Skip to content

Use after free in zebra #18047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
2 tasks done
donaldsharp opened this issue Feb 6, 2025 · 0 comments
Open
2 tasks done

Use after free in zebra #18047

donaldsharp opened this issue Feb 6, 2025 · 0 comments
Labels
triage Needs further investigation

Comments

@donaldsharp
Copy link
Member

Description

static_routing_with_ibgp/test_static_routes_topo2_ibgp.py has a heap after use crash:

ERROR: AddressSanitizer: heap-use-after-free on address 0x6070001052e8 at pc 0x7f6bf7d09ddb bp 0x7ffd3366a000 sp 0x7ffd33669ff0
READ of size 8 at 0x6070001052e8 thread T0
    #0 0x7f6bf7d09dda in _rb_next lib/openbsd-tree.c:455
    #1 0x55f95a307261 in zebra_neigh_rb_head_RB_NEXT zebra/zebra_neigh.h:34
    #2 0x55f95a3082e9 in zebra_neigh_del_all zebra/zebra_neigh.c:162
    #3 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571
    #4 0x55f95a0f819d in if_down zebra/interface.c:1017
    #5 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102
    #6 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241
    #7 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015
    #8 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    #9 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    #10 0x55f95a11ca7f in main zebra/main.c:543
    #11 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f6bf7029e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x55f95a0dd0b4 in _start (/usr/lib/frr/zebra+0x1a80b4)

0x6070001052e8 is located 56 bytes inside of 80-byte region [0x6070001052b0,0x607000105300)
freed by thread T0 here:
    #0 0x7f6bf82b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7f6bf7c911fb in qfree lib/memory.c:131
    #2 0x55f95a3080bb in zebra_neigh_free zebra/zebra_neigh.c:135
    #3 0x55f95a3081d4 in zebra_neigh_del zebra/zebra_neigh.c:150
    #4 0x55f95a3082ce in zebra_neigh_del_all zebra/zebra_neigh.c:163
    #5 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571
    #6 0x55f95a0f819d in if_down zebra/interface.c:1017
    #7 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102
    #8 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241
    #9 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015
    #10 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    #11 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    #12 0x55f95a11ca7f in main zebra/main.c:543
    #13 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f6bf82b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x7f6bf7c910a9 in qcalloc lib/memory.c:106
    #2 0x55f95a307aa8 in zebra_neigh_new zebra/zebra_neigh.c:80
    #3 0x55f95a3084e4 in zebra_neigh_add zebra/zebra_neigh.c:187
    #4 0x55f95a145094 in netlink_ipneigh_change zebra/rt_netlink.c:4657
    #5 0x55f95a1466a6 in netlink_neigh_change zebra/rt_netlink.c:4876
    #6 0x55f95a10d917 in netlink_information_fetch zebra/kernel_netlink.c:411
    #7 0x55f95a111ca3 in netlink_parse_info zebra/kernel_netlink.c:1148
    #8 0x55f95a10dc5f in kernel_read zebra/kernel_netlink.c:510
    #9 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    #10 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    #11 0x55f95a11ca7f in main zebra/main.c:543
    #12 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Version

latest master

How to reproduce

run the above test with address sanitizer. Sometimes it should crash

Expected behavior

no use after free

Actual behavior

use after free

Additional context

No response

Checklist

  • I have searched the open issues for this bug.
  • I have not included sensitive information in this report.
@donaldsharp donaldsharp added the triage Needs further investigation label Feb 6, 2025
routingrocks added a commit to routingrocks/frr that referenced this issue Mar 7, 2025
@routingrocks
zebra: Fix neigh delete causing heap-use-after-free error
f804d73 
Issue:
When we call zebra_neigh_del(ifp, &n->ip), it eventully frees
neighbor n  zebra_neigh_free(n). when we call RB_FOREACH_SAFE()
it tries to use the n after its freed.

Fix: not accessing n after its freed.

This fixes:
ERROR: AddressSanitizer: heap-use-after-free on address 0x6070001052e8 at pc 0x7f6bf7d09ddb bp 0x7ffd3366a000 sp 0x7ffd33669ff0
READ of size 8 at 0x6070001052e8 thread T0
    #0 0x7f6bf7d09dda in _rb_next lib/openbsd-tree.c:455
    FRRouting#1 0x55f95a307261 in zebra_neigh_rb_head_RB_NEXT zebra/zebra_neigh.h:34
    FRRouting#2 0x55f95a3082e9 in zebra_neigh_del_all zebra/zebra_neigh.c:162
    FRRouting#3 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571
    FRRouting#4 0x55f95a0f819d in if_down zebra/interface.c:1017
    FRRouting#5 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102
    FRRouting#6 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241
    FRRouting#7 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015
    FRRouting#8 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    FRRouting#9 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    FRRouting#10 0x55f95a11ca7f in main zebra/main.c:543
    FRRouting#11 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#12 0x7f6bf7029e3f in __libc_start_main_impl ../csu/libc-start.c:392
    FRRouting#13 0x55f95a0dd0b4 in _start (/usr/lib/frr/zebra+0x1a80b4)

Ticket: FRRouting#18047
@routingrocks routingrocks mentioned this issue Mar 7, 2025
Merged
routingrocks added a commit to routingrocks/frr that referenced this issue Mar 11, 2025
@routingrocks
zebra: Fix neigh delete causing heap-use-after-free error
d8ea80d 
Issue:
Not freeing the neighbor n  within the same function can lead to
memory leak.
zebra_neigh_del_all() -> zebra_neigh_del() re lookup and free

Fix: not accessing n after its freed.
Directly free the neighbor entry (n) when its interface index matches
ifp->ifindex.

This fixes:
ERROR: AddressSanitizer: heap-use-after-free on address 0x6070001052e8 at pc 0x7f6bf7d09ddb bp 0x7ffd3366a000 sp 0x7ffd33669ff0
READ of size 8 at 0x6070001052e8 thread T0
    #0 0x7f6bf7d09dda in _rb_next lib/openbsd-tree.c:455
    FRRouting#1 0x55f95a307261 in zebra_neigh_rb_head_RB_NEXT zebra/zebra_neigh.h:34
    FRRouting#2 0x55f95a3082e9 in zebra_neigh_del_all zebra/zebra_neigh.c:162
    FRRouting#3 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571
    FRRouting#4 0x55f95a0f819d in if_down zebra/interface.c:1017
    FRRouting#5 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102
    FRRouting#6 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241
    FRRouting#7 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015
    FRRouting#8 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    FRRouting#9 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    FRRouting#10 0x55f95a11ca7f in main zebra/main.c:543
    FRRouting#11 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#12 0x7f6bf7029e3f in __libc_start_main_impl ../csu/libc-start.c:392
    FRRouting#13 0x55f95a0dd0b4 in _start (/usr/lib/frr/zebra+0x1a80b4)

Ticket: FRRouting#18047
routingrocks added a commit to routingrocks/frr that referenced this issue Mar 11, 2025
@routingrocks
zebra: Fix neigh delete causing heap-use-after-free error
3060afc 
Issue:
Not freeing the neighbor n  within the same function can lead to
memory leak.
zebra_neigh_del_all() -> zebra_neigh_del() re lookup and free

Fix: not accessing n after its freed.
Directly free the neighbor entry (n) when its interface index matches
ifp->ifindex.

This fixes:
ERROR: AddressSanitizer: heap-use-after-free on address 0x6070001052e8 at pc 0x7f6bf7d09ddb bp 0x7ffd3366a000 sp 0x7ffd33669ff0
READ of size 8 at 0x6070001052e8 thread T0
    #0 0x7f6bf7d09dda in _rb_next lib/openbsd-tree.c:455
    FRRouting#1 0x55f95a307261 in zebra_neigh_rb_head_RB_NEXT zebra/zebra_neigh.h:34
    FRRouting#2 0x55f95a3082e9 in zebra_neigh_del_all zebra/zebra_neigh.c:162
    FRRouting#3 0x55f95a121ee7 in zebra_interface_down_update zebra/redistribute.c:571
    FRRouting#4 0x55f95a0f819d in if_down zebra/interface.c:1017
    FRRouting#5 0x55f95a0fe168 in zebra_if_dplane_ifp_handling zebra/interface.c:2102
    FRRouting#6 0x55f95a0ff10c in zebra_if_dplane_result zebra/interface.c:2241
    FRRouting#7 0x55f95a27ce9c in rib_process_dplane_results zebra/zebra_rib.c:5015
    FRRouting#8 0x7f6bf7da3ad9 in event_call lib/event.c:1984
    FRRouting#9 0x7f6bf7c62141 in frr_run lib/libfrr.c:1246
    FRRouting#10 0x55f95a11ca7f in main zebra/main.c:543
    FRRouting#11 0x7f6bf7029d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    FRRouting#12 0x7f6bf7029e3f in __libc_start_main_impl ../csu/libc-start.c:392
    FRRouting#13 0x55f95a0dd0b4 in _start (/usr/lib/frr/zebra+0x1a80b4)

Ticket: FRRouting#18047

Signed-off-by: Rajesh Varatharaj <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage Needs further investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@donaldsharp