[ovs-dev] [ovn] use-after-free bug in extend-table
Ben Pfaff
blp at ovn.org
Sat Feb 8 21:56:36 UTC 2020
When I run the testsuite with Address Sanitizer, I get several failures
due to a use-after-free error in the extend-table code. The simplest
one is test 29. It can be simplified to just:
echo 'ct_lb(192.168.1.2:80, 192.168.1.3:80);' | tests/ovstest test-ovn parse-actions
which produces the appended output when run under Address Sanitizer.
I tried to track this down but I got lost in the tangles of all the data
structures in extend-table.
-8<--------------------------cut here-------------------------->8--
ct_lb(192.168.1.2:80, 192.168.1.3:80);
encodes as group:1
uses group: id(1), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15]))
has prereqs ip
=================================================================
==1989915==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000bf8 at pc 0x00000076228f bp 0x7ffc00cb83d0 sp 0x7ffc00cb83c0
WRITE of size 8 at 0x604000000bf8 thread T0
#0 0x76228e in ovs_list_remove /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215
#1 0x76228e in ovn_extend_table_info_destroy ../lib/extend-table.c:58
#2 0x7631ba in ovn_extend_table_clear ../lib/extend-table.c:189
#3 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196
#4 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403
#5 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#6 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
#7 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
#8 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#9 0x409305 in main ../tests/ovstest.c:133
#10 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#11 0x40b15d in _start (/home/bpfaff/nicira/ovn/_build/tests/ovstest+0x40b15d)
0x604000000bf8 is located 40 bytes inside of 48-byte region [0x604000000bd0,0x604000000c00)
freed by thread T0 here:
#0 0x7f9ff2b2085f in __interceptor_free (/lib64/libasan.so.5+0x10d85f)
#1 0x763328 in ovn_extend_table_clear ../lib/extend-table.c:177
#2 0x7634b3 in ovn_extend_table_destroy ../lib/extend-table.c:196
#3 0x410cbb in test_parse_actions ../tests/test-ovn.c:1403
#4 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#5 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
#6 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
#7 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#8 0x409305 in main ../tests/ovstest.c:133
#9 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
previously allocated by thread T0 here:
#0 0x7f9ff2b20c58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58)
#1 0x51a1b4 in xmalloc ../lib/util.c:138
#2 0x762959 in ovn_extend_table_add_desired_to_lflow ../lib/extend-table.c:107
#3 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:150
#4 0x762959 in ovn_extend_info_add_lflow_ref ../lib/extend-table.c:138
#5 0x7648d6 in ovn_extend_table_assign_id ../lib/extend-table.c:326
#6 0x74384d in encode_CT_LB ../lib/actions.c:1085
#7 0x74384d in ovnact_encode ../lib/actions.c:3400
#8 0x74384d in ovnacts_encode ../lib/actions.c:3418
#9 0x4104fc in test_parse_actions ../tests/test-ovn.c:1342
#10 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#11 0x40c375 in test_ovn_main ../tests/test-ovn.c:1623
#12 0x40c375 in ovstest_wrapper_test_ovn_main__ ../tests/test-ovn.c:1626
#13 0x4244b3 in ovs_cmdl_run_command__ ../lib/command-line.c:247
#14 0x409305 in main ../tests/ovstest.c:133
#15 0x7f9ff223e1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
SUMMARY: AddressSanitizer: heap-use-after-free /home/bpfaff/nicira/ovs/include/openvswitch/list.h:215 in ovs_list_remove
==1989915==ABORTING
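The trace above shows the entry being freed inside ovn_extend_table_clear and then written to by ovs_list_remove from ovn_extend_table_info_destroy. One pattern that produces exactly that signature is an object linked into two intrusive lists at once, where teardown frees it via one list and later unlinks it via the other. The following is an added, self-contained C illustration of that pattern and its fix; it is not code from the report or from OVN, and the list primitives, struct entry and struct table are hypothetical stand-ins with ovs_list-style semantics.

```c
#include <stdlib.h>
/* Minimal intrusive doubly linked list with ovs_list semantics (constructed). */
struct list_node { struct list_node *prev, *next; };
void list_init(struct list_node *l) { l->prev = l->next = l; }
void list_push_back(struct list_node *l, struct list_node *n) {
    n->next = l; n->prev = l->prev; l->prev->next = n; l->prev = n;
}
/* Writes through n->prev and n->next, so n itself must still be live memory. */
void list_remove(struct list_node *n) { n->prev->next = n->next; n->next->prev = n->prev; }
int list_is_empty(const struct list_node *l) { return l->next == l; }

/* Hypothetical entry linked into two lists at once, like an extend-table info
 * that is both in the table and referenced from a logical flow.  by_table is
 * the first member, so a node taken from that list casts straight to the entry. */
struct entry { struct list_node by_table, by_lflow; };
struct table { struct list_node entries, lflow_refs; };
void table_init(struct table *t) { list_init(&t->entries); list_init(&t->lflow_refs); }
void table_add(struct table *t) {
    struct entry *e = malloc(sizeof *e);
    list_push_back(&t->entries, &e->by_table);
    list_push_back(&t->lflow_refs, &e->by_lflow);
}

/* BUGGY teardown: frees every entry via one list, then unlinks the stale nodes
 * still on the other list, so list_remove() writes into freed memory (UAF). */
void table_clear_buggy(struct table *t) {
    while (!list_is_empty(&t->entries)) {
        struct entry *e = (struct entry *) t->entries.next;
        list_remove(&e->by_table);
        free(e);
    }
    while (!list_is_empty(&t->lflow_refs)) list_remove(t->lflow_refs.next); /* UAF */
}

/* FIXED teardown: unlink the entry from every list it is on, then free it. */
int table_clear(struct table *t) {
    int freed = 0;
    while (!list_is_empty(&t->entries)) {
        struct entry *e = (struct entry *) t->entries.next;
        list_remove(&e->by_table);
        list_remove(&e->by_lflow);
        free(e); freed++;
    }
    return freed;
}

/* Adds three entries and clears safely; returns 1 if three were freed and
 * both lists end up empty, 0 otherwise. */
int demo_safe_clear(void) {
    struct table t; table_init(&t);
    for (int i = 0; i < 3; i++) table_add(&t);
    return table_clear(&t) == 3 && list_is_empty(&t.entries) && list_is_empty(&t.lflow_refs);
}
```

Building this with -fsanitize=address and calling table_clear_buggy() instead reports heap-use-after-free with the write attributed to list_remove, which is the shape of the report above; table_clear() runs clean.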