0001-fix-use-after-free-during-lws_context_destroy-phase-.patch
Hi,
We have been hunting down a crash during lws_context_destroy(), while a plain HTTP client connection is pre-natal. The crash indicated some kind of heap corruption, caught by glibc's internal checker. The core dump wasn't very helpful, so valgrind and claude helped us track down the actual errant write. It looks like a use-after-free with wsi->http.ah being accessed after _lws_destroy_ah() has freed it.
A proposed patch against 4.5.8 is attached; I'm not sure it's appropriate for main, or the logically correct fix at all, but it does resolve it for us.
The valgrind trace is pretty helpful:
==2946== Invalid write of size 8
==2946== at 0x4A4DC42: __lws_header_table_detach (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:337)
==2946== by 0x4A5225E: rops_destroy_role_h1 (/usr/src/debug/libwebsockets/4.5.8/lib/roles/h1/ops-h1.c:878)
==2946== by 0x4A3AD64: __lws_reset_wsi.part.0 (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:176)
==2946== by 0x4A3ADFD: __lws_reset_wsi (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:43)
==2946== by 0x4A3ADFD: __lws_free_wsi.part.0 (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:257)
==2946== by 0x4A1975A: lws_pt_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1862)
==2946== by 0x4A19CA2: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:2245)
==2946== by 0x4A19CA2: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1942)
==2946== by 0x51179D0: uv__finish_close (/usr/src/debug/libuv/1.51.0/src/unix/core.c:363)
==2946== by 0x51179D0: uv__run_closing_handles (/usr/src/debug/libuv/1.51.0/src/unix/core.c:377)
==2946== by 0x51179D0: uv_run (/usr/src/debug/libuv/1.51.0/src/unix/core.c:475)
... redacted ...
==2946== Address 0x8b4a980 is 752 bytes inside a block of size 928 free'd
==2946== at 0x48469E4: free (/usr/src/debug/valgrind/3.22.0/coregrind/m_replacemalloc/vg_replace_malloc.c:985)
==2946== by 0x4A18E78: _realloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:180)
==2946== by 0x4A4D79B: _lws_destroy_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:79)
==2946== by 0x4A4D79B: _lws_destroy_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:68)
==2946== by 0x4A19C87: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:2242)
==2946== by 0x4A19C87: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1942)
==2946== by 0x51179D0: uv__finish_close (/usr/src/debug/libuv/1.51.0/src/unix/core.c:363)
==2946== by 0x51179D0: uv__run_closing_handles (/usr/src/debug/libuv/1.51.0/src/unix/core.c:377)
==2946== by 0x51179D0: uv_run (/usr/src/debug/libuv/1.51.0/src/unix/core.c:475)
... redacted ...
==2946== Block was alloc'd at
==2946== at 0x484AF50: realloc (/usr/src/debug/valgrind/3.22.0/coregrind/m_replacemalloc/vg_replace_malloc.c:1690)
==2946== by 0x4A18E3F: _realloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:151)
==2946== by 0x4A18EB1: lws_zalloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:212)
==2946== by 0x4A4DA5C: _lws_create_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:45)
==2946== by 0x4A4DA5C: lws_header_table_attach (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:257)
==2946== by 0x4A524ED: rops_client_bind_h1 (/usr/src/debug/libwebsockets/4.5.8/lib/roles/h1/ops-h1.c:1019)
==2946== by 0x4A456E0: lws_client_connect_via_info (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/client/connect.c:451)
... redacted ...
==2946== Invalid write of size 8
==2946== at 0x4A4DC5C: __lws_header_table_detach (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:349)
==2946== by 0x4A5225E: rops_destroy_role_h1 (/usr/src/debug/libwebsockets/4.5.8/lib/roles/h1/ops-h1.c:878)
==2946== by 0x4A3AD64: __lws_reset_wsi.part.0 (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:176)
==2946== by 0x4A3ADFD: __lws_reset_wsi (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:43)
==2946== by 0x4A3ADFD: __lws_free_wsi.part.0 (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/close.c:257)
==2946== by 0x4A1975A: lws_pt_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1862)
==2946== by 0x4A19CA2: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:2245)
==2946== by 0x4A19CA2: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1942)
==2946== by 0x51179D0: uv__finish_close (/usr/src/debug/libuv/1.51.0/src/unix/core.c:363)
==2946== by 0x51179D0: uv__run_closing_handles (/usr/src/debug/libuv/1.51.0/src/unix/core.c:377)
==2946== by 0x51179D0: uv_run (/usr/src/debug/libuv/1.51.0/src/unix/core.c:475)
... remainder of trace redacted...
==2946== Address 0x8b4a698 is 8 bytes inside a block of size 928 free'd
==2946== at 0x48469E4: free (/usr/src/debug/valgrind/3.22.0/coregrind/m_replacemalloc/vg_replace_malloc.c:985)
==2946== by 0x4A18E78: _realloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:180)
==2946== by 0x4A4D79B: _lws_destroy_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:79)
==2946== by 0x4A4D79B: _lws_destroy_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:68)
==2946== by 0x4A19C87: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:2242)
==2946== by 0x4A19C87: lws_context_destroy (/usr/src/debug/libwebsockets/4.5.8/lib/core/context.c:1942)
==2946== by 0x51179D0: uv__finish_close (/usr/src/debug/libuv/1.51.0/src/unix/core.c:363)
==2946== by 0x51179D0: uv__run_closing_handles (/usr/src/debug/libuv/1.51.0/src/unix/core.c:377)
==2946== by 0x51179D0: uv_run (/usr/src/debug/libuv/1.51.0/src/unix/core.c:475)
... remainder of trace redacted ...
==2946== Block was alloc'd at
==2946== at 0x484AF50: realloc (/usr/src/debug/valgrind/3.22.0/coregrind/m_replacemalloc/vg_replace_malloc.c:1690)
==2946== by 0x4A18E3F: _realloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:151)
==2946== by 0x4A18EB1: lws_zalloc (/usr/src/debug/libwebsockets/4.5.8/lib/core/alloc.c:212)
==2946== by 0x4A4DA5C: _lws_create_ah (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:45)
==2946== by 0x4A4DA5C: lws_header_table_attach (/usr/src/debug/libwebsockets/4.5.8/lib/roles/http/parsers.c:257)
==2946== by 0x4A524ED: rops_client_bind_h1 (/usr/src/debug/libwebsockets/4.5.8/lib/roles/h1/ops-h1.c:1019)
==2946== by 0x4A456E0: lws_client_connect_via_info (/usr/src/debug/libwebsockets/4.5.8/lib/core-net/client/connect.c:451)
... remainder of trace redacted ...
Thanks,
Harry
0001-fix-use-after-free-during-lws_context_destroy-phase-.patch
Hi,
We have been hunting down a crash during
lws_context_destroy(), while a plain HTTP client connection is pre-natal. The crash indicated some kind of heap corruption, caught by glibc's internal checker. The core dump wasn't very helpful, so valgrind and claude helped us track down the actual errant write. It looks like a use-after-free withwsi->http.ahbeing accessed after_lws_destroy_ah()has freed it.A proposed patch against 4.5.8 is attached; I'm not sure it's appropriate for main, or the logically correct fix at all, but it does resolve it for us.
The valgrind trace is pretty helpful:
Thanks,
Harry