::ItemData> C:\src\coro-http\src\coro\task.h:67
    #13 0x7ff78fb53d42 in coro::cloudstorage::util::CacheManager::Get$_ResumeCoro$1 C:\src\coro-cloudstorage\src\coro\cloudstorage\util\cache_manager.cc:316
    #14 0x7ff78fb1a2fa in std::coroutine_handle<void>::resume C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:85
    #15 0x7ff78fbe10d1 in coro::detail::ReturnValue<coro::detail::Task<std::optional<coro::cloudstorage::util::`anonymous namespace'::DbItem> >::promise_type,std::optional<coro::cloudstorage::util::`anonymous namespace'::DbItem> >::return_value<std::optional<coro::cloudstorage::util::`anonymous namespace'::DbItem> > C:\src\coro-http\src\coro\task.h:67
    #16 0x7ff78fb7dcd5 in coro::util::ThreadPool::Do$_ResumeCoro$1<`coro::cloudstorage::util::CacheManager::Get'::`2'::<lambda_1> > C:\src\coro-http\src\coro\util\thread_pool.h:60
    #17 0x7ff78fb1a2fa in std::coroutine_handle<void>::resume C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:85
    #18 0x7ff78fb1a3b8 in coro::detail::ReturnValue<coro::detail::Task<void>::promise_type,void>::return_void C:\src\coro-http\src\coro\task.h:76
    #19 0x7ff7909cbb4a in coro::util::ThreadPool::SwitchToEventLoop$_ResumeCoro$1 C:\src\coro-http\src\coro\util\thread_pool.cc:129
    #20 0x7ff78fb1a2fa in std::coroutine_handle<void>::resume C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\coroutine:85
    #21 0x7ff7909caf95 in ``coro::util::ThreadPool::SwitchToEventLoop'::`2'::Awaiter::await_suspend'::`2'::<lambda_1>::operator() C:\src\coro-http\src\coro\util\thread_pool.cc:124
    #22 0x7ff7909cb135 in `coro::util::EventLoop::RunOnEventLoop<``coro::util::ThreadPool::SwitchToEventLoop'::`2'::Awaiter::await_suspend'::`2'::<lambda_1> >'::`2'::<lambda_1>::operator() C:\src\coro-http\src\coro\util\event_loop.h:49
    #23 0x7ff7909cdf32 in std::invoke<`coro::util::EventLoop::RunOnEventLoop<``coro::util::ThreadPool::SwitchToEventLoop'::`2'::Awaiter::await_suspend'::`2'::<lambda_1> >'::`2'::<lambda_1> &> C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\type_traits:1752
    #24 0x7ff7909cb2f5 in coro::stdx::any_detail::handler_traits<void>::small_handler<`coro::util::EventLoop::RunOnEventLoop<``coro::util::ThreadPool::SwitchToEventLoop'::`2'::Awaiter::await_suspend'::`2'::<lambda_1> >'::`2'::<lambda_1> >::call C:\src\coro-http\src\coro\stdx\any_invocable.h:97
    #25 0x7ff7909c8f2b in coro::stdx::any_detail::any_invocable_impl<void,0>::call C:\src\coro-http\src\coro\stdx\any_invocable.h:212
    #26 0x7ff7909c8df2 in coro::stdx::any_invocable<void __cdecl(void)&& >::operator() C:\src\coro-http\src\coro\stdx\any_invocable.h:323
    #27 0x7ff7909c64f4 in `coro::util::EventLoop::RunOnce'::`3'::<lambda_1>::operator() C:\src\coro-http\src\coro\util\event_loop.cc:93
    #28 0x7ff7909c65fc in `coro::util::EventLoop::RunOnce'::`3'::<lambda_1>::<lambda_invoker_cdecl> C:\src\coro-http\src\coro\util\event_loop.cc:94

SUMMARY: AddressSanitizer: heap-use-after-free C:\src\curl\lib\vquic\curl_ngtcp2.c:1235 in cb_h3_recv_data
Shadow bytes around the buggy address:
  0x04072f5f4f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04072f5f4f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04072f5f4f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04072f5f4f50: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x04072f5f4fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

If needed I can provide curl debug logs as well.

I expected the following

No crash.

curl/libcurl version

curl head (fa71483) with quictls (openssl-3.1.4+quic), ngtcp2 (v1.0.1), nghttp3 (v1.0.0).

operating system

Windows 11
@bagder bagder added crash HTTP/3 h3 or quic related labels Nov 19, 2023
@bagder
Copy link
Member

bagder commented Nov 19, 2023

/cc @icing

@bagder
Copy link
Member

bagder commented Nov 19, 2023

@lemourin Can you trigger this against a public URL?

@lemourin
Copy link
Contributor Author

Yea: https://commondatastorage.googleapis.com/gtv-videos-bucket/sample/BigBuckBunny.mp4

@bagder
Copy link
Member

bagder commented Nov 20, 2023

I fail to reproduce this in my end on Linux. I tried both 8.4.0 and current master, with SAN builds and just valgrind.

But based on the stack trace, this looks like we get data on a stream that belongs to a transfer we already closed and freed the easy handle for, so we use a dangling pointer.

@icing, do you think this is what happens? If so, we need to add better precautions to prevent this from happening...

@icing
Copy link
Contributor

icing commented Nov 20, 2023
edited

It looks like the easy cleanup is called before the transfer is done. Currently working on a PR.

My read is that easy_cleanup, by first detaching the connection, prevented the DATA_DONE event to be forwarded to all filters. This left streams unclosed which led to connection checks using free'ed easy handles.

icing added a commit to icing/curl that referenced this issue Nov 20, 2023
@icing
HTTP/2, HTTP/3, handle detach of onoing transfers
27d0df4 
- refs curl#12356 where a UAF is reported when closing a connection
  with a stream whose easy handle was cleaned up already
- handle DETACH events same as DONE events in h2/h3 filters
@icing icing mentioned this issue Nov 20, 2023
Closed
@icing
Copy link
Contributor

icing commented Nov 20, 2023

@lemourin would you be able to throw the PR into your app? It seems a condition that cannot be triggered by the curl tool itself.

@lemourin
Copy link
Contributor Author

Seems to be working. Thanks for the quick fix!

@bagder bagder closed this as completed in b06b621 Nov 21, 2023
@icing icing mentioned this issue Dec 15, 2023
Closed
@jay jay mentioned this issue Feb 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crash HTTP/3 h3 or quic related
Milestone
No milestone
Development

No branches or pull requests
3 participants
@icing @bagder @lemourin