MotionSpell / DVB-MABR-Tool

DVB MABR Open-Source Tool

GW ASAN not clear (use after free) #7

Open rbouqueau opened 2 months ago

rbouqueau commented 2 months ago

Build gpac with ASAN: configure --enable-sanitizer

gpac -i https://cmafref.akamaized.net/cmaf/live-ull/2006350/akambr/out.mpd dashin:forward=file:algo=none:start_with=min_q -o mabr://225.0.0.1:6000:NCID=RTE -netcap=dst=long.pcap,id=RTE

gpac -i mabr://234.1.1.1:1234:gpac:NCID=RTE -netcap=src=buffer_overflow/buffer_overflow.pcap,id=RTE dashin:forward=file -o http://localhost:8080/do.mpd:rdirs=/tmp/tmp/dash

Result:

[DASH] Error in downloading new segment http://gmcast/service1/https://akamaibroadcasteruseast.akamaized.net/cmaf/live/657078/akasource/1721610001/chunk-stream_1-348014.m4s: Requested URL is not valid or cannot be found
[DVB-FLUTE S1] Object TSI 10 TOI 26 partial received only
^C
Toggle reports (r), print state (s for short, e for extended [+ shift: sticky])
        or exit with fast (Y), full (f) or no (n) session flush ? 
Romain gf_route_service_del object 0x0x521000073100
Romain gf_route_lct_obj_del 0x0x521000073100
Romain      free frags      0x0x507000068ae0
Romain      free            0x0x521000073100
Romain gf_route_service_del object 0x0x52100005b500
Romain gf_route_lct_obj_del 0x0x52100005b500
Romain      free frags      0x0x50700005fcb0
Romain      free            0x0x52100005b500
Romain gf_route_service_del object 0x0x521000071d00
Romain gf_route_lct_obj_del 0x0x521000071d00
Romain      free frags      0x0x507000068530
Romain      free            0x0x521000071d00
Romain gf_route_service_del object 0x0x52100006f500
Romain gf_route_lct_obj_del 0x0x52100006f500
Romain      free frags      0x0x507000065510
Romain      free            0x0x52100006f500
Romain gf_route_service_del object 0x0x52100006f500
Romain gf_route_lct_obj_del 0x0x52100006f500
=================================================================
==67318==ERROR: AddressSanitizer: heap-use-after-free on address 0x52100006f530 at pc 0x7f4fc2bc5570 bp 0x7ffd8dfaf480 sp 0x7ffd8dfaf478
READ of size 8 at 0x52100006f530 thread T0
    #0 0x7f4fc2bc556f in gf_route_lct_obj_del media_tools/route_dmx.c:294
    #1 0x7f4fc2bc5f26 in gf_route_service_del media_tools/route_dmx.c:313
    #2 0x7f4fc2bc6a1c in gf_route_dmx_del media_tools/route_dmx.c:342
    #3 0x7f4fc3d0fcfa in routein_finalize filters/in_route.c:52
    #4 0x7f4fc385ccfd in gf_fs_del filter_core/filter_session.c:784
    #5 0x56367f8edf73 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1677
    #6 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #7 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f4fbdc42d44 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x56367f8e4420 in _start (/home/rbouqueau/works/gpac/gpac/bin/gcc/gpac+0x60420) (BuildId: bf6e78c4d81565b8434e11025d7c5de6199fb596)

0x52100006f530 is located 48 bytes inside of 4288-byte region [0x52100006f500,0x5210000705c0)
freed by thread T0 here:
    #0 0x7f4fca0f2868 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f4fc1c4c672 in gf_free utils/alloc.c:165
    #2 0x7f4fc2bc5c7a in gf_route_lct_obj_del media_tools/route_dmx.c:302
    #3 0x7f4fc2bc5f26 in gf_route_service_del media_tools/route_dmx.c:313
    #4 0x7f4fc2bc6a1c in gf_route_dmx_del media_tools/route_dmx.c:342
    #5 0x7f4fc3d0fcfa in routein_finalize filters/in_route.c:52
    #6 0x7f4fc385ccfd in gf_fs_del filter_core/filter_session.c:784
    #7 0x56367f8edf73 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1677
    #8 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #9 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f4fca0f3bc7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f4fc1c4c60e in gf_malloc utils/alloc.c:150
    #2 0x7f4fc2bd8c58 in gf_route_dmx_process_dvb_flute_signaling media_tools/route_dmx.c:1176
    #3 0x7f4fc2be3429 in gf_route_dmx_process_object media_tools/route_dmx.c:1622
    #4 0x7f4fc2c0823f in dmx_process_service_dvb_flute media_tools/route_dmx.c:3259
    #5 0x7f4fc2c0aad7 in gf_route_dmx_process media_tools/route_dmx.c:3398
    #6 0x7f4fc3d1b3cf in routein_process filters/in_route.c:522
    #7 0x7f4fc38d3dae in gf_filter_process_task filter_core/filter.c:3171
    #8 0x7f4fc38711ea in gf_fs_thread_proc filter_core/filter_session.c:2171
    #9 0x7f4fc3874cfc in gf_fs_run filter_core/filter_session.c:2478
    #10 0x56367f8ed988 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1598
    #11 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #12 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free media_tools/route_dmx.c:294 in gf_route_lct_obj_del
Shadow bytes around the buggy address:
  0x52100006f280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x52100006f500: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x52100006f580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67318==ABORTING
soheibthriber commented 2 months ago

I thought this is a separate issue, but on the receiver side you are using the buffer_overflow.pcap? Couldn't find any leak with the pcap generated by the first mentioned command. Is this a separate issue from #6?

rbouqueau commented 2 months ago

Yes this is separate from #6.

What did you try and on which platform?

I tried on Linux using asan (address sanitizer), cf my description. This is not a mem leak but a re-use after free (that seems to be caused by duplicates in a list).
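The trace above shows the same object address (0x52100006f500) passing through gf_route_service_del twice before ASan reports the read at route_dmx.c:294, which is the usual footprint of a list that holds one pointer twice. The following C example is added here and is not gpac's code: it models that pattern on a hypothetical object list, adds the teardown-time duplicate check a maintainer would want as a debug assertion, and shows a free loop that clears later aliases so a freed object is never revisited.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an LCT object (not gpac's struct): a header plus a
   separately allocated fragment buffer, so teardown frees "frags" then the
   object, in the same order the debug trace above shows. */
typedef struct { unsigned tsi, toi; void *frags; } lct_obj;
typedef struct { lct_obj *items[16]; int count; } obj_list;

static lct_obj *lct_obj_new(unsigned tsi, unsigned toi) {
    lct_obj *o = calloc(1, sizeof *o);
    o->tsi = tsi; o->toi = toi;
    o->frags = calloc(64, 1);
    return o;
}

/* Unchecked registration: registering the same pointer again lands it in the
   list twice. This is the defect modelled here, not a claim about gpac's code. */
static void list_add_unchecked(obj_list *l, lct_obj *o) { l->items[l->count++] = o; }

/* Checked registration: refuses a pointer already in the list. Returns 1 if added. */
static int list_add_unique(obj_list *l, lct_obj *o) {
    for (int i = 0; i < l->count; i++) if (l->items[i] == o) return 0;
    l->items[l->count++] = o;
    return 1;
}

/* Teardown-time invariant check: counts entries that repeat an earlier pointer.
   A non-zero result is exactly the condition under which a naive "free every
   entry" loop reads from, and then frees, an object a second time. */
static int list_count_duplicates(const obj_list *l) {
    int dups = 0;
    for (int i = 1; i < l->count; i++)
        for (int j = 0; j < i; j++)
            if (l->items[i] && l->items[i] == l->items[j]) { dups++; break; }
    return dups;
}

/* Safe teardown: frees each distinct object once by clearing every later alias
   of the pointer before freeing it. Returns the number of objects freed. */
static int service_del(obj_list *l) {
    int freed = 0;
    for (int i = 0; i < l->count; i++) {
        lct_obj *o = l->items[i];
        if (!o) continue;
        for (int j = i + 1; j < l->count; j++) if (l->items[j] == o) l->items[j] = NULL;
        free(o->frags);
        free(o);
        l->items[i] = NULL;
        freed++;
    }
    l->count = 0;
    return freed;
}
```

Built with ASan, replacing the alias-clearing loop in service_del with a plain free of every entry reproduces a heap-use-after-free of the same shape as the report above, which makes the duplicate count a cheap assertion to keep in debug builds.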