Hi all,

While testing some OVN changes I noticed a use after free in ovs-vswitchd code. I didn't really get a chance to look into it but I shared below what AddressSanitizer reported when running the OVN system tests (make check-kernel).

For reference, this is with the latest OVS submodule revision in OVN:

commit 6f24c2bc769afde0a390ce344de1a7d9c592e5a6
Author: Terry Wilson <[email protected]>
Date:   Tue Jun 28 09:54:45 2022 -0500

    ovsdb: Add Local_Config schema.

Both OVS and OVN are compiled with clang and address/UB sanitizers enabled:

./configure CC=clang CFLAGS="-g -O1 -fno-omit-frame-pointer -fno-common -fsanitize=address,undefined"

Regards,
Dumitru

1: 2 LRs connected via LS, gateway router, SNAT and DNAT -- ovn-northd -- parallelization=yes -- ovn_monitor_all=yes FAILED (system-ovn.at:3)

==657687==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000019d8 at pc 0x0000008672d6 bp 0x7fff5c9cfdb0 sp 0x7fff5c9cfda8
READ of size 8 at 0x60b0000019d8 thread T0
    #0 0x8672d5 in resize /root/ovs/lib/hmap.c:113:26
    #1 0x866b06 in hmap_expand_at /root/ovs/lib/hmap.c:175:9
    #2 0x569668 in hmap_insert_at /root/ovs/./include/openvswitch/hmap.h:309:9
    #3 0x56c7f9 in iface_create /root/ovs/vswitchd/bridge.c:2130:5
    #4 0x56c181 in bridge_add_ports__ /root/ovs/vswitchd/bridge.c:1170:21
    #5 0x559163 in bridge_add_ports /root/ovs/vswitchd/bridge.c:1186:5
    #6 0x553697 in bridge_reconfigure /root/ovs/vswitchd/bridge.c:898:9
    #7 0x5520ba in bridge_run /root/ovs/vswitchd/bridge.c:3331:9
    #8 0x58b1d6 in main /root/ovs/vswitchd/ovs-vswitchd.c:129:9
    #9 0x7f320c0c9b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
    #10 0x471ebd in _start (/root/ovs/vswitchd/ovs-vswitchd+0x471ebd)

0x60b0000019d8 is located 40 bytes inside of 104-byte region [0x60b0000019b0,0x60b000001a18)
freed by thread T0 here:
    #0 0x517b47 in free (/root/ovs/vswitchd/ovs-vswitchd+0x517b47)
    #1 0x56ad1e in iface_destroy__ /root/ovs/vswitchd/bridge.c:4686:9
    #2 0x558c24 in bridge_delete_or_reconfigure_ports /root/ovs/vswitchd/bridge.c:1140:17
    #3 0x553346 in bridge_reconfigure /root/ovs/vswitchd/bridge.c:869:13
    #4 0x5520ba in bridge_run /root/ovs/vswitchd/bridge.c:3331:9
    #5 0x58b1d6 in main /root/ovs/vswitchd/ovs-vswitchd.c:129:9
    #6 0x7f320c0c9b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)

previously allocated by thread T0 here:
    #0 0x517ff7 in calloc (/root/ovs/vswitchd/ovs-vswitchd+0x517ff7)
    #1 0xbfeb32 in xcalloc__ /root/ovs/lib/util.c:121:31
    #2 0xbfeb70 in xzalloc__ /root/ovs/lib/util.c:131:12
    #3 0xbfec35 in xzalloc /root/ovs/lib/util.c:165:12
    #4 0x56c515 in iface_create /root/ovs/vswitchd/bridge.c:2120:13
    #5 0x56c181 in bridge_add_ports__ /root/ovs/vswitchd/bridge.c:1170:21
    #6 0x559163 in bridge_add_ports /root/ovs/vswitchd/bridge.c:1186:5
    #7 0x553697 in bridge_reconfigure /root/ovs/vswitchd/bridge.c:898:9
    #8 0x5520ba in bridge_run /root/ovs/vswitchd/bridge.c:3331:9
    #9 0x58b1d6 in main /root/ovs/vswitchd/ovs-vswitchd.c:129:9
    #10 0x7f320c0c9b74 in __libc_start_main (/lib64/libc.so.6+0x27b74)
