stcorp / coda

The Common Data Access toolset
http://stcorp.github.io/coda/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

coda_recognize_file_fuzzer: Direct-leak in coda_bin_open #58

Closed schwehr closed 4 years ago

schwehr commented 4 years ago

==23560==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 80 byte(s) in 1 object(s) allocated from:
    #0 0x55cc130cab9d in malloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55cc13112de8 in coda_bin_open third_party/stcorp_coda/libcoda/coda-bin.c:237:40
    #2 0x55cc131ce447 in open_file third_party/stcorp_coda/libcoda/coda-product.c:532:9
    #3 0x55cc131cde0a in coda_recognize_file third_party/stcorp_coda/libcoda/coda-product.c:594:9
    #4 0x55cc130e3c91 in LLVMFuzzerTestOneInput third_party/stcorp_coda/fuzz/coda_recognize_file_fuzzer.cc:19:3

Indirect leak of 36 byte(s) in 1 object(s) allocated from:
    #0 0x55cc130b6c41 in strdup third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:452:3
    #1 0x55cc13112eb3 in coda_bin_open third_party/stcorp_coda/libcoda/coda-bin.c:264:30
    #2 0x55cc131ce447 in open_file third_party/stcorp_coda/libcoda/coda-product.c:532:9
    #3 0x55cc131cde0a in coda_recognize_file third_party/stcorp_coda/libcoda/coda-product.c:594:9
    #4 0x55cc130e3c91 in LLVMFuzzerTestOneInput third_party/stcorp_coda/fuzz/coda_recognize_file_fuzzer.cc:19:3

SUMMARY: AddressSanitizer: 116 byte(s) leaked in 2 allocation(s).

testcase-6241787911340032.zip
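The report above pairs a direct leak (the product struct from malloc) with an indirect leak (the strdup'd filename reachable only through that struct). As an added illustration, not coda's code and not the fix in the commit linked later in this thread, the constructed functions below reproduce that pair of allocations under an assumed shape where a second backend's reopen fails, beside a variant that closes the product on every exit path; a live-block counter stands in for the sanitizer so the difference is observable.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Constructed example: counts live heap blocks so a leak is observable. */
static int live_allocs = 0;
typedef struct {
    char *filename; /* strdup'd name: the "indirect" leak in the report */
    long size;
} product;
/* Stand-in for a bin_open-style function: one malloc (direct) plus one strdup (indirect). */
static product *bin_open(const char *path) {
    product *p = malloc(sizeof *p);
    if (p == NULL) return NULL;
    live_allocs++;
    p->filename = strdup(path);
    if (p->filename == NULL) { free(p); live_allocs--; return NULL; }
    live_allocs++;
    p->size = (long)strlen(path);
    return p;
}
static void bin_close(product *p) {
    if (p == NULL) return;
    free(p->filename);
    free(p);
    live_allocs -= 2;
}
/* Assumed stand-in for a second backend whose open fails, as HDF4 does in the thread. */
static int backend_reopen(const char *path) { (void)path; return -1; }
/* Leaky shape: the bin product is dropped when the reopen fails. */
static int recognize_file_leaky(const char *path) {
    product *p = bin_open(path);
    if (p == NULL) return -1;
    if (backend_reopen(p->filename) != 0) return -1; /* p never closed */
    bin_close(p);
    return 0;
}
/* Fixed shape: the product is closed on every path out of the function. */
static int recognize_file_fixed(const char *path) {
    product *p = bin_open(path);
    if (p == NULL) return -1;
    int rc = backend_reopen(p->filename);
    bin_close(p);
    return rc == 0 ? 0 : -1;
}
/* Runs one variant and returns how many blocks were still live afterwards. */
static int leaked_after(int (*fn)(const char *)) {
    live_allocs = 0;
    fn("testcase-6241787911340032"); /* constructed input name */
    return live_allocs;
}
```

The leaky variant leaves two blocks live, matching the "2 allocation(s)" shape of a LeakSanitizer summary, while the fixed variant leaves none.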

svniemeijer commented 4 years ago

I can't reproduce this. The error for the testcase is raised in coda-hdf4.c line 503, but the 'bin' product is already closed on line 497.

When I run things through valgrind I only get leaks in the HDF4 library:

$ valgrind --leak-check=full codacheck testcase-6241787911340032 
==26724== Memcheck, a memory error detector
==26724== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==26724== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==26724== Command: codacheck testcase-6241787911340032
==26724== 
testcase-6241787911340032
  ERROR: [HDF4] Error opening file

==26724== 
==26724== HEAP SUMMARY:
==26724==     in use at exit: 186,584 bytes in 6 blocks
==26724==   total heap usage: 99,096 allocs, 99,090 frees, 13,941,809 bytes allocated
==26724== 
==26724== 40 bytes in 1 blocks are definitely lost in loss record 1 of 6
==26724==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==26724==    by 0x53C0F65: tbbtdmake (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x53AB0A9: HTPstart (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x53A909D: Hopen (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x4EBAEB6: coda_hdf4_reopen (coda-hdf4.c:502)
==26724==    by 0x4E971AF: reopen_with_backend (coda-product.c:375)
==26724==    by 0x4E971AF: open_file (coda-product.c:550)
==26724==    by 0x4E972B5: coda_recognize_file (coda-product.c:594)
==26724==    by 0x40166D: check_file (codacheck.c:124)
==26724==    by 0x4013FB: main (codacheck.c:326)
==26724== 
==26724== 2,048 bytes in 1 blocks are definitely lost in loss record 4 of 6
==26724==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==26724==    by 0x537056E: HAinit_group (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x53AB0BC: HTPstart (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x53A909D: Hopen (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x4EBAEB6: coda_hdf4_reopen (coda-hdf4.c:502)
==26724==    by 0x4E971AF: reopen_with_backend (coda-product.c:375)
==26724==    by 0x4E971AF: open_file (coda-product.c:550)
==26724==    by 0x4E972B5: coda_recognize_file (coda-product.c:594)
==26724==    by 0x40166D: check_file (codacheck.c:124)
==26724==    by 0x4013FB: main (codacheck.c:326)
==26724== 
==26724== 184,368 (48 direct, 184,320 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 6
==26724==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==26724==    by 0x53AB05B: HTPstart (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x53A909D: Hopen (in /home/sander/local/lib/libdf.so.0.0.0)
==26724==    by 0x4EBAEB6: coda_hdf4_reopen (coda-hdf4.c:502)
==26724==    by 0x4E971AF: reopen_with_backend (coda-product.c:375)
==26724==    by 0x4E971AF: open_file (coda-product.c:550)
==26724==    by 0x4E972B5: coda_recognize_file (coda-product.c:594)
==26724==    by 0x40166D: check_file (codacheck.c:124)
==26724==    by 0x4013FB: main (codacheck.c:326)
==26724== 
==26724== LEAK SUMMARY:
==26724==    definitely lost: 2,136 bytes in 3 blocks
==26724==    indirectly lost: 184,320 bytes in 1 blocks
==26724==      possibly lost: 0 bytes in 0 blocks
==26724==    still reachable: 128 bytes in 2 blocks
==26724==         suppressed: 0 bytes in 0 blocks
==26724== Reachable blocks (those to which a pointer was found) are not shown.
==26724== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==26724== 
==26724== For counts of detected and suppressed errors, rerun with: -v
==26724== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

schwehr commented 4 years ago

I will take a look to see if I can figure out what is going wrong. We don't have hdf4 enabled, so that is one possible reason it doesn't reproduce in other environments.

svniemeijer commented 4 years ago

Ah ok. That explains it. I was able to find the cause of the memory leak now. Fixed in fd19bcce24f45a3cd45c6abf38d5cd43fc8d5eb0

schwehr commented 4 years ago

Verified