[ovs-dev] [ovn] use-after-free bug in extend-table

Ben Pfaff blp at ovn.org
Sat Feb 8 21:56:36 UTC 2020


When I run the testsuite with Address Sanitizer, I get several failures
due to a use-after-free error in the extend-table code.  The simplest
one is test 29.  It can be simplified to just:

        echo 'ct_lb(192.168.1.2:80, 192.168.1.3:80);' | tests/ovstest test-ovn parse-actions

which produces the appended output when run under Address Sanitizer.

I tried to track this down but I got lost in the tangles of all the data
structures in extend-table.

-8<--------------------------cut here-------------------------->8--

ct_lb(192.168.1.2:80, 192.168.1.3:80);
    encodes as group:1
    uses group: id(1), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15]))
    has prereqs ip
=================================================================
==1989915==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000bf8 at pc 0x00000076228f bp 0x7ffc00cb83d0 sp 0x7ffc00cb83c0
WRITE of size 8 at 0x604000000bf8 thread T0
    #0 0x76228e in ovs_list_remove /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215
    #1 0x76228e in ovn_extend_table_info_destroy ../lib/extend-table.c:58
    #2 0x7631ba in ovn_extend_table_clear ../lib/extend-table.c:189
    #3 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196
    #4 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403
    #5 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #6 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
    #7 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
    #8 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #9 0x409305 in main ../tests/ovstest.c:133
    #10 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #11 0x40b15d in _start (/home/bpfaff/nicira/ovn/_build/tests/ovstest+0x40b15d)

0x604000000bf8 is located 40 bytes inside of 48-byte region [0x604000000bd0,0x604000000c00)
freed by thread T0 here:
    #0 0x7f9ff2b2085f in __interceptor_free (/lib64/libasan.so.5+0x10d85f)
    #1 0x763328 in ovn_extend_table_clear ../lib/extend-table.c:177
    #2 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196
    #3 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403
    #4 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #5 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
    #6 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
    #7 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #8 0x409305 in main ../tests/ovstest.c:133
    #9 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

previously allocated by thread T0 here:
    #0 0x7f9ff2b20c58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58)
    #1 0x51a1b4 in xmalloc ../lib/util.c:138
    #2 0x762959 in ovn_extend_table_add_desired_to_lflow ../lib/extend-table.c:107
    #3 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:150
    #4 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:138
    #5 0x7648d6 in ovn_extend_table_assign_id ../lib/extend-table.c:326
    #6 0x74384d in encode_CT_LB ../lib/actions.c:1085
    #7 0x74384d in ovnact_encode ../lib/actions.c:3400
    #8 0x74384d in ovnacts_encode ../lib/actions.c:3418
    #9 0x4104fc in test_parse_actions ../tests/test-ovn.c:1342
    #10 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #11 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
    #12 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
    #13 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
    #14 0x409305 in main ../tests/ovstest.c:133
    #15 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

SUMMARY: AddressSanitizer: heap-use-after-free /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215 in ovs_list_remove
Shadow bytes around the buggy address:
  0x0c087fff8120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8140: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8150: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8160: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x0c087fff8170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd[fd]
  0x0c087fff8180: fa fa fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c087fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1989915==ABORTING

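The shape of the report above (an 8-byte WRITE inside ovs_list_remove, landing 40 bytes into a 48-byte region that ovn_extend_table_clear had already freed, with the write reached through a later ovn_extend_table_info_destroy call from the same clear) is the signature of one memory-safety bug class: an object that sits on more than one intrusive list is freed while it is still linked into one of them, and unlinking a neighbour afterwards updates the freed node's prev/next pointers. The following is an added, constructed illustration of that class and of the fix, not OVN's code and not part of the original message; the two-list `entry` layout, the `stale` flag that picks the fast release path, and the quarantine pool that stands in for Address Sanitizer are all assumptions made for the example. The quarantine never hands memory back, so the defect is counted rather than executed as undefined behaviour.

```c
/* Constructed example (not OVN code): an entry linked into two intrusive
 * lists is freed while still on one of them; a later unlink of a neighbour
 * then writes into the freed entry.  A quarantine pool plays the role of
 * ASan: memory is only flagged, never reused, so the bug is counted. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list {
    struct list *prev, *next;
    bool freed;                 /* quarantine flag; never set on list heads */
};

#define CONTAINER_OF(PTR, TYPE, MEMBER) \
    ((TYPE *) ((char *) (PTR) - offsetof(TYPE, MEMBER)))

static int uaf_writes;          /* pointer writes that landed in freed memory */

static void list_init(struct list *head) {
    head->prev = head->next = head;
    head->freed = false;
}

static void list_push_back(struct list *head, struct list *e) {
    e->prev = head->prev;
    e->next = head;
    head->prev->next = e;
    head->prev = e;
}

/* Same shape as an ovs_list_remove(): the only writes go to the two
 * neighbours, which is why the sanitizer reports the fault there. */
static struct list *list_remove(struct list *e) {
    uaf_writes += e->prev->freed;   /* about to write e->prev->next */
    uaf_writes += e->next->freed;   /* about to write e->next->prev */
    e->prev->next = e->next;
    e->next->prev = e->prev;
    return e->next;
}

/* Hypothetical table entry that lives on two lists at once. */
struct entry {
    int id;
    bool stale;                 /* released by the fast path in table_clear() */
    struct list table_node;     /* membership in the table's list */
    struct list ref_node;       /* membership in a consumer's reference list */
};

/* Quarantine pool: entries are flagged on free, never reused or returned. */
static struct entry pool[16];
static size_t pool_used;

static struct entry *entry_new(int id, bool stale) {
    struct entry *e = &pool[pool_used++];
    e->id = id;
    e->stale = stale;
    e->table_node.freed = e->ref_node.freed = false;
    return e;
}

static void quarantine_free(struct entry *e) {
    e->table_node.freed = e->ref_node.freed = true;
}

/* Correct teardown: unlink from every list the entry is on, then free. */
static void entry_destroy(struct entry *e) {
    list_remove(&e->table_node);
    list_remove(&e->ref_node);
    quarantine_free(e);
}

/* Clear the table.  Stale entries take a fast path that, when
 * unlink_refs_on_fast_path is false, forgets ref_node: the bug. */
static void table_clear(struct list *table, bool unlink_refs_on_fast_path) {
    struct list *n = table->next;
    while (n != table) {
        struct entry *e = CONTAINER_OF(n, struct entry, table_node);
        n = n->next;                          /* safe iteration */
        if (e->stale) {
            list_remove(&e->table_node);
            if (unlink_refs_on_fast_path) {
                list_remove(&e->ref_node);    /* the fix */
            }
            quarantine_free(e);               /* still on refs when buggy */
        } else {
            entry_destroy(e);                 /* unlinks ref_node: neighbour writes */
        }
    }
}

/* Builds a three-entry table whose first entry is stale, clears it, and
 * returns how many pointer writes landed in freed memory. */
static int run_scenario(bool fixed) {
    struct list table, refs;
    pool_used = 0;
    uaf_writes = 0;
    list_init(&table);
    list_init(&refs);
    for (int i = 0; i < 3; i++) {
        struct entry *e = entry_new(i, i == 0);
        list_push_back(&table, &e->table_node);
        list_push_back(&refs, &e->ref_node);
    }
    table_clear(&table, fixed);
    return uaf_writes;
}

int main(void) {
    printf("buggy clear: %d writes into freed memory\n", run_scenario(false));
    printf("fixed clear: %d writes into freed memory\n", run_scenario(true));
    return 0;
}
```

With the buggy path the two later entry_destroy() calls each unlink a ref_node whose predecessor is the freed entry, so two pointer writes land in freed memory; with the fix the count is zero. The practical check this suggests for the real code is the one ASan already applied: a node must be removed from every list it belongs to before its memory is released, and a destroy path that unlinks a node is only safe while all of its neighbours are still live.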
