CESNET / libyang

YANG data modeling language library
BSD 3-Clause "New" or "Revised" License

stack-buffer-underflow in read_sub_module #203

Closed milanlenco closed 7 years ago

milanlenco commented 7 years ago

Jan Kundrát has reported here that clang's AddressSanitizer detected a stack-buffer-underflow inside libyang:

==3503==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffd494fc300 at pc 0x0000004d097c bp 0x7ffd494fc1f0 sp 0x7ffd494fb9a0
WRITE of size 72 at 0x7ffd494fc300 thread T0
    #0 0x4d097b in __asan_memset /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:430
    #1 0x7f412f368c7c in read_sub_module /home/jkt/work/prog/libyang/build/../src/parser_yin.c:5323:5
    #2 0x7f412f36fc86 in yin_read_module /home/jkt/work/prog/libyang/build/../src/parser_yin.c:5933:9
    #3 0x7f412f43862d in lys_parse_mem_ /home/jkt/work/prog/libyang/build/../src/tree_schema.c:863:15
    #4 0x7f412f4383a4 in lys_parse_mem /home/jkt/work/prog/libyang/build/../src/tree_schema.c:880:12
    #5 0x7f412f2dde0e in ly_ctx_new /home/jkt/work/prog/libyang/build/../src/context.c:102:39
    #6 0x52515c in createDataTreeIETFinterfacesModule /home/jkt/work/prog/sysrepo/build/../tests/helpers/test_module_helper.c:376:26
    #7 0x529ef2 in srcfg_test_set_running_datastore /home/jkt/work/prog/sysrepo/build/../tests/sysrepocfg_test.c:218:5
    #8 0x7f41301e9e45 in cmocka_run_one_test_or_fixture /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2310
    #9 0x7f41301ea4b7 in cmocka_run_one_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2395
    #10 0x7f41301ea4b7 in _cmocka_run_group_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2518
    #11 0x527ac9 in main /home/jkt/work/prog/sysrepo/build/../tests/sysrepocfg_test.c:1088:11
    #12 0x7f412e7ec733 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #13 0x42bef8 in _start (/home/jkt/work/prog/sysrepo/build/tests/sysrepocfg_test+0x42bef8)

Address 0x7ffd494fc300 is located in stack of thread T0
==3503==AddressSanitizer CHECK failed: /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_thread.cc:314 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0)
    #0 0x4f305b in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_rtl.cc:67
    #1 0x50dd5e in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4f883a in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_thread.cc:314
    #3 0x4ecc20 in __asan::DescribeAddressIfStack(unsigned long, unsigned long) /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_report.cc:461
    #4 0x4ed302 in __asan::DescribeAddress(unsigned long, unsigned long, char const*) /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_report.cc:588
    #5 0x4eddd0 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) [clone .part.19] /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_report.cc:1194
    #6 0x4d099d in __asan_memset /var/tmp/portage/sys-devel/llvm-3.9.0/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:430
    #7 0x7f412f368c7c in read_sub_module /home/jkt/work/prog/libyang/build/../src/parser_yin.c:5323:5
    #8 0x7f412f36fc86 in yin_read_module /home/jkt/work/prog/libyang/build/../src/parser_yin.c:5933:9
    #9 0x7f412f43862d in lys_parse_mem_ /home/jkt/work/prog/libyang/build/../src/tree_schema.c:863:15
    #10 0x7f412f4383a4 in lys_parse_mem /home/jkt/work/prog/libyang/build/../src/tree_schema.c:880:12
    #11 0x7f412f2dde0e in ly_ctx_new /home/jkt/work/prog/libyang/build/../src/context.c:102:39
    #12 0x52515c in createDataTreeIETFinterfacesModule /home/jkt/work/prog/sysrepo/build/../tests/helpers/test_module_helper.c:376:26
    #13 0x529ef2 in srcfg_test_set_running_datastore /home/jkt/work/prog/sysrepo/build/../tests/sysrepocfg_test.c:218:5
    #14 0x7f41301e9e45 in cmocka_run_one_test_or_fixture /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2310
    #15 0x7f41301ea4b7 in cmocka_run_one_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2395
    #16 0x7f41301ea4b7 in _cmocka_run_group_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2518
    #17 0x527ac9 in main /home/jkt/work/prog/sysrepo/build/../tests/sysrepocfg_test.c:1088:11
    #18 0x7f412e7ec733 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #19 0x42bef8 in _start (/home/jkt/work/prog/sysrepo/build/tests/sysrepocfg_test+0x42bef8)

I honestly don't know what buffer underflow means in this context and whether it is an actual issue or just a false positive, therefore I'm just forwarding it as it is.

rkrejci commented 7 years ago

Seems like a false positive to me: the compiler probably reserves more space for the (struct lyxml_elem) variables on the stack than the value returned by sizeof, but it shouldn't be an issue since we are always working only with the data within the size returned by sizeof, which are initialized by memset at the mentioned line; it seems that there are just some more bytes that are not initialized but also not accessed anywhere (if I'm not wrong :)).
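For readers who, like the reporter, are unsure what "stack-buffer-underflow" means in the report above: AddressSanitizer uses that label when a memory access touches the poisoned redzone at lower addresses than a stack object's first byte, as opposed to "stack-buffer-overflow", which is an access running past the object's last byte. The C program below is an added example written for this page; it is not libyang or sysrepo code and does not reproduce the report. `struct elem_stub` is a made-up stand-in for the lyxml_elem stack variables discussed in the thread (nine pointers, chosen so that its size on a 64-bit target is 72, the same as the reported write size; libyang's real struct layout is not assumed). `classify_write` takes an object's address and sizeof plus a proposed write range and says whether the write is in bounds, begins below the object (what ASan calls underflow) or runs past it (overflow); the out-of-bounds cases are only classified, never performed, so the program is safe to run without a sanitizer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libyang code. Made-up stand-in for the
 * (struct lyxml_elem) stack variables mentioned in the thread; the
 * layout is assumed and shares nothing with libyang's real definition.
 * Nine pointers give sizeof == 72 on 64-bit targets, matching the
 * "WRITE of size 72" in the report above. */
struct elem_stub {
    char *name;
    char *ns;
    char *content;
    void *attr;
    void *parent;
    void *child;
    void *next;
    void *prev;
    void *priv;
};

/* Classify a proposed write of n bytes starting at dst relative to the
 * object occupying [obj, obj + objsize). This mirrors what ASan's
 * stack redzones distinguish:
 *   0  : the write stays entirely inside the object
 *  -1  : the write begins below the object's first byte (underflow)
 *   1  : the write begins inside the object but runs past its end (overflow)
 * Addresses are compared as integers so no out-of-bounds pointer is
 * ever dereferenced. */
int classify_write(const void *obj, size_t objsize, const void *dst, size_t n)
{
    uintptr_t lo = (uintptr_t)obj;
    uintptr_t hi = lo + objsize;        /* one past the object's last byte */
    uintptr_t d  = (uintptr_t)dst;

    if (d < lo)
        return -1;                      /* starts before the object: underflow */
    if (d + n > hi)
        return 1;                       /* extends past the end: overflow */
    return 0;                           /* in bounds */
}

/* The pattern under discussion: zero a stack struct with its own sizeof.
 * This writes exactly the bytes sizeof reports, never the compiler's
 * extra frame padding. Returns the classification (0 = in bounds). */
int zero_stack_struct(void)
{
    struct elem_stub e;
    int verdict = classify_write(&e, sizeof e, &e, sizeof e);
    if (verdict == 0)
        memset(&e, 0, sizeof e);
    return verdict;
}

/* A write that begins 16 bytes below the object's base address: the
 * shape ASan labels stack-buffer-underflow. Only classified, not done. */
int underflowing_write(void)
{
    struct elem_stub e;
    uintptr_t below = (uintptr_t)&e - 16;   /* integer arithmetic only */
    return classify_write(&e, sizeof e, (const void *)below, sizeof e);
}

/* A write that starts at the object but is 8 bytes too long: overflow. */
int overflowing_write(void)
{
    struct elem_stub e;
    return classify_write(&e, sizeof e, &e, sizeof e + 8);
}

int main(void)
{
    printf("sizeof(struct elem_stub)      = %zu\n", sizeof(struct elem_stub));
    printf("memset(&e, 0, sizeof e)       -> %d  (0 = in bounds)\n",
           zero_stack_struct());
    printf("write starting 16 bytes below -> %d  (-1 = underflow)\n",
           underflowing_write());
    printf("write of sizeof e + 8 bytes   -> %d  (1 = overflow)\n",
           overflowing_write());
    return 0;
}
```

The useful takeaway for triage is the direction of the range check: a memset of `sizeof` bytes starting at the variable's own address is classified as in bounds regardless of how much additional frame space the compiler reserves, so an underflow verdict from ASan is about where the write starts relative to the object, not about uninitialized padding beyond it. On this page ASan's own frame-description step failed (the "kCurrentStackFrameMagic" CHECK), which is why the report does not name the stack variable involved.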