Bug #2151: FaceManager/TestFireInterestFilter heap buffer overflow
Status: Closed
% Done: 100%
Description
On a 64-bit Ubuntu 14.10 virtual machine, while running NFD unit tests.
==22476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000105ec8 at pc 0x9df843 bp 0x7fff1d354ae0 sp 0x7fff1d354ad0
READ of size 8 at 0x612000105ec8 thread T0
#0 0x9df842 in std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const /usr/include/c++/4.9/bits/shared_ptr_base.h:1056
#1 0x9df842 in ndn::Block::hasValue() const ../src/encoding/block.hpp:329
#2 0x9df842 in ndn::Block::value_size() const ../src/encoding/block.hpp:473
#3 0x9df842 in ndn::name::Component::compare(ndn::name::Component const&) const ../src/name-component.cpp:314
#4 0x7dfc8c in ndn::name::Component::operator<(ndn::name::Component const&) const /usr/local/include/ndn-cxx/name-component.hpp:550
#5 0x7dfc8c in std::less<ndn::name::Component>::operator()(ndn::name::Component const&, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_function.h:371
#6 0x7dfc8c in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::_M_lower_bound(std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1277
#7 0x7dfd13 in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1926
#8 0x7ccf42 in std::map<ndn::name::Component, std::function<void (nfd::FaceManager*, ndn::Interest const&)>, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_map.h:875
#9 0x7ccf42 in nfd::FaceManager::onFaceRequest(ndn::Interest const&) ../daemon/mgmt/face-manager.cpp:868
#10 0x7d7d4b in boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>::operator()(nfd::FaceManager*, ndn::Interest const&) const /usr/include/boost/bind/mem_fn_template.hpp:165
#11 0x7d7d4b in operator()<boost::_mfi::mf1<void, nfd::FaceManager, const ndn::Interest&>, boost::_bi::list2<const ndn::Name&, const ndn::Interest&> > /usr/include/boost/bind/bind.hpp:313
#12 0x7d7d4b in operator()<ndn::Name, ndn::Interest> /usr/include/boost/bind/bind_template.hpp:102
#13 0x7d7d4b in std::_Function_handler<void (ndn::Name const&, ndn::Interest const&), boost::_bi::bind_t<void, boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>, boost::_bi::list2<boost::_bi::value<nfd::FaceManager*>, boost::arg<2> > > >::_M_invoke(std::_Any_data const&, ndn::Name const&, ndn::Interest const&) /usr/include/c++/4.9/functional:2039
#14 0x7ff6d7 in std::function<void (ndn::Name const&, ndn::Interest const&)>::operator()(ndn::Name const&, ndn::Interest const&) const /usr/include/c++/4.9/functional:2439
#15 0x7fe714 in nfd::InternalFace::processInterest(std::shared_ptr<ndn::Interest const> const&) ../daemon/mgmt/internal-face.cpp:97
#16 0x8009c5 in operator()<std::shared_ptr<const ndn::Interest>&, void> /usr/include/c++/4.9/functional:569
#17 0x8009c5 in __call<void, 0ul, 1ul> /usr/include/c++/4.9/functional:1264
#18 0x8009c5 in operator()<, void> /usr/include/c++/4.9/functional:1323
#19 0x8009c5 in asio_handler_invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#20 0x8009c5 in invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)>, std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#21 0x8009c5 in boost::asio::detail::completion_handler<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(std::shared_ptr<ndn::Interest const> const&)> (nfd::InternalFace*, std::shared_ptr<ndn::Interest const>)> >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/completion_handler.hpp:68
#22 0x59030f in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#23 0x59030f in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:384
#24 0x59030f in boost::asio::detail::task_io_service::run_one(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:177
#25 0x571055 in boost::asio::io_service::run_one() /usr/include/boost/asio/impl/io_service.ipp:72
#26 0x571055 in nfd::tests::MgmtFaceManager::TestFireInterestFilter::test_method() ../tests/daemon/mgmt/face-manager.cpp:821
#27 0x57ec3e in TestFireInterestFilter_invoker ../tests/daemon/mgmt/face-manager.cpp:812
#28 0x4401f8 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#29 0x4401f8 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#30 0x7f7d38f415a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#31 0x7f7d38f1c865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#32 0x7f7d38f1d0a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#33 0x7f7d38f416a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#34 0x7f7d38f2b2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#35 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#36 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#37 0x7f7d38f26819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#38 0x7f7d38f3f283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#39 0x8db84f in main /usr/include/boost/test/unit_test.hpp:59
#40 0x7f7d370cdec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#41 0x43b4a8 (/home/davide/NFD/build/unit-tests-daemon+0x43b4a8)
0x612000105ec8 is located 0 bytes to the right of 264-byte region [0x612000105dc0,0x612000105ec8)
allocated by thread T0 here:
#0 0x7f7d395e013f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
#1 0x443c69 in __gnu_cxx::new_allocator<ndn::Block>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#2 0x443c69 in std::allocator_traits<std::allocator<ndn::Block> >::allocate(std::allocator<ndn::Block>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
#3 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#4 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#5 0x443c69 in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#6 0x443c69 in vector /usr/include/c++/4.9/bits/stl_vector.h:320
#7 0x443c69 in ndn::Block::Block(ndn::Block const&) ../src/security/../encoding/block.hpp:46
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/4.9/bits/shared_ptr_base.h:1056 std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const
Shadow bytes around the buggy address:
0x0c2480018b80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2480018ba0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2480018bb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2480018bd0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0c2480018be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2480018c00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c2480018c10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==22476==ABORTING
ndn-cxx is at 4e9b069bb844545d7e352b98821c5a11520f1b58. NFD is at 56a21bf34a7dacbc65afd347e0049efe628764b1. I'm not sure if the bug is in ndn-cxx or in NFD.
Updated by Alex Afanasyev about 10 years ago
Can you show commands to reproduce this output? Are you running in valgrind or something?
Updated by Davide Pesavento about 10 years ago
Ah sorry, I thought you were familiar with AddressSanitizer (https://code.google.com/p/address-sanitizer/). It's in gcc upstream since 4.8. It's the same idea as valgrind, just with a different approach (compile-time vs. dynamic binary instrumentation) and implementation, plus ASan is much faster.
Basically you just build your code with -fsanitize=address, both in CXXFLAGS and LINKFLAGS, and run it normally. Building with debug symbols is also recommended, for obvious reasons.
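The following is an added illustration, not NFD or ndn-cxx code, of the failure shape in the report above: frames #3 to #9 show std::map<Component, ...>::find inside FaceManager::onFaceRequest comparing a Component that sits 0 bytes past the end of a vector<Block> allocation, which is consistent with the verb component being taken from a name index that the request does not have (the page itself does not state the root cause). The model below keeps a verb-dispatch map keyed by a name component, with an unchecked lookup beside a bounds-checked one. Names are modelled as std::vector<std::string>, and kCommandPrefix, dispatchUnchecked, dispatchChecked, makeVerbs and the sample requests are all assumptions made for the example. Building it with `-fsanitize=address -g`, as the comment above recommends, and calling dispatchUnchecked on the three-component sample produces an ASan heap-buffer-overflow report of the same kind.

```cpp
// Added example, not NFD or ndn-cxx code: a minimal model of a verb-dispatch
// map keyed by a name component. Names are std::vector<std::string> here
// (a stand-in for ndn::Name's vector of components); every identifier below
// is an assumption made for illustration.
#include <algorithm>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

using Name = std::vector<std::string>;
using VerbHandler = std::function<void(const Name&)>;
using VerbTable = std::map<std::string, VerbHandler>;

enum class Dispatch { Handled, UnknownVerb, MissingVerb, WrongPrefix };

// Command prefix the manager registers, e.g. /localhost/nfd/faces (assumed).
static const Name kCommandPrefix = {"localhost", "nfd", "faces"};

// UNCHECKED: takes the verb at index kCommandPrefix.size() without first
// confirming that the name has that many components. For a request with
// exactly kCommandPrefix.size() components, request[3] is one element past
// the end of the vector's heap block, and the map's comparator then reads
// that out-of-range object: the same shape as the ASan report above, which
// points 0 bytes past a vector<Block> allocation. Not called by the tests;
// build with -fsanitize=address -g and call it on a three-component name to
// see ASan flag the read.
Dispatch dispatchUnchecked(const VerbTable& verbs, const Name& request)
{
  auto it = verbs.find(request[kCommandPrefix.size()]);
  if (it == verbs.end())
    return Dispatch::UnknownVerb;
  it->second(request);
  return Dispatch::Handled;
}

// CHECKED: reject names that cannot carry a verb before indexing.
Dispatch dispatchChecked(const VerbTable& verbs, const Name& request)
{
  // Too short: the prefix alone, or less. Indexing here is what overflowed.
  if (request.size() <= kCommandPrefix.size())
    return Dispatch::MissingVerb;
  // Must actually start with the prefix this manager owns.
  if (!std::equal(kCommandPrefix.begin(), kCommandPrefix.end(), request.begin()))
    return Dispatch::WrongPrefix;
  auto it = verbs.find(request[kCommandPrefix.size()]);
  if (it == verbs.end())
    return Dispatch::UnknownVerb;
  it->second(request);
  return Dispatch::Handled;
}

// A two-verb table; handlers are trivial because the point is the lookup.
VerbTable makeVerbs()
{
  return {
    {"create", [](const Name&) {}},
    {"destroy", [](const Name&) {}},
  };
}

int main()
{
  const VerbTable verbs = makeVerbs();
  // Constructed sample requests: one well-formed and three malformed.
  const Name ok = {"localhost", "nfd", "faces", "create", "tcp4://192.0.2.1:6363"};
  const Name prefixOnly = {"localhost", "nfd", "faces"};
  const Name badVerb = {"localhost", "nfd", "faces", "bogus"};
  const Name otherPrefix = {"localhost", "nfd", "fib", "add-nexthop"};
  const Name* samples[] = {&ok, &prefixOnly, &badVerb, &otherPrefix};
  for (const Name* n : samples)
    std::cout << static_cast<int>(dispatchChecked(verbs, *n)) << '\n';
  return 0;
}
```

The length check is the one a handler needs regardless of how the name arrives; prefix validation is a separate concern and is kept separate so a prefix mismatch is reported distinctly from a missing verb.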
Updated by Junxiao Shi almost 10 years ago
- Subject changed from Heap buffer overflow in ndn::Block::hasValue during FaceManager unit tests to FaceManager/TestFireInterestFilter test case: heap buffer overflow
- Category set to Management
- Assignee set to Anonymous
- Target version set to v0.3
I can reproduce this Bug on Ubuntu 14.04 with valgrind.
The quoted error in the original report is in the TestFireInterestFilter test case.
There is also a similar error in the MalformedCommand test case.
I'm assigning this Bug to the author of these test cases.
Updated by Anonymous almost 10 years ago
- Status changed from In Progress to Code review
- % Done changed from 0 to 70
Updated by Junxiao Shi almost 10 years ago
- Status changed from Code review to Closed
- % Done changed from 70 to 100
Updated by Davide Pesavento over 9 years ago
- Blocks Task #2589: CI: enable AddressSanitizer for unit tests added
Updated by Davide Pesavento about 9 years ago
- Subject changed from FaceManager/TestFireInterestFilter test case: heap buffer overflow to FaceManager/TestFireInterestFilter heap buffer overflow