Bug #4495 (open)
Strange buffer overflow / random crash of chronosync::Socket related to ndn::InMemoryStorage
Status:
New
Priority:
Normal
Assignee:
-
Start date:
02/08/2018
Due date:
% Done:
0%
Estimated time:
Description
The following snippet is supposed to work without problems:
test.cpp:
#include <iostream>
#include <sstream>
#include <unordered_map>
#include <memory>
#include <ndn-cxx/face.hpp>
#include <ndn-cxx/name.hpp>
#include <ndn-cxx/security/key-chain.hpp>
#include <ChronoSync/socket.hpp>
#include <boost/asio.hpp>

int
main()
{
  using namespace ndn;

  KeyChain keychain;
  boost::asio::io_service io;
  // Face driven by our own io_service; a nullptr transport lets ndn-cxx pick its default transport.
  Face face(nullptr, io, keychain);

  // Sync socket under /test/sync2 for user /test/user2; the update callback only logs.
  // Signing identity /hello, no validator (nullptr), 60 s for the trailing duration parameter.
  auto socket3 = std::make_shared<chronosync::Socket>("/test/sync2", "/test/user2",
                                                      face,
                                                      [] (const std::vector<chronosync::MissingDataInfo>& info) {
                                                        std::cerr << "Update" << std::endl;
                                                      },
                                                      Name("/hello"),
                                                      nullptr,
                                                      ndn::time::seconds(60));

  // The crash below happens inside the Socket constructor above, before processEvents() is reached.
  face.processEvents();
}
g++ -std=c++11 `pkg-config --cflags libndn-cxx` `pkg-config --cflags ChronoSync` test.cpp `pkg-config --libs libndn-cxx` `pkg-config --libs ChronoSync` -fsanitize=address
However, when ndn-cxx is compiled with --with-sanitizer=address, it results in a stable crash:
./a.out
==13619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001fe0 at pc 0x00011143d118 bp 0x7ffee0077310 sp 0x7ffee0076ac0
WRITE of size 64 at 0x620000001fe0 thread T0
    #0 0x11143d117 in __asan_memset (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x51117)
    #1 0x10fcfa7f1 in ndn::InMemoryStorage::InMemoryStorage(unsigned long) deque:1094
    #2 0x10fcfa104 in ndn::InMemoryStoragePersistent::InMemoryStoragePersistent() in-memory-storage-persistent.cpp:27
    #3 0x11129a72c in chronosync::Socket::Socket(ndn::Name const&, ndn::Name const&, ndn::Face&, std::__1::function<void (std::__1::vector<chronosync::MissingDataInfo, std::__1::allocator<chronosync::MissingDataInfo> > const&)> const&, ndn::Name const&, std::__1::shared_ptr<ndn::security::v2::Validator>, boost::chrono::duration<long long, boost::ratio<1l, 1000l> > const&) socket.cpp:36
    #4 0x10fb9a9f7 in std::__1::shared_ptr<chronosync::Socket> std::__1::shared_ptr<chronosync::Socket>::make_shared<char const (&) [12], char const (&) [12], ndn::Face&, main::$_0, ndn::Name, std::nullptr_t, boost::chrono::duration<long long, boost::ratio<1l, 1l> > >(char const (&&&) [12], char const (&&&) [12], ndn::Face&&&, main::$_0&&, ndn::Name&&, std::nullptr_t&&, boost::chrono::duration<long long, boost::ratio<1l, 1l> >&&) (ndn-proxy:x86_64+0x1000159f7)
    #5 0x10fb8c57a in main (ndn-proxy:x86_64+0x10000757a)
    #6 0x7fff59c6f114 in start (libdyld.dylib:x86_64+0x1114)

0x620000001fe0 is located 0 bytes to the right of 3936-byte region [0x620000001080,0x620000001fe0)
allocated by thread T0 here:
    #0 0x1114500ab in wrap__Znwm (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x640ab)
    #1 0x10fb98d1f in std::__1::shared_ptr<chronosync::Socket> std::__1::shared_ptr<chronosync::Socket>::make_shared<char const (&) [12], char const (&) [12], ndn::Face&, main::$_0, ndn::Name, std::nullptr_t, boost::chrono::duration<long long, boost::ratio<1l, 1l> > >(char const (&&&) [12], char const (&&&) [12], ndn::Face&&&, main::$_0&&, ndn::Name&&, std::nullptr_t&&, boost::chrono::duration<long long, boost::ratio<1l, 1l> >&&) (ndn-proxy:x86_64+0x100013d1f)
    #2 0x10fb8c57a in main (ndn-proxy:x86_64+0x10000757a)
    #3 0x7fff59c6f114 in start (libdyld.dylib:x86_64+0x1114)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x51117) in __asan_memset
Shadow bytes around the buggy address:
0x1c40000003a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c40000003b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c40000003c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c40000003d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c40000003e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c40000003f0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x1c4000000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c4000000410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c4000000420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c4000000430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c4000000440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13619==ABORTING
Abort trap: 6
Changing std::deque to std::list/vector resolves the problem, but I'm really puzzled about what is going on.
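Added example (editor's, not part of the bug report and not code from ndn-cxx or ChronoSync): a small C++ parser for the three header lines of the ASan report above, embedded as constructed input, that derives the one number worth checking next. The write begins 0 bytes past the end of the 3936-byte region that make_shared allocated in main (that region is the combined control block plus Socket object, and the overflowed InMemoryStoragePersistent is constructed inside it), so the code running in InMemoryStorage's constructor treats the object as at least 4000 bytes long. A write that starts exactly at the end of an allocation sized by a different translation unit is the signature of two builds disagreeing about the size of the same class, not of an index running off a buffer. The report alone does not say which build differs; one known mechanism, stated here as a hypothesis, is different preprocessor configuration of the standard-library headers (debug modes) across ndn-cxx, ChronoSync and test.cpp changing the layout of std::deque, which would also explain why swapping the container type hides the problem. The practical check is to rebuild all three with identical flags, or to compare sizeof(ndn::InMemoryStoragePersistent) printed from a translation unit compiled with each project's flags.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed input: the three header lines of the AddressSanitizer report quoted in
// the bug above. Stack frames and shadow bytes are not needed for this analysis.
static const std::vector<std::string> kReportLines = {
  "==13619==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000001fe0 "
  "at pc 0x00011143d118 bp 0x7ffee0077310 sp 0x7ffee0076ac0",
  "WRITE of size 64 at 0x620000001fe0 thread T0",
  "0x620000001fe0 is located 0 bytes to the right of 3936-byte region "
  "[0x620000001080,0x620000001fe0)",
};

struct AsanAccess {
  bool valid = false;
  std::string kind;            // e.g. "heap-buffer-overflow"
  bool isWrite = false;
  std::uint64_t accessSize = 0;
  std::uint64_t address = 0;   // faulting address
  std::uint64_t regionLo = 0;  // [regionLo, regionHi) is the allocation ASan found nearby
  std::uint64_t regionHi = 0;
  std::uint64_t regionSize = 0;
};

// Pull the numbers out of the report header with fixed-format scans; a line that
// matches none of the three patterns is skipped.
AsanAccess parseAsanReport(const std::vector<std::string>& lines) {
  AsanAccess a;
  char kind[64] = {0}, rw[16] = {0};
  unsigned long long addr = 0, size = 0, lo = 0, hi = 0, rsize = 0;
  bool gotKind = false, gotAccess = false, gotRegion = false;
  for (const std::string& line : lines) {
    if (std::sscanf(line.c_str(),
                    "==%*d==ERROR: AddressSanitizer: %63s on address %llx", kind, &addr) == 2) {
      a.kind = kind;
      gotKind = true;
    }
    else if (std::sscanf(line.c_str(), "%15s of size %llu at %llx", rw, &size, &addr) == 3) {
      a.isWrite = (std::string(rw) == "WRITE");
      a.accessSize = size;
      a.address = addr;
      gotAccess = true;
    }
    else if (std::sscanf(line.c_str(),
                         "%llx is located %*llu bytes to the %*s of %llu-byte region [%llx,%llx)",
                         &addr, &rsize, &lo, &hi) == 4) {
      a.regionSize = rsize;
      a.regionLo = lo;
      a.regionHi = hi;
      gotRegion = true;
    }
  }
  a.valid = gotKind && gotAccess && gotRegion && (a.regionHi - a.regionLo == a.regionSize);
  return a;
}

// Size the writer believes the object has, measured from the start of the allocation:
// the access ends at address + accessSize.
std::uint64_t writerAssumedSize(const AsanAccess& a) {
  return a.address + a.accessSize - a.regionLo;
}

// The shape to look for: the write starts exactly at the end of the region while the
// region was sized by a different translation unit (here make_shared in main). That
// points at a sizeof disagreement between builds rather than an index overflow.
std::string classify(const AsanAccess& a) {
  if (!a.valid) return "unparsed";
  if (a.address == a.regionHi)
    return "starts exactly at end of allocation: allocator and writer disagree on object size";
  if (a.address > a.regionHi) return "past end with a gap: stray pointer or index";
  if (a.address < a.regionLo) return "before start of allocation: underflow";
  return "inside allocation but runs past its end";
}

int main() {
  AsanAccess a = parseAsanReport(kReportLines);
  std::printf("%s %s of %llu bytes, region %llu bytes, writer assumes >= %llu bytes\n",
              a.kind.c_str(), a.isWrite ? "WRITE" : "READ",
              (unsigned long long)a.accessSize, (unsigned long long)a.regionSize,
              (unsigned long long)writerAssumedSize(a));
  std::printf("classification: %s\n", classify(a).c_str());
  return 0;
}
```

Run on the report above it yields writer-assumed size 4000 against a 3936-byte allocation, i.e. a 64-byte gap that matches the reported memset; the same parser works on any heap-buffer-overflow header ASan prints, including "to the left of" underflows.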