`test-umount` has started to fail under `asan` #8504

evverx · 2018-03-20T13:16:25Z

Something that was merged recently seems to cause asan to report a memory leak:

$ git describe
v238-161-ged358dbd0

$ ./build/test-umount
...

=================================================================
==16164==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x7ff801df4c40 in realloc (/lib64/libasan.so.4+0xdec40)
    #1 0x7ff800e6fd7c in _IO_vfscanf_internal (/lib64/libc.so.6+0x66d7c)
    #2 0x7ff800e82adc in _IO_vsscanf (/lib64/libc.so.6+0x79adc)

SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).

The backtrace isn't very useful. Probably the output of valgrind is more helpful:

==22905==
==22905== HEAP SUMMARY:
==22905==     in use at exit: 16 bytes in 1 blocks
==22905==   total heap usage: 1,488 allocs, 1,487 frees, 128,428 bytes allocated
==22905==
==22905== 16 bytes in 1 blocks are definitely lost in loss record 1 of 1
==22905==    at 0x4C31C15: realloc (vg_replace_malloc.c:785)
==22905==    by 0x55C5D7C: _IO_vfscanf (in /usr/lib64/libc-2.26.so)
==22905==    by 0x55D8ADC: vsscanf (in /usr/lib64/libc-2.26.so)
==22905==    by 0x55D25B3: sscanf (in /usr/lib64/libc-2.26.so)
==22905==    by 0x53236D0: mnt_table_parse_stream (in /usr/lib64/libmount.so.1.1.0)
==22905==    by 0x53249B6: mnt_table_parse_file (in /usr/lib64/libmount.so.1.1.0)
==22905==    by 0x10D171: swap_list_get (umount.c:194)
==22905==    by 0x10B06E: test_swap_list (test-umount.c:34)
==22905==    by 0x10B24B: main (test-umount.c:56)
==22905==
==22905== LEAK SUMMARY:
==22905==    definitely lost: 16 bytes in 1 blocks
==22905==    indirectly lost: 0 bytes in 0 blocks
==22905==      possibly lost: 0 bytes in 0 blocks
==22905==    still reachable: 0 bytes in 0 blocks
==22905==         suppressed: 0 bytes in 0 blocks
==22905==
==22905== For counts of detected and suppressed errors, rerun with: -v
==22905== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

The text was updated successfully, but these errors were encountered:

evverx · 2018-03-20T13:17:48Z

I've just found util-linux/util-linux#596, which seems to have been fixed. I'm closing the issue. Sorry for the noise.

The fuzzer is supposed to cover `mnt_table_parse_stream`, which is used by systemd to parse /proc/self/mountinfo. The systemd project has run into memory leaks there at least twice: systemd/systemd#12252 (comment) systemd/systemd#8504 so it seems to be a good idea to continuously fuzz that particular function. The patch can be tested locally by installing clang and running ./tools/oss-fuzz.sh. Currently the fuzzer is failing with ``` ================================================================= ==96638==ERROR: LeakSanitizer: detected memory leaks Direct leak of 216 byte(s) in 1 object(s) allocated from: #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77) #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25 #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9 #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8 #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16 util-linux#5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88) util-linux#6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0) util-linux#7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270) util-linux#8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617) util-linux#9 0x43adbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb) util-linux#10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46) util-linux#11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. ``` Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible to turn on CIFuzz to make sure the fuzz target can be built and run for some time without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/

The fuzzer is supposed to cover `mnt_table_parse_stream`, which is used by systemd to parse /proc/self/mountinfo. The systemd project has run into memory leaks there at least twice: systemd/systemd#12252 (comment) systemd/systemd#8504 so it seems to be a good idea to continuously fuzz that particular function. The patch can be tested locally by installing clang and running ./tools/oss-fuzz.sh. Currently the fuzzer is failing with ``` ================================================================= ==96638==ERROR: LeakSanitizer: detected memory leaks Direct leak of 216 byte(s) in 1 object(s) allocated from: #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77) #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25 #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9 #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8 #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16 util-linux#5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88) util-linux#6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0) util-linux#7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270) util-linux#8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617) util-linux#9 0x43adbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb) util-linux#10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46) util-linux#11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. ``` Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible to turn on CIFuzz to make sure the fuzz target can be built and run for some time without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>

evverx closed this as completed Mar 20, 2018

evverx added the not-our-bug label Mar 20, 2018

evverx mentioned this issue Apr 13, 2019

Don't unescape paths from libmount #12252

Merged

evverx mentioned this issue Jun 25, 2020

add a fuzzer for mnt_table_parse_stream util-linux/util-linux#1068

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`test-umount` has started to fail under `asan` #8504

`test-umount` has started to fail under `asan` #8504

evverx commented Mar 20, 2018

evverx commented Mar 20, 2018 •

edited

Loading

test-umount has started to fail under asan #8504

test-umount has started to fail under asan #8504

Comments

evverx commented Mar 20, 2018

evverx commented Mar 20, 2018 • edited Loading

`test-umount` has started to fail under `asan` #8504

`test-umount` has started to fail under `asan` #8504

evverx commented Mar 20, 2018 •

edited

Loading