From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [dpdk-dev] [Bug 823] [asan] ipc: buffer overflow when running test-null.sh
Date: Tue, 05 Oct 2021 08:14:19 +0000 [thread overview]
Message-ID: <bug-823-3@http.bugs.dpdk.org/> (raw)
https://bugs.dpdk.org/show_bug.cgi?id=823
Bug ID: 823
Summary: [asan] ipc: buffer overflow when running test-null.sh
Product: DPDK
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: anatoly.burakov@intel.com
Reporter: david.marchand@redhat.com
CC: dev@dpdk.org
Target Milestone: ---
This issue was caught by ASAN.
Reproduced on a fc34 (ignoring the build warning on lib/pipeline that already
has a fix):
$ gcc --version
gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)
$ rpm -q libasan
libasan-11.2.1-1.fc34.x86_64
$ meson setup build-asan -Dbuildtype=debug -Db_sanitize=address
$ ninja-build -C build-asan -j4
ninja: Entering directory `build-asan'
[528/2988] Compiling C object
lib/librte_pipeline.a.p/pipeline_rte_swx_pipeline.c.o
../lib/pipeline/rte_swx_pipeline.c: In function ‘instr_meter_translate’:
../lib/pipeline/rte_swx_pipeline.c:4646:1: warning: control reaches end of
non-void function [-Wreturn-type]
4646 | }
| ^
../lib/pipeline/rte_swx_pipeline.c: In function ‘instr_translate’:
../lib/pipeline/rte_swx_pipeline.c:5941:1: warning: control reaches end of
non-void function [-Wreturn-type]
5941 | }
| ^
[2988/2988] Linking target app/test/dpdk-test
$ ./devtools/test-null.sh ./build-asan
...
==2780092==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7f83daafb480 at pc 0x7f83dff364fe bp 0x7f83daafb450 sp 0x7f83daafac00
WRITE of size 24 at 0x7f83daafb480 thread T16777215
#0 0x7f83dff364fd in __interceptor_sigaltstack.part.0
(/usr/lib64/libasan.so.6+0x524fd)
#1 0x7f83dffae74d in __sanitizer::UnsetAlternateSignalStack()
(/usr/lib64/libasan.so.6+0xca74d)
#2 0x7f83dff9ef2c in __asan::AsanThread::Destroy()
(/usr/lib64/libasan.so.6+0xbaf2c)
#3 0x7f83df610450 in __nptl_deallocate_tsd.part.0
(/usr/lib64/libpthread.so.0+0x8450)
#4 0x7f83df6112b9 in start_thread (/usr/lib64/libpthread.so.0+0x92b9)
#5 0x7f83df539352 in clone (/usr/lib64/libc.so.6+0x100352)
Address 0x7f83daafb480 is located in stack of thread T2 at offset 576 in frame
#0 0x10d9261 in mp_handle ../lib/eal/common/eal_common_proc.c:383
This frame has 2 object(s):
[32, 142) 'sa' (line 385)
[176, 540) 'msg' (line 384) <== Memory access at offset 576 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
#0 0x7f83dff3a8d6 in pthread_create (/usr/lib64/libasan.so.6+0x568d6)
#1 0x10bdba9 in rte_ctrl_thread_create
../lib/eal/common/eal_common_thread.c:228
#2 0x10da6cd in rte_mp_channel_init ../lib/eal/common/eal_common_proc.c:625
#3 0x10f18e5 in rte_eal_init ../lib/eal/linux/eal.c:1058
#4 0x754792 in main ../app/test-pmd/testpmd.c:3880
#5 0x7f83df460b74 in __libc_start_main (/usr/lib64/libc.so.6+0x27b74)
SUMMARY: AddressSanitizer: stack-buffer-overflow
(/usr/lib64/libasan.so.6+0x524fd) in __interceptor_sigaltstack.part.0
Shadow bytes around the buggy address:
0x0ff0fb557640: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x0ff0fb557650: 00 00 00 00 00 00 00 00 00 06 f2 f2 f2 f2 00 00
0x0ff0fb557660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb557670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb557680: 00 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3
=>0x0ff0fb557690:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb5576a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb5576b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb5576c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb5576d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff0fb5576e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2780092==ABORTING
--
You are receiving this mail because:
You are on the CC list for the bug.
reply other threads:[~2021-10-05 8:14 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-823-3@http.bugs.dpdk.org/ \
--to=bugzilla@dpdk.org \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.