Use after free in function _handleEvent()

Issue #764 resolved
Hanno Böck
created an issue

I'm running a test system where everything is compiled with the memory safety check system Address Sanitizer (part of gcc, with -fsanitize=address in CFLAGS).

I occasionally get crashes from monit indicating asan has detected a use after free error, I'll paste a stack trace below. I have tried to analyze it, but I'm unfamiliar with the code, so I didn't get very far. Depending on how exactly this is triggered this could be a security issue.

Stack trace:

=================================================================
==31663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000c213 at pc 0x4323ee bp 0x7ffcd9b620a0 sp 0x7ffcd9b62090
WRITE of size 1 at 0x60700000c213 thread T0
    #0 0x4323ed in _handleEvent src/event.c:388
    #1 0x4323ed in Event_post src/event.c:462
    #2 0x4607fc in _checkTimeout src/validate.c:1183
    #3 0x4607fc in validate src/validate.c:1289
    #4 0x40efe7 in do_default src/monit.c:586
    #5 0x40efe7 in do_action src/monit.c:414
    #6 0x40efe7 in main src/monit.c:173
    #7 0x7ff1b4e1afcf in __libc_start_main (/lib64/libc.so.6+0x20fcf)
    #8 0x410369 in _start (/usr/bin/monit+0x410369)

0x60700000c213 is located 35 bytes inside of 80-byte region [0x60700000c1f0,0x60700000c240)
freed by thread T0 here:
    #0 0x7ff1b67b54e1 in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/libasan.so.1+0x574e1)
    #1 0x43874b in gc_event src/gc.c:156

previously allocated by thread T0 here:
    #0 0x7ff1b67b58d9 in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/libasan.so.1+0x578d9)
    #1 0x4aeb7b in Mem_calloc src/system/Mem.c:64

Comments (2)

  1. Tildeslash repo owner

    Fixed: Issue #764: Monit may crash if "unmonitor" or "stop" action was triggered by some test: the _handleAction() will call Util_monitorUnset() which frees the service events list, including the current event which triggered the action. The reset of the state_change flag (which is not necessary) then dereferenced a freed event.

    → <<cset 5827927c4623>>

  2. Log in to comment