
regression in f26304db93b0a4846808aad324cd4ce9aaa700c1: heap-use-after-free in submodule handling #2383


Open
jktjkt opened this issue Apr 8, 2025 · 1 comment
Labels
is:bug Bug description. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...)

Comments

jktjkt (Contributor) commented Apr 8, 2025

The test suite of libyang-cpp started failing with commit f26304d; it's triggered by this module with submodules. For a reproducer, just clone that repo and run yanglint:

$ yanglint -f tree ~/work/cesnet/gerrit/CzechLight/libyang-cpp/tests/yang/root-mod.yang 
libyang err : Duplicate identifier "/root-mod:r-s" of data definition/RPC/action/notification statement. (/root-mod:r-s)
=================================================================
==1461424==ERROR: AddressSanitizer: heap-use-after-free on address 0x510000004750 at pc 0x7fe5ad6bfb9a bp 0x7ffe85fd27b0 sp 0x7ffe85fd27a8
READ of size 8 at 0x510000004750 thread T0
    #0 0x7fe5ad6bfb99 in lysp_module_free github/CESNET/libyang/src/tree_schema_free.c:622:5
    #1 0x7fe5ad6d83ac in lysp_include_free_ github/CESNET/libyang/src/tree_schema_free.c:120:9
    #2 0x7fe5ad6bdd1d in lysp_module_free github/CESNET/libyang/src/tree_schema_free.c:623:5
    #3 0x7fe5ad6d0b30 in lys_module_free github/CESNET/libyang/src/tree_schema_free.c:1316:5
    #4 0x7fe5ad6981f5 in lys_unres_glob_revert github/CESNET/libyang/src/tree_schema.c:1139:9
    #5 0x7fe5ad6ae13a in lys_parse github/CESNET/libyang/src/tree_schema.c:2183:9
    #6 0x560ebb54fddd in cmd_add_exec github/CESNET/libyang/tools/lint/cmd_add.c:192:11
    #7 0x560ebb54e79c in fill_context_inputs github/CESNET/libyang/tools/lint/main_ni.c:376:17
    #8 0x560ebb54da8e in fill_context github/CESNET/libyang/tools/lint/main_ni.c:702:9
    #9 0x560ebb54da8e in main_ni github/CESNET/libyang/tools/lint/main_ni.c:736:9
    #10 0x560ebb566ec2 in main github/CESNET/libyang/tools/lint/main.c:51:16
    #11 0x7fe5ace3227d in __libc_start_call_main (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a27d) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)
    #12 0x7fe5ace32338 in __libc_start_main@GLIBC_2.2.5 (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a338) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)
    #13 0x560ebb410754 in _start (/home/jkt/work/prog/_build/czechlight-clang19-asan-ubsan/target/bin/yanglint+0x4e754)

0x510000004750 is located 16 bytes inside of 184-byte region [0x510000004740,0x5100000047f8)
freed by thread T0 here:
    #0 0x560ebb500ba8 in free.part.0 asan_malloc_linux.cpp.o
    #1 0x7fe5ad6d83ac in lysp_include_free_ github/CESNET/libyang/src/tree_schema_free.c:120:9
    #2 0x7fe5ad6bdd1d in lysp_module_free github/CESNET/libyang/src/tree_schema_free.c:623:5
    #3 0x7fe5ad6d0b30 in lys_module_free github/CESNET/libyang/src/tree_schema_free.c:1316:5
    #4 0x7fe5ad6981f5 in lys_unres_glob_revert github/CESNET/libyang/src/tree_schema.c:1139:9
    #5 0x7fe5ad6ae13a in lys_parse github/CESNET/libyang/src/tree_schema.c:2183:9
    #6 0x560ebb54fddd in cmd_add_exec github/CESNET/libyang/tools/lint/cmd_add.c:192:11
    #7 0x560ebb54e79c in fill_context_inputs github/CESNET/libyang/tools/lint/main_ni.c:376:17
    #8 0x560ebb54da8e in fill_context github/CESNET/libyang/tools/lint/main_ni.c:702:9
    #9 0x560ebb54da8e in main_ni github/CESNET/libyang/tools/lint/main_ni.c:736:9
    #10 0x560ebb566ec2 in main github/CESNET/libyang/tools/lint/main.c:51:16
    #11 0x7fe5ace3227d in __libc_start_call_main (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a27d) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)

previously allocated by thread T0 here:
    #0 0x560ebb5024bf in calloc (/home/jkt/work/prog/_build/czechlight-clang19-asan-ubsan/target/bin/yanglint+0x1404bf)
    #1 0x7fe5ad7dc452 in yang_parse_submodule github/CESNET/libyang/src/parser_yang.c:4768:13
    #2 0x7fe5ad6995f5 in lys_parse_submodule github/CESNET/libyang/src/tree_schema.c:1556:14
    #3 0x7fe5ad6eee9c in lys_parse_localfile github/CESNET/libyang/src/tree_schema_common.c:739:15
    #4 0x7fe5ad6e804b in lysp_load_submodules github/CESNET/libyang/src/tree_schema_common.c:1181:17
    #5 0x7fe5ad69c02e in lysp_resolve_import_include github/CESNET/libyang/src/tree_schema.c:1243:5
    #6 0x7fe5ad69e0ce in lys_parse_in github/CESNET/libyang/src/tree_schema.c:2075:5
    #7 0x7fe5ad6ade4f in lys_parse github/CESNET/libyang/src/tree_schema.c:2163:11
    #8 0x560ebb54fddd in cmd_add_exec github/CESNET/libyang/tools/lint/cmd_add.c:192:11
    #9 0x560ebb54e79c in fill_context_inputs github/CESNET/libyang/tools/lint/main_ni.c:376:17
    #10 0x560ebb54da8e in fill_context github/CESNET/libyang/tools/lint/main_ni.c:702:9
    #11 0x560ebb54da8e in main_ni github/CESNET/libyang/tools/lint/main_ni.c:736:9
    #12 0x560ebb566ec2 in main github/CESNET/libyang/tools/lint/main.c:51:16
    #13 0x7fe5ace3227d in __libc_start_call_main (/nix/store/maxa3xhmxggrc5v2vc0c3pjb79hjlkp9-glibc-2.40-66/lib/libc.so.6+0x2a27d) (BuildId: ff927b1b82bf859074854af941360cb428b4c739)

SUMMARY: AddressSanitizer: heap-use-after-free github/CESNET/libyang/src/tree_schema_free.c:622:5 in lysp_module_free
Shadow bytes around the buggy address:
  0x510000004480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x510000004500: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x510000004580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x510000004600: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x510000004680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x510000004700: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x510000004780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x510000004800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000004880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000004900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x510000004980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1461424==ABORTING
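Reading the report above: the object was allocated once (yang_parse_submodule), freed once through lysp_module_free:623 -> lysp_include_free_:120, and then read at lysp_module_free:622 after being entered a second time through the same include path. That is the signature of one submodule object reachable from more than one include entry, with a free loop that assumes each entry owns its target exclusively. The following C model is an added illustration of that ownership pattern and of a reference-counted free that survives it; it is not libyang's code, not the actual fix, and all names (`struct submod`, `struct include`, `struct module`, `module_free`, `count_aliased_includes`, `demo_shared_submodule`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a parsed submodule, an include entry and a
 * module; they mirror the shape of the ASan trace, not libyang's structs. */
struct submod {
    const char *name;
    unsigned refs;          /* number of include entries pointing here */
};

struct include {
    struct submod *submod;  /* may alias another include's submod */
};

struct module {
    struct include *includes;
    size_t n_includes;
};

static struct submod *submod_new(const char *name)
{
    struct submod *s = calloc(1, sizeof *s);
    if (s) {
        s->name = name;
    }
    return s;
}

/* Attach a submodule to a new include entry and take a reference on it. */
static int module_add_include(struct module *m, struct submod *s)
{
    struct include *tmp;

    if (!s) {
        return -1;
    }
    tmp = realloc(m->includes, (m->n_includes + 1) * sizeof *tmp);
    if (!tmp) {
        return -1;
    }
    m->includes = tmp;
    m->includes[m->n_includes++].submod = s;
    s->refs++;
    return 0;
}

/* Drop one reference; free only when the last one goes.
 * Returns 1 if the object was actually freed, 0 otherwise. */
static int submod_unref(struct submod *s)
{
    if (!s) {
        return 0;
    }
    if (--s->refs > 0) {
        return 0;
    }
    free(s);
    return 1;
}

/* A naive loop doing free(m->includes[i].submod) here would free the shared
 * object on its first entry and touch freed memory on the second, which is
 * what the AddressSanitizer report above shows. Returns objects freed. */
static size_t module_free(struct module *m)
{
    size_t freed = 0;

    for (size_t i = 0; i < m->n_includes; i++) {
        freed += submod_unref(m->includes[i].submod);
        m->includes[i].submod = NULL;
    }
    free(m->includes);
    m->includes = NULL;
    m->n_includes = 0;
    return freed;
}

/* Count include entries whose submodule pointer already appeared earlier:
 * a cheap assertion to run before any unconditional free loop. */
static size_t count_aliased_includes(const struct module *m)
{
    size_t aliased = 0;

    for (size_t i = 0; i < m->n_includes; i++) {
        for (size_t j = 0; j < i; j++) {
            if (m->includes[i].submod == m->includes[j].submod) {
                aliased++;
                break;
            }
        }
    }
    return aliased;
}

/* Constructed scenario: two include entries reach the same submodule object.
 * Writes the alias count to *aliased_out, returns the number of objects freed. */
static size_t demo_shared_submodule(size_t *aliased_out)
{
    struct module m = {0};
    struct submod *shared = submod_new("shared-sub");   /* constructed sample */
    struct submod *other = submod_new("other-sub");

    module_add_include(&m, shared);
    module_add_include(&m, other);
    module_add_include(&m, shared);   /* same object reached a second time */
    if (aliased_out) {
        *aliased_out = count_aliased_includes(&m);
    }
    return module_free(&m);           /* each object freed exactly once */
}

int main(void)
{
    size_t aliased = 0;
    size_t freed = demo_shared_submodule(&aliased);

    printf("aliased include entries: %zu, submodule objects freed: %zu\n",
           aliased, freed);
    return 0;
}
```

Whichever ownership rule a parser picks (refcount as here, a single owner with the other entries holding borrowed pointers, or a deduplicated include list), the invariant to check under ASan is that a shared object is freed once and never read afterwards; building the test binary with `-fsanitize=address` and feeding it a module whose submodules are reachable twice, as the reporter did with yanglint, is the quickest way to prove it.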
michalvasko added a commit that referenced this issue Apr 9, 2025
michalvasko (Member) commented:

Right, thanks, fixed.

@michalvasko michalvasko added is:bug Bug description. status:completed From the developer perspective, the issue was solved (bug fixed, question answered,...) labels Apr 9, 2025