cms-sw / cmssw

CMS Offline Software
http://cms-sw.github.io/
Apache License 2.0

heap-buffer-overflow, read by 4 bytes, PrimaryVertexValidation::beginJob() #21283

Closed davidlt closed 6 years ago

davidlt commented 6 years ago

CMSSW: CMSSW_10_0_ASAN_X_2017-11-09-2300 SCRAM_ARCH: slc6_amd64_gcc700

It's a unit test from Alignment/OfflineValidation, command cmsRun test_all_cfg.py.

12-Nov-2017 07:52:34 CET  Successfully opened file root://xrootd-cms.infn.it//store/relval/CMSSW_9_2_2/RelValTTbar_13/GEN-SIM-RECO/PU25ns_92X_upgrade2017_realistic_v1-v1/10000/ECFEA1BD-BF4D-E711-A404-0CC47A7C345C.root
=================================================================
==10067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000669e14 at pc 0x7f26fbb81400 bp 0x7ffd0d87bcc0 sp 0x7ffd0d87bcb8
READ of size 4 at 0x602000669e14 thread T0
    #0 0x7f26fbb813ff in PrimaryVertexValidation::beginJob() /mnt/build/davidlt/bench_asan/CMSSW_10_0_ASAN_X_2017-11-09-2300/src/Alignment/OfflineValidation/plugins/PrimaryVertexValidation.cc:1233
    #1 0x7f273d30b6db in edm::one::EDAnalyzerBase::doBeginJob() (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x6b26db)
    #2 0x7f273d218d46 in edm::Worker::beginJob() (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x5bfd46)
    #3 0x7f273d0d29f8 in edm::WorkerManager::beginJob(edm::ProductRegistry const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x4799f8)
    #4 0x7f273d13ffae in edm::EventProcessor::beginJob() (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x4e6fae)
    #5 0x412e94 in main::{lambda()#1}::operator()() const (/cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/bin/slc6_amd64_gcc700/cmsRun+0x412e94)
    #6 0x40d322 in main (/cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/bin/slc6_amd64_gcc700/cmsRun+0x40d322)
    #7 0x7f2739b43d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
    #8 0x40da88  (/cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/bin/slc6_amd64_gcc700/cmsRun+0x40da88)

0x602000669e14 is located 0 bytes to the right of 4-byte region [0x602000669e10,0x602000669e14)
allocated by thread T0 here:
    #0 0x7f273d5261c0 in operator new(unsigned long) ../../../../libsanitizer/asan/asan_new_delete.cc:80
    #1 0x7f273cec6575 in void std::vector<unsigned int, std::allocator<unsigned int> >::_M_realloc_insert<unsigned int const&>(__gnu_cxx::__normal_iterator<unsigned int*, std::vector<unsigned int, std::allocator<unsigned int> > >, unsigned int const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x26d575)
    #2 0x7f273cb11c39 in edm::decode(std::vector<unsigned int, std::allocator<unsigned int> >&, std::string const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreParameterSet.so+0x252c39)
    #3 0x7f273caa2722 in edm::Entry::getVUInt32() const (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreParameterSet.so+0x1e3722)
    #4 0x7f273ca49433 in std::vector<unsigned int, std::allocator<unsigned int> > edm::ParameterSet::getUntrackedParameter<std::vector<unsigned int, std::allocator<unsigned int> > >(char const*, std::vector<unsigned int, std::allocator<unsigned int> > const&) const (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreParameterSet.so+0x18a433)
    #5 0x7f26fbb5b302 in PrimaryVertexValidation::PrimaryVertexValidation(edm::ParameterSet const&) /mnt/build/davidlt/bench_asan/CMSSW_10_0_ASAN_X_2017-11-09-2300/src/Alignment/OfflineValidation/plugins/PrimaryVertexValidation.cc:94
    #6 0x7f26fbc156c1 in std::_MakeUniq<PrimaryVertexValidation>::__single_object std::make_unique<PrimaryVertexValidation, edm::ParameterSet const&>(edm::ParameterSet const&) /cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/external/gcc/7.0.0-mmelna/include/c++/7.2.1/bits/unique_ptr.h:825
    #7 0x7f26fbc14f14 in std::unique_ptr<edm::one::EDAnalyzerBase, std::default_delete<edm::one::EDAnalyzerBase> > edm::MakeModuleHelper<edm::one::EDAnalyzerBase>::makeModule<PrimaryVertexValidation>(edm::ParameterSet const&) /cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/src/FWCore/Framework/src/MakeModuleHelper.h:41
    #8 0x7f26fbc149ba in edm::WorkerMaker<PrimaryVertexValidation>::makeModule(edm::ParameterSet const&) const /cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/src/FWCore/Framework/src/WorkerMaker.h:85
    #9 0x7f273d0424e5 in edm::Maker::makeModule(edm::MakeModuleParams const&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&) const (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x3e94e5)
    #10 0x7f273cf6da8a in edm::Factory::makeModule(edm::MakeModuleParams const&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&) const (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x314a8a)
    #11 0x7f273d267cab in edm::ModuleRegistry::getModule(edm::MakeModuleParams const&, std::string const&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&, edm::signalslot::Signal<void (edm::ModuleDescription const&)>&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x60ecab)
    #12 0x7f273d11d77f in edm::WorkerRegistry::getWorker(edm::WorkerParams const&, std::string const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x4c477f)
    #13 0x7f273d0d15e9 in edm::WorkerManager::getWorker(edm::ParameterSet&, edm::ProductRegistry&, edm::PreallocationConfiguration const*, std::shared_ptr<edm::ProcessConfiguration const>, std::string const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x4785e9)
    #14 0x7f273cfef1a9 in edm::StreamSchedule::fillWorkers(edm::ParameterSet&, edm::ProductRegistry&, edm::PreallocationConfiguration const*, std::shared_ptr<edm::ProcessConfiguration const>, std::string const&, bool, std::vector<edm::WorkerInPath, std::allocator<edm::WorkerInPath> >&, std::vector<std::string, std::allocator<std::string> > const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x3961a9)
    #15 0x7f273cff220f in edm::StreamSchedule::fillTrigPath(edm::ParameterSet&, edm::ProductRegistry&, edm::PreallocationConfiguration const*, std::shared_ptr<edm::ProcessConfiguration const>, int, std::string const&, std::shared_ptr<edm::HLTGlobalStatus>, std::vector<std::string, std::allocator<std::string> > const&) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x39920f)
    #16 0x7f273cfffbc5 in edm::StreamSchedule::StreamSchedule(std::shared_ptr<edm::TriggerResultInserter>, std::vector<edm::propagate_const<std::shared_ptr<edm::PathStatusInserter> >, std::allocator<edm::propagate_const<std::shared_ptr<edm::PathStatusInserter> > > >&, std::vector<edm::propagate_const<std::shared_ptr<edm::EndPathStatusInserter> >, std::allocator<edm::propagate_const<std::shared_ptr<edm::EndPathStatusInserter> > > >&, std::shared_ptr<edm::ModuleRegistry>, edm::ParameterSet&, edm::service::TriggerNamesService const&, edm::PreallocationConfiguration const&, edm::ProductRegistry&, edm::BranchIDListHelper&, edm::ExceptionToActionTable const&, std::shared_ptr<edm::ActivityRegistry>, std::shared_ptr<edm::ProcessConfiguration>, bool, edm::StreamID, edm::ProcessContext const*) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x3a6bc5)
    #17 0x7f273cdec932 in edm::Schedule::Schedule(edm::ParameterSet&, edm::service::TriggerNamesService const&, edm::ProductRegistry&, edm::BranchIDListHelper&, edm::ThinnedAssociationsHelper&, edm::SubProcessParentageHelper const*, edm::ExceptionToActionTable const&, std::shared_ptr<edm::ActivityRegistry>, std::shared_ptr<edm::ProcessConfiguration>, bool, edm::PreallocationConfiguration const&, edm::ProcessContext const*) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x193932)
    #18 0x7f273d2a345f in edm::ScheduleItems::initSchedule(edm::ParameterSet&, bool, edm::PreallocationConfiguration const&, edm::ProcessContext const*) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x64a45f)
    #19 0x7f273d157592 in edm::EventProcessor::init(std::shared_ptr<edm::ProcessDesc>&, edm::ServiceToken const&, edm::serviceregistry::ServiceLegacy) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x4fe592)
    #20 0x7f273d160e6f in edm::EventProcessor::EventProcessor(std::shared_ptr<edm::ProcessDesc>, edm::ServiceToken const&, edm::serviceregistry::ServiceLegacy) (/cvmfs/cms-ib.cern.ch/week1/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/lib/slc6_amd64_gcc700/libFWCoreFramework.so+0x507e6f)
    #21 0x412c3d in main::{lambda()#1}::operator()() const (/cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/bin/slc6_amd64_gcc700/cmsRun+0x412c3d)
    #22 0x40d322 in main (/cvmfs/cms-ib.cern.ch/nweek-02497/slc6_amd64_gcc700/cms/cmssw/CMSSW_10_0_ASAN_X_2017-11-09-2300/bin/slc6_amd64_gcc700/cmsRun+0x40d322)
    #23 0x7f2739b43d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/build/davidlt/bench_asan/CMSSW_10_0_ASAN_X_2017-11-09-2300/src/Alignment/OfflineValidation/plugins/PrimaryVertexValidation.cc:1233 in PrimaryVertexValidation::beginJob()
Shadow bytes around the buggy address:
  0x0c04800c5370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c5380: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c04800c5390: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c04800c53a0: fa fa 00 fa fa fa fd fa fa fa 00 00 fa fa 00 00
  0x0c04800c53b0: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c04800c53c0: fa fa[04]fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c53d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c53e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c53f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c5400: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c04800c5410: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10067==ABORTING

cmsbuild commented 6 years ago

A new Issue was created by @davidlt.

@davidlange6, @Dr15Jones, @smuzaffar can you please review it and eventually sign/assign? Thanks.

cms-bot commands are listed here

davidlt commented 6 years ago

The following loop is written wrongly: https://github.com/cms-sw/cmssw/blob/master/Alignment/OfflineValidation/plugins/PrimaryVertexValidation.cc#L1232

We are basically iterating over runControlNumbers_ (std::vector<unsigned int>) and using those values again to access runControlNumbers_. In this particular case we have 1 run, thus runControlNumbers_.size() is 1, and then we access runControlNumbers_[1], which is out of bounds.

I will prepare a PR.
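The pattern described above, as an added illustration that is not code from cmssw or the linked PR: the element value of the vector is reused as an index into the same vector, so a single-run configuration ends up reading one past a one-element heap buffer (the 4-byte read ASan reports). The exact loop body in PrimaryVertexValidation.cc is not quoted on the page; the sample run number and both helper functions here are assumptions.

```cpp
#include <cstddef>
#include <optional>
#include <vector>

// Constructed sample input, not from the page: one configured run control
// number, so size() == 1 as in the report. The value itself is hypothetical.
const std::vector<unsigned int> kRunControlNumbers = {1};

// The defect as described in the issue: each element's *value* is reused as
// an *index* into the same vector. Returns the first value that is not a
// valid index (value >= size()), i.e. the access that would read past the
// allocation, or nullopt when every value happens to be in range. With the
// sample above, value 1 against size 1 is exactly runControlNumbers_[1] on
// a one-element buffer, which is what ASan flagged.
std::optional<unsigned int> firstValueUsedAsBadIndex(const std::vector<unsigned int>& runs) {
    for (unsigned int run : runs) {
        if (run >= runs.size()) {
            return run;   // runs[run] here would be a heap-buffer-overflow read
        }
    }
    return std::nullopt;
}

// Corrected pattern: iterate by position, so the index is always < size().
// Uses at() so any remaining logic error throws std::out_of_range instead of
// silently reading past the end of the allocation.
std::vector<unsigned int> runsByPosition(const std::vector<unsigned int>& runs) {
    std::vector<unsigned int> seen;
    for (std::size_t i = 0; i < runs.size(); ++i) {
        seen.push_back(runs.at(i));
    }
    return seen;
}
```

Running the same configuration under an ASAN build, as the reporter did, is the reliable way to catch this class of off-by-one read; the checked helper above only flags the index arithmetic that leads to it.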

davidlt commented 6 years ago

PR: https://github.com/cms-sw/cmssw/pull/21284