frr/mgmtd
Donald Sharp 71712f0bf6 mgmtd: Prevent use after free
CI is picking up this use after free on occasion:

    ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x6030001d94a0
        0 0x7fab994b7f04 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:119
        1 0x7fab994264f6 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace.h:131
        2 0x7fab994264f6 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1058
        3 0x7fab99039bcf in mt_count_free lib/memory.c:78
        4 0x7fab99039bcf in qfree lib/memory.c:130
        5 0x7fab98ff971a in hash_clean lib/hash.c:290
        6 0x56110cdb0e7f in mgmt_txn_hash_destroy mgmtd/mgmt_txn.c:1881
        7 0x56110cdb0e7f in mgmt_txn_destroy mgmtd/mgmt_txn.c:2013
        8 0x56110cd8e5de in mgmt_terminate mgmtd/mgmt.c:91
        9 0x56110cd8e003 in sigint mgmtd/mgmt_main.c:90
        10 0x7fab990bf4b0 in frr_sigevent_process lib/sigevent.c:117
        11 0x7fab990ea7a1 in event_fetch lib/event.c:1740
        12 0x7fab9901a24e in frr_run lib/libfrr.c:1245
        13 0x56110cd8e21f in main mgmtd/mgmt_main.c:290
        14 0x7fab98af9249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        15 0x7fab98af9304 in __libc_start_main_impl ../csu/libc-start.c:360
        16 0x56110cd8dd30 in _start (/usr/lib/frr/mgmtd+0x3ad30)

    0x6030001d94a0 is located 0 bytes inside of 24-byte region [0x6030001d94a0,0x6030001d94b8)
    freed by thread T0 here:
        0 0x7fab994b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        1 0x7fab99039bf0 in qfree lib/memory.c:131
        2 0x7fab98ff93e1 in hash_release lib/hash.c:227
        3 0x56110cdaabdc in mgmt_txn_unlock mgmtd/mgmt_txn.c:1931
        4 0x56110cdab049 in mgmt_txn_delete mgmtd/mgmt_txn.c:1841
        5 0x56110cdab0ce in mgmt_txn_hash_free mgmtd/mgmt_txn.c:1864
        6 0x7fab98ff970b in hash_clean lib/hash.c:288
        7 0x56110cdb0e7f in mgmt_txn_hash_destroy mgmtd/mgmt_txn.c:1881
        8 0x56110cdb0e7f in mgmt_txn_destroy mgmtd/mgmt_txn.c:2013
        9 0x56110cd8e5de in mgmt_terminate mgmtd/mgmt.c:91
        10 0x56110cd8e003 in sigint mgmtd/mgmt_main.c:90
        11 0x7fab990bf4b0 in frr_sigevent_process lib/sigevent.c:117
        12 0x7fab990ea7a1 in event_fetch lib/event.c:1740
        13 0x7fab9901a24e in frr_run lib/libfrr.c:1245
        14 0x56110cd8e21f in main mgmtd/mgmt_main.c:290
        15 0x7fab98af9249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

    previously allocated by thread T0 here:
        0 0x7fab994b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
        1 0x7fab990392fd in qcalloc lib/memory.c:106
        2 0x7fab98ff8b4f in hash_get lib/hash.c:156
        3 0x56110cdb13ae in mgmt_txn_create_new mgmtd/mgmt_txn.c:1825
        4 0x56110cdb3b4d in mgmt_txn_notify_be_adapter_conn mgmtd/mgmt_txn.c:2212
        5 0x56110cd91178 in mgmt_be_adapter_conn_init mgmtd/mgmt_be_adapter.c:842
        6 0x7fab990ec6de in event_call lib/event.c:2019
        7 0x7fab9901a243 in frr_run lib/libfrr.c:1246
        8 0x56110cd8e21f in main mgmtd/mgmt_main.c:290
        9 0x7fab98af9249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

The only time that mgmt_txn_hash_free is called is in hash_clean.
There are other places that mgmt_txn_unlock/delete are called and
hash_release should be called.  Let's just notice when mgmtd is
being called from the hash_clean and not call hash_release (since
we know it is being released already).

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
(cherry picked from commit 62f35c7bdb)
2025-02-27 20:40:07 +00:00
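
The double release described in the commit message, reduced to a constructed C model (an added example, not FRR's code or the actual patch). Here `table_clean` stands in for `hash_clean`, `txn_unlock` for `mgmt_txn_unlock`, and the `in_hash_free` flag is a hypothetical name for the "called from hash_clean" check; buckets sit in a static pool so the second free is counted rather than performed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not FRR code. Buckets live in a static pool so that a
 * second free of the same bucket is counted instead of corrupting the heap. */
enum { NBUCKETS = 4 };
struct bucket { bool live; };
struct txn { int refcount; struct bucket *slot; };
static struct bucket pool[NBUCKETS];
static struct txn txns[NBUCKETS];
static int bad_frees; /* frees of an already-freed bucket */

static void bucket_free(struct bucket *b)
{
	bad_frees += !b->live; /* already freed: the condition ASan reported */
	b->live = false;
}

/* Stands in for mgmt_txn_unlock(): the last reference releases the bucket,
 * unless the hypothetical in_hash_free flag says teardown already owns it. */
static void txn_unlock(struct txn *t, bool in_hash_free)
{
	if (--t->refcount == 0 && !in_hash_free)
		bucket_free(t->slot);
}

/* Stands in for hash_clean(): per-item callback first, then the bucket. */
static void table_clean(bool guarded)
{
	for (int i = 0; i < NBUCKETS; i++) {
		txn_unlock(&txns[i], guarded);
		bucket_free(&pool[i]);
	}
}

/* Fill the table, tear it down, return how many buckets were freed twice. */
int run_teardown(bool guarded)
{
	bad_frees = 0;
	for (int i = 0; i < NBUCKETS; i++) {
		pool[i].live = true;
		txns[i] = (struct txn){ .refcount = 1, .slot = &pool[i] };
	}
	table_clean(guarded);
	return bad_frees;
}

int main(void)
{
	printf("unguarded: %d, guarded: %d\n", run_teardown(false), run_teardown(true));
}
```

Outside teardown the flag stays false, so the last unlock still releases the bucket, which is the behaviour the commit message says the other callers need.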
.gitignore mgmtd: Add to .gitignore for mgmtd_testc program 2024-08-10 20:21:27 -04:00
Makefile mgmtd: Bringup MGMTD daemon and datastore module support 2023-03-21 22:08:32 -04:00
mgmt.c lib: add flag to have libyang load internal ietf-yang-library module 2024-10-07 03:32:44 +00:00
mgmt.h *: create a single registry of daemons' default port values 2024-02-01 11:40:02 -05:00
mgmt_be_adapter.c mgmtd: testc: add listen for datastore notifications 2025-01-18 16:14:29 +00:00
mgmt_be_adapter.h mgmtd: add backend xpath map for RPC 2024-04-22 16:36:22 +03:00
mgmt_be_nb.c *: add XREF_SETUP() to libraries and utilites 2024-05-02 23:03:08 +02:00
mgmt_ds.c mgmtd: don't add implicit state data when reading config from file 2024-08-08 00:45:13 +03:00
mgmt_ds.h lib, mgmtd: fix commit history location 2024-01-27 19:02:52 +01:00
mgmt_fe_adapter.c lib: mgmtd: only send notify selectors to backends that provide. 2025-01-18 16:13:54 +00:00
mgmt_fe_adapter.h mgmtd: add notify selectors to filter datastore notifications 2025-01-13 23:40:52 -05:00
mgmt_history.c lib: fix new (incorrect) CLANG SA warnings 2025-01-13 23:40:52 -05:00
mgmt_history.h mgmtd: assert an assertion for coverity 2023-06-06 15:12:58 -04:00
mgmt_main.c lib: introduce global -w option for VRF netns backend 2025-01-15 23:38:27 +02:00
mgmt_memory.c mgmtd: add native RPC processing 2024-04-22 16:36:22 +03:00
mgmt_memory.h mgmtd: add native RPC processing 2024-04-22 16:36:22 +03:00
mgmt_testc.c mgmtd: testc: add listen for datastore notifications 2025-01-18 16:14:29 +00:00
mgmt_txn.c mgmtd: Prevent use after free 2025-02-27 20:40:07 +00:00
mgmt_txn.h mgmtd: add notify selectors to filter datastore notifications 2025-01-13 23:40:52 -05:00
mgmt_vty.c lib: common debug status output 2024-08-27 09:53:02 -04:00
subdir.am *: add XREF_SETUP() to libraries and utilites 2024-05-02 23:03:08 +02:00