OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Charlemagne Lasse - 17.05.2019
Last edited by Hans Dedecker - 23.05.2019

FS#2288 - uci memory corruption when setting section name

* Happens on every device
* Happens on every version tested (only tested since LEDE 17.01 till 4c8b4d6efc8302b508d261573351fffb75bd98c2)

Prepare system:

mkdir -p /etc/config
cat > /etc/config/foo << EOF
config general 'general'
    option very 'important'
EOF
uci set foo.bar='asd'
uci set foo.bar='asd'

And then run it either via valgrind

cmake -DCMAKE_INSTALL_PREFIX=/usr . && make
valgrind ./uci show
==2144== Memcheck, a memory error detector
==2144== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2144== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2144== Command: ./uci show
==2144== 
foo.general=general
foo.general.very='important'
foo.bar=asd
==2144== Invalid read of size 8
==2144==    at 0x10A90C: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630a8 is 56 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144== 
==2144== Invalid read of size 8
==2144==    at 0x10A910: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630b0 is 64 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144== 
==2144== Invalid read of size 8
==2144==    at 0x10A91D: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630e8 is 24 bytes before a block of size 4 alloc'd
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x491BDB9: strdup (strdup.c:42)
==2144==    by 0x48499B4: uci_strdup (util.c:60)
==2144==    by 0x484663E: uci_alloc_generic (list.c:55)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144== 
==2144== Invalid read of size 8
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==2144== 
==2144== 
==2144== Process terminating with default action of signal 11 (SIGSEGV)
==2144==  Access not within mapped region at address 0x18
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  If you believe this happened as a result of a stack
==2144==  overflow in your program's main thread (unlikely but
==2144==  possible), you can try to increase the size of the
==2144==  main thread stack using the --main-stacksize= flag.
==2144==  The main thread stack size used in this run was 8388608.
==2144== 
==2144== HEAP SUMMARY:
==2144==     in use at exit: 961 bytes in 18 blocks
==2144==   total heap usage: 38 allocs, 20 frees, 45,212 bytes allocated
==2144== 
==2144== LEAK SUMMARY:
==2144==    definitely lost: 0 bytes in 0 blocks
==2144==    indirectly lost: 0 bytes in 0 blocks
==2144==      possibly lost: 0 bytes in 0 blocks
==2144==    still reachable: 961 bytes in 18 blocks
==2144==         suppressed: 0 bytes in 0 blocks
==2144== Rerun with --leak-check=full to see details of leaked memory
==2144== 
==2144== For counts of detected and suppressed errors, rerun with: -v
==2144== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
zsh: segmentation fault  sudo valgrind ./uci show

Or with ASAN

<pre>
cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
./uci show
foo.general=general
foo.general.very='important'
foo.bar=asd

==2908==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000288 at pc 0x5635c789848b bp 0x7ffd3393e680 sp 0x7ffd3393e678
READ of size 8 at 0x607000000288 thread T0

  #0 0x5635c789848a in uci_show_option /usr/src/uci/cli.c:239
  #1 0x5635c7898814 in uci_show_section /usr/src/uci/cli.c:256
  #2 0x5635c7899368 in uci_show_package /usr/src/uci/cli.c:268
  #3 0x5635c7899368 in package_cmd /usr/src/uci/cli.c:345
  #4 0x5635c789acb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
  #5 0x5635c789acb5 in uci_cmd /usr/src/uci/cli.c:674
  #6 0x5635c7897bc1 in main /usr/src/uci/cli.c:767
  #7 0x7f8f2f0bc09a in __libc_start_main ../csu/libc-start.c:308
  #8 0x5635c7897c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000288 is located 56 bytes inside of 76-byte region [0x607000000250,0x60700000029c)
freed by thread T0 here:

  #0 0x7f8f2ff27720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
  #1 0x7f8f2fddf5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:

  #0 0x7f8f2ff27330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
  #1 0x7f8f2fddf56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/cli.c:239 in uci_show_option
Shadow bytes around the buggy address:

0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
0x0c0e7fff8030: 00 00 00 00 00 00 00 02 fa fa fa fa fd fd fd fd
0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
=>0x0c0e7fff8050: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff8060: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable:           00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb

==2908==ABORTING
</pre>
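
The traces above show a block allocated in uci_alloc_section, released by the realloc in uci_set, and then reached again through list pointers. The following C program is an added illustration, not code from uci or from this report: it models that hazard with hypothetical types (`struct section`, `stale_after_move`) and an explicit malloc/memcpy/free standing in for a realloc that moves the block, and it counts the list pointers still aimed at the old block under three levels of fix-up.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; these are not uci's structures. */
struct list_head { struct list_head *next, *prev; };

struct section {
    struct list_head node;     /* membership in the package's section list */
    struct list_head options;  /* embedded head of this section's option list */
    char type[];               /* stored inline, so a new value means a resize */
};

enum fix { FIX_NONE, FIX_NODE, FIX_ALL };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *head, struct list_head *n)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

static int list_len(const struct list_head *head)
{
    int n = 0;
    for (const struct list_head *p = head->next; p != head; p = p->next) n++;
    return n;
}

static struct section *section_new(const char *type)
{
    struct section *s = malloc(sizeof(*s) + strlen(type) + 1);
    if (!s) abort();
    list_init(&s->node); list_init(&s->options); strcpy(s->type, type);
    return s;
}

/* Does p point into the block [blk, blk + size)? Compared as integers. */
static int in_block(const void *p, const void *blk, size_t size)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)blk;
    return a >= lo && a < lo + size;
}

/* After a move, make the neighbours point at the node's new address. */
static void relink_node(struct list_head *n) { n->prev->next = n; n->next->prev = n; }

/* An embedded list head needs the same care; an empty one points at itself. */
static void relink_head(struct list_head *h, const struct list_head *old_h)
{
    if (h->next == old_h) list_init(h);
    else relink_node(h);
}

/* Move the second section to a new block, apply the requested fix-up, and
 * return how many list pointers still aim into the old block. The check runs
 * while the old block is still allocated, so nothing freed is dereferenced. */
static int stale_after_move(enum fix how, int *len_out)
{
    struct list_head pkg;
    list_init(&pkg);
    struct section *a = section_new("general"), *old = section_new("asd");
    list_add_tail(&pkg, &a->node);
    list_add_tail(&pkg, &old->node);

    size_t size = sizeof(*old) + strlen(old->type) + 1;
    struct section *s = malloc(size);       /* what a moving realloc does */
    if (!s) abort();
    memcpy(s, old, size);

    if (how >= FIX_NODE) relink_node(&s->node);
    if (how == FIX_ALL)  relink_head(&s->options, &old->options);

    int stale = in_block(s->node.prev->next, old, size)   /* predecessor's link */
              + in_block(s->node.next->prev, old, size)   /* successor's link */
              + in_block(s->options.next, old, size)      /* copied head, forward */
              + in_block(s->options.prev, old, size);     /* copied head, backward */

    /* Complete the repair so the teardown below is safe in every mode. */
    relink_node(&s->node);
    relink_head(&s->options, &old->options);
    free(old);
    *len_out = list_len(&pkg);
    free(a); free(s);
    return stale;
}

int main(void)
{
    const char *name[] = { "no fix-up", "node only", "node + embedded head" };
    for (int how = FIX_NONE; how <= FIX_ALL; how++) {
        int len, stale = stale_after_move((enum fix)how, &len);
        printf("%-22s stale pointers: %d, sections after repair: %d\n",
               name[how], stale, len);
    }
    return 0;
}
```

Any pointer counted as stale here is one that a later traversal or unlink would follow into freed memory, which is the access pattern Valgrind and ASan report above.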

Closed by  Hans Dedecker
23.05.2019 19:57
Reason for closing:  Fixed
Additional comments about closing:  

Fixed in commit https://git.openwrt.org/?p=project/uci.git;a=commit;h=f199b961c2970b63cc83947ad49b327b3f48f05f

Charlemagne Lasse commented on 17.05.2019 09:26

Current uci version 4c8b4d6efc8302b508d261573351fffb75bd98c2 fails its own testsuite due to memory corruptions:

cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==4803==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f46c3befaa8 bp 0x7ffc90bb9790 sp 0x7ffc90bb9788
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f46c3befaa7 in uci_list_del /usr/src/uci/uci_internal.h:116
    #1 0x7f46c3befaa7 in uci_free_element /usr/src/uci/list.c:74
    #2 0x7f46c3befe7e in uci_free_section /usr/src/uci/list.c:214
    #3 0x7f46c3bf0374 in uci_free_package /usr/src/uci/list.c:246
    #4 0x7f46c3bf300e in uci_free_context /usr/src/uci/libuci.c:84
    #5 0x55cbf8befc11 in main /usr/src/uci/cli.c:774
    #6 0x7f46c2ee009a in __libc_start_main ../csu/libc-start.c:308
    #7 0x55cbf8befc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f46c3d4b720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f46c3c035dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f46c3d4b330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f46c3c0356e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4803==ABORTING
=================================================================
==4804==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f958d30baa8 bp 0x7ffc1e2249a0 sp 0x7ffc1e224998
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f958d30baa7 in uci_list_del /usr/src/uci/uci_internal.h:116
    #1 0x7f958d30baa7 in uci_free_element /usr/src/uci/list.c:74
    #2 0x7f958d30be7e in uci_free_section /usr/src/uci/list.c:214
    #3 0x7f958d30c374 in uci_free_package /usr/src/uci/list.c:246
    #4 0x7f958d30f00e in uci_free_context /usr/src/uci/libuci.c:84
    #5 0x55ddb752fc11 in main /usr/src/uci/cli.c:774
    #6 0x7f958c5fc09a in __libc_start_main ../csu/libc-start.c:308
    #7 0x55ddb752fc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f958d467720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f958d31f5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f958d467330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f958d31f56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4804==ABORTING
=================================================================
==4809==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7fc0485e3aa8 bp 0x7ffe4c149460 sp 0x7ffe4c149458
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7fc0485e3aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
    #1 0x7fc0485e3aa7 in uci_free_element /usr/src/uci/list.c:74
    #2 0x7fc0485e3e7e in uci_free_section /usr/src/uci/list.c:214
    #3 0x7fc0485e4374 in uci_free_package /usr/src/uci/list.c:246
    #4 0x7fc0485e6247 in uci_unload /usr/src/uci/list.c:739
    #5 0x557362dbc42a in package_cmd /usr/src/uci/cli.c:364
    #6 0x557362dbdcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #7 0x557362dbdcb5 in uci_cmd /usr/src/uci/cli.c:674
    #8 0x557362dbabc1 in main /usr/src/uci/cli.c:767
    #9 0x7fc0478d409a in __libc_start_main ../csu/libc-start.c:308
    #10 0x557362dbac69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7fc04873f720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7fc0485f75dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7fc04873f330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7fc0485f756e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4809==ABORTING
ASSERT:
ASSERT:expected:<delta.sec0='sectype'
delta.sec0.li0+='0'
delta.sec0='sectype'
delta.sec0.li0+='1'> but was:<>
=================================================================
==4815==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000228 at pc 0x7f732debbf18 bp 0x7fff452db0f0 sp 0x7fff452db0e8
READ of size 4 at 0x607000000228 thread T0
    #0 0x7f732debbf17 in uci_export_package /usr/src/uci/file.c:611
    #1 0x7f732debfa6f in uci_export /usr/src/uci/file.c:639
    #2 0x558c0b7a4d40 in package_cmd /usr/src/uci/cli.c:333
    #3 0x558c0b7a6cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #4 0x558c0b7a6cb5 in uci_cmd /usr/src/uci/cli.c:674
    #5 0x558c0b7a3bc1 in main /usr/src/uci/cli.c:767
    #6 0x7f732d1a009a in __libc_start_main ../csu/libc-start.c:308
    #7 0x558c0b7a3c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000228 is located 72 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f732e00b720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f732dec35dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f732e00b330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f732dec356e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/file.c:611 in uci_export_package
==4815==ABORTING
ASSERT:
ASSERT:expected:<package delta

config sectype 'sec0'
        list li0 '0'
        list li0 '1'> but was:<>
=================================================================
==4822==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f7e03b29aa8 bp 0x7ffd43cac9b0 sp 0x7ffd43cac9a8
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f7e03b29aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
    #1 0x7f7e03b29aa7 in uci_free_element /usr/src/uci/list.c:74
    #2 0x7f7e03b29e7e in uci_free_section /usr/src/uci/list.c:214
    #3 0x7f7e03b2a374 in uci_free_package /usr/src/uci/list.c:246
    #4 0x7f7e03b2c247 in uci_unload /usr/src/uci/list.c:739
    #5 0x5601e701e42a in package_cmd /usr/src/uci/cli.c:364
    #6 0x5601e701fcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #7 0x5601e701fcb5 in uci_cmd /usr/src/uci/cli.c:674
    #8 0x5601e701cbc1 in main /usr/src/uci/cli.c:767
    #9 0x7f7e02e1a09a in __libc_start_main ../csu/libc-start.c:308
    #10 0x5601e701cc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f7e03c85720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f7e03b3d5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f7e03c85330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f7e03b3d56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4822==ABORTING
ASSERT:
=================================================================
==4829==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f0b2e338aa8 bp 0x7ffcc0cd2590 sp 0x7ffcc0cd2588
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f0b2e338aa7 in uci_list_del /usr/src/uci/uci_internal.h:116
    #1 0x7f0b2e338aa7 in uci_free_element /usr/src/uci/list.c:74
    #2 0x7f0b2e338e7e in uci_free_section /usr/src/uci/list.c:214
    #3 0x7f0b2e339374 in uci_free_package /usr/src/uci/list.c:246
    #4 0x7f0b2e34b2cc in uci_file_commit /usr/src/uci/file.c:756
    #5 0x7f0b2e33d199 in uci_commit /usr/src/uci/libuci.c:206
    #6 0x5614d5f24ce1 in package_cmd /usr/src/uci/cli.c:327
    #7 0x5614d5f26cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #8 0x5614d5f26cb5 in uci_cmd /usr/src/uci/cli.c:674
    #9 0x5614d5f23bc1 in main /usr/src/uci/cli.c:767
    #10 0x7f0b2d62909a in __libc_start_main ../csu/libc-start.c:308
    #11 0x5614d5f23c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f0b2e494720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f0b2e34c5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f0b2e494330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f0b2e34c56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:116 in uci_list_del
==4829==ABORTING
ASSERT:
Files ./references/cli.options.delta.commit.result and ./tests/config/delta differ
ASSERT:
REF:

config sectype 'sec0'
        list li0 '1'
        list li0 '0'

----
TEST:
----
test_changes_tailing_parts
test_changes_missing_value

#
# Test report
#
tests passed:   105  94%
tests failed:     7   6%
tests skipped:    0   0%
tests total:    112 100%

For the LEDE 17.01 version:

cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==6986==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f2f158c7aa8 bp 0x7ffd548bf4d0 sp 0x7ffd548bf4c8
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f2f158c7aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
    #1 0x7f2f158c7aa7 in uci_free_element /usr/src/uci/list.c:71
    #2 0x7f2f158c7e7e in uci_free_section /usr/src/uci/list.c:211
    #3 0x7f2f158c884b in uci_free_package /usr/src/uci/list.c:243
    #4 0x7f2f158cafbb in uci_free_context /usr/src/uci/libuci.c:84
    #5 0x55976de7dc11 in main /usr/src/uci/cli.c:774
    #6 0x7f2f14bb809a in __libc_start_main ../csu/libc-start.c:308
    #7 0x55976de7dc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f2f15a23720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f2f158db6db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f2f15a23330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f2f158db66d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
Shadow bytes around the buggy address:
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa 00 00
  0x0c0e7fff8030: 00 00 00 00 00 00 05 fa fa fa fa fa fd fd fd fd
=>0x0c0e7fff8040:[fd]fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff8050: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8060: 00 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6986==ABORTING
=================================================================
==6987==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f04c082baa8 bp 0x7ffd3b1bbd40 sp 0x7ffd3b1bbd38
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f04c082baa7 in uci_list_del /usr/src/uci/uci_internal.h:117
    #1 0x7f04c082baa7 in uci_free_element /usr/src/uci/list.c:71
    #2 0x7f04c082be7e in uci_free_section /usr/src/uci/list.c:211
    #3 0x7f04c082c84b in uci_free_package /usr/src/uci/list.c:243
    #4 0x7f04c082efbb in uci_free_context /usr/src/uci/libuci.c:84
    #5 0x564d3a995c11 in main /usr/src/uci/cli.c:774
    #6 0x7f04bfb1c09a in __libc_start_main ../csu/libc-start.c:308
    #7 0x564d3a995c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f04c0987720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f04c083f6db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f04c0987330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f04c083f66d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==6987==ABORTING
=================================================================
==6992==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f7e1b765aa8 bp 0x7ffe56967ab0 sp 0x7ffe56967aa8
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f7e1b765aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
    #1 0x7f7e1b765aa7 in uci_free_element /usr/src/uci/list.c:71
    #2 0x7f7e1b765e7e in uci_free_section /usr/src/uci/list.c:211
    #3 0x7f7e1b76684b in uci_free_package /usr/src/uci/list.c:243
    #4 0x7f7e1b7681f4 in uci_unload /usr/src/uci/list.c:730
    #5 0x56086295d42a in package_cmd /usr/src/uci/cli.c:364
    #6 0x56086295ecb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #7 0x56086295ecb5 in uci_cmd /usr/src/uci/cli.c:674
    #8 0x56086295bbc1 in main /usr/src/uci/cli.c:767
    #9 0x7f7e1aa5609a in __libc_start_main ../csu/libc-start.c:308
    #10 0x56086295bc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f7e1b8c1720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f7e1b7796db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f7e1b8c1330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f7e1b77966d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==6992==ABORTING
ASSERT:
ASSERT:expected:<delta.sec0='sectype'
delta.sec0.li0+='0'
delta.sec0='sectype'
delta.sec0.li0+='1'> but was:<>
=================================================================
==6998==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000228 at pc 0x7f0147730eff bp 0x7ffc373bee30 sp 0x7ffc373bee28
READ of size 4 at 0x607000000228 thread T0
    #0 0x7f0147730efe in uci_export_package /usr/src/uci/file.c:614
    #1 0x7f0147734a43 in uci_export /usr/src/uci/file.c:642
    #2 0x55af8e3eed40 in package_cmd /usr/src/uci/cli.c:333
    #3 0x55af8e3f0cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #4 0x55af8e3f0cb5 in uci_cmd /usr/src/uci/cli.c:674
    #5 0x55af8e3edbc1 in main /usr/src/uci/cli.c:767
    #6 0x7f0146a1509a in __libc_start_main ../csu/libc-start.c:308
    #7 0x55af8e3edc69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000228 is located 72 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f0147880720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f01477386db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f0147880330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f014773866d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/file.c:614 in uci_export_package
==6998==ABORTING
ASSERT:
ASSERT:expected:<package delta

config sectype 'sec0'
        list li0 '0'
        list li0 '1'> but was:<>
=================================================================
==7009==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7faec5bf2aa8 bp 0x7ffd13eaa6a0 sp 0x7ffd13eaa698
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7faec5bf2aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
    #1 0x7faec5bf2aa7 in uci_free_element /usr/src/uci/list.c:71
    #2 0x7faec5bf2e7e in uci_free_section /usr/src/uci/list.c:211
    #3 0x7faec5bf384b in uci_free_package /usr/src/uci/list.c:243
    #4 0x7faec5bf51f4 in uci_unload /usr/src/uci/list.c:730
    #5 0x559243cba42a in package_cmd /usr/src/uci/cli.c:364
    #6 0x559243cbbcb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #7 0x559243cbbcb5 in uci_cmd /usr/src/uci/cli.c:674
    #8 0x559243cb8bc1 in main /usr/src/uci/cli.c:767
    #9 0x7faec4ee309a in __libc_start_main ../csu/libc-start.c:308
    #10 0x559243cb8c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7faec5d4e720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7faec5c066db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7faec5d4e330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7faec5c0666d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==7009==ABORTING
ASSERT:
=================================================================
==7016==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f40f610caa8 bp 0x7ffc91771e40 sp 0x7ffc91771e38
WRITE of size 8 at 0x607000000200 thread T0
    #0 0x7f40f610caa7 in uci_list_del /usr/src/uci/uci_internal.h:117
    #1 0x7f40f610caa7 in uci_free_element /usr/src/uci/list.c:71
    #2 0x7f40f610ce7e in uci_free_section /usr/src/uci/list.c:211
    #3 0x7f40f610d84b in uci_free_package /usr/src/uci/list.c:243
    #4 0x7f40f611f3cb in uci_file_commit /usr/src/uci/file.c:760
    #5 0x7f40f6111146 in uci_commit /usr/src/uci/libuci.c:206
    #6 0x55e7aaf01ce1 in package_cmd /usr/src/uci/cli.c:327
    #7 0x55e7aaf03cb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #8 0x55e7aaf03cb5 in uci_cmd /usr/src/uci/cli.c:674
    #9 0x55e7aaf00bc1 in main /usr/src/uci/cli.c:767
    #10 0x7f40f53fd09a in __libc_start_main ../csu/libc-start.c:308
    #11 0x55e7aaf00c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000200 is located 32 bytes inside of 80-byte region [0x6070000001e0,0x607000000230)
freed by thread T0 here:
    #0 0x7f40f6268720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f40f61206db in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f40f6268330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f40f612066d in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/uci_internal.h:117 in uci_list_del
==7016==ABORTING
ASSERT:
Files ./references/cli.options.delta.commit.result and ./tests/config/delta differ
ASSERT:
REF:

config sectype 'sec0'
        list li0 '1'
        list li0 '0'

----
TEST:
----

#
# Test report
#
tests passed:    93  93%
tests failed:     7   7%
tests skipped:    0   0%
tests total:    100 100%

Some of the shown problems might be related to #2288 but some of them seem to be caused by other things.
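
The reports above all name a block that was freed by realloc (through uci_realloc) and later written by uci_list_del. As an added illustration, not uci's code and not part of the original comment, the following C program shows how a list head embedded in a resized block leaves its neighbours pointing at the old address unless they are fixed up; every type and function name in it is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; not taken from the uci source. */
struct list { struct list *next, *prev; };
struct section {
    char name[16];
    struct list options;   /* head embedded in the block that gets resized */
    char type[];           /* variable-length tail */
};
struct option { struct list link; int value; };

static void list_init(struct list *h) { h->next = h->prev = h; }

static void list_add(struct list *h, struct list *n)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* After the owner moved, point the neighbours at the head's new address. */
static void list_fixup(struct list *h, const struct list *old)
{
    if (h->next == old) { list_init(h); return; }  /* list was empty */
    h->next->prev = h;
    h->prev->next = h;
}

static int list_consistent(const struct list *h)
{
    return h->next->prev == h && h->prev->next == h;
}

/* Move the section into a larger block, which realloc is free to do.
 * Returns 1 if the list is still consistent, measured while the old block
 * is still allocated so the check itself never touches freed memory. */
static int resize_section(struct section **sp, size_t tail, int fix)
{
    struct section *old = *sp, *moved = calloc(1, sizeof(*moved) + tail);
    if (!moved) return -1;
    memcpy(moved, old, sizeof(*old));
    if (fix) list_fixup(&moved->options, &old->options);
    int ok = list_consistent(&moved->options);
    free(old);   /* without the fixup, opt.link.prev now dangles */
    *sp = moved;
    return ok;
}

static int demo(int fix)
{
    struct option opt = { .value = 1 };
    struct section *s = calloc(1, sizeof(*s) + 8);
    if (!s) return -1;
    list_init(&s->options);
    list_add(&s->options, &opt.link);
    int ok = resize_section(&s, 64, fix);
    free(s);
    return ok;
}

int main(void)
{
    printf("no fixup: %d, with fixup: %d\n", demo(0), demo(1));
    return 0;
}
```

In the unfixed case any later unlink of the option would write through its stale `prev` pointer into the released block, which is the kind of access AddressSanitizer reports as heap-use-after-free.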

Charlemagne Lasse commented on 17.05.2019 10:06

This problem was introduced by

commit 4fb6a564b8eebe01f46766b8238a64d6414ed3ba
Author: Felix Fietkau <nbd@pi.lan>
Date:   Fri Aug 22 22:02:20 2008 +0200

    clean up uci_set

Charlemagne Lasse commented on 20.05.2019 06:38

The patchwork patch fixes the problem. But my valgrind patch was destroyed by your mailing list. I have attached the patch here again.

Project Manager
Hans Dedecker commented on 20.05.2019 07:43

The patch was removed from patchwork as it failed to apply; see http://lists.infradead.org/pipermail/openwrt-devel/2019-May/017159.html.
Please use git send-email to send patches to the mailing list; only patches sent to the mailing list will end up in patchwork and will be considered to be applied.
