Bug #3787

closed

Rib::erase use-after-free

Added by Davide Pesavento over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: RIB
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:

Description

Triggered by Rib/TestRibManager/CommandAuthorization test case.

From http://jenkins.named-data.net/job/NFD/4374/OS=Ubuntu-16.04-64bit/consoleText

Entering test case "CommandAuthorization<N3nfd3rib5tests3Rib14TestRibManager29UnauthorizedRibManagerFixtureE>"
../tests/manager-common-fixture.cpp(38): info: check this->addIdentity(m_identityName) passed
1415684132.000000 INFO: [RibManager] Start monitoring face create/destroy events
../tests/rib/rib-manager.t.cpp(106): info: check params.getName() == "/localhost/nfd/rib" || params.getName() == "/localhop/nfd/rib" passed
=================================================================
==14509==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000cda30 at pc 0x00000052f08b bp 0x7ffeb1e1ee10 sp 0x7ffeb1e1ee00
READ of size 8 at 0x6070000cda30 thread T0
    #0 0x52f08a in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:174
    #1 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #2 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #3 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #4 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #5 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #6 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #7 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #8 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #9 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #10 0x7f5e4a144995 in boost::execution_monitor::catch_signals(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4a995)
    #11 0x7f5e4a1451b2 in boost::execution_monitor::execute(boost::unit_test::callback0<int> const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4b1b2)
    #12 0x7f5e4a164de1 in boost::unit_test::unit_test_monitor_t::execute_and_translate(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6ade1)
    #13 0x7f5e4a14c09d in boost::unit_test::framework_impl::visit(boost::unit_test::test_case const&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x5209d)
    #14 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #15 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #16 0x7f5e4a1824ca in boost::unit_test::traverse_test_tree(boost::unit_test::test_suite const&, boost::unit_test::test_tree_visitor&) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x884ca)
    #17 0x7f5e4a1479f5 in boost::unit_test::framework::run(unsigned long, bool) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x4d9f5)
    #18 0x7f5e4a163286 in boost::unit_test::unit_test_main(bool (*)(), int, char**) (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x69286)
    #19 0x5beecd in main ../tests/main.cpp:112
    #20 0x7f5e494b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x422358 in _start (build/unit-tests-rib+0x422358)

0x6070000cda30 is located 16 bytes inside of 72-byte region [0x6070000cda20,0x6070000cda68)
freed by thread T0 here:
    #0 0x7f5e4b7f9b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
    #1 0x4fc528 in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::erase(std::_List_const_iterator<nfd::rib::Route>) (build/unit-tests-rib+0x4fc528)
    #2 0x4f9f08 in nfd::rib::RibEntry::eraseRoute(std::_List_iterator<nfd::rib::Route>) ../rib/rib-entry.cpp:125
    #3 0x52f03c in nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:170
    #4 0x4a20dc in nfd::rib::tests::RibManagerFixture::clearRib() ../tests/rib/rib-manager.t.cpp:138
    #5 0x4a20dc in nfd::rib::tests::RibManagerFixture::RibManagerFixture(nfd::rib::tests::ConfigurationStatus const&, bool) ../tests/rib/rib-manager.t.cpp:93
    #6 0x4a735e in nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture::UnauthorizedRibManagerFixture() ../tests/rib/rib-manager.t.cpp:299
    #7 0x4a735e in nfd::rib::tests::Rib::TestRibManager::CommandAuthorization<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::CommandAuthorization() ../tests/rib/rib-manager.t.cpp:338
    #8 0x4a735e in void nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker::run<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>(boost::type<nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>*) ../tests/rib/rib-manager.t.cpp:338
    #9 0x4a78e7 in boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>::operator()() /usr/include/boost/test/unit_test_suite_impl.hpp:357
    #10 0x4a78e7 in boost::unit_test::ut_detail::unused boost::unit_test::ut_detail::invoker<boost::unit_test::ut_detail::unused>::invoke<boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >(boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture>&) /usr/include/boost/test/utils/callback.hpp:56
    #11 0x4a78e7 in boost::unit_test::ut_detail::callback0_impl_t<boost::unit_test::ut_detail::unused, boost::unit_test::ut_detail::test_case_template_invoker<nfd::rib::tests::Rib::TestRibManager::CommandAuthorization_invoker, nfd::rib::tests::Rib::TestRibManager::UnauthorizedRibManagerFixture> >::invoke() /usr/include/boost/test/utils/callback.hpp:89
    #12 0x7f5e4a164cb0  (/usr/lib/x86_64-linux-gnu/libboost_unit_test_framework.so.1.58.0+0x6acb0)
    #13 0x6030001d8adf  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7f5e4b7f9532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4fae0b in __gnu_cxx::new_allocator<std::_List_node<nfd::rib::Route> >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x4fae0b in std::__cxx11::_List_base<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_get_node() /usr/include/c++/5/bits/stl_list.h:392
    #3 0x4fae0b in std::_List_node<nfd::rib::Route>* std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_create_node<nfd::rib::Route const&>(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:571
    #4 0x4fae0b in void std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::_M_insert<nfd::rib::Route const&>(std::_List_iterator<nfd::rib::Route>, nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1763
    #5 0x4fae0b in std::__cxx11::list<nfd::rib::Route, std::allocator<nfd::rib::Route> >::push_back(nfd::rib::Route const&) /usr/include/c++/5/bits/stl_list.h:1089
    #6 0x4fae0b in nfd::rib::RibEntry::insertRoute(nfd::rib::Route const&) ../rib/rib-entry.cpp:59
    #7 0x53278a in nfd::rib::Rib::insert(ndn::Name const&, nfd::rib::Route const&) ../rib/rib.cpp:127
    #8 0x502ceb in nfd::rib::RibManager::onCommandPrefixAddNextHopSuccess(ndn::Name const&, ndn::nfd::ControlParameters const&) ../rib/rib-manager.cpp:441
    #9 0x516893 in void std::_Mem_fn_base<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&), true>::operator()<ndn::Name const&, ndn::nfd::ControlParameters const&, void>(nfd::rib::RibManager*, ndn::Name const&, ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:600
    #10 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::__call<void, ndn::nfd::ControlParameters const&, 0ul, 1ul, 2ul>(std::tuple<ndn::nfd::ControlParameters const&>&&, std::_Index_tuple<0ul, 1ul, 2ul>) /usr/include/c++/5/functional:1074
    #11 0x516893 in void std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)>::operator()<ndn::nfd::ControlParameters const&, void>(ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1133
    #12 0x516893 in std::_Function_handler<void (ndn::nfd::ControlParameters const&), std::_Bind<std::_Mem_fn<void (nfd::rib::RibManager::*)(ndn::Name const&, ndn::nfd::ControlParameters const&)> (nfd::rib::RibManager*, std::reference_wrapper<ndn::Name const>, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, ndn::nfd::ControlParameters const&) /usr/include/c++/5/functional:1871
    #13 0x7f5e4b3415c8 in std::function<void (ndn::nfd::ControlParameters const&)>::operator()(ndn::nfd::ControlParameters const&) const /usr/include/c++/5/functional:2267
    #14 0x7f5e4b3415c8 in ndn::nfd::Controller::processValidatedCommandResponse(ndn::Data const&, std::shared_ptr<ndn::nfd::ControlCommand> const&, std::function<void (ndn::nfd::ControlParameters const&)> const&, std::function<void (ndn::mgmt::ControlResponse const&)> const&) ../src/mgmt/nfd/controller.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free ../rib/rib.cpp:174 nfd::rib::Rib::erase(ndn::Name const&, nfd::rib::Route const&)
Shadow bytes around the buggy address:
  0x0c0e80011af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80011b30: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 01 fa
=>0x0c0e80011b40: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fa fa fa
  0x0c0e80011b50: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e80011b60: fd fd fd fd fd fd fd fd fd fd fa fa fa fa 00 00
  0x0c0e80011b70: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0e80011b80: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x0c0e80011b90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==14509==ABORTING
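
The ordering the report shows (the node is freed by `std::list::erase` at rib.cpp:170, then read at rib.cpp:174), modelled beside a safe ordering. This is an added example, not part of the original issue and not NFD source code; `Route`, `Entry`, `eraseThenRead` and `readThenErase` are hypothetical stand-ins.

```cpp
// Simplified model of the erase-then-read pattern; not NFD code.
#include <algorithm>
#include <cstdint>
#include <list>

struct Route { std::uint64_t faceId; std::uint64_t origin; };  // hypothetical stand-in for nfd::rib::Route

class Entry {  // hypothetical stand-in for nfd::rib::RibEntry
public:
  using iterator = std::list<Route>::iterator;
  void insertRoute(const Route& r) { m_routes.push_back(r); }
  iterator findRoute(const Route& r) {
    return std::find_if(m_routes.begin(), m_routes.end(),
      [&](const Route& x) { return x.faceId == r.faceId && x.origin == r.origin; });
  }
  iterator end() { return m_routes.end(); }
  // std::list::erase deletes the node: 'it' and every reference into it are dead afterwards.
  iterator eraseRoute(iterator it) { return m_routes.erase(it); }
  std::size_t size() const { return m_routes.size(); }
private:
  std::list<Route> m_routes;
};

// Unsafe ordering, kept only for comparison: reads through the iterator after the erase.
std::uint64_t eraseThenRead(Entry& e, const Route& r) {
  auto it = e.findRoute(r);
  if (it == e.end()) return 0;
  e.eraseRoute(it);
  return it->faceId;  // heap-use-after-free under AddressSanitizer
}

// Safe ordering: copy what is still needed out of the node, then erase it.
std::uint64_t readThenErase(Entry& e, const Route& r) {
  auto it = e.findRoute(r);
  if (it == e.end()) return 0;
  const std::uint64_t faceId = it->faceId;  // copied while the node is alive
  e.eraseRoute(it);
  return faceId;
}

int main() {
  Entry e;
  e.insertRoute({1, 0});
  e.insertRoute({2, 0});
  // Only the safe variant is exercised; the unsafe one is undefined behaviour.
  return (readThenErase(e, {1, 0}) == 1 && e.size() == 1) ? 0 : 1;
}
```

Building the unsafe variant with `-fsanitize=address` and calling it produces the same three-part report as above: the faulting read, the `operator delete` stack, and the `operator new` stack.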

Related issues: 1 (0 open, 1 closed)

Blocks NFD - Task #2589: CI: enable AddressSanitizer for unit tests (Closed, Davide Pesavento)
