Closed xcainiao closed 4 months ago
The leaks come from libasan.so.2, according to the trace you provided.
On Monday, 16 April 2018, 8:51 am +0000, xcainiao notifications@github.com wrote:
./flex ../../poc/flex_memory_leaks_in_xstrdup
git log
commit 60b578fdaab4bf8d95203caaa947b476eeb03c10 Author: Simon Sobisch <simonsobisch@web.de> Date: Fri Mar 16 21:53:48 2018 +0100 doc: describe mailing list usage in more detail
compile
./configure CC="gcc" CXX="g++" CFLAGS="-g -fsanitize=address" make
error
==110424==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dd2 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Direct leak of 1 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dc3 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: 3 byte(s) leaked in 2 allocation(s). ================================================================= ==110422==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dd2 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Direct leak of 1 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dc3 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: 3 byte(s) leaked in 2 allocation(s). ================================================================= ==110421==ERROR: LeakSanitizer: detected memory leaks Direct leak of 2 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dd2 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Direct leak of 1 byte(s) in 1 object(s) allocated from: #0 0x7f320858230f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x6230f) #1 0x420712 in xstrdup /home/fuzz/github/flex_o/src/misc.c:231 #2 0x435dc3 in ndinstal /home/fuzz/github/flex_o/src/sym.c:180 #3 0x441ee7 in flexscan scan.l:342 #4 0x43d4c0 in yylex /home/fuzz/github/flex_o/src/yylex.c:51 #5 0x427ca7 in yyparse /home/fuzz/github/flex_o/src/parse.c:1405 #6 0x41edea in readin /home/fuzz/github/flex_o/src/main.c:1490 #7 0x41af93 in flex_main /home/fuzz/github/flex_o/src/main.c:170 #8 0x41b282 in main /home/fuzz/github/flex_o/src/main.c:209 #9 0x7f3207e6d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) SUMMARY: AddressSanitizer: 3 byte(s) leaked in 2 allocation(s).
testcase https://github.com/xcainiao/poc/blob/master/flex_memory_leaks_in_xstrdup
-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/westes/flex/issues/340
-- Will Estes westes575@gmail.com
No, this because dont free(s2)
before program exit.
(s2 = strdup(s))
Then please submit a pull request.
On Monday, 16 April 2018, 12:52 pm +0000, xcainiao notifications@github.com wrote:
No, this because dont
free(s2)
before program exit.-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/westes/flex/issues/340#issuecomment-381588550
-- Will Estes westes575@gmail.com
@xcainiao The report only says leaking 1 or 2 bytes, which makes me suspicious. How did you test for such a small leak? BTW, I did find a leak could happen in ndinstal() if the addsym() function it calls returns non-zero.
I found this by fuzzer. Maybe same leaks as below code.
gcc -o strdupxx strdupxx.c -g -fsanitize=address -lm -ldl -lpthread
#include <stdio.h>
void main()
{
char *p1 = "m";
char *p2;
p2 = strdup(p1);
//free(p2);
}
output
==20348==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 2 byte(s) in 1 object(s) allocated from:
#0 0x45daaf in __interceptor_strdup (/home/c/strdupxx+0x45daaf)
#1 0x4ac089 in main /home/c/strdupxx.c:6
#2 0x7fb8013fb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: 2 byte(s) leaked in 1 allocation(s).
@xcainiao I don't need your sample demonstration about strdup() leaking -- I knew what it is. What I was asking is how did you make the leak in Flex specifically? Not everyone will compile flex with AddressSanitizer, and I would be happy if can constantly test for it, in Travis CI or other build servers, so we can avoid similar problems in the future (a large portion of flex code has not been written with neat style or robustness, and I bet you can find more leaks in other places in flex).
@Explorer09
Thank you for your explanation.
I found this use LibFuzzer
.
You can get it from http://llvm.org/docs/LibFuzzer.html.
My simple LibFuzzer test code:
#define filename "./test.poc"
//int main ()
int LLVMFuzzerTestOneInput(char *data, int size)
{
int argc = 2;
char *argv[2];
FILE* temfile = fopen(filename,"w");
fwrite(data, 1, size, temfile);
fclose(temfile);
argv[0] = "./flex";
argv[1] = "./test.poc";
#if defined(ENABLE_NLS) && ENABLE_NLS
#if HAVE_LOCALE_H
setlocale (LC_MESSAGES, "");
setlocale (LC_CTYPE, "");
textdomain (PACKAGE);
bindtextdomain (PACKAGE, LOCALEDIR);
#endif
#endif
return flex_main (argc, argv);
}
./flex ./flex_memory_leaks_in_xstrdup
git log
compile
error
testcase https://github.com/xcainiao/poc/blob/master/flex_memory_leaks_in_xstrdup