https://bugs.dpdk.org/show_bug.cgi?id=867

            Bug ID: 867
           Summary: [asan] mbuf: use-after-free in mbuf_autotest
           Product: DPDK
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: david.march...@redhat.com
  Target Milestone: ---

Using series https://patchwork.dpdk.org/project/dpdk/list/?series=19821,
calling mbuf_autotest shows:

41/97 DPDK:fast-tests / mbuf_autotest FAIL 1.07 s (exit status 1)

--- command ---
DPDK_TEST='mbuf_autotest' /home/runner/work/dpdk/dpdk/build/app/test/dpdk-test --file-prefix=mbuf_autotest
--- stdout ---
RTE>>mbuf_autotest
Test mbuf dynamic fields and flags
Reserved fields:
Reserved flags:
Free space in mbuf (0 = occupied, value = free zone alignment):
  0000: 00 00 00 00 00 00 00 00
  0008: 00 00 00 00 00 00 00 00
  0010: 00 00 00 00 00 00 00 00
...
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d) [0x7f94e6cf382d]]
11: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b) [0x7f94e6cfb7ab]]
10: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468) [0x7f94e6cf3468]]
9: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9) [0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bfe72]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269) [0x7f94e7b84089]]
3: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d) [0x7f94e8fefd0d]]
2: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd) [0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b) [0x46728b]]
PANIC in rte_mbuf_sanity_check():
bad ref cnt
15: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x42ff5a]]
14: [/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f94e0223bf7]]
13: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x516ce2]]
12: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_in+0x9d) [0x7f94e6cf382d]]
11: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(rdline_char_in+0xf2b) [0x7f94e6cfb7ab]]
10: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(+0x5468) [0x7f94e6cf3468]]
9: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_cmdline.so.22(cmdline_parse+0x3c9) [0x7f94e6cf65c9]]
8: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x4d7601]]
7: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9b2841]]
6: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9bff47]]
5: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test() [0x9c7432]]
4: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_mbuf.so.22(rte_mbuf_sanity_check+0x269) [0x7f94e7b84089]]
3: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(__rte_panic+0x13d) [0x7f94e8fefd0d]]
2: [/home/runner/work/dpdk/dpdk/build/app/test/../../lib/librte_eal.so.22(rte_dump_stack+0xcd) [0x7f94e9059b7d]]
1: [/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test(backtrace+0x5b) [0x46728b]]
=================================================================
==26477==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f90d842a9d0 at pc 0x0000009b89a8 bp 0x7ffc2cfe8b50 sp 0x7ffc2cfe8b48
READ of size 2 at 0x7f90d842a9d0 thread T0
    #0 0x9b89a7 in rte_mbuf_ext_refcnt_read /home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9
    #1 0x9b89a7 in test_pktmbuf_ext_shinfo_init_helper /home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2409:6
    #2 0x9b89a7 in test_mbuf /home/runner/work/dpdk/dpdk/build/../app/test/test_mbuf.c:2950:6
    #3 0x4d7600 in cmd_autotest_parsed /home/runner/work/dpdk/dpdk/build/../app/test/commands.c:71:10
    #4 0x7f94e6cf65c8 in cmdline_parse /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:290:3
    #5 0x7f94e6cf3467 in cmdline_valid_buffer /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:26:8
    #6 0x7f94e6cfb7aa in rdline_char_in /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:446:5
    #7 0x7f94e6cf382c in cmdline_in /home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:148:9
    #8 0x516ce1 in main /home/runner/work/dpdk/dpdk/build/../app/test/test.c:214:8
    #9 0x7f94e0223bf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x42ff59 in _start (/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x42ff59)

Address 0x7f90d842a9d0 is a wild pointer.
SUMMARY: AddressSanitizer: heap-use-after-free /home/runner/work/dpdk/dpdk/build/../lib/mbuf/rte_mbuf.h:431:9 in rte_mbuf_ext_refcnt_read
Shadow bytes around the buggy address:
  0x0ff29b07d4e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d4f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff29b07d520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff29b07d530: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0ff29b07d540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b07d550: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 fa
  0x0ff29b07d560: fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff29b07d570: 00 00 00 00 00 00 fa fa 00 00 00 00 00 00 00 00
  0x0ff29b07d580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==26477==ABORTING
-------