Re: [systemd-devel] [PATCH] test-dhcp6-client: Fix option length
Hi,

I now pushed your patch along with another one, very similar, with a fix for the second problem. test-dhcp6-client now runs fine under asan. test-network doesn't, but that's another story.

Zbyszek

On Fri, Aug 29, 2014 at 02:58:54PM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Aug 29, 2014 at 09:20:46AM +0300, Patrik Flykt wrote:
> > The whole DHCPv6 test message length was incorrectly used as the length
> > of DHCPv6 options causing the following bad memory access:
> >
> > $ build/test-dhcp6-client
> > Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
> > =
> > ==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
> > READ of size 1 at 0x7fe204aa9148 thread T0
> >     #0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
> >     #1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
> >     #2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
> >     #3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
> >     #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
> >     #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
> >
> > 0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
> > 0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
> > SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> > ---
> >
> > This seems to be the cause of the bad memory access, please test.
>
> Hm, I think it helps, but there's another one:
>
> $ build/test-dhcp6-client
> Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
> DHCPv6 CLIENT: Sent SOLICIT
> DHCPv6 CLIENT: Next retransmission in 1.049185s
> =
> ==29571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61109708 at pc 0x7fd00190458f bp 0x7fff287de8d0 sp 0x7fff287de8c0
> READ of size 1 at 0x61109708 thread T0
>     #0 0x7fd00190458e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
>     #1 0x7fd001904884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
>     #2 0x7fd0019008ff in client_parse_message ../src/libsystemd-network/sd-dhcp6-client.c:582
>     #3 0x7fd001901078 in client_receive_advertise ../src/libsystemd-network/sd-dhcp6-client.c:732
>     #4 0x7fd001901822 in client_receive_message ../src/libsystemd-network/sd-dhcp6-client.c:809
>     #5 0x7fd001918c77 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:2035
>     #6 0x7fd00191b7f1 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:2384
>     #7 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
>     #8 0x7fd00191bc1d in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:2428
>     #9 0x7fd0018fca81 in test_client_solicit ../src/libsystemd-network/test-dhcp6-client.c:562
>     #10 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
>     #11 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
>     #12 0x7fd0018f7c5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
>
> 0x61109708 is located 2 bytes to the right of 198-byte region [0x61109640,0x61109706)
> allocated by thread T0 here:
>     #0 0x7fd000827cf5 in calloc (/lib64/libasan.so.1+0x57cf5)
>     #1 0x7fd00190152b in client_receive_message ../src/libsystemd-network/sd-dhcp6-client.c:769
>     #2 0x7fd001918c77 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:2035
>     #3 0x7fd00191b7f1 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:2384
>     #4 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
>     #5 0x7fd00191bc1d in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:2428
>     #6 0x7fd0018fca81 in test_client_solicit ../src/libsystemd-network/test-dhcp6-client.c:562
>     #7 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
>     #8 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> Shadow bytes around the buggy address:
>   0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>
Re: [systemd-devel] [PATCH] test-dhcp6-client: Fix option length
On Fri, Aug 29, 2014 at 09:20:46AM +0300, Patrik Flykt wrote:
> The whole DHCPv6 test message length was incorrectly used as the length
> of DHCPv6 options causing the following bad memory access:
>
> $ build/test-dhcp6-client
> Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
> =
> ==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
> READ of size 1 at 0x7fe204aa9148 thread T0
>     #0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
>     #1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
>     #2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
>     #3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
>     #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
>     #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)
>
> 0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
> 0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
> SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
> ---
>
> This seems to be the cause of the bad memory access, please test.

Hm, I think it helps, but there's another one:

$ build/test-dhcp6-client
Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
DHCPv6 CLIENT: Sent SOLICIT
DHCPv6 CLIENT: Next retransmission in 1.049185s
=
==29571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61109708 at pc 0x7fd00190458f bp 0x7fff287de8d0 sp 0x7fff287de8c0
READ of size 1 at 0x61109708 thread T0
    #0 0x7fd00190458e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
    #1 0x7fd001904884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
    #2 0x7fd0019008ff in client_parse_message ../src/libsystemd-network/sd-dhcp6-client.c:582
    #3 0x7fd001901078 in client_receive_advertise ../src/libsystemd-network/sd-dhcp6-client.c:732
    #4 0x7fd001901822 in client_receive_message ../src/libsystemd-network/sd-dhcp6-client.c:809
    #5 0x7fd001918c77 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:2035
    #6 0x7fd00191b7f1 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:2384
    #7 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
    #8 0x7fd00191bc1d in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:2428
    #9 0x7fd0018fca81 in test_client_solicit ../src/libsystemd-network/test-dhcp6-client.c:562
    #10 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
    #11 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)
    #12 0x7fd0018f7c5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)

0x61109708 is located 2 bytes to the right of 198-byte region [0x61109640,0x61109706)
allocated by thread T0 here:
    #0 0x7fd000827cf5 in calloc (/lib64/libasan.so.1+0x57cf5)
    #1 0x7fd00190152b in client_receive_message ../src/libsystemd-network/sd-dhcp6-client.c:769
    #2 0x7fd001918c77 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:2035
    #3 0x7fd00191b7f1 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:2384
    #4 0x7fd00191bad4 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:2413
    #5 0x7fd00191bc1d in sd_event_loop ../src/libsystemd/sd-event/sd-event.c:2428
    #6 0x7fd0018fca81 in test_client_solicit ../src/libsystemd-network/test-dhcp6-client.c:562
    #7 0x7fd0018fcc65 in main ../src/libsystemd-network/test-dhcp6-client.c:585
    #8 0x7fd040df in __libc_start_main (/lib64/libc.so.6+0x200df)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
Shadow bytes around the buggy address:
  0x0c227fff9290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff92d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff92e0: 06[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9300: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c227fff9310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9320:
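The miscount behind both traces, shown on a minimal option walker: passing the whole message size as the option length leaves four bytes "remaining" after the last real option, and they get read as one more option header. This is an added example, not code from the thread or from systemd; the sample bytes and the names `next_option` and `walk_options` are constructed for illustration, and the 4-byte message header and 4-byte option header follow the DHCPv6 wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MSG_HDR_LEN 4 /* DHCPv6 msg-type (1) + transaction-id (3) */
#define OPT_HDR_LEN 4 /* option-code (2) + option-len (2) */

/* Constructed sample: a 13-byte message followed by 4 bytes that are NOT part
 * of it (kept in the array so the miscounted walk stays defined behaviour). */
static const uint8_t sample[] = {
    0x02, 0xaa, 0xbb, 0xcc,       /* ADVERTISE + transaction id */
    0x00, 0x07, 0x00, 0x01, 0xff, /* option 7 (preference), length 1 */
    0x00, 0x0e, 0x00, 0x00,       /* option 14 (rapid commit), length 0 */
    0x12, 0x34, 0x00, 0x00,       /* neighbouring memory */
};
#define SAMPLE_MSG_LEN 13

/* Parse one option header; advance only after both bounds checks pass. */
static int next_option(const uint8_t **p, size_t *left, uint16_t *code) {
    if (*left < OPT_HDR_LEN)
        return -1; /* truncated header */
    *code = (uint16_t)((*p)[0] << 8 | (*p)[1]);
    size_t len = (size_t)((*p)[2] << 8 | (*p)[3]);
    if (len > *left - OPT_HDR_LEN)
        return -1; /* value would run past the option area */
    *p += OPT_HDR_LEN + len;
    *left -= OPT_HDR_LEN + len;
    return 0;
}

/* Walk an option area of opts_len bytes; returns the option count or -1. */
int walk_options(const uint8_t *opts, size_t opts_len, uint16_t *last_code) {
    int n = 0;
    while (opts_len > 0) {
        if (next_option(&opts, &opts_len, last_code) < 0)
            return -1;
        n++;
    }
    return n;
}

int main(void) {
    uint16_t last = 0;
    int ok = walk_options(sample + MSG_HDR_LEN, SAMPLE_MSG_LEN - MSG_HDR_LEN, &last);
    printf("message size minus header: %d options, last code %u\n", ok, last);
    int bad = walk_options(sample + MSG_HDR_LEN, SAMPLE_MSG_LEN, &last);
    printf("whole message size: %d options, last code 0x%x\n", bad, last);
    return 0;
}
```

The bounds checks inside the walker cannot catch this, because they only trust the length the caller hands in; the extra "option" comes from whatever sits after the message, which under ASan is a redzone.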
[systemd-devel] [PATCH] test-dhcp6-client: Fix option length
The whole DHCPv6 test message length was incorrectly used as the length of DHCPv6 options causing the following bad memory access:

$ build/test-dhcp6-client
Assertion 'interface_index >= -1' failed at ../src/libsystemd-network/sd-dhcp6-client.c:129, function sd_dhcp6_client_set_index(). Ignoring.
=
==29135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe204aa9148 at pc 0x7fe204a5958f bp 0x7fff3e47d470 sp 0x7fff3e47d460
READ of size 1 at 0x7fe204aa9148 thread T0
    #0 0x7fe204a5958e in option_parse_hdr ../src/libsystemd-network/dhcp6-option.c:145
    #1 0x7fe204a59884 in dhcp6_option_parse ../src/libsystemd-network/dhcp6-option.c:165
    #2 0x7fe204a4eb9c in test_advertise_option ../src/libsystemd-network/test-dhcp6-client.c:227
    #3 0x7fe204a51c58 in main ../src/libsystemd-network/test-dhcp6-client.c:584
    #4 0x7fe2031590df in __libc_start_main (/lib64/libc.so.6+0x200df)
    #5 0x7fe204a4cc5b (/home/test/systemd/build/test-dhcp6-client+0x25c5b)

0x7fe204aa9148 is located 2 bytes to the right of global variable 'msg_advertise' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9080) of size 198
0x7fe204aa9148 is located 56 bytes to the left of global variable 'msg_reply' from '../src/libsystemd-network/test-dhcp6-client.c' (0x7fe204aa9180) of size 173
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/libsystemd-network/dhcp6-option.c:145 option_parse_hdr
---

This seems to be the cause of the bad memory access, please test.

Cheers,

Patrik

 src/libsystemd-network/test-dhcp6-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c index 96c68e1..259db33 100644 --- a/src/libsystemd-network/test-dhcp6-client.c +++ b/src/libsystemd-network/test-dhcp6-client.c 
@@ -207,7 +207,7 @@ static int test_advertise_option(sd_event *e) { DHCP6Message *advertise = (DHCP6Message *)msg_advertise; uint8_t *optval, *opt = &msg_advertise[sizeof(DHCP6Message)]; uint16_t optcode; -size_t optlen, len = sizeof(msg_advertise); +size_t optlen, len = sizeof(msg_advertise) - sizeof(DHCP6Message); be32_t val; uint8_t preference = 255; struct in6_addr addr; -- 1.9.1 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
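Review bot: in the changed `len` declaration of test_advertise_option(), the header offset `sizeof(DHCP6Message)` is now written out twice on adjacent lines, once to position `opt` and once to shrink `len`, and nothing ties the two together, so the pointer and the length can drift apart again the next time either line is edited. Consider deriving both from a single local (for example an offset variable used in `&msg_advertise[...]` and in the subtraction). The subtraction is also done in `size_t`, so a compile-time check that `sizeof(msg_advertise) >= sizeof(DHCP6Message)` would keep a shortened test vector from wrapping `len` to a huge value instead of failing the build.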