Memory leak detected during fuzzing #354

Closed
markwo opened this issue Aug 21, 2019 · 3 comments

@markwo

markwo commented Aug 21, 2019

This may be related to #255 but still repros with the current code in master. LeakSanitizer detects a leak with the attached repro file (including a PCAP of the fuzzed messages as well). This may not be useful to you until the fuzzer code is available for you to repro locally?

=================================================================
==105704==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e94470 in m_gethdr third_party/usrsctp/usrsctplib/user_mbuf.c:165:9
    #2 0x55e618e94cbf in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:313:9
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #6 0x55e618ea4d3e in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5039:4
    #7 0x55e618ec5cbe in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5886:10
    #8 0x55e618e60d17 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3478:2
    #9 0x55e618e4da5a in usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:152:46
    #10 0x55e618e4d921 in decltype(std::__u::forward<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #11 0x55e618e42590 in usrsctp_fuzzer::MessageSocket::ReceiveData(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:103:5
    #12 0x55e618e4fe91 in usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:410:19
    #13 0x55e618e4fcc1 in decltype(std::__u::forward<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #14 0x55e618e429b5 in usrsctp_fuzzer::MessageSocket::ProcessNextWriteInQueue() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:119:3
    #15 0x55e618e44dbc in usrsctp_fuzzer::SctpFuzzer::PumpMessages() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:719:22
    #16 0x55e618e468c4 in LLVMFuzzerTestOneInput third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:757:8
    #17 0x55e619012326 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    #18 0x55e618ffc439 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #19 0x55e61900167e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
    #20 0x55e61901ae82 in main third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #21 0x7ff1f3cccbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #22 0x55e618d90768 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

Indirect leak of 2048 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e948fa in m_clget third_party/usrsctp/usrsctplib/user_mbuf.c:257:15
    #2 0x55e618e94cca in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:314:4
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #6 0x55e618ea4d3e in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5039:4
    #7 0x55e618ec5cbe in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5886:10
    #8 0x55e618e60d17 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3478:2
    #9 0x55e618e4da5a in usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:152:46
    #10 0x55e618e4d921 in decltype(std::__u::forward<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #11 0x55e618e42590 in usrsctp_fuzzer::MessageSocket::ReceiveData(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:103:5
    #12 0x55e618e4fe91 in usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:410:19
    #13 0x55e618e4fcc1 in decltype(std::__u::forward<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #14 0x55e618e429b5 in usrsctp_fuzzer::MessageSocket::ProcessNextWriteInQueue() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:119:3
    #15 0x55e618e44dbc in usrsctp_fuzzer::SctpFuzzer::PumpMessages() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:719:22
    #16 0x55e618e468c4 in LLVMFuzzerTestOneInput third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:757:8
    #17 0x55e619012326 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    #18 0x55e618ffc439 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #19 0x55e61900167e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
    #20 0x55e61901ae82 in main third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #21 0x7ff1f3cccbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #22 0x55e618d90768 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e9497a in clust_constructor_dup third_party/usrsctp/usrsctplib/user_mbuf.c:220:11
    #2 0x55e618e94cca in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:314:4
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3
    #6 0x55e618ea4d3e in sctp_process_control third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5039:4
    #7 0x55e618ec5cbe in sctp_common_input_processing third_party/usrsctp/usrsctplib/netinet/sctp_input.c:5886:10
    #8 0x55e618e60d17 in usrsctp_conninput third_party/usrsctp/usrsctplib/user_socket.c:3478:2
    #9 0x55e618e4da5a in usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:152:46
    #10 0x55e618e4d921 in decltype(std::__u::forward<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpSocket::SctpSocket()::$_0&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #11 0x55e618e42590 in usrsctp_fuzzer::MessageSocket::ReceiveData(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:103:5
    #12 0x55e618e4fe91 in usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2::operator()(std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >) const third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:410:19
    #13 0x55e618e4fcc1 in decltype(std::__u::forward<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&>(fp)(std::__u::forward<std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(fp0))) std::__u::__invoke<usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> > >(usrsctp_fuzzer::SctpFuzzer::SetUp()::$_2&, std::__u::unique_ptr<RawBuffer, std::__u::default_delete<RawBuffer> >&&) third_party/crosstool/v18/stable/toolchain/bin/../include/c++/v1/type_traits:3530:1
    #14 0x55e618e429b5 in usrsctp_fuzzer::MessageSocket::ProcessNextWriteInQueue() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:119:3
    #15 0x55e618e44dbc in usrsctp_fuzzer::SctpFuzzer::PumpMessages() third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:719:22
    #16 0x55e618e468c4 in LLVMFuzzerTestOneInput third_party/usrsctp/fuzzer/usrsctp_fuzzer.cc:757:8
    #17 0x55e619012326 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:554:15
    #18 0x55e618ffc439 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:292:6
    #19 0x55e61900167e in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:775:9
    #20 0x55e61901ae82 in main third_party/llvm/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #21 0x7ff1f3cccbbc in __libc_start_main (/usr/grte/v4/lib64/libc.so.6+0x38bbc)
    #22 0x55e618d90768 in _start /usr/grte/v4/debug-src/src/csu/../sysdeps/x86_64/start.S:108

SUMMARY: AddressSanitizer: 2308 byte(s) leaked in 3 allocation(s).
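
The three records above share every frame from #3 outward: one `m_getm2()` call in `sctp_arethere_unrecognized_parameters()` produced the mbuf header (the direct leak), its 2048-byte cluster, and the 4-byte object `clust_constructor_dup()` allocates for it (the indirect leaks). Read as one leaked mbuf chain, not three bugs, which is what LSan's direct/indirect split is telling you. The helper below makes that grouping mechanical. It is an added example, not code from this issue or from the usrsctp project: it parses LSan records, keys each one on the first frame that is neither the allocator nor an mbuf helper (the `NOISE` set is a choice made here for usrsctp), and cross-checks the parsed totals against LSan's own `SUMMARY` line. The embedded report is the one posted above, cut to the first six frames of each stack.

```python
"""Group a LeakSanitizer report by the code that owns each allocation.

Added example, not usrsctp or fuzzer code. NOISE is an assumption made here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Sample input: the report from the issue, truncated to frames #0-#5.
SAMPLE_REPORT = """\
==105704==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e94470 in m_gethdr third_party/usrsctp/usrsctplib/user_mbuf.c:165:9
    #2 0x55e618e94cbf in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:313:9
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3

Indirect leak of 2048 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e948fa in m_clget third_party/usrsctp/usrsctplib/user_mbuf.c:257:15
    #2 0x55e618e94cca in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:314:4
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3

Indirect leak of 4 byte(s) in 1 object(s) allocated from:
    #0 0x55e618e2823d in malloc third_party/llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55e618e9497a in clust_constructor_dup third_party/usrsctp/usrsctplib/user_mbuf.c:220:11
    #2 0x55e618e94cca in m_getm2 third_party/usrsctp/usrsctplib/user_mbuf.c:314:4
    #3 0x55e618f0aae7 in sctp_arethere_unrecognized_parameters third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5564:15
    #4 0x55e618f0b94c in sctp_send_initiate_ack third_party/usrsctp/usrsctplib/netinet/sctp_output.c:5980:11
    #5 0x55e618ea700c in sctp_handle_init third_party/usrsctp/usrsctplib/netinet/sctp_input.c:224:3

SUMMARY: AddressSanitizer: 2308 byte(s) leaked in 3 allocation(s).
"""

HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:")
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")   # function may contain spaces
SUMMARY = re.compile(r"^SUMMARY: \w+Sanitizer: (\d+) byte\(s\) leaked in (\d+) allocation\(s\)\.")

# Frames that only say "memory was obtained", not who owns it: the allocator
# and usrsctp's mbuf helpers. Chosen here; extend for other code bases.
NOISE = {"malloc", "calloc", "realloc", "m_get", "m_gethdr", "m_clget", "m_getm2", "clust_constructor_dup"}


@dataclass
class Leak:
    kind: str                                   # "Direct" or "Indirect"
    nbytes: int
    nobjects: int
    frames: list = field(default_factory=list)  # (function, file:line:col), #0 outward


def parse_lsan(text):
    """Turn every leak record in an LSan report into a Leak."""
    leaks, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Leak(m.group(1), int(m.group(2)), int(m.group(3)))
            leaks.append(cur)
            continue
        m = FRAME.match(line)
        if m and cur is not None:
            cur.frames.append((m.group(2), m.group(3)))
    return leaks


def leak_site(leak, noise=NOISE):
    """First frame outside the noise set: the code that owns the allocation."""
    for fn, loc in leak.frames:
        if fn not in noise:
            return f"{fn} ({loc})"
    return "<no frame outside noise>"


def group_by_site(leaks):
    """Merge records by owning site, keeping direct and indirect bytes apart."""
    groups = defaultdict(lambda: {"direct": 0, "indirect": 0, "objects": 0, "allocators": []})
    for leak in leaks:
        g = groups[leak_site(leak)]
        g[leak.kind.lower()] += leak.nbytes
        g["objects"] += leak.nobjects
        g["allocators"].append(leak.frames[1][0] if len(leak.frames) > 1 else "?")
    return dict(groups)


def check_summary(text, leaks):
    """Cross-check parsed totals against LSan's SUMMARY line (catches truncated reports)."""
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            return (int(m.group(1)) == sum(l.nbytes for l in leaks)
                    and int(m.group(2)) == sum(l.nobjects for l in leaks))
    return False


if __name__ == "__main__":
    leaks = parse_lsan(SAMPLE_REPORT)
    for site, g in group_by_site(leaks).items():
        print(f"{site}\n  direct {g['direct']} B, indirect {g['indirect']} B, "
              f"{g['objects']} objects via {g['allocators']}")
    print("summary consistent:", check_summary(SAMPLE_REPORT, leaks))
```

Run it on a full fuzzer log to get one line per owning site instead of one record per allocation; if `check_summary` returns False the report was cut off and the grouping is incomplete.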
@markwo (Author)

markwo commented Aug 21, 2019

Actually, I missed this recent commit: c82439d
Will check if the issue still reproduces with the current code.

@tuexen (Member)

tuexen commented Aug 22, 2019

@markwo Please retest and report whether the problem still exists or not.

@markwo (Author)

markwo commented Aug 22, 2019

Does not repro when testing against the latest code, closing.

@markwo markwo closed this as completed Aug 22, 2019