GW ASAN not clear (use after free) #7

Open
rbouqueau opened this issue Aug 2, 2024 · 2 comments
Labels
bug Something isn't working

@rbouqueau (Member):

Build gpac with ASAN: `configure --enable-sanitizer`

```
gpac -i https://cmafref.akamaized.net/cmaf/live-ull/2006350/akambr/out.mpd dashin:forward=file:algo=none:start_with=min_q -o mabr://225.0.0.1:6000:NCID=RTE -netcap=dst=long.pcap,id=RTE
```

```
gpac -i mabr://234.1.1.1:1234:gpac:NCID=RTE -netcap=src=buffer_overflow/buffer_overflow.pcap,id=RTE dashin:forward=file -o http://localhost:8080/do.mpd:rdirs=/tmp/tmp/dash
```

Result:

```
[DASH] Error in downloading new segment http://gmcast/service1/https://akamaibroadcasteruseast.akamaized.net/cmaf/live/657078/akasource/1721610001/chunk-stream_1-348014.m4s: Requested URL is not valid or cannot be found
[DVB-FLUTE S1] Object TSI 10 TOI 26 partial received only
^C
Toggle reports (r), print state (s for short, e for extended [+ shift: sticky])
        or exit with fast (Y), full (f) or no (n) session flush ? 
Romain gf_route_service_del object 0x0x521000073100
Romain gf_route_lct_obj_del 0x0x521000073100
Romain      free frags      0x0x507000068ae0
Romain      free            0x0x521000073100
Romain gf_route_service_del object 0x0x52100005b500
Romain gf_route_lct_obj_del 0x0x52100005b500
Romain      free frags      0x0x50700005fcb0
Romain      free            0x0x52100005b500
Romain gf_route_service_del object 0x0x521000071d00
Romain gf_route_lct_obj_del 0x0x521000071d00
Romain      free frags      0x0x507000068530
Romain      free            0x0x521000071d00
Romain gf_route_service_del object 0x0x52100006f500
Romain gf_route_lct_obj_del 0x0x52100006f500
Romain      free frags      0x0x507000065510
Romain      free            0x0x52100006f500
Romain gf_route_service_del object 0x0x52100006f500
Romain gf_route_lct_obj_del 0x0x52100006f500
=================================================================
==67318==ERROR: AddressSanitizer: heap-use-after-free on address 0x52100006f530 at pc 0x7f4fc2bc5570 bp 0x7ffd8dfaf480 sp 0x7ffd8dfaf478
READ of size 8 at 0x52100006f530 thread T0
    #0 0x7f4fc2bc556f in gf_route_lct_obj_del media_tools/route_dmx.c:294
    #1 0x7f4fc2bc5f26 in gf_route_service_del media_tools/route_dmx.c:313
    #2 0x7f4fc2bc6a1c in gf_route_dmx_del media_tools/route_dmx.c:342
    #3 0x7f4fc3d0fcfa in routein_finalize filters/in_route.c:52
    #4 0x7f4fc385ccfd in gf_fs_del filter_core/filter_session.c:784
    #5 0x56367f8edf73 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1677
    #6 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #7 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f4fbdc42d44 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x56367f8e4420 in _start (/home/rbouqueau/works/gpac/gpac/bin/gcc/gpac+0x60420) (BuildId: bf6e78c4d81565b8434e11025d7c5de6199fb596)

0x52100006f530 is located 48 bytes inside of 4288-byte region [0x52100006f500,0x5210000705c0)
freed by thread T0 here:
    #0 0x7f4fca0f2868 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f4fc1c4c672 in gf_free utils/alloc.c:165
    #2 0x7f4fc2bc5c7a in gf_route_lct_obj_del media_tools/route_dmx.c:302
    #3 0x7f4fc2bc5f26 in gf_route_service_del media_tools/route_dmx.c:313
    #4 0x7f4fc2bc6a1c in gf_route_dmx_del media_tools/route_dmx.c:342
    #5 0x7f4fc3d0fcfa in routein_finalize filters/in_route.c:52
    #6 0x7f4fc385ccfd in gf_fs_del filter_core/filter_session.c:784
    #7 0x56367f8edf73 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1677
    #8 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #9 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7f4fca0f3bc7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f4fc1c4c60e in gf_malloc utils/alloc.c:150
    #2 0x7f4fc2bd8c58 in gf_route_dmx_process_dvb_flute_signaling media_tools/route_dmx.c:1176
    #3 0x7f4fc2be3429 in gf_route_dmx_process_object media_tools/route_dmx.c:1622
    #4 0x7f4fc2c0823f in dmx_process_service_dvb_flute media_tools/route_dmx.c:3259
    #5 0x7f4fc2c0aad7 in gf_route_dmx_process media_tools/route_dmx.c:3398
    #6 0x7f4fc3d1b3cf in routein_process filters/in_route.c:522
    #7 0x7f4fc38d3dae in gf_filter_process_task filter_core/filter.c:3171
    #8 0x7f4fc38711ea in gf_fs_thread_proc filter_core/filter_session.c:2171
    #9 0x7f4fc3874cfc in gf_fs_run filter_core/filter_session.c:2478
    #10 0x56367f8ed988 in gpac_main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1598
    #11 0x56367f8ee1de in main /home/rbouqueau/works/gpac/gpac/applications/gpac/gpac.c:1854
    #12 0x7f4fbdc42c89 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free media_tools/route_dmx.c:294 in gf_route_lct_obj_del
Shadow bytes around the buggy address:
  0x52100006f280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x52100006f480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x52100006f500: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x52100006f580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x52100006f780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==67318==ABORTING
```

rbouqueau changed the title from "GW ASAN not clear (memory access" to "GW ASAN not clear (use after free)" on Aug 19, 2024

@soheibthriber (Collaborator) commented Aug 20, 2024

I thought this is a separate issue, but on the receiver side you are using the buffer_overflow.pcap? Couldn't find any leak with the first mentioned command generated pcap.
Is this a separate issue from #6?

@rbouqueau (Member, Author):

Yes this is separate from #6.

What did you try and on which platform?

I tried on Linux using asan (address sanitizer), cf my description. This is not a mem leak but a re-use after free (that seems to be caused by duplicates in a list).

rbouqueau added the bug label on Aug 23, 2024
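
The hypothesis in the last comment is that the same object sits twice in a list walked at teardown; the log shows `gf_route_lct_obj_del` reached twice for `0x52100006f500`. As an added illustration (not GPAC code and not part of the original issue), this simplified C model puts that pattern beside a teardown that frees each object once; every type and function name in it is hypothetical.

```c
/* Simplified model of the teardown; not GPAC code, all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>
typedef struct { void *frags; } Obj;                    /* stand-in for an LCT object */
typedef struct { Obj **items; size_t count; } ObjList;  /* list walked at teardown */

/* Reads o->frags before freeing: on a stale pointer this is the reported fault. */
static void obj_del(Obj *o) { free(o->frags); free(o); }

/* Unsafe pattern (never called here): a pointer stored twice is deleted twice. */
void list_del_naive(ObjList *l)
{
    for (size_t i = 0; i < l->count; i++) obj_del(l->items[i]);
    free(l->items);
}

/* Hardened: clear later aliases before freeing; returns objects freed. */
size_t list_del_safe(ObjList *l)
{
    size_t freed = 0;
    for (size_t i = 0; i < l->count; i++) {
        Obj *o = l->items[i];
        if (!o) continue;                       /* alias already released */
        for (size_t j = i + 1; j < l->count; j++)
            if (l->items[j] == o) l->items[j] = NULL;
        obj_del(o);
        freed++;
    }
    free(l->items);
    l->items = NULL; l->count = 0;
    return freed;
}

/* Constructed input: three objects, the last one listed twice. */
ObjList make_list_with_duplicate(void)
{
    ObjList l = { calloc(4, sizeof(Obj *)), 4 };
    for (size_t i = 0; i < 3; i++) {
        l.items[i] = calloc(1, sizeof(Obj));
        l.items[i]->frags = malloc(16);
    }
    l.items[3] = l.items[2];
    return l;
}

int main(void)
{
    ObjList l = make_list_with_duplicate();
    printf("objects freed: %zu\n", list_del_safe(&l));
    return 0;
}
```

Built with `-fsanitize=address`, swapping `list_del_safe` for `list_del_naive` in `main` yields the same report class as above: a heap-use-after-free read inside the delete routine on the second visit to the aliased pointer.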