Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

misc_tests fails on 1.7.18 under Windows #860

Open
blmaier opened this issue May 21, 2024 · 4 comments
Open

misc_tests fails on 1.7.18 under Windows #860

blmaier opened this issue May 21, 2024 · 4 comments

Comments

@blmaier
Copy link

blmaier commented May 21, 2024
edited
Loading

The Meson WrapDB project runs cJSON tests with Windows and VisualStudio. On release 1.7.18, misc_tests crashes with SIGinvalid only on the Windows target (mesonbuild/wrapdb#1520). I would guess it's related to this commit that adds an intentional use-after-free.
@Alanscut
Copy link
Collaborator

Similar failure was reported with valgrind on linux.
Did you turn on any memory check like valgrind or sanitizers?

@dirkmueller
Copy link

This happens without valgrind as well, for any libc implementation that is poisoning the memory that has been freed to make exploitation of use-after-free infeasible.

@AdamMajer
Copy link

Use-after-free is implementation specific behaviour and should not be relied upon. How well this works will depend on star alignment and mood of the magic smoke in the CPU. (ie. where in the allocated chunk the ptr actually exists and what malloc/free actually does internally)

I don't believe it's feasible to salvage it. And you can't just use realloc() on invalid pointer either.

The test should be reverted.

FWIW, the test is failing in a VM on openSUSE Leap 15.5 but not with Leap 15.5 in a container with kernel from Tumbleweed. Why? Because undefined behaviour.

Finally, this setting of pointer internally to 0 inside of a deleted struct to protect against double-free is questionable because you pass a pointer (not a pointer to pointer) in the delete function and the original one cannot be set to 0. This is actually what probably matters most. Modifying the test a little to delete all allocations and removing the use-after-free bits,

diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index 94dd91a..68d89c6 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -741,11 +741,10 @@ static void deallocated_pointers_should_be_set_to_null(void)
     cJSON *root = cJSON_CreateObject();
 
     cJSON_Delete(string);
-    free(string->valuestring);
 
     cJSON_AddObjectToObject(root, "object");
     cJSON_Delete(root->child);
-    free(root->child->string);
+    cJSON_Delete(root);
 #endif
 }

is a double-free and crash.

If the API was cJSON_Delete(&root->child), then we could avoid the double free.

@Alanscut
Copy link
Collaborator

I think it would be a better choice to revert this test.

Alanscut added a commit to Alanscut/cJSON that referenced this issue Jun 19, 2024
@Alanscut
Revert "feat: add tests for DaveGamble#842" to fix test failures
a6206ae 
This reverts commit 5b502cd.

Related to DaveGamble#860
@Alanscut Alanscut mentioned this issue Jun 19, 2024
Merged
Alanscut added a commit that referenced this issue Jun 19, 2024
@Alanscut
Revert "feat: add tests for #842" to fix test failures
424ce4c 
This reverts commit 5b502cd.

Related to #860
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dirkmueller @AdamMajer @blmaier @Alanscut