108636 – test_optpass has use after free bug, failing with memory testing tools like address sanitizer

Bug 108636 - test_optpass has use after free bug, failing with memory testing tools like address sanitizer

Summary: test_optpass has use after free bug, failing with memory testing tools like a...

Status:	RESOLVED FIXED

Alias:	None

Product:	Mesa
Classification:	Unclassified
Component:	glsl-compiler (show other bugs)
Version:	git
Hardware:	Other All

Importance:	medium minor
Assignee:	mesa-dev
QA Contact:	Intel 3D Bugs Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2018-11-02 14:32 UTC by Hanno Böck
Modified:	2018-11-12 05:54 UTC (History)
CC List:	0 users

See Also:
i915 platform:
i915 features:

Attachments
patch to fix use after free in test_optpass. (627 bytes, patch) 2018-11-02 14:32 UTC, Hanno Böck	Details \| Splinter Review
stack trace from asan (3.33 KB, text/plain) 2018-11-02 14:32 UTC, Hanno Böck	Details
View All

Description Hanno Böck 2018-11-02 14:32:17 UTC

Created attachment 142340 [details] [review]
patch to fix use after free in test_optpass.

When compiling mesa with address sanitizer (-fsanitize=address) and running the test suite a use after free bug is exposed in test_optpass.cpp.

This is the code:

   ralloc_free(state);
   ralloc_free(shader);

   return state->error;

This is obviously not correct. First state is free'd and then state->error is used as the return value.

Given this is only a test this is not severe, yet it still should be fixed so mesa can easily be tested with address sanitizer or other memory safety check tools.

See attached patch (works on both git and 18.2.4), I'm saving state->error to a variable and then returning that.

Comment 1 Hanno Böck 2018-11-02 14:32:30 UTC

Created attachment 142341 [details]
stack trace from asan

Comment 2 Tapani Pälli 2018-11-05 05:55:15 UTC

Patch looks correct to me. Please send this to mesa-dev mailing list with 'git-send-email'. See git log for examples how commit messages should be written.

Comment 3 Hanno Böck 2018-11-07 08:26:42 UTC

Sent:
https://lists.freedesktop.org/archives/mesa-dev/2018-November/208807.html

Comment 4 Tapani Pälli 2018-11-12 05:54:37 UTC

--- 8< ---
commit 8dc2085baf954e7d52159797fe3051a554df3f6d
Author: Hanno Böck <hanno@hboeck.de>
Date:   Wed Nov 7 09:01:42 2018 +0100

    glsl/test: Fix use after free in test_optpass.
    
    The variable state is free'd and afterwards state->error is used
    as the return value, resulting in a use after free bug detected
    by memory safety tools like address sanitizer.
    
    Signed-off-by: Hanno Böck <hanno@hboeck.de>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108636
    Reviewed-by: Eric Engestrom <eric.engestrom@intel.com>
    Reviewed-by: Tapani Pälli <tapani.palli@intel.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.