
[IPv4 Fragmentation] Address sanitizer reports a heap-use-after-free #246

Closed
danielinux opened this issue Mar 31, 2015 · 0 comments
How to reproduce:
compile the dev branch test, enabling ADDRESS_SANITIZER:

make test ADDRESS_SANITIZER=1

run a udpecho server:

./build/test/picoapp.elf --vde pic0:/tmp/pic0.ctl:10.40.0.8:255.255.0.0::: -a udpecho:10.40.0.8:6667

run a UDP client:

./build/test/picoapp.elf --vde pic0:/tmp/pic0.ctl:10.40.0.9:255.255.0.0::: -a udpclient:10.40.0.8:6667:6667:1400:100:10:

Result (on the client):

=================================================================
==23677==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4003e5a at pc 0x80791f2 bp 0xbfb80fa8 sp 0xbfb80f9c
READ of size 4 at 0xb4003e5a thread T0
    #0 0x80791f1 in pico_ipv4_process_in modules/pico_ipv4.c:718
    #1 0x80c3597 in proto_loop_in stack/pico_protocol.c:60
    #2 0x80c3710 in proto_loop stack/pico_protocol.c:86
    #3 0x80c3adf in pico_protocol_generic_loop stack/pico_protocol.c:134
    #4 0x80c3c61 in pico_protocol_network_loop stack/pico_protocol.c:157
    #5 0x80d9fcf in pico_stack_tick stack/pico_stack.c:968
    #6 0x80e22aa in main test/picoapp.c:649
    #7 0xb708da62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
    #8 0x8049470 (/home/dan/picotcp/build/test/picoapp.elf+0x8049470)

0xb4003e5a is located 26 bytes inside of 190-byte region [0xb4003e40,0xb4003efe)
freed by thread T0 here:
    #0 0xb72d34c4 in free (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e4c4)
    #1 0x80c2344 in pico_frame_discard stack/pico_frame.c:32
    #2 0x8077c2b in fragmented_check_is_lastfrag modules/pico_ipv4.c:488
    #3 0x80783c7 in pico_ipv4_fragmented_check modules/pico_ipv4.c:533
    #4 0x8079137 in pico_ipv4_process_in modules/pico_ipv4.c:713
    #5 0x80c3597 in proto_loop_in stack/pico_protocol.c:60
    #6 0x80c3710 in proto_loop stack/pico_protocol.c:86
    #7 0x80c3adf in pico_protocol_generic_loop stack/pico_protocol.c:134
    #8 0x80c3c61 in pico_protocol_network_loop stack/pico_protocol.c:157
    #9 0x80d9fcf in pico_stack_tick stack/pico_stack.c:968
    #10 0x80e22aa in main test/picoapp.c:649
    #11 0xb708da62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)

previously allocated by thread T0 here:
    #0 0xb72d3812 in __interceptor_calloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e812)
    #1 0x80c2683 in pico_frame_do_alloc stack/pico_frame.c:71
    #2 0x80c29b7 in pico_frame_alloc stack/pico_frame.c:109
    #3 0x80d7385 in pico_stack_recv stack/pico_stack.c:676
    #4 0x80547c7 in pico_vde_poll modules/pico_dev_vde.c:57
    #5 0x80c1626 in check_dev_serve_polling stack/pico_device.c:217
    #6 0x80c1b40 in devloop stack/pico_device.c:288
    #7 0x80c1c6c in pico_devices_loop stack/pico_device.c:336
    #8 0x80d9f7d in pico_stack_tick stack/pico_stack.c:962
    #9 0x80e22aa in main test/picoapp.c:649
    #10 0xb708da62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)

SUMMARY: AddressSanitizer: heap-use-after-free modules/pico_ipv4.c:718 pico_ipv4_process_in
Shadow bytes around the buggy address:
  0x36800770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
  0x36800780: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x36800790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
  0x368007a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x368007b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
=>0x368007c0: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x368007d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x368007e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x368007f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36800800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36800810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==23677==ABORTING
@danielinux danielinux added the bug label Mar 31, 2015
@ludolinux ludolinux self-assigned this Apr 14, 2015
@danielinux danielinux added this to the Release 1.5 milestone May 29, 2015
@danielinux danielinux assigned laurensmiers and unassigned ludolinux Jun 10, 2015
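Added illustration (not picoTCP's code) of the ownership pattern the trace above points at: the frame is discarded inside fragmented_check_is_lastfrag (pico_ipv4.c:488) and read again by pico_ipv4_process_in a few lines after the call (line 718, call at 713). The model below uses hypothetical names and a constructed frame layout; the hardened variant makes the callee's "frame consumed" outcome explicit so the caller stops using the pointer, and compiling with -fsanitize=address and calling process_in_buggy on a last fragment reproduces the same class of report.

```c
#include <stdint.h>
#include <stdlib.h>

struct frame {
    uint16_t len;        /* bytes of payload carried by this frame */
    uint16_t flags_off;  /* IPv4 flags + fragment offset, host order */
};
#define IPV4_MF      0x2000u  /* More Fragments flag */
#define IPV4_OFFMASK 0x1fffu  /* 13-bit fragment offset */

int frames_freed;  /* bookkeeping so a test can see when ownership ended */

static struct frame *frame_alloc(uint16_t len, uint16_t flags_off) {
    struct frame *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->len = len;
    f->flags_off = flags_off;
    return f;
}
static void frame_discard(struct frame *f) { free(f); frames_freed++; }

enum frag_result { FRAG_NOT_FRAGMENT, FRAG_QUEUED, FRAG_CONSUMED };

/* Hypothetical reassembly step. A non-fragment passes through untouched; a
 * fragment is taken over by the reassembly queue, and on the last fragment the
 * helper discards this frame (the reassembled datagram, not modelled here,
 * would replace it). In both fragment cases the caller no longer owns f. */
enum frag_result fragmented_check(struct frame *f) {
    if ((f->flags_off & (IPV4_MF | IPV4_OFFMASK)) == 0)
        return FRAG_NOT_FRAGMENT;
    if (f->flags_off & IPV4_MF)
        return FRAG_QUEUED;   /* not the last fragment: the queue keeps it */
    frame_discard(f);         /* last fragment: this frame is gone */
    return FRAG_CONSUMED;
}

/* Buggy shape, matching the trace: the status is ignored and f is read again. */
int process_in_buggy(struct frame *f) {
    (void)fragmented_check(f);
    return f->len;            /* heap-use-after-free when f was consumed */
}

/* Hardened shape: once ownership has left this function, stop touching f.
 * Returns the delivered length, or -1 when the frame was queued or discarded. */
int process_in_fixed(struct frame *f) {
    if (fragmented_check(f) != FRAG_NOT_FRAGMENT)
        return -1;
    int len = f->len;
    frame_discard(f);         /* normal delivery path releases the frame here */
    return len;
}
```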