
LeakSanitizer: detected memory leaks #255

Closed
weinrank opened this issue Aug 29, 2018 · 5 comments

Comments

@weinrank
Contributor

General information

System: Ubuntu 18.04
Fuzzer: fuzzer_unconnected

Linux wks1 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Output

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fd4d8 in m_gethdr /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:165:9
    #2 0x8fd4d8 in m_getm2 /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:313
    #3 0x608724 in sctp_arethere_unrecognized_parameters /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x60a436 in sctp_send_initiate_ack /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x5a1d45 in sctp_handle_init /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #6 0x5a1d45 in sctp_process_control /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5033
    #7 0x583e6a in sctp_common_input_processing /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5896:10
    #8 0x573568 in usrsctp_conninput /home/weinrank/Github/usrsctp/usrsctplib/user_socket.c:3485:2
    #9 0x55501b in LLVMFuzzerTestOneInput /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:233:2
    #10 0x438c47 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x438c47)
    #11 0x4290da in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4290da)
    #12 0x4340a0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4340a0)
    #13 0x426da2 in main (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x426da2)
    #14 0x7fb790ac2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 2048 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fc726 in m_clget /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:257:15
    #2 0x8fd50e in m_getm2 /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:314:4
    #3 0x608724 in sctp_arethere_unrecognized_parameters /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x60a436 in sctp_send_initiate_ack /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x5a1d45 in sctp_handle_init /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #6 0x5a1d45 in sctp_process_control /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5033
    #7 0x583e6a in sctp_common_input_processing /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5896:10
    #8 0x573568 in usrsctp_conninput /home/weinrank/Github/usrsctp/usrsctplib/user_socket.c:3485:2
    #9 0x55501b in LLVMFuzzerTestOneInput /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:233:2
    #10 0x438c47 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x438c47)
    #11 0x4290da in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4290da)
    #12 0x4340a0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4340a0)
    #13 0x426da2 in main (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x426da2)
    #14 0x7fb790ac2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fc759 in clust_constructor_dup /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:220:11
    #2 0x8fc759 in m_clget /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:285
    #3 0x8fd50e in m_getm2 /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:314:4
    #4 0x608724 in sctp_arethere_unrecognized_parameters /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #5 0x60a436 in sctp_send_initiate_ack /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #6 0x5a1d45 in sctp_handle_init /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #7 0x5a1d45 in sctp_process_control /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5033
    #8 0x583e6a in sctp_common_input_processing /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5896:10
    #9 0x573568 in usrsctp_conninput /home/weinrank/Github/usrsctp/usrsctplib/user_socket.c:3485:2
    #10 0x55501b in LLVMFuzzerTestOneInput /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:233:2
    #11 0x438c47 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x438c47)
    #12 0x4290da in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4290da)
    #13 0x4340a0 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4340a0)
    #14 0x426da2 in main (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x426da2)
    #15 0x7fb790ac2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 2308 byte(s) leaked in 3 allocation(s).

INFO: a leak has been found in the initial corpus.

INFO: to ignore leaks on libFuzzer side use -detect_leaks=0.

File causing the leak (have many more)

leak-041ce8668c15f8d61e27794d0f33c9ed1dece303.zip

@weinrank
Contributor Author

Verified using valgrind without any sanitizers/fuzzers:

➜  programs git:(fuzzer-integration-upcall) ✗ valgrind --leak-check=full ./fuzzer_unconnected leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
==11587== Memcheck, a memory error detector
==11587== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==11587== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==11587== Command: ./fuzzer_unconnected leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
==11587== 
vrf_id 0x0: adding address: AF_CONN address: 0x1
SCTP: add HMAC id 1 to list
SCTP: added chunk 193 (0xc1) to Auth list
SCTP: added chunk 128 (0x80) to Auth list
Bind called port: 5001
Addr: AF_CONN address: 0x1
Main hash to bind at head:0x56f4c08, bound port:5001 - in tcp_pool=0
Ok laddr->ifa:0x56fad80 is possible, stcb:(nil) inp:0x56fb0c0
stcb is (nil)
Ok, Common input processing called, m:0x5726340 iphlen:0 offset:12 length:4086 stcb:(nil)
sctp_process_control: iphlen=0, offset=12, length=4086 stcb:(nil)
Its an INIT of len:4074 vtag:0
sctp_process_control: processing a chunk type=1, len=4074
SCTP_INIT
sctp_handle_init: handling INIT tcb:(nil)
sctp_handle_init: sending INIT-ACK
Check for unrecognized param's
Hit default param d2ee
report op err
move on
Hit default param 2700
stop proc
==11587== 
==11587== HEAP SUMMARY:
==11587==     in use at exit: 2,308 bytes in 3 blocks
==11587==   total heap usage: 290 allocs, 287 frees, 342,781 bytes allocated
==11587== 
==11587== 2,308 (256 direct, 2,052 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
==11587==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11587==    by 0x4EA3281: m_gethdr (user_mbuf.c:165)
==11587==    by 0x4EA3281: m_getm2 (user_mbuf.c:313)
==11587==    by 0x4E6D6D6: sctp_arethere_unrecognized_parameters (sctp_output.c:5564)
==11587==    by 0x4E6DDE8: sctp_send_initiate_ack (sctp_output.c:5980)
==11587==    by 0x4E664E2: sctp_handle_init (sctp_input.c:224)
==11587==    by 0x4E664E2: sctp_process_control (sctp_input.c:5033)
==11587==    by 0x4E5FDE6: sctp_common_input_processing (sctp_input.c:5896)
==11587==    by 0x4EAAF78: usrsctp_conninput (user_socket.c:3485)
==11587==    by 0x4012E8: main (fuzzer_unconnected.c:236)
==11587== 
==11587== LEAK SUMMARY:
==11587==    definitely lost: 256 bytes in 1 blocks
==11587==    indirectly lost: 2,052 bytes in 2 blocks
==11587==      possibly lost: 0 bytes in 0 blocks
==11587==    still reachable: 0 bytes in 0 blocks
==11587==         suppressed: 0 bytes in 0 blocks
==11587== 
==11587== For counts of detected and suppressed errors, rerun with: -v
==11587== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

@tuexen
Member

tuexen commented Jun 28, 2019

@weinrank Can you retest this with the current version?

@tuexen
Member

tuexen commented Jul 27, 2019

@weinrank Ping.

@weinrank
Contributor Author

Part of the problem still exists.

➜  programs git:(fuzzer-integration-upcall) ./fuzzer_unconnected leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
testing file: leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
[0.000] vrf_id 0x0: adding address: [0.000] AF_CONN address: 0x1
[0.000] SCTP: add HMAC id 1 to list
[0.000] SCTP: added chunk 193 (0xc1) to Auth list
[0.000] SCTP: added chunk 128 (0x80) to Auth list
[0.000] Bind called port: 5001
[0.000] Addr: [0.000] AF_CONN address: 0x1
[0.000] Main hash to bind at head:0x625000000998, bound port:5001 - in tcp_pool=0
[0.000] Ok laddr->ifa:0x60b000000930 is possible, [0.000] stcb:(nil) inp:0x619000000580
[0.000] stcb is (nil)
[0.000] Ok, Common input processing called, m:0x611000001d00 iphlen:0 offset:12 length:4086 stcb:(nil)
[0.000] sctp_process_control: iphlen=0, offset=12, length=4086 stcb:(nil)
[0.000] Its an INIT of len:4074 vtag:0
[0.000] sctp_process_control: processing a chunk type=1, len=4074
[0.000] SCTP_INIT
[0.000] sctp_handle_init: handling INIT tcb:(nil)
[0.000] sctp_handle_init: sending INIT-ACK
[0.000] Check for unrecognized param's
[0.000] Hit default param d2ee
[0.000] report op err
[0.000] move on
[0.000] Hit default param 2700
[0.000] stop proc

=================================================================
==14485==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x4c6de3 in malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4c6de3)
    #1 0x7fc26aa764c3 in m_get /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:125:9
    #2 0x7fc26aa764c3 in m_copyback /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:1328
    #3 0x7fc26a7a7900 in sctp_arethere_unrecognized_parameters /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5604:6
    #4 0x7fc26a7a9b2b in sctp_send_initiate_ack /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_output.c:5991:11
    #5 0x7fc26a74377f in sctp_handle_init /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:225:3
    #6 0x7fc26a74377f in sctp_process_control /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5034
    #7 0x7fc26a7299db in sctp_common_input_processing /home/weinrank/Github/usrsctp/usrsctplib/netinet/sctp_input.c:5904:10
    #8 0x7fc26aaa0a6f in usrsctp_conninput /home/weinrank/Github/usrsctp/usrsctplib/user_socket.c:3491:2
    #9 0x4f6893 in LLVMFuzzerTestOneInput /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:149:2
    #10 0x4f6893 in test_input_file /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:181
    #11 0x4f6b5f in main /home/weinrank/Github/usrsctp/programs/fuzzer_unconnected.c:234:3
    #12 0x7fc269f4ab6a in __libc_start_main /build/glibc-KRRWSm/glibc-2.29/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: 256 byte(s) leaked in 1 allocation(s).
➜  programs git:(fuzzer-integration-upcall) valgrind --leak-check=full ./fuzzer_unconnected leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
==15205== Memcheck, a memory error detector
==15205== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15205== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==15205== Command: ./fuzzer_unconnected leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
==15205==
testing file: leak-041ce8668c15f8d61e27794d0f33c9ed1dece303
[0.000] vrf_id 0x0: adding address: [0.004] AF_CONN address: 0x1
[0.031] SCTP: add HMAC id 1 to list
[0.032] SCTP: added chunk 193 (0xc1) to Auth list
[0.033] SCTP: added chunk 128 (0x80) to Auth list
[0.039] Bind called port: 5001
[0.039] Addr: [0.039] AF_CONN address: 0x1
[0.042] Main hash to bind at head:0x4b2d048, bound port:5001 - in tcp_pool=0
[0.055] Ok laddr->ifa:0x4b48e30 is possible, [0.056] stcb:(nil) inp:0x4b49170
[0.058] stcb is (nil)
[0.059] Ok, Common input processing called, m:0x4b608b0 iphlen:0 offset:12 length:4086 stcb:(nil)
[0.060] sctp_process_control: iphlen=0, offset=12, length=4086 stcb:(nil)
[0.060] Its an INIT of len:4074 vtag:0
[0.061] sctp_process_control: processing a chunk type=1, len=4074
[0.063] SCTP_INIT
[0.063] sctp_handle_init: handling INIT tcb:(nil)
[0.065] sctp_handle_init: sending INIT-ACK
[0.066] Check for unrecognized param's
[0.067] Hit default param d2ee
[0.067] report op err
[0.071] move on
[0.072] Hit default param 2700
[0.072] stop proc
[0.118] recv_function_udp: Exiting SCTP/UDP/IP4 rcv[0.141] recv_function_udp6: Exiting SCTP/UDP/IP6 rcv==15205==
==15205== HEAP SUMMARY:
==15205==     in use at exit: 256 bytes in 1 blocks
==15205==   total heap usage: 319 allocs, 318 frees, 360,337 bytes allocated
==15205==
==15205== 256 bytes in 1 blocks are definitely lost in loss record 1 of 1
==15205==    at 0x483874F: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==15205==    by 0x48B00D2: m_get (usrsctplib/user_mbuf.c:125)
==15205==    by 0x48B00D2: m_copyback (usrsctplib/user_mbuf.c:1328)
==15205==    by 0x4878B0C: sctp_arethere_unrecognized_parameters (usrsctplib/netinet/sctp_output.c:5604)
==15205==    by 0x48790E1: sctp_send_initiate_ack (usrsctplib/netinet/sctp_output.c:5991)
==15205==    by 0x4871777: sctp_handle_init (usrsctplib/netinet/sctp_input.c:225)
==15205==    by 0x4871777: sctp_process_control (usrsctplib/netinet/sctp_input.c:5034)
==15205==    by 0x486B6A0: sctp_common_input_processing (usrsctplib/netinet/sctp_input.c:5904)
==15205==    by 0x48B6528: usrsctp_conninput (usrsctplib/user_socket.c:3491)
==15205==    by 0x40169E: LLVMFuzzerTestOneInput (programs/fuzzer_unconnected.c:149)
==15205==    by 0x40169E: test_input_file (programs/fuzzer_unconnected.c:181)
==15205==    by 0x401757: main (programs/fuzzer_unconnected.c:234)
==15205==
==15205== LEAK SUMMARY:
==15205==    definitely lost: 256 bytes in 1 blocks
==15205==    indirectly lost: 0 bytes in 0 blocks
==15205==      possibly lost: 0 bytes in 0 blocks
==15205==    still reachable: 0 bytes in 0 blocks
==15205==         suppressed: 0 bytes in 0 blocks
==15205==
==15205== For counts of detected and suppressed errors, rerun with: -v
==15205== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
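As an added triage aid (not code from this issue or from the usrsctp project): a small parser for the LeakSanitizer reports quoted above that sums the leaked bytes for comparison with the SUMMARY line and extracts the first non-allocator frame of each direct leak, so the 2018 and 2019 reports can be compared by allocation site (m_gethdr at user_mbuf.c:165 versus m_get at user_mbuf.c:125) rather than by raw text. The embedded report excerpts are constructed from the frames shown in this thread.

```python
import re

# Constructed excerpts of the two LeakSanitizer reports in this issue, cut to header + first frames.
LSAN_2018 = """\
Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fd4d8 in m_gethdr /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:165:9

Indirect leak of 2048 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fc726 in m_clget /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:257:15

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x51c330 in __interceptor_malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x51c330)
    #1 0x8fc759 in clust_constructor_dup /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:220:11
"""

LSAN_2019 = """\
Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x4c6de3 in malloc (/home/weinrank/Github/usrsctp/build/programs/fuzzer_unconnected+0x4c6de3)
    #1 0x7fc26aa764c3 in m_get /home/weinrank/Github/usrsctp/usrsctplib/user_mbuf.c:125:9
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")
ALLOCATORS = {"malloc", "__interceptor_malloc", "calloc", "realloc"}

def parse_lsan(report):
    """One dict per leak block: kind, bytes, objects and the allocation site,
    i.e. the first frame that is not the allocator itself, as 'func file:line'."""
    leaks = []
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            leaks.append({"kind": m.group(1), "bytes": int(m.group(2)),
                          "objects": int(m.group(3)), "site": None})
            continue
        f = FRAME.match(line)
        if f and leaks and leaks[-1]["site"] is None and f.group(1) not in ALLOCATORS:
            base = f.group(2).rsplit("/", 1)[-1]          # drop the directory
            leaks[-1]["site"] = f.group(1) + " " + ":".join(base.split(":")[:2])
    return leaks

def total_bytes(leaks):
    """Total that must match the report's 'SUMMARY: ... byte(s) leaked' line."""
    return sum(l["bytes"] for l in leaks)

def direct_sites(leaks):
    """Allocation sites of the direct leaks: the roots worth fixing first."""
    return sorted(l["site"] for l in leaks if l["kind"] == "Direct")
```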

@tuexen
Member

tuexen commented Jul 29, 2019

Is it reproducible with the input file you provided a link to?
