Actions
Bug #2151
closed
FaceManager/TestFireInterestFilter heap buffer overflow
Start date:
Due date:
% Done:
100%
Estimated time:
Description
On a 64-bit Ubuntu 14.10 virtual machine, while running NFD unit tests.
==22476==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000105ec8 at pc 0x9df843 bp 0x7fff1d354ae0 sp 0x7fff1d354ad0
READ of size 8 at 0x612000105ec8 thread T0
#0 0x9df842 in std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const /usr/include/c++/4.9/bits/shared_ptr_base.h:1056
#1 0x9df842 in ndn::Block::hasValue() const ../src/encoding/block.hpp:329
#2 0x9df842 in ndn::Block::value_size() const ../src/encoding/block.hpp:473
#3 0x9df842 in ndn::name::Component::compare(ndn::name::Component const&) const ../src/name-component.cpp:314
#4 0x7dfc8c in ndn::name::Component::operator<(ndn::name::Component const&) const /usr/local/include/ndn-cxx/name-component.hpp:550
#5 0x7dfc8c in std::less<ndn::name::Component>::operator()(ndn::name::Component const&, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_function.h:371
#6 0x7dfc8c in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::_M_lower_bound(std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, std::_Rb_tree_node<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > const*, ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1277
#7 0x7dfd13 in std::_Rb_tree<ndn::name::Component, std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> >, std::_Select1st<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > >, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_tree.h:1926
#8 0x7ccf42 in std::map<ndn::name::Component, std::function<void (nfd::FaceManager*, ndn::Interest const&)>, std::less<ndn::name::Component>, std::allocator<std::pair<ndn::name::Component const, std::function<void (nfd::FaceManager*, ndn::Interest const&)> > > >::find(ndn::name::Component const&) const /usr/include/c++/4.9/bits/stl_map.h:875
#9 0x7ccf42 in nfd::FaceManager::onFaceRequest(ndn::Interest const&) ../daemon/mgmt/face-manager.cpp:868
#10 0x7d7d4b in boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>::operator()(nfd::FaceManager*, ndn::Interest const&) const /usr/include/boost/bind/mem_fn_template.hpp:165
#11 0x7d7d4b in operator()<boost::_mfi::mf1<void, nfd::FaceManager, const ndn::Interest&>, boost::_bi::list2<const ndn::Name&, const ndn::Interest&> > /usr/include/boost/bind/bind.hpp:313
#12 0x7d7d4b in operator()<ndn::Name, ndn::Interest> /usr/include/boost/bind/bind_template.hpp:102
#13 0x7d7d4b in std::_Function_handler<void (ndn::Name const&, ndn::Interest const&), boost::_bi::bind_t<void, boost::_mfi::mf1<void, nfd::FaceManager, ndn::Interest const&>, boost::_bi::list2<boost::_bi::value<nfd::FaceManager*>, boost::arg<2> > > >::_M_invoke(std::_Any_data const&, ndn::Name const&, ndn::Interest const&) /usr/include/c++/4.9/functional:2039
#14 0x7ff6d7 in std::function<void (ndn::Name const&, ndn::Interest const&)>::operator()(ndn::Name const&, ndn::Interest const&) const /usr/include/c++/4.9/functional:2439
#15 0x7fe714 in nfd::InternalFace::processInterest(std::shared_ptr<ndn::Interest const> const&) ../daemon/mgmt/internal-face.cpp:97
#16 0x8009c5 in operator()<std::shared_ptr<const ndn::Interest>&, void> /usr/include/c++/4.9/functional:569
#17 0x8009c5 in __call<void, 0ul, 1ul> /usr/include/c++/4.9/functional:1264
#18 0x8009c5 in operator()<, void> /usr/include/c++/4.9/functional:1323
#19 0x8009c5 in asio_handler_invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/handler_invoke_hook.hpp:69
#20 0x8009c5 in invoke<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)>, std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(const std::shared_ptr<const ndn::Interest>&)>(nfd::InternalFace*, std::shared_ptr<const ndn::Interest>)> > /usr/include/boost/asio/detail/handler_invoke_helpers.hpp:37
#21 0x8009c5 in boost::asio::detail::completion_handler<std::_Bind<std::_Mem_fn<void (nfd::InternalFace::*)(std::shared_ptr<ndn::Interest const> const&)> (nfd::InternalFace*, std::shared_ptr<ndn::Interest const>)> >::do_complete(boost::asio::detail::task_io_service*, boost::asio::detail::task_io_service_operation*, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/completion_handler.hpp:68
#22 0x59030f in boost::asio::detail::task_io_service_operation::complete(boost::asio::detail::task_io_service&, boost::system::error_code const&, unsigned long) /usr/include/boost/asio/detail/task_io_service_operation.hpp:38
#23 0x59030f in boost::asio::detail::task_io_service::do_run_one(boost::asio::detail::scoped_lock<boost::asio::detail::posix_mutex>&, boost::asio::detail::task_io_service_thread_info&, boost::system::error_code const&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:384
#24 0x59030f in boost::asio::detail::task_io_service::run_one(boost::system::error_code&) /usr/include/boost/asio/detail/impl/task_io_service.ipp:177
#25 0x571055 in boost::asio::io_service::run_one() /usr/include/boost/asio/impl/io_service.ipp:72
#26 0x571055 in nfd::tests::MgmtFaceManager::TestFireInterestFilter::test_method() ../tests/daemon/mgmt/face-manager.cpp:821
#27 0x57ec3e in TestFireInterestFilter_invoker ../tests/daemon/mgmt/face-manager.cpp:812
#28 0x4401f8 in invoke<void (*)()> /usr/include/boost/test/utils/callback.hpp:56
#29 0x4401f8 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, void (*)()>::invoke() /usr/include/boost/test/utils/callback.hpp:89
#30 0x7f7d38f415a0 (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x685a0)
#31 0x7f7d38f1c865 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x43865)
#32 0x7f7d38f1d0a2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x440a2)
#33 0x7f7d38f416a1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x686a1)
#34 0x7f7d38f2b2f3 in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x522f3)
#35 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#36 0x7f7d38f5a2d2 in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x812d2)
#37 0x7f7d38f26819 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x4d819)
#38 0x7f7d38f3f283 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.55.0+0x66283)
#39 0x8db84f in main /usr/include/boost/test/unit_test.hpp:59
#40 0x7f7d370cdec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#41 0x43b4a8 (/home/davide/NFD/build/unit-tests-daemon+0x43b4a8)
0x612000105ec8 is located 0 bytes to the right of 264-byte region [0x612000105dc0,0x612000105ec8)
allocated by thread T0 here:
#0 0x7f7d395e013f in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5813f)
#1 0x443c69 in __gnu_cxx::new_allocator<ndn::Block>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#2 0x443c69 in std::allocator_traits<std::allocator<ndn::Block> >::allocate(std::allocator<ndn::Block>&, unsigned long) /usr/include/c++/4.9/bits/alloc_traits.h:357
#3 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#4 0x443c69 in std::_Vector_base<ndn::Block, std::allocator<ndn::Block> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#5 0x443c69 in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#6 0x443c69 in vector /usr/include/c++/4.9/bits/stl_vector.h:320
#7 0x443c69 in ndn::Block::Block(ndn::Block const&) ../src/security/../encoding/block.hpp:46
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/include/c++/4.9/bits/shared_ptr_base.h:1056 std::__shared_ptr<ndn::Buffer const, (__gnu_cxx::_Lock_policy)2>::operator bool() const
Shadow bytes around the buggy address:
0x0c2480018b80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2480018ba0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c2480018bb0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2480018bd0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x0c2480018be0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2480018bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2480018c00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c2480018c10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2480018c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==22476==ABORTING
ndn-cxx is at 4e9b069bb844545d7e352b98821c5a11520f1b58. NFD is at 56a21bf34a7dacbc65afd347e0049efe628764b1. I'm not sure if the bug is in ndn-cxx or in NFD.
Updated by Alex Afanasyev over 9 years ago
Can you show commands to reproduce this output? Are you running in valgrind or something?
Updated by Davide Pesavento over 9 years ago
Ah sorry, I thought you were familiar with AddressSanitizer (https://code.google.com/p/address-sanitizer/). It's in gcc upstream since 4.8. It's the same idea as valgrind, just with a different approach (compile-time vs. dynamic binary instrumentation) and implementation, plus ASan is much faster.
Basically you just build your code with -fsanitize=address, both in CXXFLAGS and LINKFLAGS, and run it normally. Building with debug symbols is also recommended, for obvious reasons.
Updated by Junxiao Shi over 9 years ago
- Subject changed from Heap buffer overflow in ndn::Block::hasValue during FaceManager unit tests to FaceManager/TestFireInterestFilter test case: heap buffer overflow
- Category set to Management
- Assignee set to Anonymous
- Target version set to v0.3
I can reproduce this Bug on Ubuntu 14.04 with valgrind.
The quoted error in original report is in TestFireInterestFilter test case.
There is also a similar error in MalformedCommmand test case.
I'm assigning this Bug to the author of these test cases.
Updated by Anonymous over 9 years ago
- Status changed from In Progress to Code review
- % Done changed from 0 to 70
Updated by Junxiao Shi over 9 years ago
- Status changed from Code review to Closed
- % Done changed from 70 to 100
Updated by Davide Pesavento about 9 years ago
- Blocks Task #2589: CI: enable AddressSanitizer for unit tests added
Updated by Davide Pesavento over 8 years ago
- Subject changed from FaceManager/TestFireInterestFilter test case: heap buffer overflow to FaceManager/TestFireInterestFilter heap buffer overflow
Actions