From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [dpdk-dev] [Bug 867] [asan] mbuf: use-after-free in mbuf_autotest
Date: Fri, 29 Oct 2021 11:51:29 +0000 [thread overview]
Message-ID: <bug-867-3@http.bugs.dpdk.org/> (raw)
https://bugs.dpdk.org/show_bug.cgi?id=867
Bug ID: 867
Summary: [asan] mbuf: use-after-free in mbuf_autotest
Product: DPDK
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: david.marchand@redhat.com
Target Milestone: ---
Using series https://patchwork.dpdk.org/project/dpdk/list/?series=19821,
calling mbuf_autotest shows:
41/97 DPDK:fast-tests / mbuf_autotest FAIL 1.07 s (exit status 1)
--- command ---
DPDK_TEST='mbuf_autotest' /home/runner/work/dpdk/dpdk/build/app/test/dpdk-test
--file-prefix=mbuf_autotest
--- stdout ---
RTE>>mbuf_autotest
Test mbuf dynamic fields and flags
Reserved fields:
Reserved flags:
Free space in mbuf (0 = occupied, value = free zone alignment):
0000: 00 00 00 00 00 00 00 00
0008: 00 00 00 00 00 00 00 00
0010: 00 00 00 00 00 00 00 00
...
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d)
[0x7f94e6cf382d]]
11:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b)
[0x7f94e6cfb7ab]]
10:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468)
[0x7f94e6cf3468]]
9:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9)
[0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bfe72]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269)
[0x7f94e7b84089]]
3:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d)
[0x7f94e8fefd0d]]
2:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd)
[0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b)
[0x46728b]]
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d)
[0x7f94e6cf382d]]
11:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b)
[0x7f94e6cfb7ab]]
10:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468)
[0x7f94e6cf3468]]
9:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9)
[0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bff47]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269)
[0x7f94e7b84089]]
3:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d)
[0x7f94e8fefd0d]]
2:
[/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd)
[0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b)
[0x46728b]]
=================================================================
==26477==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f90d842a9d0
at pc 0x0000009b89a8 bp 0x7ffc2cfe8b50 sp 0x7ffc2cfe8b48
READ of size 2 at 0x7f90d842a9d0 thread T0
#0 0x9b89a7 in rte_mbuf_ext_refcnt_read
/home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9
#1 0x9b89a7 in test_pktmbuf_ext_shinfo_init_helper
/home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2409:6
#2 0x9b89a7 in test_mbuf
/home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2950:6
#3 0x4d7600 in cmd_autotest_parsed
/home/runner/work/dpdk/dpdk/build/../app/test/commands.c:71:10
#4 0x7f94e6cf65c8 in cmdline_parse
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:290:3
#5 0x7f94e6cf3467 in cmdline_valid_buffer
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:26:8
#6 0x7f94e6cfb7aa in rdline_char_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:446:5
#7 0x7f94e6cf382c in cmdline_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:148:9
#8 0x516ce1 in main
/home/runner/work/dpdk/dpdk/build/../app/test/test.c:214:8
#9 0x7f94e0223bf6 in __libc_start_main
/build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#10 0x42ff59 in _start
(/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x42ff59)
Address 0x7f90d842a9d0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-use-after-free
/home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9 in
rte_mbuf_ext_refcnt_read
Shadow bytes around the buggy address:
0x0ff29b07d4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff29b07d520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff29b07d530: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0ff29b07d540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff29b07d550: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 fa
0x0ff29b07d560: fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff29b07d570: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 00
0x0ff29b07d580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==26477==ABORTING
-------
--
You are receiving this mail because:
You are the assignee for the bug.
next reply other threads:[~2021-10-29 11:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-29 11:51 bugzilla [this message]
2021-11-04 10:20 ` [dpdk-dev] [Bug 867] [asan] mbuf: use-after-free in mbuf_autotest bugzilla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-867-3@http.bugs.dpdk.org/ \
--to=bugzilla@dpdk.org \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.