
pimd: fix a possible use after free bug when doing pim trace #16929

Merged
merged 1 commit into from
Sep 26, 2024

Commits on Sep 25, 2024

  1. pimd: fix a possible use after free bug when doing pim trace

    ```
    ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000aecf0 at pc 0x5555557ecdb9 bp 0x7fffffffe350 sp 0x7fffffffe340
    READ of size 4 at 0x6160000aecf0 thread T0
        #0 0x5555557ecdb8 in igmp_source_delete pimd/pim_igmpv3.c:340
        #1 0x5555557ed475 in igmp_source_delete_expired pimd/pim_igmpv3.c:405
        #2 0x5555557de574 in igmp_group_timer pimd/pim_igmp.c:1346
        #3 0x7ffff7275421 in event_call lib/event.c:1996
        #4 0x7ffff7140797 in frr_run lib/libfrr.c:1237
        #5 0x5555557f5840 in main pimd/pim_main.c:166
        #6 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
        #7 0x555555686eed in _start (/usr/lib/frr/pimd+0x132eed)
    
    0x6160000aecf0 is located 112 bytes inside of 600-byte region [0x6160000aec80,0x6160000aeed8)
    freed by thread T0 here:
        #0 0x7ffff767b40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7ffff716ed34 in qfree lib/memory.c:131
        #2 0x5555557169ae in pim_channel_oil_free pimd/pim_oil.c:84
        #3 0x555555717981 in pim_channel_oil_del pimd/pim_oil.c:199
        #4 0x55555573c42c in tib_sg_gm_prune pimd/pim_tib.c:196
        #5 0x5555557d6d04 in igmp_source_forward_stop pimd/pim_igmp.c:229
        #6 0x5555557d5855 in igmp_anysource_forward_stop pimd/pim_igmp.c:61
        #7 0x5555557de539 in igmp_group_timer pimd/pim_igmp.c:1344
        #8 0x7ffff7275421 in event_call lib/event.c:1996
        #9 0x7ffff7140797 in frr_run lib/libfrr.c:1237
        #10 0x5555557f5840 in main pimd/pim_main.c:166
        #11 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
    
    previously allocated by thread T0 here:
        #0 0x7ffff767ba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7ffff716ebe1 in qcalloc lib/memory.c:106
        #2 0x555555716eb7 in pim_channel_oil_add pimd/pim_oil.c:133
        #3 0x55555573b2b9 in tib_sg_oil_setup pimd/pim_tib.c:30
        #4 0x55555573bdd3 in tib_sg_gm_join pimd/pim_tib.c:119
        #5 0x5555557d6788 in igmp_source_forward_start pimd/pim_igmp.c:193
        #6 0x5555557d5771 in igmp_anysource_forward_start pimd/pim_igmp.c:51
        #7 0x5555557ecaa0 in group_exclude_fwd_anysrc_ifempty pimd/pim_igmpv3.c:310
        #8 0x5555557ef937 in toex_incl pimd/pim_igmpv3.c:839
        #9 0x5555557f00a2 in igmpv3_report_toex pimd/pim_igmpv3.c:938
        #10 0x5555557f543d in igmp_v3_recv_report pimd/pim_igmpv3.c:2000
        #11 0x5555557da2b4 in pim_igmp_packet pimd/pim_igmp.c:787
        #12 0x5555556ee46a in process_igmp_packet pimd/pim_mroute.c:763
        #13 0x5555556ee5f3 in pim_mroute_msg pimd/pim_mroute.c:787
        #14 0x5555556eef58 in mroute_read pimd/pim_mroute.c:877
        #15 0x7ffff7275421 in event_call lib/event.c:1996
        #16 0x7ffff7140797 in frr_run lib/libfrr.c:1237
        #17 0x5555557f5840 in main pimd/pim_main.c:166
        #18 0x7ffff6a54082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-use-after-free pimd/pim_igmpv3.c:340 in igmp_source_delete
    Shadow bytes around the buggy address:
      0x0c2c8000dd40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000dd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000dd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000dd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000dd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c2c8000dd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
      0x0c2c8000dda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000ddb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000ddc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c8000ddd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c2c8000dde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ```
    
    Signed-off-by: Jafar Al-Gharaibeh <jafar@atcorp.com>
    Jafaral committed Sep 25, 2024
    Commit 7bd03cf