EIGRP has some bad reads when being shutdown #3065

Closed
donaldsharp opened this issue Sep 21, 2018 · 1 comment

donaldsharp commented Sep 21, 2018

r4: eigrpd triggered an exception by AddressSanitizer
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d38 at pc 0x55f4bd18b27a bp 0x7ffd5d6cd8d0 sp 0x7ffd5d6cd8c0
READ of size 4 at 0x60b000001d38 thread T0
    #0 0x55f4bd18b279 in eigrp_zebra_route_add eigrpd/eigrp_zebra.c:381
    #1 0x55f4bd1813c0 in eigrp_update_routing_table eigrpd/eigrp_topology.c:494
    #2 0x55f4bd18d2cf in eigrp_fsm_event_keep_state eigrpd/eigrp_fsm.c:508
    #3 0x55f4bd18ea6e in eigrp_fsm_event eigrpd/eigrp_fsm.c:425
    #4 0x55f4bd1818d9 in eigrp_topology_neighbor_down eigrpd/eigrp_topology.c:533
    #5 0x55f4bd175f94 in eigrp_nbr_delete eigrpd/eigrp_neighbor.c:182
    #6 0x55f4bd18bde9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #7 0x55f4bd18bf95 in eigrp_finish eigrpd/eigrpd.c:249
    #8 0x55f4bd18c14d in eigrp_terminate eigrpd/eigrpd.c:242
    #9 0x55f4bd16ebe0 in sigint eigrpd/eigrp_main.c:103
    #10 0x55f4bd1d8f02 in quagga_sigevent_process lib/sigevent.c:105
    #11 0x55f4bd1ee30e in thread_fetch lib/thread.c:1404
    #12 0x55f4bd1b64bd in frr_run lib/libfrr.c:957
    #13 0x55f4bd16bb5c in main eigrpd/eigrp_main.c:219
    #14 0x7f00479b4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x55f4bd16eae9 in _start (/usr/lib/frr/eigrpd+0x71ae9)

0x60b000001d38 is located 24 bytes inside of 104-byte region [0x60b000001d20,0x60b000001d88)
freed by thread T0 here:
    #0 0x7f0048a667b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x55f4bd18bde9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #2 0x55f4bd18bf95 in eigrp_finish eigrpd/eigrpd.c:249
    #3 0x55f4bd18c14d in eigrp_terminate eigrpd/eigrpd.c:242
    #4 0x55f4bd16ebe0 in sigint eigrpd/eigrp_main.c:103
    #5 0x55f4bd1d8f02 in quagga_sigevent_process lib/sigevent.c:105
    #6 0x55f4bd1ee30e in thread_fetch lib/thread.c:1404
    #7 0x55f4bd1b64bd in frr_run lib/libfrr.c:957
    #8 0x55f4bd16bb5c in main eigrpd/eigrp_main.c:219
    #9 0x7f00479b4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7f0048a66d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55f4bd1bd3ec in qcalloc lib/memory.c:111
    #2 0x55f4bd175a46 in eigrp_nbr_new eigrpd/eigrp_neighbor.c:63
    #3 0x55f4bd175bc4 in eigrp_nbr_add eigrpd/eigrp_neighbor.c:87
    #4 0x55f4bd175bc4 in eigrp_nbr_get eigrpd/eigrp_neighbor.c:110
    #5 0x55f4bd172b09 in eigrp_hello_receive eigrpd/eigrp_hello.c:326
    #6 0x55f4bd17b978 in eigrp_read eigrpd/eigrp_packet.c:674
    #7 0x55f4bd1ef542 in thread_call lib/thread.c:1580
    #8 0x55f4bd1b64ca in frr_run lib/libfrr.c:958
    #9 0x55f4bd16bb5c in main eigrpd/eigrp_main.c:219
    #10 0x7f00479b4b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free eigrpd/eigrp_zebra.c:381 in eigrp_zebra_route_add
Shadow bytes around the buggy address:
  0x0c167fff8350: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c167fff8360: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c167fff8370: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c167fff8380: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c167fff8390: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c167fff83a0: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c167fff83b0: fd fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c167fff83c0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c167fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
r4: Daemon eigrpd killed by AddressSanitizer
r2: eigrpd triggered an exception by AddressSanitizer
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d38 at pc 0x55b2fa48427a bp 0x7ffe87aab2b0 sp 0x7ffe87aab2a0
READ of size 4 at 0x60b000001d38 thread T0
    #0 0x55b2fa484279 in eigrp_zebra_route_add eigrpd/eigrp_zebra.c:381
    #1 0x55b2fa47a3c0 in eigrp_update_routing_table eigrpd/eigrp_topology.c:494
    #2 0x55b2fa4862cf in eigrp_fsm_event_keep_state eigrpd/eigrp_fsm.c:508
    #3 0x55b2fa487a6e in eigrp_fsm_event eigrpd/eigrp_fsm.c:425
    #4 0x55b2fa47a8d9 in eigrp_topology_neighbor_down eigrpd/eigrp_topology.c:533
    #5 0x55b2fa46ef94 in eigrp_nbr_delete eigrpd/eigrp_neighbor.c:182
    #6 0x55b2fa484de9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #7 0x55b2fa484f95 in eigrp_finish eigrpd/eigrpd.c:249
    #8 0x55b2fa48514d in eigrp_terminate eigrpd/eigrpd.c:242
    #9 0x55b2fa467be0 in sigint eigrpd/eigrp_main.c:103
    #10 0x55b2fa4d1f02 in quagga_sigevent_process lib/sigevent.c:105
    #11 0x55b2fa4e730e in thread_fetch lib/thread.c:1404
    #12 0x55b2fa4af4bd in frr_run lib/libfrr.c:957
    #13 0x55b2fa464b5c in main eigrpd/eigrp_main.c:219
    #14 0x7f6cea732b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x55b2fa467ae9 in _start (/usr/lib/frr/eigrpd+0x71ae9)

0x60b000001d38 is located 24 bytes inside of 104-byte region [0x60b000001d20,0x60b000001d88)
freed by thread T0 here:
    #0 0x7f6ceb7e47b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x55b2fa484de9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #2 0x55b2fa484f95 in eigrp_finish eigrpd/eigrpd.c:249
    #3 0x55b2fa48514d in eigrp_terminate eigrpd/eigrpd.c:242
    #4 0x55b2fa467be0 in sigint eigrpd/eigrp_main.c:103
    #5 0x55b2fa4d1f02 in quagga_sigevent_process lib/sigevent.c:105
    #6 0x55b2fa4e730e in thread_fetch lib/thread.c:1404
    #7 0x55b2fa4af4bd in frr_run lib/libfrr.c:957
    #8 0x55b2fa464b5c in main eigrpd/eigrp_main.c:219
    #9 0x7f6cea732b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7f6ceb7e4d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x55b2fa4b63ec in qcalloc lib/memory.c:111
    #2 0x55b2fa46ea46 in eigrp_nbr_new eigrpd/eigrp_neighbor.c:63
    #3 0x55b2fa46ebc4 in eigrp_nbr_add eigrpd/eigrp_neighbor.c:87
    #4 0x55b2fa46ebc4 in eigrp_nbr_get eigrpd/eigrp_neighbor.c:110
    #5 0x55b2fa46bb09 in eigrp_hello_receive eigrpd/eigrp_hello.c:326
    #6 0x55b2fa474978 in eigrp_read eigrpd/eigrp_packet.c:674
    #7 0x55b2fa4e8542 in thread_call lib/thread.c:1580
    #8 0x55b2fa4af4ca in frr_run lib/libfrr.c:958
    #9 0x55b2fa464b5c in main eigrpd/eigrp_main.c:219
    #10 0x7f6cea732b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free eigrpd/eigrp_zebra.c:381 in eigrp_zebra_route_add
Shadow bytes around the buggy address:
  0x0c167fff8350: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c167fff8360: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c167fff8370: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c167fff8380: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c167fff8390: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c167fff83a0: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c167fff83b0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
r2: Daemon eigrpd killed by AddressSanitizer
r3: eigrpd triggered an exception by AddressSanitizer
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000001d38 at pc 0x560794ece27a bp 0x7ffcf777bb00 sp 0x7ffcf777baf0
READ of size 4 at 0x60b000001d38 thread T0
    #0 0x560794ece279 in eigrp_zebra_route_add eigrpd/eigrp_zebra.c:381
    #1 0x560794ec43c0 in eigrp_update_routing_table eigrpd/eigrp_topology.c:494
    #2 0x560794ed02cf in eigrp_fsm_event_keep_state eigrpd/eigrp_fsm.c:508
    #3 0x560794ed1a6e in eigrp_fsm_event eigrpd/eigrp_fsm.c:425
    #4 0x560794ec48d9 in eigrp_topology_neighbor_down eigrpd/eigrp_topology.c:533
    #5 0x560794eb8f94 in eigrp_nbr_delete eigrpd/eigrp_neighbor.c:182
    #6 0x560794ecede9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #7 0x560794ecef95 in eigrp_finish eigrpd/eigrpd.c:249
    #8 0x560794ecf14d in eigrp_terminate eigrpd/eigrpd.c:242
    #9 0x560794eb1be0 in sigint eigrpd/eigrp_main.c:103
    #10 0x560794f1bf02 in quagga_sigevent_process lib/sigevent.c:105
    #11 0x560794f3130e in thread_fetch lib/thread.c:1404
    #12 0x560794ef94bd in frr_run lib/libfrr.c:957
    #13 0x560794eaeb5c in main eigrpd/eigrp_main.c:219
    #14 0x7f9a8f941b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x560794eb1ae9 in _start (/usr/lib/frr/eigrpd+0x71ae9)

0x60b000001d38 is located 24 bytes inside of 104-byte region [0x60b000001d20,0x60b000001d88)
freed by thread T0 here:
    #0 0x7f9a909f37b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x560794ecede9 in eigrp_finish_final eigrpd/eigrpd.c:273
    #2 0x560794ecef95 in eigrp_finish eigrpd/eigrpd.c:249
    #3 0x560794ecf14d in eigrp_terminate eigrpd/eigrpd.c:242
    #4 0x560794eb1be0 in sigint eigrpd/eigrp_main.c:103
    #5 0x560794f1bf02 in quagga_sigevent_process lib/sigevent.c:105
    #6 0x560794f3130e in thread_fetch lib/thread.c:1404
    #7 0x560794ef94bd in frr_run lib/libfrr.c:957
    #8 0x560794eaeb5c in main eigrpd/eigrp_main.c:219
    #9 0x7f9a8f941b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7f9a909f3d38 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded38)
    #1 0x560794f003ec in qcalloc lib/memory.c:111
    #2 0x560794eb8a46 in eigrp_nbr_new eigrpd/eigrp_neighbor.c:63
    #3 0x560794eb8bc4 in eigrp_nbr_add eigrpd/eigrp_neighbor.c:87
    #4 0x560794eb8bc4 in eigrp_nbr_get eigrpd/eigrp_neighbor.c:110
    #5 0x560794eb5b09 in eigrp_hello_receive eigrpd/eigrp_hello.c:326
    #6 0x560794ebe978 in eigrp_read eigrpd/eigrp_packet.c:674
    #7 0x560794f32542 in thread_call lib/thread.c:1580
    #8 0x560794ef94ca in frr_run lib/libfrr.c:958
    #9 0x560794eaeb5c in main eigrpd/eigrp_main.c:219
    #10 0x7f9a8f941b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free eigrpd/eigrp_zebra.c:381 in eigrp_zebra_route_add
r3: Daemon eigrpd killed by AddressSanitizer
2018-09-21 07:31:42,726 INFO: stopping "sw1"
2018-09-21 07:31:42,726 INFO: stopping "sw3"
2018-09-21 07:31:42,726 INFO: stopping "sw2"
2018-09-21 07:31:42,726 INFO: stopping "sw4"
2018-09-21 07:31:42,726 ERROR: assert failed at "test_pim/test_memory_leak": 
r4: Daemon eigrpd killed by AddressSanitizer
r2: Daemon eigrpd killed by AddressSanitizer
r3: Daemon eigrpd killed by AddressSanitizer
qlyoung added the bug label Sep 24, 2018
qlyoung added the eigrp label Jan 31, 2019
@rzalamena

topotest will complain if address sanitizer finds something, so I think it is safe to close this.
