DPDK patches and discussions
 help / color / mirror / Atom feed
From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [dpdk-dev] [Bug 823] [asan] ipc: buffer overflow when running test-null.sh
Date: Tue, 05 Oct 2021 08:14:19 +0000	[thread overview]
Message-ID: <bug-823-3@http.bugs.dpdk.org/> (raw)

https://bugs.dpdk.org/show_bug.cgi?id=823

            Bug ID: 823
           Summary: [asan] ipc: buffer overflow when running test-null.sh
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: anatoly.burakov@intel.com
          Reporter: david.marchand@redhat.com
                CC: dev@dpdk.org
  Target Milestone: ---

This issue was caught by ASAN.

Reproduced on a fc34 (ignoring the build warning on lib/pipeline that already
has a fix):
$ gcc --version
gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)
$ rpm -q libasan
libasan-11.2.1-1.fc34.x86_64

$ meson setup build-asan -Dbuildtype=debug -Db_sanitize=address
$ ninja-build -C build-asan -j4
ninja: Entering directory `build-asan'
[528/2988] Compiling C object
lib/librte_pipeline.a.p/pipeline_rte_swx_pipeline.c.o
../lib/pipeline/rte_swx_pipeline.c: In function ‘instr_meter_translate’:
../lib/pipeline/rte_swx_pipeline.c:4646:1: warning: control reaches end of
non-void function [-Wreturn-type]
 4646 | }
      | ^
../lib/pipeline/rte_swx_pipeline.c: In function ‘instr_translate’:
../lib/pipeline/rte_swx_pipeline.c:5941:1: warning: control reaches end of
non-void function [-Wreturn-type]
 5941 | }
      | ^
[2988/2988] Linking target app/test/dpdk-test

$ ./devtools/test-null.sh ./build-asan
...
==2780092==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7f83daafb480 at pc 0x7f83dff364fe bp 0x7f83daafb450 sp 0x7f83daafac00
WRITE of size 24 at 0x7f83daafb480 thread T16777215
    #0 0x7f83dff364fd in __interceptor_sigaltstack.part.0
(/usr/lib64/libasan.so.6+0x524fd)
    #1 0x7f83dffae74d in __sanitizer::UnsetAlternateSignalStack()
(/usr/lib64/libasan.so.6+0xca74d)
    #2 0x7f83dff9ef2c in __asan::AsanThread::Destroy()
(/usr/lib64/libasan.so.6+0xbaf2c)
    #3 0x7f83df610450 in __nptl_deallocate_tsd.part.0
(/usr/lib64/libpthread.so.0+0x8450)
    #4 0x7f83df6112b9 in start_thread (/usr/lib64/libpthread.so.0+0x92b9)
    #5 0x7f83df539352 in clone (/usr/lib64/libc.so.6+0x100352)

Address 0x7f83daafb480 is located in stack of thread T2 at offset 576 in frame
    #0 0x10d9261 in mp_handle ../lib/eal/common/eal_common_proc.c:383

  This frame has 2 object(s):
    [32, 142) 'sa' (line 385)
    [176, 540) 'msg' (line 384) <== Memory access at offset 576 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
    #0 0x7f83dff3a8d6 in pthread_create (/usr/lib64/libasan.so.6+0x568d6)
    #1 0x10bdba9 in rte_ctrl_thread_create
../lib/eal/common/eal_common_thread.c:228
    #2 0x10da6cd in rte_mp_channel_init ../lib/eal/common/eal_common_proc.c:625
    #3 0x10f18e5 in rte_eal_init ../lib/eal/linux/eal.c:1058
    #4 0x754792 in main ../app/test-pmd/testpmd.c:3880
    #5 0x7f83df460b74 in __libc_start_main (/usr/lib64/libc.so.6+0x27b74)

SUMMARY: AddressSanitizer: stack-buffer-overflow
(/usr/lib64/libasan.so.6+0x524fd) in __interceptor_sigaltstack.part.0
Shadow bytes around the buggy address:
  0x0ff0fb557640: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x0ff0fb557650: 00 00 00 00 00 00 00 00 00 06 f2 f2 f2 f2 00 00
  0x0ff0fb557660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb557670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb557680: 00 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3
=>0x0ff0fb557690:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb5576a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb5576b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb5576c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb5576d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff0fb5576e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2780092==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

                 reply	other threads:[~2021-10-05  8:14 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-823-3@http.bugs.dpdk.org/ \
    --to=bugzilla@dpdk.org \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).