Closed
Labels
triage (Needs further investigation)
Description
A recent CI run (https://ci1.netdef.org/browse/FRR-PULLREQ3-7986/artifact/ASAN0D12AMD64/AddressSanitizerError/AddressSanitzer.txt) reported this asan issue. The code involved had no zebra changes (or lib changes), so I think this is present in master.
If I'm reading this correctly, it looks like the evpn code doesn't deal with the possibility that a bridge interface could be freed before its children - the child interface here is de-refing a pointer to its parent bridge.
ERROR: AddressSanitizer: heap-use-after-free on address 0x612000088410 at pc 0x56483c545dcc bp 0x7ffc4a77ee30 sp 0x7ffc4a77ee28
READ of size 4 at 0x612000088410 thread T0
#0 0x56483c545dcb in zebra_evpn_acc_vl_find zebra/zebra_evpn_mh.c:554
#1 0x56483c54690e in zebra_evpn_vl_mbr_deref zebra/zebra_evpn_mh.c:955
#2 0x56483c54c59f in zebra_evpn_if_cleanup zebra/zebra_evpn_mh.c:1180
#3 0x56483c3daa2d in if_zebra_delete_hook zebra/interface.c:226
#4 0x7fa1176027ff in hook_call_if_del lib/if.c:56
#5 0x7fa1176027ff in if_delete_retain lib/if.c:364
#6 0x7fa117603c62 in if_delete lib/if.c:385
#7 0x7fa117604106 in if_terminate lib/if.c:1082
#8 0x7fa1176f7b43 in vrf_terminate_single lib/vrf.c:600
#9 0x7fa1176f7bca in vrf_iterate lib/vrf.c:394
#10 0x7fa1176f82d1 in vrf_terminate lib/vrf.c:609
#11 0x56483c3f0798 in zebra_finalize zebra/main.c:229
#12 0x7fa1176ef709 in event_call lib/event.c:2019
#13 0x7fa11761b23e in frr_run lib/libfrr.c:1247
#14 0x56483c3f10ad in main zebra/main.c:543
#15 0x7fa117246249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x7fa117246304 in __libc_start_main_impl ../csu/libc-start.c:360
#17 0x56483c3c5890 in _start (/usr/lib/frr/zebra+0x1a7890)
0x612000088410 is located 80 bytes inside of 280-byte region [0x6120000883c0,0x6120000884d8)
freed by thread T0 here:
#0 0x7fa117ab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#1 0x7fa11763abeb in qfree lib/memory.c:131
#2 0x7fa117603cf0 in if_delete lib/if.c:396
#3 0x7fa117604106 in if_terminate lib/if.c:1082
#4 0x7fa1176f7b43 in vrf_terminate_single lib/vrf.c:600
#5 0x7fa1176f7c05 in vrf_iterate lib/vrf.c:381
#6 0x7fa1176f82d1 in vrf_terminate lib/vrf.c:609
#7 0x56483c3f0798 in zebra_finalize zebra/main.c:229
#8 0x7fa1176ef709 in event_call lib/event.c:2019
#9 0x7fa11761b23e in frr_run lib/libfrr.c:1247
#10 0x56483c3f10ad in main zebra/main.c:543
#11 0x7fa117246249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7fa117ab83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
#1 0x7fa11763a2f8 in qcalloc lib/memory.c:106
#2 0x7fa117600d85 in if_new lib/if.c:170
#3 0x7fa117600d85 in if_create_name lib/if.c:317
#4 0x7fa117600d85 in if_get_by_name lib/if.c:724
#5 0x56483c3de255 in zebra_if_dplane_ifp_handling zebra/interface.c:1977
#6 0x56483c3de255 in zebra_if_dplane_result zebra/interface.c:2240
#7 0x56483c4df0e0 in rib_process_dplane_results zebra/zebra_rib.c:5025
#8 0x7fa1176ef709 in event_call lib/event.c:2019
#9 0x7fa11761b23e in frr_run lib/libfrr.c:1247
#10 0x56483c3f10ad in main zebra/main.c:543
#11 0x7fa117246249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Version
master
How to reproduce
This was a topotest that has both L2VNI and L3VNI - not sure whether that's common or not?
Expected behavior
don't touch freed memory
Actual behavior
asan report
Additional context
No response
Checklist
- I have searched the open issues for this bug.
- I have not included sensitive information in this report.
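The lifetime problem described in the report, as an added C model; it is not FRR code and not from the issue, and the struct, table and function names are hypothetical. It shows a delete routine that clears child back-pointers before freeing a parent, so a member's cleanup stays safe when the bridge is deleted first.

```c
#include <stdlib.h>

/* Hypothetical model of the lifetime problem; not FRR's data structures. */
#define MAX_IF 4
struct iface {
    int vid;              /* state the child reads through its parent */
    struct iface *bridge; /* child -> parent back-pointer, NULL if none */
};
static struct iface *table[MAX_IF]; /* live interfaces, by slot */

static struct iface *iface_new(int slot, int vid, struct iface *bridge)
{
    struct iface *ifp = calloc(1, sizeof(*ifp));
    if (!ifp) abort();
    ifp->vid = vid;
    ifp->bridge = bridge;
    return table[slot] = ifp;
}

/* Cleanup hook: parent's vid, or -1 when the parent link is severed. */
static int iface_cleanup(const struct iface *ifp)
{
    return ifp->bridge ? ifp->bridge->vid : -1;
}

/* Safe in any order: back-pointers to ifp are cleared before the free.
 * Without the loop, bridge-first deletion reads freed memory in cleanup. */
static int iface_delete(int slot)
{
    struct iface *ifp = table[slot];
    if (!ifp) return -1;
    int seen = iface_cleanup(ifp);
    for (int i = 0; i < MAX_IF; i++)
        if (table[i] && table[i]->bridge == ifp)
            table[i]->bridge = NULL;
    table[slot] = NULL;
    free(ifp);
    return seen;
}

/* Delete bridge and member in the chosen order; report what the member saw. */
static int teardown(int bridge_first)
{
    struct iface *br = iface_new(0, 100, NULL);
    iface_new(1, 0, br);
    if (bridge_first) iface_delete(0);
    int seen = iface_delete(1);
    iface_delete(0); /* no-op when the bridge is already gone */
    return seen;
}

int main(void) { return teardown(1) == -1 ? 0 : 1; }
```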