FS#2288 - uci memory corruption when setting section name #6074
Comments
charlemagnelasse: Current uci version 4c8b4d6efc8302b508d261573351fffb75bd98c2 fails its own testsuite due to memory corruptions:
cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==4803==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f46c3befaa8 bp 0x7ffc90bb9790 sp 0x7ffc90bb9788
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f46c3befaa7 in uci_list_del /usr/src/uci/uci_internal.h:116
#1 0x7f46c3befaa7 in uci_free_element /usr/src/uci/list.c:74
#2 0x7f46c3befe7e in uci_free_section /usr/src/uci/list.c:214
#3 0x7f46c3bf0374 in uci_free_package /usr/src/uci/list.c:246
#4 0x7f46c3bf300e in uci_free_context /usr/src/uci/libuci.c:84
#5 0x55cbf8befc11 in main /usr/src/uci/cli.c:774
#6 0x7f46c2ee009a in __libc_start_main ../csu/libc-start.c:308
#7 0x55cbf8befc69 in _start (/usr/src/uci/uci+0x9c69)
For the LEDE 17.01 version:
cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" . && make
cd tests
sh tests.sh
#
# Performing tests
#
test_import
test_export
test_get_parsing
test_get_section_index_parsing
test_get_option
test_get_option_multiline
test_get_section
test_set_parsing
test_set_named_section
test_set_nonexisting_option
test_set_nonexisting_option_multiline
test_set_existing_option
test_set_existing_option_multiline
test_add_section
test_get_parsing
test_get_parsing_multiline_package
test_get_parsing_multiline_section
test_get_parsing_multiline_option
test_batch_set
test_batch_comments
test_revert_section
test_revert_option
test_revert_option_multiline
test_revert_option_long
test_add_list_config
test_add_list_get
test_add_list_show
test_add_list_changes
test_del_list
test_del_list_multiline
test_add_delta
=================================================================
==6986==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000200 at pc 0x7f2f158c7aa8 bp 0x7ffd548bf4d0 sp 0x7ffd548bf4c8
WRITE of size 8 at 0x607000000200 thread T0
#0 0x7f2f158c7aa7 in uci_list_del /usr/src/uci/uci_internal.h:117
#1 0x7f2f158c7aa7 in uci_free_element /usr/src/uci/list.c:71
#2 0x7f2f158c7e7e in uci_free_section /usr/src/uci/list.c:211
#3 0x7f2f158c884b in uci_free_package /usr/src/uci/list.c:243
#4 0x7f2f158cafbb in uci_free_context /usr/src/uci/libuci.c:84
#5 0x55976de7dc11 in main /usr/src/uci/cli.c:774
#6 0x7f2f14bb809a in __libc_start_main ../csu/libc-start.c:308
#7 0x55976de7dc69 in _start (/usr/src/uci/uci+0x9c69)
Some of the shown problems might be related to #2288 but some of them seem to be caused by other things.
charlemagnelasse: This problem was introduced by
commit 4fb6a564b8eebe01f46766b8238a64d6414ed3ba
Author: Felix Fietkau
Date: Fri Aug 22 22:02:20 2008 +0200
charlemagnelasse: The patchwork patch fixes the problem. But my valgrind patch was destroyed by your mailing list. I have attached the patch here again.
dedeckeh: The patch was removed from patchwork as it failed to apply; see http://lists.infradead.org/pipermail/openwrt-devel/2019-May/017159.html.
charlemagnelasse:
Prepare system:
mkdir -p /etc/config
cat > /etc/config/foo << EOF
config general 'general'
	option very 'important'
EOF
uci set foo.bar='asd'
uci set foo.bar='asd'
And then run it either via valgrind
cmake -DCMAKE_INSTALL_PREFIX=/usr . && make
valgrind ./uci show
==2144== Memcheck, a memory error detector
==2144== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2144== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2144== Command: ./uci show
==2144==
foo.general=general
foo.general.very='important'
foo.bar=asd
==2144== Invalid read of size 8
==2144==    at 0x10A90C: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630a8 is 56 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A910: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630b0 is 64 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A91D: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630e8 is 24 bytes before a block of size 4 alloc'd
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x491BDB9: strdup (strdup.c:42)
==2144==    by 0x48499B4: uci_strdup (util.c:60)
==2144==    by 0x484663E: uci_alloc_generic (list.c:55)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==2144==
==2144==
==2144== Process terminating with default action of signal 11 (SIGSEGV)
==2144==  Access not within mapped region at address 0x18
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  If you believe this happened as a result of a stack
==2144==  overflow in your program's main thread (unlikely but
==2144==  possible), you can try to increase the size of the
==2144==  main thread stack using the --main-stacksize= flag.
==2144==  The main thread stack size used in this run was 8388608.
==2144==
==2144== HEAP SUMMARY:
==2144==     in use at exit: 961 bytes in 18 blocks
==2144==   total heap usage: 38 allocs, 20 frees, 45,212 bytes allocated
==2144==
==2144== LEAK SUMMARY:
==2144==    definitely lost: 0 bytes in 0 blocks
==2144==    indirectly lost: 0 bytes in 0 blocks
==2144==      possibly lost: 0 bytes in 0 blocks
==2144==    still reachable: 961 bytes in 18 blocks
==2144==         suppressed: 0 bytes in 0 blocks
==2144== Rerun with --leak-check=full to see details of leaked memory
==2144==
==2144== For counts of detected and suppressed errors, rerun with: -v
==2144== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
zsh: segmentation fault  sudo valgrind ./uci show
Or with ASAN
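Added example, not code from uci or from anyone in this thread: a minimal constructed model of why renaming a section through realloc leaves pointers into the freed block, showing the buggy shape next to the fixed one. It assumes a section that stores its name inline, an option holding a back-pointer to its section, and a stand-in realloc that always moves the block so the outcome is deterministic; which pointer the real uci fix refreshes is not stated in this thread.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model (not uci's real structs): a section stores its name inline,
 * so a rename may need a bigger block; each option keeps a parent back-pointer. */
struct section;
struct opt { struct section *section; };
struct section { struct opt *opt; char name[]; };
#define SECTION_SIZE(name) (sizeof(struct section) + strlen(name) + 1)
/* Stand-in for realloc that always moves the block, so the result does not
 * depend on whether the allocator happened to grow the chunk in place. */
static void *moving_realloc(void *p, size_t old_size, size_t new_size) {
    void *n = malloc(new_size);
    memcpy(n, p, old_size < new_size ? old_size : new_size);
    free(p);
    return n;
}

static struct section *alloc_section(const char *name) {
    struct section *s = malloc(SECTION_SIZE(name));
    strcpy(s->name, name);
    s->opt = malloc(sizeof *s->opt);
    s->opt->section = s;
    return s;
}

/* Buggy rename, the shape of the bug in the trace above: the block moves but
 * opt->section still holds the freed address, so a later walk from option to
 * section (as uci_show_option does) is a heap use-after-free. */
static struct section *rename_buggy(struct section *s, const char *name) {
    s = moving_realloc(s, SECTION_SIZE(s->name), SECTION_SIZE(name));
    strcpy(s->name, name);
    return s;
}

/* Fixed rename: after the move, refresh every pointer that referenced the old
 * address (the option here; in an intrusive list, prev/next as well). */
static struct section *rename_fixed(struct section *s, const char *name) {
    s = rename_buggy(s, name);  /* same move and copy as above */
    s->opt->section = s;        /* the missing step */
    return s;
}
/* Returns 1 when the option's back-pointer still agrees with its owner. */
int rename_keeps_parent(int fixed) {
    struct section *s = alloc_section("general");
    s = fixed ? rename_fixed(s, "general_renamed") : rename_buggy(s, "general_renamed");
    int ok = (s->opt->section == s);
    free(s->opt); free(s);
    return ok;
}
```

Running the buggy path under ASan or valgrind with a real dereference of opt->section reproduces the "inside a block ... free'd" report shown above; the check here only compares pointer values so it stays well-defined.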