Saw this while trying to debug something else. Probably racy, but the repro was running `Meta/ladybird.sh run ladybird ladybird.org`
with ASAN enabled, then closing it before the page loaded.
```
==32690==ERROR: AddressSanitizer: heap-use-after-free on address 0x5030000062e0 at pc 0x7fc6f20d2221 bp 0x7fc6dccfbfb0 sp 0x7fc6dccfbfa8
READ of size 8 at 0x5030000062e0 thread T3
```
(...then there was a message about an unrelated memory leak in ImageDecoder,
which was what I was trying to debug. Though, both might be because of the same
threading issues. :thonk:)
```
0x5030000062e0 is located 0 bytes inside of 32-byte region [0x5030000062e0,0x503000006300)
freed by thread T0 here:
#0 0x5642d221b3fd in operator delete(void*) (/home/sam/Projects/ladybird/Build/ladybird/libexec/RequestServer+0x17b3fd) (BuildId: fb77b57225f9afbf)
#1 0x5642d22b249d in RequestServer::HttpsRequest::~HttpsRequest() /home/sam/Projects/ladybird/Userland/Services/RequestServer/HttpsRequest.cpp:27:1
#2 0x5642d222cc23 in operator() /home/sam/Projects/ladybird/AK/DefaultDelete.h:17:9
#3 0x5642d222cc23 in clear /home/sam/Projects/ladybird/AK/OwnPtr.h:110:9
#4 0x5642d222cc23 in ~OwnPtr /home/sam/Projects/ladybird/AK/OwnPtr.h:45:9
#5 0x5642d222cc23 in ~Entry /home/sam/Projects/ladybird/AK/HashMap.h:23:12
#6 0x5642d222cc23 in ~HashTable /home/sam/Projects/ladybird/AK/HashTable.h:166:43
#7 0x5642d222cc23 in ~HashMap /home/sam/Projects/ladybird/AK/HashMap.h:21:7
#8 0x5642d222cc23 in ~MutexProtected /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/MutexProtected.h:16:7
#9 0x5642d222cc23 in RequestServer::ConnectionFromClient::~ConnectionFromClient() /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.h:26:46
#10 0x5642d222ce3d in RequestServer::ConnectionFromClient::~ConnectionFromClient() /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.h:26:46
#11 0x7fc6f1da6ed9 in unref /home/sam/Projects/ladybird/AK/RefCounted.h:65:13
#12 0x7fc6f1da6ed9 in unref_if_not_null<Core::EventReceiver> /home/sam/Projects/ladybird/AK/NonnullRefPtr.h:32:14
#13 0x7fc6f1da6ed9 in ~NonnullRefPtr /home/sam/Projects/ladybird/AK/NonnullRefPtr.h:97:9
#14 0x7fc6f1da6ed9 in ~(lambda at /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventReceiver.cpp:140:27) /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventReceiver.cpp:140:27
#15 0x7fc6f1da6ed9 in ~CallableWrapper /home/sam/Projects/ladybird/AK/Function.h:175:11
#16 0x7fc6f1da6ed9 in AK::Function<void ()>::CallableWrapper<Core::EventReceiver::deferred_invoke(AK::Function<void ()>)::$_0>::destroy() /home/sam/Projects/ladybird/AK/Function.h:192:13
#17 0x7fc6f1d945d8 in clear /home/sam/Projects/ladybird/AK/Function.h
#18 0x7fc6f1d945d8 in ~Function /home/sam/Projects/ladybird/AK/Function.h:79:9
#19 0x7fc6f1d945d8 in ~DeferredInvocationEvent /home/sam/Projects/ladybird/Userland/Libraries/LibCore/Event.h:50:7
#20 0x7fc6f1d945d8 in Core::DeferredInvocationEvent::~DeferredInvocationEvent() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/Event.h:50:7
#21 0x7fc6f1df0136 in clear /home/sam/Projects/ladybird/AK/NonnullOwnPtr.h:133:9
#22 0x7fc6f1df0136 in ~NonnullOwnPtr /home/sam/Projects/ladybird/AK/NonnullOwnPtr.h:50:9
#23 0x7fc6f1df0136 in ~QueuedEvent /home/sam/Projects/ladybird/Userland/Libraries/LibCore/ThreadEventQueue.cpp:31:32
#24 0x7fc6f1df0136 in clear_with_capacity /home/sam/Projects/ladybird/AK/Vector.h:374:24
#25 0x7fc6f1df0136 in AK::Vector<Core::ThreadEventQueue::Private::QueuedEvent, 128ul>::clear() /home/sam/Projects/ladybird/AK/Vector.h:363:9
#26 0x7fc6f1dee007 in ~Vector /home/sam/Projects/ladybird/AK/Vector.h:110:9
#27 0x7fc6f1dee007 in Core::ThreadEventQueue::process() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/ThreadEventQueue.cpp:134:1
#28 0x7fc6f1d94fb1 in pump /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoopImplementationUnix.cpp:324:40
#29 0x7fc6f1d94fb1 in Core::EventLoopImplementationUnix::exec() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoopImplementationUnix.cpp:316:9
#30 0x7fc6f1d91a2d in Core::EventLoop::exec() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoop.cpp:88:20
#31 0x5642d221d528 in serenity_main(Main::Arguments) /home/sam/Projects/ladybird/Ladybird/RequestServer/main.cpp:66:23
#32 0x5642d22b6e03 in main /home/sam/Projects/ladybird/Userland/Libraries/LibMain/Main.cpp:39:19
#33 0x7fc6f155cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T3 here:
#0 0x5642d221adbd in operator new(unsigned long, std::nothrow_t const&) (/home/sam/Projects/ladybird/Build/ladybird/libexec/RequestServer+0x17adbd) (BuildId: fb77b57225f9afbf)
#1 0x7fc6f1ccffbb in Core::File::adopt_fd(int, Core::File::OpenMode, Core::File::ShouldCloseFileDescriptor) /home/sam/Projects/ladybird/Userland/Libraries/LibCore/File.cpp:33:17
#2 0x5642d22a905c in AK::OwnPtr<RequestServer::Request, AK::DefaultDelete<RequestServer::Request>> RequestServer::Detail::start_request<AK::Badge<RequestServer::HttpsProtocol>, AK::ErrorOr<RequestServer::Protocol::Pipe, AK::Error>>(AK::Badge<RequestServer::HttpsProtocol>&&, int, RequestServer::ConnectionFromClient&, AK::ByteString const&, URL::URL const&, HTTP::HeaderMap const&, AK::Span<unsigned char const>, AK::ErrorOr<RequestServer::Protocol::Pipe, AK::Error>&&, Core::ProxyData) /home/sam/Projects/ladybird/Userland/Services/RequestServer/HttpCommon.h:100:26
#3 0x5642d22a86d6 in RequestServer::HttpsProtocol::start_request(int, RequestServer::ConnectionFromClient&, AK::ByteString const&, URL::URL const&, HTTP::HeaderMap const&, AK::Span<unsigned char const>, Core::ProxyData) /home/sam/Projects/ladybird/Userland/Services/RequestServer/HttpsProtocol.cpp:27:12
#4 0x5642d221fae2 in operator() /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:127:38
#5 0x5642d221fae2 in visit<AK::Variant<RequestServer::ConnectionFromClient::StartRequest, RequestServer::ConnectionFromClient::EnsureConnection, AK::Empty>, AK::Variant<RequestServer::ConnectionFromClient::StartRequest, RequestServer::ConnectionFromClient::EnsureConnection, AK::Empty>::Visitor<(lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:119:9), (lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:140:9), (lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:168:9)>, (unsigned char)'\x00'> /home/sam/Projects/ladybird/AK/Variant.h:114:20
#6 0x5642d221fae2 in visit<(lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:119:9), (lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:140:9), (lambda at /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:168:9)> /home/sam/Projects/ladybird/AK/Variant.h:423:16
#7 0x5642d221fae2 in RequestServer::ConnectionFromClient::worker_do_work(AK::Variant<RequestServer::ConnectionFromClient::StartRequest, RequestServer::ConnectionFromClient::EnsureConnection, AK::Empty>) /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:118:10
#8 0x5642d2227e88 in operator() /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:36:23
#9 0x5642d2227e88 in AK::Function<void (RequestServer::ThreadPoolEntry)>::CallableWrapper<RequestServer::$_0>::call(RequestServer::ThreadPoolEntry) /home/sam/Projects/ladybird/AK/Function.h:187:20
#10 0x5642d226a1ed in AK::Function<void (RequestServer::ThreadPoolEntry)>::operator()(RequestServer::ThreadPoolEntry) const /home/sam/Projects/ladybird/AK/Function.h:120:25
#11 0x5642d2269d44 in Threading::ThreadPoolLooper<Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>>::next(Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>&, bool) /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/ThreadPool.h:44:9
#12 0x5642d2269202 in operator() /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:96:48
#13 0x5642d2269202 in AK::Function<void ()>::CallableWrapper<RequestServer::Looper<Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>>::next(Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>&, bool)::'lambda'()>::call() /home/sam/Projects/ladybird/AK/Function.h:187:20
#14 0x7fc6f1da8bf6 in AK::Function<void ()>::operator()() const /home/sam/Projects/ladybird/AK/Function.h:120:25
#15 0x7fc6f1da63b6 in Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventReceiver.cpp:162:17
#16 0x7fc6f1dedcbb in Core::ThreadEventQueue::process() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/ThreadEventQueue.cpp:121:23
#17 0x7fc6f1d94fb1 in pump /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoopImplementationUnix.cpp:324:40
#18 0x7fc6f1d94fb1 in Core::EventLoopImplementationUnix::exec() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoopImplementationUnix.cpp:316:9
#19 0x7fc6f1d91a2d in Core::EventLoop::exec() /home/sam/Projects/ladybird/Userland/Libraries/LibCore/EventLoop.cpp:88:20
#20 0x5642d2268fa6 in RequestServer::Looper<Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>>::next(Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>&, bool) /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:109:16
#21 0x5642d2268b26 in operator() /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/ThreadPool.h:116:49
#22 0x5642d2268b26 in AK::Function<long ()>::CallableWrapper<Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>::initialize_workers(unsigned long)::'lambda'()>::call() /home/sam/Projects/ladybird/AK/Function.h:187:20
#23 0x7fc6f1e373d6 in AK::Function<long ()>::operator()() const /home/sam/Projects/ladybird/AK/Function.h:120:25
#24 0x7fc6f1e36f60 in operator() /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/Thread.cpp:83:30
#25 0x7fc6f1e36f60 in Threading::Thread::start()::$_0::__invoke(void*) /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/Thread.cpp:80:9
#26 0x5642d21db2f8 in asan_thread_start(void*) crtstuff.c
Thread T3 created by T0 here:
#0 0x5642d21c3231 in pthread_create (/home/sam/Projects/ladybird/Build/ladybird/libexec/RequestServer+0x123231) (BuildId: fb77b57225f9afbf)
#1 0x7fc6f1e36c19 in Threading::Thread::start() /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/Thread.cpp:76:14
#2 0x5642d22680e9 in Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>::initialize_workers(unsigned long) /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/ThreadPool.h:129:21
#3 0x5642d2229666 in Threading::ThreadPool<RequestServer::ThreadPoolEntry, RequestServer::Looper>::ThreadPool(AK::Function<void (RequestServer::ThreadPoolEntry)>, AK::Optional<unsigned long>) /home/sam/Projects/ladybird/Userland/Libraries/LibThreading/ThreadPool.h:72:9
#4 0x5642d2290421 in __cxx_global_var_init /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp:34:55
#5 0x5642d2290421 in _GLOBAL__sub_I_ConnectionFromClient.cpp /home/sam/Projects/ladybird/Userland/Services/RequestServer/ConnectionFromClient.cpp
#6 0x7fc6f155ceba in call_init csu/../csu/libc-start.c:145:3
#7 0x7fc6f155ceba in __libc_start_main csu/../csu/libc-start.c:379:5
SUMMARY: AddressSanitizer: heap-use-after-free /home/sam/Projects/ladybird/Userland/Libraries/LibCore/NetworkJob.h:61:76 in do_write
Shadow bytes around the buggy address:
0x503000006000: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
0x503000006080: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x503000006100: 00 00 00 fa fa fa fd fd fd fd fa fa fd fd fd fa
0x503000006180: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa fd fd
0x503000006200: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x503000006280: fd fd fd fd fa fa fd fd fd fa fa fa[fd]fd fd fd
0x503000006300: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fd fd
0x503000006380: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x503000006400: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
0x503000006480: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00
0x503000006500: 00 07 fa fa 00 00 00 07 fa fa 00 00 00 02 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
```
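The trace above pairs a free on the main thread (T0 tearing down `ConnectionFromClient`, whose `HashMap` of `OwnPtr`s deletes the `HttpsRequest`) with a read on a pool thread (T3 inside `do_write`). The example below is added here to show that shutdown ordering in isolation and the two ownership shapes that make the late write safe; it is not Ladybird code and does not use AK types. `Request`, `Connection`, `WriteJob`, `SharedWriteJob` and `do_write` are hypothetical stand-ins for the RequestServer types in the report, and the "worker" steps are run sequentially so the outcome is deterministic.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for the per-request object (HttpsRequest in the report).
struct Request {
    int id = 0;
    std::vector<std::string> written; // chunks the worker has "sent" for this request
    void do_write(std::string const& chunk) { written.push_back(chunk); }
};

// Hypothetical stand-in for ConnectionFromClient: sole owner of its requests, and
// destroyed on the main thread while pool threads may still hold jobs for them.
struct Connection {
    std::unordered_map<int, std::shared_ptr<Request>> requests;
    std::shared_ptr<Request> start_request(int id)
    {
        auto request = std::make_shared<Request>();
        request->id = id;
        requests[id] = request;
        return request;
    }
};

// The shape ASAN flagged: the worker holds a raw pointer, so once the owner has
// destroyed *target the next do_write reads freed memory. Shown only for contrast;
// it is never run after teardown here.
struct RawWriteJob {
    Request* target;
    std::string chunk;
    void run() const { target->do_write(chunk); }
};

// Fix 1: the job holds a weak reference. It cannot keep a dead request alive, but it
// also cannot touch freed memory: lock() yields null after the owner dropped it.
struct WriteJob {
    std::weak_ptr<Request> target;
    std::string chunk;
    // true when the write reached a live request, false when it was already torn down
    bool run() const
    {
        if (auto request = target.lock()) {
            request->do_write(chunk);
            return true;
        }
        return false;
    }
};

struct Outcome {
    int delivered = 0;
    int skipped = 0;
};

// Replays the report's ordering with a weak reference: worker writes, main thread
// destroys the connection (freeing the request), worker tries to write again.
Outcome shutdown_race_with_weak_reference()
{
    auto connection = std::make_unique<Connection>();
    auto request = connection->start_request(1);
    WriteJob job { request, "GET / HTTP/1.1\r\n" };
    request.reset(); // only the connection owns the request now, as in the report

    Outcome outcome;
    auto deliver = [&] {
        if (job.run())
            ++outcome.delivered;
        else
            ++outcome.skipped;
    };

    deliver();          // connection alive: the write lands
    connection.reset(); // ~Connection frees the request while the job still exists
    deliver();          // lock() fails: the write is skipped instead of hitting freed memory
    return outcome;     // {1 delivered, 1 skipped}
}

// Fix 2: the job co-owns the request, so teardown cannot free it while a write is pending.
struct SharedWriteJob {
    std::shared_ptr<Request> target;
    std::string chunk;
    void run() const { target->do_write(chunk); }
};

// Returns the number of chunks written; both land because the job keeps the request alive.
std::size_t shutdown_with_shared_ownership()
{
    auto connection = std::make_unique<Connection>();
    auto request = connection->start_request(2);
    SharedWriteJob job { request, "GET / HTTP/1.1\r\n" };
    request.reset();

    job.run();
    connection.reset(); // the request outlives its connection: the job still holds it
    job.run();
    return job.target->written.size(); // 2
}

int main()
{
    auto weak = shutdown_race_with_weak_reference();
    auto shared = shutdown_with_shared_ownership();
    std::printf("weak ref: %d delivered, %d skipped; shared ownership: %zu written\n",
        weak.delivered, weak.skipped, shared);
    return (weak.delivered == 1 && weak.skipped == 1 && shared == 2) ? 0 : 1;
}
```

Which fix fits depends on what teardown should mean: with weak references the shutdown path must tolerate a write that never happened, while shared ownership delays the actual free until the last worker job is gone. Either way, `do_write` itself still needs its own synchronisation if the main thread can read the request's state concurrently; the example only removes the lifetime hazard the sanitizer reported.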