FS#2288 - uci memory corruption when setting section name #6074

Closed
openwrt-bot opened this issue May 17, 2019 · 4 comments

@openwrt-bot openwrt-bot commented May 17, 2019

charlemagnelasse:

  • Happens on every device
  • Happens on every version tested (only tested from LEDE 17.01 through 4c8b4d6efc8302b508d261573351fffb75bd98c2)

Prepare system:

mkdir -p /etc/config
cat > /etc/config/foo << EOF
config general 'general'
    option very 'important'
EOF
uci set foo.bar='asd'
uci set foo.bar='asd'

And then run it either via valgrind

cmake -DCMAKE_INSTALL_PREFIX=/usr . && make
valgrind ./uci show
==2144== Memcheck, a memory error detector
==2144== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2144== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2144== Command: ./uci show
==2144==
foo.general=general
foo.general.very='important'
foo.bar=asd
==2144== Invalid read of size 8
==2144==    at 0x10A90C: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630a8 is 56 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A910: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630b0 is 64 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A91D: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630e8 is 24 bytes before a block of size 4 alloc'd
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x491BDB9: strdup (strdup.c:42)
==2144==    by 0x48499B4: uci_strdup (util.c:60)
==2144==    by 0x484663E: uci_alloc_generic (list.c:55)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==2144==
==2144==
==2144== Process terminating with default action of signal 11 (SIGSEGV)
==2144==  Access not within mapped region at address 0x18
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  If you believe this happened as a result of a stack
==2144==  overflow in your program's main thread (unlikely but
==2144==  possible), you can try to increase the size of the
==2144==  main thread stack using the --main-stacksize= flag.
==2144==  The main thread stack size used in this run was 8388608.
==2144==
==2144== HEAP SUMMARY:
==2144==     in use at exit: 961 bytes in 18 blocks
==2144==   total heap usage: 38 allocs, 20 frees, 45,212 bytes allocated
==2144==
==2144== LEAK SUMMARY:
==2144==    definitely lost: 0 bytes in 0 blocks
==2144==    indirectly lost: 0 bytes in 0 blocks
==2144==      possibly lost: 0 bytes in 0 blocks
==2144==    still reachable: 961 bytes in 18 blocks
==2144==         suppressed: 0 bytes in 0 blocks
==2144== Rerun with --leak-check=full to see details of leaked memory
==2144==
==2144== For counts of detected and suppressed errors, rerun with: -v
==2144== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
zsh: segmentation fault  sudo valgrind ./uci show

Or with ASAN

cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" && make
./uci show         
foo.general=general
foo.general.very='important'
foo.bar=asd
=================================================================
==2908==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000288 at pc 0x5635c789848b bp 0x7ffd3393e680 sp 0x7ffd3393e678
READ of size 8 at 0x607000000288 thread T0
    #0 0x5635c789848a in uci_show_option /usr/src/uci/cli.c:239
    #1 0x5635c7898814 in uci_show_section /usr/src/uci/cli.c:256
    #2 0x5635c7899368 in uci_show_package /usr/src/uci/cli.c:268
    #3 0x5635c7899368 in package_cmd /usr/src/uci/cli.c:345
    #4 0x5635c789acb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #5 0x5635c789acb5 in uci_cmd /usr/src/uci/cli.c:674
    #6 0x5635c7897bc1 in main /usr/src/uci/cli.c:767
    #7 0x7f8f2f0bc09a in __libc_start_main ../csu/libc-start.c:308
    #8 0x5635c7897c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000288 is located 56 bytes inside of 76-byte region [0x607000000250,0x60700000029c)
freed by thread T0 here:
    #0 0x7f8f2ff27720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f8f2fddf5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f8f2ff27330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f8f2fddf56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/cli.c:239 in uci_show_option
Shadow bytes around the buggy address:
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff8030: 00 00 00 00 00 00 00 02 fa fa fa fa fd fd fd fd
  0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
=>0x0c0e7fff8050: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8060: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2908==ABORTING

@openwrt-bot openwrt-bot commented May 17, 2019

charlemagnelasse:

Current uci version 4c8b4d6efc8302b508d261573351fffb75bd98c2 fails its own testsuite due to memory corruptions:

cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==4803==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f46c3befaa8 bp 0x7ffc90bb9790 sp 0x7ffc90bb9788
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f46c3befaa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7f46c3befaa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7f46c3befe7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7f46c3bf0374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7f46c3bf300e in uci_free_context /usr/src/uci/libuci.c:84
#5 0x55cbf8befc11 in main /usr/src/uci/cli.c:774
#6 0x7f46c2ee009a in __libc_start_main ../csu/libc-start.c:308
#7 0x55cbf8befc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f46c3d4b720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f46c3c035dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f46c3d4b330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f46c3c0356e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4803==ABORTING

==4804==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f958d30baa8 bp 0x7ffc1e2249a0 sp 0x7ffc1e224998
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f958d30baa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7f958d30baa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7f958d30be7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7f958d30c374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7f958d30f00e in uci_free_context /usr/src/uci/libuci.c:84
#5 0x55ddb752fc11 in main /usr/src/uci/cli.c:774
#6 0x7f958c5fc09a in __libc_start_main ../csu/libc-start.c:308
#7 0x55ddb752fc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f958d467720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f958d31f5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f958d467330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f958d31f56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4804==ABORTING

==4809==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7fc0485e3aa8 bp 0x7ffe4c149460 sp 0x7ffe4c149458
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7fc0485e3aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7fc0485e3aa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7fc0485e3e7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7fc0485e4374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7fc0485e6247 in uci_unload /usr/src/uci/list.c:739
#5 0x557362dbc42a in package_cmd /usr/src/uci/cli.c:364
#6 0x557362dbdcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#7 0x557362dbdcb5 in uci_cmd /usr/src/uci/cli.c:674
#8 0x557362dbabc1 in main /usr/src/uci/cli.c:767
#9 0x7fc0478d409a in __libc_start_main ../csu/libc-start.c:308
#10 0x557362dbac69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7fc04873f720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7fc0485f75dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7fc04873f330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7fc0485f756e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4809==ABORTING
ASSERT:
ASSERT:expected:<delta.sec0='sectype'
delta.sec0.li0+='0'
delta.sec0='sectype'
delta.sec0.li0+='1'> but was:<>

==4815==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000228 at pc 0x7f732debbf18 bp 0x7fff452db0f0 sp 0x7fff452db0e8
READ of size 4 at 0x607000000228 thread T0
#0 0x7f732debbf17 in uci_export_package /usr/src/uci/file.c:611
#1 0x7f732debfa6f in uci_export /usr/src/uci/file.c:639
#2 0x558c0b7a4d40 in package_cmd /usr/src/uci/cli.c:333
#3 0x558c0b7a6cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#4 0x558c0b7a6cb5 in uci_cmd /usr/src/uci/cli.c:674
#5 0x558c0b7a3bc1 in main /usr/src/uci/cli.c:767
#6 0x7f732d1a009a in __libc_start_main ../csu/libc-start.c:308
#7 0x558c0b7a3c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000228 is located 72 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f732e00b720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f732dec35dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f732e00b330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f732dec356e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/file.c:611 in uci_export_package
==4815==ABORTING
ASSERT:
ASSERT:expected:<package delta

config sectype 'sec0'
list li0 '0'
list li0 '1'> but was:<>

==4822==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f7e03b29aa8 bp 0x7ffd43cac9b0 sp 0x7ffd43cac9a8
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f7e03b29aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7f7e03b29aa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7f7e03b29e7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7f7e03b2a374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7f7e03b2c247 in uci_unload /usr/src/uci/list.c:739
#5 0x5601e701e42a in package_cmd /usr/src/uci/cli.c:364
#6 0x5601e701fcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#7 0x5601e701fcb5 in uci_cmd /usr/src/uci/cli.c:674
#8 0x5601e701cbc1 in main /usr/src/uci/cli.c:767
#9 0x7f7e02e1a09a in __libc_start_main ../csu/libc-start.c:308
#10 0x5601e701cc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f7e03c85720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f7e03b3d5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f7e03c85330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f7e03b3d56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4822==ABORTING
ASSERT:

==4829==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f0b2e338aa8 bp 0x7ffcc0cd2590 sp 0x7ffcc0cd2588
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f0b2e338aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7f0b2e338aa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7f0b2e338e7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7f0b2e339374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7f0b2e34b2cc in uci_file_commit /usr/src/uci/file.c:756
#5 0x7f0b2e33d199 in uci_commit /usr/src/uci/libuci.c:206
#6 0x5614d5f24ce1 in package_cmd /usr/src/uci/cli.c:327
#7 0x5614d5f26cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#8 0x5614d5f26cb5 in uci_cmd /usr/src/uci/cli.c:674
#9 0x5614d5f23bc1 in main /usr/src/uci/cli.c:767
#10 0x7f0b2d62909a in __libc_start_main ../csu/libc-start.c:308
#11 0x5614d5f23c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f0b2e494720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f0b2e34c5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f0b2e494330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f0b2e34c56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4829==ABORTING
ASSERT:
Files ./references/cli.options.delta.commit.result and ./tests/config/delta differ
ASSERT:
REF:

config sectype 'sec0'
list li0 '1'
list li0 '0'


TEST:

test_changes_tailing_parts
test_changes_missing_value

Test report

tests passed: 105 94%
tests failed: 7 6%
tests skipped: 0 0%
tests total: 112 100%

For the LEDE 17.01 version:

cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==6986==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f2f158c7aa8 bp 0x7ffd548bf4d0 sp 0x7ffd548bf4c8
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f2f158c7aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7f2f158c7aa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7f2f158c7e7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7f2f158c884b in uci_free_package /usr/src/uci/list.c:243
#4 0x7f2f158cafbb in uci_free_context /usr/src/uci/libuci.c:84
#5 0x55976de7dc11 in main /usr/src/uci/cli.c:774
#6 0x7f2f14bb809a in __libc_start_main ../csu/libc-start.c:308
#7 0x55976de7dc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f2f15a23720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f2f158db6db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f2f15a23330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f2f158db66d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==6986==ABORTING

==6987==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f04c082baa8 bp 0x7ffd3b1bbd40 sp 0x7ffd3b1bbd38
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f04c082baa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7f04c082baa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7f04c082be7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7f04c082c84b in uci_free_package /usr/src/uci/list.c:243
#4 0x7f04c082efbb in uci_free_context /usr/src/uci/libuci.c:84
#5 0x564d3a995c11 in main /usr/src/uci/cli.c:774
#6 0x7f04bfb1c09a in __libc_start_main ../csu/libc-start.c:308
#7 0x564d3a995c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f04c0987720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f04c083f6db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f04c0987330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f04c083f66d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==6987==ABORTING

==6992==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f7e1b765aa8 bp 0x7ffe56967ab0 sp 0x7ffe56967aa8
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f7e1b765aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7f7e1b765aa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7f7e1b765e7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7f7e1b76684b in uci_free_package /usr/src/uci/list.c:243
#4 0x7f7e1b7681f4 in uci_unload /usr/src/uci/list.c:730
#5 0x56086295d42a in package_cmd /usr/src/uci/cli.c:364
#6 0x56086295ecb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#7 0x56086295ecb5 in uci_cmd /usr/src/uci/cli.c:674
#8 0x56086295bbc1 in main /usr/src/uci/cli.c:767
#9 0x7f7e1aa5609a in __libc_start_main ../csu/libc-start.c:308
#10 0x56086295bc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f7e1b8c1720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f7e1b7796db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f7e1b8c1330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f7e1b77966d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==6992==ABORTING
ASSERT:
ASSERT:expected:<delta.sec0='sectype'
delta.sec0.li0+='0'
delta.sec0='sectype'
delta.sec0.li0+='1'> but was:<>

==6998==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000228 at pc 0x7f0147730eff bp 0x7ffc373bee30 sp 0x7ffc373bee28
READ of size 4 at 0x607000000228 thread T0
#0 0x7f0147730efe in uci_export_package /usr/src/uci/file.c:614
#1 0x7f0147734a43 in uci_export /usr/src/uci/file.c:642
#2 0x55af8e3eed40 in package_cmd /usr/src/uci/cli.c:333
#3 0x55af8e3f0cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#4 0x55af8e3f0cb5 in uci_cmd /usr/src/uci/cli.c:674
#5 0x55af8e3edbc1 in main /usr/src/uci/cli.c:767
#6 0x7f0146a1509a in __libc_start_main ../csu/libc-start.c:308
#7 0x55af8e3edc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000228 is located 72 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f0147880720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f01477386db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f0147880330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f014773866d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/file.c:614 in uci_export_package
==6998==ABORTING
ASSERT:
ASSERT:expected:<package delta

config sectype 'sec0'
list li0 '0'
list li0 '1'> but was:<>

==7009==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7faec5bf2aa8 bp 0x7ffd13eaa6a0 sp 0x7ffd13eaa698
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7faec5bf2aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7faec5bf2aa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7faec5bf2e7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7faec5bf384b in uci_free_package /usr/src/uci/list.c:243
#4 0x7faec5bf51f4 in uci_unload /usr/src/uci/list.c:730
#5 0x559243cba42a in package_cmd /usr/src/uci/cli.c:364
#6 0x559243cbbcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#7 0x559243cbbcb5 in uci_cmd /usr/src/uci/cli.c:674
#8 0x559243cb8bc1 in main /usr/src/uci/cli.c:767
#9 0x7faec4ee309a in __libc_start_main ../csu/libc-start.c:308
#10 0x559243cb8c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7faec5d4e720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7faec5c066db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7faec5d4e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7faec5c0666d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==7009==ABORTING
ASSERT:

==7016==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f40f610caa8 bp 0x7ffc91771e40 sp 0x7ffc91771e38
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f40f610caa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7f40f610caa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7f40f610ce7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7f40f610d84b in uci_free_package /usr/src/uci/list.c:243
#4 0x7f40f611f3cb in uci_file_commit /usr/src/uci/file.c:760
#5 0x7f40f6111146 in uci_commit /usr/src/uci/libuci.c:206
#6 0x55e7aaf01ce1 in package_cmd /usr/src/uci/cli.c:327
#7 0x55e7aaf03cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
#8 0x55e7aaf03cb5 in uci_cmd /usr/src/uci/cli.c:674
#9 0x55e7aaf00bc1 in main /usr/src/uci/cli.c:767
#10 0x7f40f53fd09a in __libc_start_main ../csu/libc-start.c:308
#11 0x55e7aaf00c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
#0 0x7f40f6268720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
#1 0x7f40f61206db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
#0 0x7f40f6268330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x7f40f612066d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==7016==ABORTING
ASSERT:
Files ./references/cli.options.delta.commit.result and ./tests/config/delta differ
ASSERT:
REF:

config sectype 'sec0'
list li0 '1'
list li0 '0'


TEST:

Test report

tests passed: 93 93%
tests failed: 7 7%
tests skipped: 0 0%
tests total: 100 100%

Some of the shown problems might be related to #2288 but some of them seem to be caused by other things.
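The reports above show a block released by realloc (through uci_realloc) and later written by uci_list_del. As an added illustration, not code from uci or from this thread, the simplified model below shows how a moving resize of a struct with an embedded list head leaves its neighbours pointing at the old block, and the re-linking that avoids it. All type and function names are hypothetical, and that this is the exact mechanism in uci is an assumption.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, NOT uci source: a section with an embedded list head
 * and a trailing name, so a rename may need a differently sized block. */
struct list { struct list *next, *prev; };
struct section { struct list options; char name[]; };

static void list_init(struct list *h) { h->next = h->prev = h; }

void list_add_tail(struct list *h, struct list *n) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

struct section *section_new(const char *name) {
    struct section *s = malloc(sizeof(*s) + strlen(name) + 1);
    if (!s) return NULL;
    list_init(&s->options);
    strcpy(s->name, name);
    return s;
}

/* Models realloc when it has to move the block: allocate, copy, free.
 * fix_links == 0 reproduces the bug class (neighbours keep the old head
 * address); fix_links == 1 re-points them before the old block is freed. */
struct section *section_rename(struct section *old, const char *name, int fix_links) {
    struct section *s = malloc(sizeof(*s) + strlen(name) + 1);
    if (!s) return NULL;
    s->options = old->options;          /* raw byte copy, as realloc does */
    strcpy(s->name, name);
    if (fix_links) {
        if (old->options.next == &old->options) {
            list_init(&s->options);     /* empty list pointed at itself */
        } else {
            s->options.next->prev = &s->options;
            s->options.prev->next = &s->options;
        }
    }
    free(old);
    return s;
}

/* Invariant check over nodes the caller knows are live; it compares pointer
 * values only and never dereferences a possibly stale address. */
int links_consistent(const struct section *s, struct list *const *live, size_t n) {
    const struct list *h = &s->options;
    if (n == 0) return h->next == h && h->prev == h;
    return h->next == live[0] && live[0]->prev == h &&
           h->prev == live[n - 1] && live[n - 1]->next == h;
}
```

With fix_links set to 0, the first later list operation on a neighbour writes into the freed block, which matches the shape of the WRITE in uci_list_del that AddressSanitizer reports here.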


@openwrt-bot openwrt-bot commented May 17, 2019

charlemagnelasse:

This problem was introduced by

commit 4fb6a564b8eebe01f46766b8238a64d6414ed3ba
Author: Felix Fietkau
Date: Fri Aug 22 22:02:20 2008 +0200

    clean up uci_set


@openwrt-bot openwrt-bot commented May 20, 2019

charlemagnelasse:

The patchwork patch fixes the problem. But my valgrind patch was destroyed by your mailing list. I have attached the patch here again.


@openwrt-bot openwrt-bot commented May 20, 2019

dedeckeh:

The patch was removed from patchwork as it failed to apply; see http://lists.infradead.org/pipermail/openwrt-devel/2019-May/017159.html.
Please use git send-email to send patches to the mailing list; only patches sent to the mailing list will end up in patchwork and will be considered to be applied.
