Fix concurrent addition of peers when recovering endpoints #70

Merged
merged 2 commits into from
Apr 15, 2025

Conversation

amboar
Contributor

@amboar amboar commented Apr 15, 2025

No description provided.

amboar added 2 commits April 15, 2025 14:05
From at least systemd 252, sd_event_source_get_enabled() is documented
as allowing NULL for the event parameter. We weren't using the output,
so drop the variable.

Signed-off-by: Andrew Jeffery <[email protected]>

Mitigate the issue reported via [1] and highlighted by ASAN:

    ==179005==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f000000c38 at pc 0x55dfaa7fa308 bp 0x7ffe10264420 sp 0x7ffe10264418
    READ of size 8 at 0x61f000000c38 thread T0
        0 0x55dfaa7fa307 in peer_endpoint_recover ../src/mctpd.c:2570
        1 0x7f9a43dadae3  (/lib/x86_64-linux-gnu/libsystemd.so.0+0x78ae3)
        2 0x7f9a43dade04 in sd_event_dispatch (/lib/x86_64-linux-gnu/libsystemd.so.0+0x78e04)
        3 0x7f9a43daf2e7 in sd_event_run (/lib/x86_64-linux-gnu/libsystemd.so.0+0x7a2e7)
        4 0x7f9a43daf506 in sd_event_loop (/lib/x86_64-linux-gnu/libsystemd.so.0+0x7a506)
        5 0x55dfaa80a609 in main ../src/mctpd.c:4547
        6 0x7f9a42c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        7 0x7f9a42c46304 in __libc_start_main_impl ../csu/libc-start.c:360
        8 0x55dfaa7e38d0 in _start (mctp/build/test-mctpd+0x688d0)

    0x61f000000c38 is located 3000 bytes inside of 3040-byte region [0x61f000000080,0x61f000000c60)
    freed by thread T0 here:
        0 0x7f9a436b78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
        1 0x55dfaa7ef028 in add_peer ../src/mctpd.c:1419
        2 0x55dfaa7f1587 in endpoint_assign_eid ../src/mctpd.c:1601
        3 0x55dfaa7f55a0 in method_setup_endpoint ../src/mctpd.c:2038
        4 0x7f9a43d650ad  (/lib/x86_64-linux-gnu/libsystemd.so.0+0x300ad)

    previously allocated by thread T0 here:
        0 0x7f9a436b78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
        1 0x55dfaa7ef028 in add_peer ../src/mctpd.c:1419
        2 0x55dfaa805741 in add_local_eid ../src/mctpd.c:4052
        3 0x55dfaa80627f in add_interface_local ../src/mctpd.c:4114
        4 0x55dfaa806ffa in setup_nets ../src/mctpd.c:4200
        5 0x55dfaa80a380 in main ../src/mctpd.c:4525
        6 0x7f9a42c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

    SUMMARY: AddressSanitizer: heap-use-after-free ../src/mctpd.c:2570 in peer_endpoint_recover
    Shadow bytes around the buggy address:
      0x0c3e7fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3e7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3e7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3e7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3e7fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c3e7fff8180: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
      0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==179005==ABORTING

Link: CodeConstruct#69 [1]
Fixes: 7ec2f8d ("mctpd: Add support for endpoint recovery")
Signed-off-by: Andrew Jeffery <[email protected]>
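The ASAN report above is the classic shape of a realloc()-relocated-table bug: a deferred handler captured a `struct peer *` into an array, a later `add_peer()` grew the array with `realloc()`, and the old address became a freed region by the time the event loop dispatched the handler. The following is an added, constructed C example (not mctpd's own code; `struct peer`, `struct net`, `add_peer`, `find_peer`, `recover_dispatch` and the EID values are all assumptions made for illustration) showing the defensive pattern of storing a stable identity (the EID) in the callback context and re-resolving the peer at dispatch time, including the edge case where the peer was removed before the callback ran:

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a peer table that grows with realloc(); an added
 * illustration, not mctpd's data structures. */
struct peer {
	uint8_t eid;
	int recovering;
};

struct net {
	struct peer *peers;
	size_t n_peers;
};

/* Append a peer. realloc() may move the whole array, so any struct peer *
 * saved before this call can now point into freed memory. */
static struct peer *add_peer(struct net *net, uint8_t eid)
{
	struct peer *grown = realloc(net->peers, (net->n_peers + 1) * sizeof(*grown));
	if (!grown)
		return NULL;
	net->peers = grown;
	struct peer *p = &net->peers[net->n_peers++];
	memset(p, 0, sizeof(*p));
	p->eid = eid;
	return p;
}

static struct peer *find_peer(struct net *net, uint8_t eid)
{
	for (size_t i = 0; i < net->n_peers; i++)
		if (net->peers[i].eid == eid)
			return &net->peers[i];
	return NULL;
}

/* Remove a peer by EID, compacting the array (indices shift, so an index
 * would be no safer to cache than a pointer). */
static int remove_peer(struct net *net, uint8_t eid)
{
	for (size_t i = 0; i < net->n_peers; i++) {
		if (net->peers[i].eid != eid)
			continue;
		memmove(&net->peers[i], &net->peers[i + 1],
			(net->n_peers - i - 1) * sizeof(*net->peers));
		net->n_peers--;
		return 0;
	}
	return -ENOENT;
}

/* Deferred-callback context: hold the stable identity (EID), not the address. */
struct recover_ctx {
	struct net *net;
	uint8_t eid;
};

/* Callback body: re-resolve the peer when the event actually fires.
 * Returns 0 on success, -ENOENT if the peer vanished while pending. */
static int recover_dispatch(struct recover_ctx *ctx)
{
	struct peer *p = find_peer(ctx->net, ctx->eid);
	if (!p)
		return -ENOENT;
	p->recovering = 1;
	return 0;
}

/* Arm recovery for EID 8, grow the table until it is very likely relocated,
 * then dispatch. Returns 1 if the callback reached the right peer;
 * *moved_out reports whether the table's address actually changed. */
static int scenario_relocation(int *moved_out)
{
	struct net net = { 0 };
	if (!add_peer(&net, 8))
		return -ENOMEM;
	/* Address captured the unsafe way, converted to an integer before it
	 * can go stale so it is only ever compared, never dereferenced. */
	uintptr_t before = (uintptr_t)find_peer(&net, 8);
	struct recover_ctx ctx = { &net, 8 };

	for (uint8_t eid = 9; eid < 200; eid++) {
		if (!add_peer(&net, eid)) {
			free(net.peers);
			return -ENOMEM;
		}
	}

	int rc = recover_dispatch(&ctx);
	struct peer *p = find_peer(&net, 8);
	int ok = rc == 0 && p && p->recovering == 1;
	if (moved_out)
		*moved_out = before != (uintptr_t)p;
	free(net.peers);
	return ok; /* returns 1 */
}

/* Edge case: the peer is removed before the pending callback runs. */
static int scenario_removed_before_dispatch(void)
{
	struct net net = { 0 };
	if (!add_peer(&net, 8) || !add_peer(&net, 9)) {
		free(net.peers);
		return -ENOMEM;
	}
	struct recover_ctx ctx = { &net, 8 };
	remove_peer(&net, 8);
	int rc = recover_dispatch(&ctx);
	free(net.peers);
	return rc; /* returns -ENOENT */
}
```

Whether `realloc()` actually moves the block depends on the allocator, which is why the stale-pointer variant passes most of the time and only surfaces under ASAN or a different heap layout; the re-resolution pattern is correct regardless of where the table ends up.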
@jk-ozlabs jk-ozlabs linked an issue Apr 15, 2025 that may be closed by this pull request
@jk-ozlabs jk-ozlabs merged commit 498f73e into CodeConstruct:main Apr 15, 2025
1 check passed
Successfully merging this pull request may close these issues.

Recovery handler might hold stale address of relocated peers
2 participants