Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSPFd AddressSanitizer: heap-use-after-free #5555

Closed
mwinter-osr opened this issue Dec 18, 2019 · 1 comment · Fixed by #5556
Closed

OSPFd AddressSanitizer: heap-use-after-free #5555

mwinter-osr opened this issue Dec 18, 2019 · 1 comment · Fixed by #5556
Labels
triage Needs further investigation
Milestone
next

Comments

@mwinter-osr
Copy link
Member

Found in FRR master as of 12/16/2019, Git sha 8887295

Issue found while running the Ixia ANVL Compliance Tests for OSPFv2

==26177==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000238d8 at pc 0x7f88f7c4fa93 bp 0x7fff9a641830 sp 0x7fff9a641820
READ of size 8 at 0x6120000238d8 thread T0
    #0 0x7f88f7c4fa92 in if_delete lib/if.c:290
    #1 0x42192e in ospf_vl_if_delete ospfd/ospf_interface.c:912
    #2 0x42192e in ospf_vl_delete ospfd/ospf_interface.c:990
    #3 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
    #4 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
    #5 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
    #6 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
    #7 0x7f88f7cd7523 in vty_command lib/vty.c:516
    #8 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
    #9 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
    #10 0x7f88f7ccb845 in thread_call lib/thread.c:1549
    #11 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
    #12 0x412976 in main ospfd/ospf_main.c:221
    #13 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x413c78 in _start (/usr/local/master/sbin/ospfd+0x413c78)

0x6120000238d8 is located 24 bytes inside of 304-byte region [0x6120000238c0,0x6120000239f0)
freed by thread T0 here:
    #0 0x7f88f80722ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x4204f4 in ospf_if_free ospfd/ospf_interface.c:364
    #2 0x42190c in ospf_vl_if_delete ospfd/ospf_interface.c:911
    #3 0x42190c in ospf_vl_delete ospfd/ospf_interface.c:990
    #4 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
    #5 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
    #6 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
    #7 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
    #8 0x7f88f7cd7523 in vty_command lib/vty.c:516
    #9 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
    #10 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
    #11 0x7f88f7ccb845 in thread_call lib/thread.c:1549
    #12 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
    #13 0x412976 in main ospfd/ospf_main.c:221
    #14 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f88f807279a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x7f88f7c66645 in qcalloc lib/memory.c:110
    #2 0x41c7ee in ospf_if_new ospfd/ospf_interface.c:234
    #3 0x420e76 in ospf_vl_new ospfd/ospf_interface.c:871
    #4 0x491805 in ospf_find_vl_data ospfd/ospf_vty.c:941
    #5 0x491805 in ospf_vl_set ospfd/ospf_vty.c:1041
    #6 0x4a6c7f in ospf_area_vlink ospfd/ospf_vty.c:1173
    #7 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
    #8 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
    #9 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
    #10 0x7f88f7cd7523 in vty_command lib/vty.c:516
    #11 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
    #12 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
    #13 0x7f88f7ccb845 in thread_call lib/thread.c:1549
    #14 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
    #15 0x412976 in main ospfd/ospf_main.c:221
    #16 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free lib/if.c:290 if_delete
Shadow bytes around the buggy address:
  0x0c247fffc6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffc6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffc6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffc6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fffc700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c247fffc710: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c247fffc720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffc730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c247fffc740: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffc750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffc760: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26177==ABORTING
@mwinter-osr mwinter-osr added the triage Needs further investigation label Dec 18, 2019
@mwinter-osr mwinter-osr added this to the next milestone Dec 18, 2019
donaldsharp added a commit to donaldsharp/frr that referenced this issue Dec 18, 2019
@donaldsharp
ospfd: Prevent use after free on shutdown
7a004cc 
Address Sanitizer is reporting this issue:

==26177==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000238d8 at pc 0x7f88f7c4fa93 bp 0x7fff9a641830 sp 0x7fff9a641820
READ of size 8 at 0x6120000238d8 thread T0
    #0 0x7f88f7c4fa92 in if_delete lib/if.c:290
    #1 0x42192e in ospf_vl_if_delete ospfd/ospf_interface.c:912
    #2 0x42192e in ospf_vl_delete ospfd/ospf_interface.c:990
    #3 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
    #4 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
    #5 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
    #6 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
    #7 0x7f88f7cd7523 in vty_command lib/vty.c:516
    #8 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
    #9 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
    #10 0x7f88f7ccb845 in thread_call lib/thread.c:1549
    #11 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
    #12 0x412976 in main ospfd/ospf_main.c:221
    #13 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x413c78 in _start (/usr/local/master/sbin/ospfd+0x413c78)

Effectively we are in a shutdown phase and as part of shutdown we delete the
ospf interface pointer ( ifp->info ).  The interface deletion code
was modified in the past year to pass in the address of operator
to allow us to NULL out the holding pointer.  The catch here
is that we free the oi and then delete the interface passing
in the address of the oi->ifp pointer, causing a use after free.

Fixes: FRRouting#5555
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
@donaldsharp donaldsharp mentioned this issue Dec 18, 2019
Merged
@mwinter-osr
Copy link
Member Author

Confirmed PR 5556 to fix this issue. Thanks

Spantik pushed a commit to Spantik/frr that referenced this issue Jan 20, 2020
@donaldsharp
ospfd: Prevent use after free on shutdown
533f666 
Address Sanitizer is reporting this issue:

==26177==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000238d8 at pc 0x7f88f7c4fa93 bp 0x7fff9a641830 sp 0x7fff9a641820
READ of size 8 at 0x6120000238d8 thread T0
    #0 0x7f88f7c4fa92 in if_delete lib/if.c:290
    FRRouting#1 0x42192e in ospf_vl_if_delete ospfd/ospf_interface.c:912
    FRRouting#2 0x42192e in ospf_vl_delete ospfd/ospf_interface.c:990
    FRRouting#3 0x4a6208 in no_ospf_area_vlink ospfd/ospf_vty.c:1227
    FRRouting#4 0x7f88f7c1553d in cmd_execute_command_real lib/command.c:1073
    FRRouting#5 0x7f88f7c19b1e in cmd_execute_command lib/command.c:1132
    FRRouting#6 0x7f88f7c19e8e in cmd_execute lib/command.c:1288
    FRRouting#7 0x7f88f7cd7523 in vty_command lib/vty.c:516
    FRRouting#8 0x7f88f7cd79ff in vty_execute lib/vty.c:1285
    FRRouting#9 0x7f88f7cde4f9 in vtysh_read lib/vty.c:2119
    FRRouting#10 0x7f88f7ccb845 in thread_call lib/thread.c:1549
    FRRouting#11 0x7f88f7c5d6a7 in frr_run lib/libfrr.c:1093
    FRRouting#12 0x412976 in main ospfd/ospf_main.c:221
    FRRouting#13 0x7f88f73b082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    FRRouting#14 0x413c78 in _start (/usr/local/master/sbin/ospfd+0x413c78)

Effectively we are in a shutdown phase and as part of shutdown we delete the
ospf interface pointer ( ifp->info ).  The interface deletion code
was modified in the past year to pass in the address of operator
to allow us to NULL out the holding pointer.  The catch here
is that we free the oi and then delete the interface passing
in the address of the oi->ifp pointer, causing a use after free.

Fixes: FRRouting#5555
Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage Needs further investigation
Projects
None yet
Milestone
next
Development

Successfully merging a pull request may close this issue.

ospfd: Prevent use after free on shutdown donaldsharp/frr
1 participant
@mwinter-osr