CESNET / libyang

YANG data modeling language library
BSD 3-Clause "New" or "Revised" License

heap-use-after-free in test_tree_schema #236

Closed jktjkt closed 7 years ago

jktjkt commented 7 years ago

2: Test timeout computed to be: 9.99988e+06
2: [==========] Running 23 test(s).
2: [ RUN      ] test_lys_parse_mem
2: libyang[0]: Invalid (mixed names) opening (module_typo) and closing (module) element tags. (path: /module_typo)
2: libyang[0]: Module parsing failed.
2: [       OK ] test_lys_parse_mem
2: [ RUN      ] test_lys_parse_fd
2: libyang[0]: Module "a" in another revision already implemented.
2: libyang[0]: Module "a" parsing failed.
2: =================================================================
2: ==18062==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000009798 at pc 0x7f70199b657e bp 0x7ffc7fb294f0 sp 0x7ffc7fb294e8
2: READ of size 8 at 0x60d000009798 thread T0
2:     #0 0x7f70199b657d in lys_node_unlink /home/jkt/work/prog/libyang/src/tree_schema.c:354:21
2:     #1 0x7f70199bb174 in lys_node_free /home/jkt/work/prog/libyang/src/tree_schema.c:1975:5
2:     #2 0x7f70199d67e4 in lys_augment_free /home/jkt/work/prog/libyang/src/tree_schema.c:1483:13
2:     #3 0x7f70199c4709 in module_free_common /home/jkt/work/prog/libyang/src/tree_schema.c:2122:9
2:     #4 0x7f70199c385f in lys_submodule_free /home/jkt/work/prog/libyang/src/tree_schema.c:2150:5
2:     #5 0x7f70199c45c7 in module_free_common /home/jkt/work/prog/libyang/src/tree_schema.c:2115:13
2:     #6 0x7f70199cd19a in lys_free /home/jkt/work/prog/libyang/src/tree_schema.c:2835:5
2:     #7 0x7f70198f2d94 in yin_read_module /home/jkt/work/prog/libyang/src/parser_yin.c:5995:5
2:     #8 0x7f70199bb43d in lys_parse_mem_ /home/jkt/work/prog/libyang/src/tree_schema.c:863:15
2:     #9 0x7f70199bb1b4 in lys_parse_mem /home/jkt/work/prog/libyang/src/tree_schema.c:880:12
2:     #10 0x50fd6f in test_lys_parse_fd /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:396:14
2:     #11 0x7f7019d2bd96 in cmocka_run_one_test_or_fixture /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2305
2:     #12 0x7f7019d2c4e7 in cmocka_run_one_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2413
2:     #13 0x7f7019d2c4e7 in _cmocka_run_group_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2518
2:     #14 0x50f9f4 in main /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:1273:12
2:     #15 0x7f70186d1733 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
2:     #16 0x419cd8 in _start (/home/jkt/work/prog/libyang/build/tests/test_tree_schema+0x419cd8)
2: 
2: 0x60d000009798 is located 56 bytes inside of 136-byte region [0x60d000009760,0x60d0000097e8)
2: freed by thread T0 here:
2:     #0 0x4d4fb0 in free /var/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47
2:     #1 0x7f70199bb17d in lys_node_free /home/jkt/work/prog/libyang/src/tree_schema.c:1976:5
2:     #2 0x7f70199c3cab in module_free_common /home/jkt/work/prog/libyang/src/tree_schema.c:2078:13
2:     #3 0x7f70199cd19a in lys_free /home/jkt/work/prog/libyang/src/tree_schema.c:2835:5
2:     #4 0x7f70198f2d94 in yin_read_module /home/jkt/work/prog/libyang/src/parser_yin.c:5995:5
2:     #5 0x7f70199bb43d in lys_parse_mem_ /home/jkt/work/prog/libyang/src/tree_schema.c:863:15
2:     #6 0x7f70199bb1b4 in lys_parse_mem /home/jkt/work/prog/libyang/src/tree_schema.c:880:12
2:     #7 0x50fd6f in test_lys_parse_fd /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:396:14
2:     #8 0x7f7019d2bd96 in cmocka_run_one_test_or_fixture /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2305
2:     #9 0x7f7019d2c4e7 in cmocka_run_one_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2413
2:     #10 0x7f7019d2c4e7 in _cmocka_run_group_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2518
2:     #11 0x50f9f4 in main /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:1273:12
2:     #12 0x7f70186d1733 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
2:     #13 0x419cd8 in _start (/home/jkt/work/prog/libyang/build/tests/test_tree_schema+0x419cd8)
2: 
2: previously allocated by thread T0 here:
2:     #0 0x4d5525 in calloc /var/tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
2:     #1 0x7f7019903898 in read_yin_container /home/jkt/work/prog/libyang/src/parser_yin.c:4406:12
2:     #2 0x7f70198f0fc0 in read_sub_module /home/jkt/work/prog/libyang/src/parser_yin.c:5776:20
2:     #3 0x7f70198eab99 in yin_read_submodule /home/jkt/work/prog/libyang/src/parser_yin.c:5869:9
2:     #4 0x7f70199bb5d1 in lys_submodule_parse /home/jkt/work/prog/libyang/src/tree_schema.c:896:18
2:     #5 0x7f70199bca40 in lys_submodule_read /home/jkt/work/prog/libyang/src/tree_schema.c:1043:17
2:     #6 0x7f70198c5bab in lyp_search_file /home/jkt/work/prog/libyang/src/parser.c:420:39
2:     #7 0x7f701985d4a8 in ly_ctx_load_sub_module /home/jkt/work/prog/libyang/src/context.c:470:15
2:     #8 0x7f70198d6fd8 in lyp_check_include /home/jkt/work/prog/libyang/src/parser.c:2274:50
2:     #9 0x7f70198f45b9 in fill_yin_include /home/jkt/work/prog/libyang/src/parser_yin.c:2970:12
2:     #10 0x7f70198ee706 in read_sub_module /home/jkt/work/prog/libyang/src/parser_yin.c:5635:17
2:     #11 0x7f70198eab99 in yin_read_submodule /home/jkt/work/prog/libyang/src/parser_yin.c:5869:9
2:     #12 0x7f70199bb5d1 in lys_submodule_parse /home/jkt/work/prog/libyang/src/tree_schema.c:896:18
2:     #13 0x7f70199bca40 in lys_submodule_read /home/jkt/work/prog/libyang/src/tree_schema.c:1043:17
2:     #14 0x7f70198c5bab in lyp_search_file /home/jkt/work/prog/libyang/src/parser.c:420:39
2:     #15 0x7f701985d4a8 in ly_ctx_load_sub_module /home/jkt/work/prog/libyang/src/context.c:470:15
2:     #16 0x7f70198d6fd8 in lyp_check_include /home/jkt/work/prog/libyang/src/parser.c:2274:50
2:     #17 0x7f70198f45b9 in fill_yin_include /home/jkt/work/prog/libyang/src/parser_yin.c:2970:12
2:     #18 0x7f70198ee706 in read_sub_module /home/jkt/work/prog/libyang/src/parser_yin.c:5635:17
2:     #19 0x7f70198f22d6 in yin_read_module /home/jkt/work/prog/libyang/src/parser_yin.c:5944:9
2:     #20 0x7f70199bb43d in lys_parse_mem_ /home/jkt/work/prog/libyang/src/tree_schema.c:863:15
2:     #21 0x7f70199bb1b4 in lys_parse_mem /home/jkt/work/prog/libyang/src/tree_schema.c:880:12
2:     #22 0x50fd6f in test_lys_parse_fd /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:396:14
2:     #23 0x7f7019d2bd96 in cmocka_run_one_test_or_fixture /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2305
2:     #24 0x7f7019d2c4e7 in cmocka_run_one_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2413
2:     #25 0x7f7019d2c4e7 in _cmocka_run_group_tests /var/tmp/portage/dev-util/cmocka-1.0.1/work/cmocka-1.0.1/src/cmocka.c:2518
2:     #26 0x50f9f4 in main /home/jkt/work/prog/libyang/tests/api/test_tree_schema.c:1273:12
2:     #27 0x7f70186d1733 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
2:     #28 0x419cd8 in _start (/home/jkt/work/prog/libyang/build/tests/test_tree_schema+0x419cd8)
2: 
2: SUMMARY: AddressSanitizer: heap-use-after-free /home/jkt/work/prog/libyang/src/tree_schema.c:354:21 in lys_node_unlink
2: Shadow bytes around the buggy address:
2:   0x0c1a7fff92a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
2:   0x0c1a7fff92b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
2:   0x0c1a7fff92c0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
2:   0x0c1a7fff92d0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2:   0x0c1a7fff92e0: 00 00 00 fa fa fa fa fa fa fa fa fa fd fd fd fd
2: =>0x0c1a7fff92f0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fa fa fa
2:   0x0c1a7fff9300: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
2:   0x0c1a7fff9310: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
2:   0x0c1a7fff9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2:   0x0c1a7fff9330: 00 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
2:   0x0c1a7fff9340: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
2: Shadow byte legend (one shadow byte represents 8 application bytes):
2:   Addressable:           00
2:   Partially addressable: 01 02 03 04 05 06 07 
2:   Heap left redzone:       fa
2:   Heap right redzone:      fb
2:   Freed heap region:       fd
2:   Stack left redzone:      f1
2:   Stack mid redzone:       f2
2:   Stack right redzone:     f3
2:   Stack partial redzone:   f4
2:   Stack after return:      f5
2:   Stack use after scope:   f8
2:   Global redzone:          f9
2:   Global init order:       f6
2:   Poisoned by user:        f7
2:   Container overflow:      fc
2:   Array cookie:            ac
2:   Intra object redzone:    bb
2:   ASan internal:           fe
2:   Left alloca redzone:     ca
2:   Right alloca redzone:    cb
2: ==18062==ABORTING
1/1 Test #2: test_tree_schema .................***Failed    0.10 sec

0% tests passed, 1 tests failed out of 1

Total Test time (real) =   0.10 sec

The following tests FAILED:
          2 - test_tree_schema (Failed)
Errors while running CTest

jktjkt commented 7 years ago

A similar-looking use-after-free happens in test_sec7_15, test_sec7_19_1 and test_sec7_19_5. I recall that I've been seeing them for some time (a month, perhaps?), but I never investigated.