- Status Closed
- Percent Complete
- Task Type Bug Report
- Category Base system
- Assigned To No-one
- Operating System All
- Severity Critical
- Priority Very Low
- Reported Version Trunk
- Due in Version Undecided
- Due Date Undecided
- Private
Opened by Charlemagne Lasse - 17.05.2019
Last edited by Hans Dedecker - 23.05.2019
FS#2288 - uci memory corruption when setting section name
* Happens on every device
* Happens on every version tested (only tested from LEDE 17.01 up to 4c8b4d6efc8302b508d261573351fffb75bd98c2)
Prepare system:
<pre>
mkdir -p /etc/config
cat > /etc/config/foo << EOF
config general 'general'
	option very 'important'
EOF
uci set foo.bar='asd'
uci set foo.bar='asd'
</pre>
And then run it, either via valgrind:
<pre>
cmake -DCMAKE_INSTALL_PREFIX=/usr . && make
valgrind ./uci show
==2144== Memcheck, a memory error detector
==2144== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2144== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2144== Command: ./uci show
==2144==
foo.general=general
foo.general.very='important'
foo.bar=asd
==2144== Invalid read of size 8
==2144==    at 0x10A90C: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630a8 is 56 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A910: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630b0 is 64 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A91D: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630e8 is 24 bytes before a block of size 4 alloc'd
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x491BDB9: strdup (strdup.c:42)
==2144==    by 0x48499B4: uci_strdup (util.c:60)
==2144==    by 0x484663E: uci_alloc_generic (list.c:55)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==2144==
==2144==
==2144== Process terminating with default action of signal 11 (SIGSEGV)
==2144==  Access not within mapped region at address 0x18
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  If you believe this happened as a result of a stack
==2144==  overflow in your program's main thread (unlikely but
==2144==  possible), you can try to increase the size of the
==2144==  main thread stack using the --main-stacksize= flag.
==2144==  The main thread stack size used in this run was 8388608.
==2144==
==2144== HEAP SUMMARY:
==2144==     in use at exit: 961 bytes in 18 blocks
==2144==   total heap usage: 38 allocs, 20 frees, 45,212 bytes allocated
==2144==
==2144== LEAK SUMMARY:
==2144==    definitely lost: 0 bytes in 0 blocks
==2144==    indirectly lost: 0 bytes in 0 blocks
==2144==      possibly lost: 0 bytes in 0 blocks
==2144==    still reachable: 961 bytes in 18 blocks
==2144==         suppressed: 0 bytes in 0 blocks
==2144== Rerun with --leak-check=full to see details of leaked memory
==2144==
==2144== For counts of detected and suppressed errors, rerun with: -v
==2144== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
zsh: segmentation fault  sudo valgrind ./uci show
</pre>
Or with ASAN
<pre>
cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" && make
./uci show
foo.general=general
foo.general.very='important'
foo.bar=asd
==2908==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000288 at pc 0x5635c789848b bp 0x7ffd3393e680 sp 0x7ffd3393e678
READ of size 8 at 0x607000000288 thread T0
    #0 0x5635c789848a in uci_show_option /usr/src/uci/cli.c:239
    #1 0x5635c7898814 in uci_show_section /usr/src/uci/cli.c:256
    #2 0x5635c7899368 in uci_show_package /usr/src/uci/cli.c:268
    #3 0x5635c7899368 in package_cmd /usr/src/uci/cli.c:345
    #4 0x5635c789acb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #5 0x5635c789acb5 in uci_cmd /usr/src/uci/cli.c:674
    #6 0x5635c7897bc1 in main /usr/src/uci/cli.c:767
    #7 0x7f8f2f0bc09a in __libc_start_main ../csu/libc-start.c:308
    #8 0x5635c7897c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000288 is located 56 bytes inside of 76-byte region [0x607000000250,0x60700000029c)
freed by thread T0 here:
    #0 0x7f8f2ff27720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f8f2fddf5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f8f2ff27330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f8f2fddf56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/cli.c:239 in uci_show_option
Shadow bytes around the buggy address:
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff8030: 00 00 00 00 00 00 00 02 fa fa fa fa fd fd fd fd
  0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
=>0x0c0e7fff8050: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8060: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2908==ABORTING
</pre>
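Both traces above show the same shape of defect: the section block is realloc'd inside uci_set (list.c:717) while list links still reference its old address, and the next list walk in uci_show_option reads the freed block. The following is an added illustration, not uci's own code: a hypothetical section-like node (struct node, node_new, node_rename, list_ok are all assumed names) with an inline name string, an intrusive entry in its parent list and an embedded child-list head, showing every pointer that a bare realloc() leaves dangling and how a hardened rename re-targets them.

```c
#include <stdlib.h>
#include <string.h>
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Hypothetical section-like node (not uci's struct): an intrusive entry in
 * the parent list, an embedded head for its children, and the type name
 * stored inline, so renaming may have to realloc() and move the block. */
struct node { struct list_head list, children; char name[]; };

static struct node *node_new(struct list_head *parent, const char *name) {
    struct node *n = malloc(sizeof(*n) + strlen(name) + 1);
    if (!n) return NULL;
    strcpy(n->name, name);
    list_init(&n->children);
    list_add_tail(&n->list, parent);
    return n;
}

/* Hardened rename. The buggy pattern is realloc()+strcpy() and nothing else:
 * the neighbours' next/prev links, the first/last child's end links and, for
 * a childless node, its own self-referencing 'children' head all still point
 * into the block realloc() just freed, so the next list walk reads freed
 * memory. Every such pointer is re-targeted at the new block here. */
static struct node *node_rename(struct node *n, const char *name) {
    int had_children = (n->children.next != &n->children);
    struct node *m = realloc(n, sizeof(*n) + strlen(name) + 1);
    if (!m) return NULL;                    /* n stays valid on failure */
    strcpy(m->name, name);
    m->list.prev->next = &m->list;          /* parent-list neighbours */
    m->list.next->prev = &m->list;
    if (!had_children)
        list_init(&m->children);            /* re-point the empty head */
    else {
        m->children.next->prev = &m->children;
        m->children.prev->next = &m->children;
    }
    return m;
}

/* Integrity check: every link in the list must round-trip. 1 if sane. */
static int list_ok(const struct list_head *h) {
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (p->prev->next != p || p->next->prev != p) return 0;
    return h->prev->next == h && h->next->prev == h;
}
```

A node that also carries back-pointers from its children to itself (as uci options do to their section) needs those re-targeted in the same place.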
23.05.2019 19:57
Reason for closing: Fixed
Additional comments about closing:
Fixed in commit https://git.openwrt.org/?p=project/uci.git;a=commit;h=f199b961c2970b63cc83947ad49b327b3f48f05f
Current uci version 4c8b4d6efc8302b508d261573351fffb75bd98c2 fails its own testsuite due to memory corruptions:
For the LEDE 17.01 version:
Some of the shown problems might be related to #2288 but some of them seem to be caused by other things.
This problem was introduced by
The patchwork patch fixes the problem. But my valgrind patch was destroyed by your mailing list. I have attached the patch here again.
https://patchwork.ozlabs.org/patch/1101002/
The patch was removed from patchwork as it failed to apply; see http://lists.infradead.org/pipermail/openwrt-devel/2019-May/017159.html.
Please use git send-email to send patches to the mailing list; only patches sent to the mailing list will end up in patchwork and will be considered to be applied.