uci memory corruption when setting section name
Username: Charlemagne Lasse
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2288
Happens on every device
Happens on every version tested (only tested from LEDE 17.01 up to 4c8b4d6efc8302b508d261573351fffb75bd98c2)
Prepare system:
mkdir -p /etc/config
cat > /etc/config/foo << EOF
config general 'general'
	option very 'important'
EOF
uci set foo.bar='asd'
uci set foo.bar='asd'
And then run it either via valgrind:
cmake -DCMAKE_INSTALL_PREFIX=/usr . && make
valgrind ./uci show
==2144== Memcheck, a memory error detector
==2144== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2144== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2144== Command: ./uci show
==2144==
foo.general=general
foo.general.very='important'
foo.bar=asd
==2144== Invalid read of size 8
==2144==    at 0x10A90C: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630a8 is 56 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A910: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630b0 is 64 bytes inside a block of size 76 free'd
==2144==    at 0x4837D7B: realloc (vg_replace_malloc.c:826)
==2144==    by 0x4849993: uci_realloc (util.c:49)
==2144==    by 0x4848062: uci_set (list.c:717)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Block was alloc'd at
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x484995D: uci_malloc (util.c:39)
==2144==    by 0x48465BF: uci_alloc_generic (list.c:50)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==    by 0x10A9BA: package_cmd (cli.c:312)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A91D: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x4a630e8 is 24 bytes before a block of size 4 alloc'd
==2144==    at 0x483577F: malloc (vg_replace_malloc.c:299)
==2144==    by 0x491BDB9: strdup (strdup.c:42)
==2144==    by 0x48499B4: uci_strdup (util.c:60)
==2144==    by 0x484663E: uci_alloc_generic (list.c:55)
==2144==    by 0x48466BC: uci_alloc_section (list.c:194)
==2144==    by 0x4847F9A: uci_set (list.c:699)
==2144==    by 0x484A2E6: uci_parse_delta_line (delta.c:247)
==2144==    by 0x484A2E6: uci_parse_delta (delta.c:282)
==2144==    by 0x484A3F6: uci_load_delta_file.constprop.3 (delta.c:305)
==2144==    by 0x484A9A7: uci_load_delta (delta.c:330)
==2144==    by 0x484990F: uci_file_load (file.c:916)
==2144==    by 0x4847385: uci_load (libuci.c:216)
==2144==    by 0x484749C: uci_lookup_ptr (list.c:394)
==2144==
==2144== Invalid read of size 8
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  Address 0x18 is not stack'd, malloc'd or (recently) free'd
==2144==
==2144==
==2144== Process terminating with default action of signal 11 (SIGSEGV)
==2144==  Access not within mapped region at address 0x18
==2144==    at 0x10A928: uci_show_option.constprop.2 (cli.c:239)
==2144==    by 0x10A984: uci_show_section (cli.c:256)
==2144==    by 0x10AC45: uci_show_package (cli.c:268)
==2144==    by 0x10AC45: package_cmd (cli.c:345)
==2144==    by 0x10B3C9: uci_do_package_cmd (cli.c:430)
==2144==    by 0x10B3C9: uci_cmd (cli.c:674)
==2144==    by 0x10A57E: main (cli.c:767)
==2144==  If you believe this happened as a result of a stack
==2144==  overflow in your program's main thread (unlikely but
==2144==  possible), you can try to increase the size of the
==2144==  main thread stack using the --main-stacksize= flag.
==2144==  The main thread stack size used in this run was 8388608.
==2144==
==2144== HEAP SUMMARY:
==2144==     in use at exit: 961 bytes in 18 blocks
==2144==   total heap usage: 38 allocs, 20 frees, 45,212 bytes allocated
==2144==
==2144== LEAK SUMMARY:
==2144==    definitely lost: 0 bytes in 0 blocks
==2144==    indirectly lost: 0 bytes in 0 blocks
==2144==      possibly lost: 0 bytes in 0 blocks
==2144==    still reachable: 961 bytes in 18 blocks
==2144==         suppressed: 0 bytes in 0 blocks
==2144== Rerun with --leak-check=full to see details of leaked memory
==2144==
==2144== For counts of detected and suppressed errors, rerun with: -v
==2144== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
zsh: segmentation fault  sudo valgrind ./uci show
Or with ASAN:
cmake -DCMAKE_INSTALL_PREFIX=/usr "-DCMAKE_C_FLAGS=-fsanitize=address -fsanitize=undefined" && make
./uci show
foo.general=general
foo.general.very='important'
foo.bar=asd
==2908==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000288 at pc 0x5635c789848b bp 0x7ffd3393e680 sp 0x7ffd3393e678
READ of size 8 at 0x607000000288 thread T0
    #0 0x5635c789848a in uci_show_option /usr/src/uci/cli.c:239
    #1 0x5635c7898814 in uci_show_section /usr/src/uci/cli.c:256
    #2 0x5635c7899368 in uci_show_package /usr/src/uci/cli.c:268
    #3 0x5635c7899368 in package_cmd /usr/src/uci/cli.c:345
    #4 0x5635c789acb5 in uci_do_package_cmd /usr/src/uci/cli.c:430
    #5 0x5635c789acb5 in uci_cmd /usr/src/uci/cli.c:674
    #6 0x5635c7897bc1 in main /usr/src/uci/cli.c:767
    #7 0x7f8f2f0bc09a in __libc_start_main ../csu/libc-start.c:308
    #8 0x5635c7897c69 in _start (/usr/src/uci/uci+0x9c69)

0x607000000288 is located 56 bytes inside of 76-byte region [0x607000000250,0x60700000029c)
freed by thread T0 here:
    #0 0x7f8f2ff27720 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9720)
    #1 0x7f8f2fddf5dc in uci_realloc /usr/src/uci/util.c:49

previously allocated by thread T0 here:
    #0 0x7f8f2ff27330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f8f2fddf56e in uci_malloc /usr/src/uci/util.c:39

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/uci/cli.c:239 in uci_show_option
Shadow bytes around the buggy address:
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff8030: 00 00 00 00 00 00 00 02 fa fa fa fa fd fd fd fd
  0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
=>0x0c0e7fff8050: fd[fd]fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8060: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2908==ABORTING
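Both traces show the same shape: the section block allocated in uci_alloc_section is freed by the realloc inside uci_set, and uci_show_option then reads through a pointer that still refers to the old block. The following is an added, hypothetical model of that pattern (not uci's own structs or code): a section whose type string lives inline in its block, options that keep a back-pointer to their section, and a type-change routine shown once in the buggy shape and once with the back-pointers repaired after the realloc.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not uci's structs: the section's type string lives
 * inline in its block; each option keeps a back-pointer to its section. */
struct section { struct option *options; char type[]; };
struct option  { struct option *next; struct section *section; };

static struct section *alloc_section(const char *type) {
    struct section *s = malloc(sizeof *s + strlen(type) + 1);
    if (!s) abort();
    s->options = NULL;
    strcpy(s->type, type);
    return s;
}

static struct option *add_option(struct section *s) {
    struct option *o = calloc(1, sizeof *o);
    if (!o) abort();
    o->section = s;
    o->next = s->options;
    s->options = o;
    return o;
}

/* Buggy shape: if realloc moves the block, every o->section still points
 * at the freed one, and the next o->section->... is a use-after-free. */
static struct section *set_type_buggy(struct section *s, const char *type) {
    s = realloc(s, sizeof *s + strlen(type) + 1);
    if (!s) abort();
    strcpy(s->type, type);
    return s;
}

/* Hardened: after a realloc that may move, repair every back-pointer. */
static struct section *set_type_fixed(struct section *s, const char *type) {
    struct section *n = realloc(s, sizeof *s + strlen(type) + 1);
    if (!n) abort();
    strcpy(n->type, type);
    for (struct option *o = n->options; o; o = o->next)
        o->section = n;
    return n;
}

/* 1 when every option's back-pointer matches its section, else 0. */
static int back_pointers_consistent(const struct section *s) {
    for (const struct option *o = s->options; o; o = o->next)
        if (o->section != s) return 0;
    return 1;
}
```

The buggy variant only stays well-defined on a section with no options, which is why the report's second uci set (on a section that already carries an option, written through the delta file) is what exposes it.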