Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bgpd: When removing the prefix list drop the pointer #18160

Merged
merged 1 commit into from
Feb 14, 2025
Merged

bgpd: When removing the prefix list drop the pointer #18160

merged 1 commit into from
Feb 14, 2025

Conversation

donaldsharp
Copy link
Member

We are very very rarely seeing this crash:

0 0x7f36ba48e389 in prefix_list_apply_ext lib/plist.c:789
1 0x55eff3fa4126 in subgroup_announce_check bgpd/bgp_route.c:2334
2 0x55eff3fa858e in subgroup_process_announce_selected bgpd/bgp_route.c:3440
3 0x55eff4016488 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:808
4 0x55eff401664e in subgroup_announce_route bgpd/bgp_updgrp_adv.c:861
5 0x55eff40111df in peer_af_announce_route bgpd/bgp_updgrp.c:2223
6 0x55eff3f884cb in bgp_announce_route_timer_expired bgpd/bgp_route.c:5892
7 0x7f36ba4ec239 in event_call lib/event.c:2019
8 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
9 0x55eff3e668b7 in main bgpd/bgp_main.c:557
10 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
11 0x7f36b9e2d304 in __libc_start_main_impl ../csu/libc-start.c:360
12 0x55eff3e64a30 in _start (/home/ci/cibuild.1407/frr-source/bgpd/.libs/bgpd+0x2fda30)

0x608000037038 is located 24 bytes inside of 88-byte region [0x608000037020,0x608000037078) freed by thread T0 here:
0 0x7f36ba8b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
1 0x7f36ba439bd7 in qfree lib/memory.c:131
2 0x7f36ba48d3a3 in prefix_list_free lib/plist.c:156
3 0x7f36ba48d3a3 in prefix_list_delete lib/plist.c:247
4 0x7f36ba48fbef in prefix_bgp_orf_remove_all lib/plist.c:1516
5 0x55eff3f679c4 in bgp_route_refresh_receive bgpd/bgp_packet.c:2841
6 0x55eff3f70bab in bgp_process_packet bgpd/bgp_packet.c:4069
7 0x7f36ba4ec239 in event_call lib/event.c:2019
8 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
9 0x55eff3e668b7 in main bgpd/bgp_main.c:557
10 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
0 0x7f36ba8b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
1 0x7f36ba4392e4 in qcalloc lib/memory.c:106
2 0x7f36ba48d0de in prefix_list_new lib/plist.c:150
3 0x7f36ba48d0de in prefix_list_insert lib/plist.c:186
4 0x7f36ba48d0de in prefix_list_get lib/plist.c:204
5 0x7f36ba48f9df in prefix_bgp_orf_set lib/plist.c:1479
6 0x55eff3f67ba6 in bgp_route_refresh_receive bgpd/bgp_packet.c:2920
7 0x55eff3f70bab in bgp_process_packet bgpd/bgp_packet.c:4069
8 0x7f36ba4ec239 in event_call lib/event.c:2019
9 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
10 0x55eff3e668b7 in main bgpd/bgp_main.c:557
11 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Let's just stop trying to save the pointer around in the peer->orf_plist data structure. There are other design problems but at least lets stop the crash from possibly happening.

Fixes: #18138

@donaldsharp
bgpd: When removing the prefix list drop the pointer
3d43d7b 
We are very very rarely seeing this crash:

    0 0x7f36ba48e389 in prefix_list_apply_ext lib/plist.c:789
    1 0x55eff3fa4126 in subgroup_announce_check bgpd/bgp_route.c:2334
    2 0x55eff3fa858e in subgroup_process_announce_selected bgpd/bgp_route.c:3440
    3 0x55eff4016488 in subgroup_announce_table bgpd/bgp_updgrp_adv.c:808
    4 0x55eff401664e in subgroup_announce_route bgpd/bgp_updgrp_adv.c:861
    5 0x55eff40111df in peer_af_announce_route bgpd/bgp_updgrp.c:2223
    6 0x55eff3f884cb in bgp_announce_route_timer_expired bgpd/bgp_route.c:5892
    7 0x7f36ba4ec239 in event_call lib/event.c:2019
    8 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
    9 0x55eff3e668b7 in main bgpd/bgp_main.c:557
    10 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    11 0x7f36b9e2d304 in __libc_start_main_impl ../csu/libc-start.c:360
    12 0x55eff3e64a30 in _start (/home/ci/cibuild.1407/frr-source/bgpd/.libs/bgpd+0x2fda30)
0x608000037038 is located 24 bytes inside of 88-byte region [0x608000037020,0x608000037078)
freed by thread T0 here:
    0 0x7f36ba8b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    1 0x7f36ba439bd7 in qfree lib/memory.c:131
    2 0x7f36ba48d3a3 in prefix_list_free lib/plist.c:156
    3 0x7f36ba48d3a3 in prefix_list_delete lib/plist.c:247
    4 0x7f36ba48fbef in prefix_bgp_orf_remove_all lib/plist.c:1516
    5 0x55eff3f679c4 in bgp_route_refresh_receive bgpd/bgp_packet.c:2841
    6 0x55eff3f70bab in bgp_process_packet bgpd/bgp_packet.c:4069
    7 0x7f36ba4ec239 in event_call lib/event.c:2019
    8 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
    9 0x55eff3e668b7 in main bgpd/bgp_main.c:557
    10 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
    0 0x7f36ba8b83b7 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:77
    1 0x7f36ba4392e4 in qcalloc lib/memory.c:106
    2 0x7f36ba48d0de in prefix_list_new lib/plist.c:150
    3 0x7f36ba48d0de in prefix_list_insert lib/plist.c:186
    4 0x7f36ba48d0de in prefix_list_get lib/plist.c:204
    5 0x7f36ba48f9df in prefix_bgp_orf_set lib/plist.c:1479
    6 0x55eff3f67ba6 in bgp_route_refresh_receive bgpd/bgp_packet.c:2920
    7 0x55eff3f70bab in bgp_process_packet bgpd/bgp_packet.c:4069
    8 0x7f36ba4ec239 in event_call lib/event.c:2019
    9 0x7f36ba41a22a in frr_run lib/libfrr.c:1295
    10 0x55eff3e668b7 in main bgpd/bgp_main.c:557
    11 0x7f36b9e2d249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Let's just stop trying to save the pointer around in the peer->orf_plist
data structure.  There are other design problems but at least lets
stop the crash from possibly happening.

Fixes: FRRouting#18138
Signed-off-by: Donald Sharp <[email protected]>
@ton31337
Copy link
Member

@Mergifyio backport dev/10.3 stable/10.2 stable/10.1 stable/10.0 stable/9.1 stable/9.0 stable/8.5 stable/8.4

@mergify Mergify
Copy link

mergify bot commented Feb 14, 2025
edited
Loading

backport dev/10.3 stable/10.2 stable/10.1 stable/10.0 stable/9.1 stable/9.0 stable/8.5 stable/8.4

✅ Backports have been created

@eqvinox eqvinox merged commit 050989d into FRRouting:master Feb 14, 2025
18 checks passed
This was referenced Feb 14, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18167 from FRRouting/mergify/bp/stable/10.2/pr-18160
f3249ab 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18168 from FRRouting/mergify/bp/stable/10.1/pr-18160
b21b43f 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18169 from FRRouting/mergify/bp/stable/10.0/pr-18160
44cf74d 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18170 from FRRouting/mergify/bp/stable/9.1/pr-18160
84e46f6 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18171 from FRRouting/mergify/bp/stable/9.0/pr-18160
2e6f5d6 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18172 from FRRouting/mergify/bp/stable/8.5/pr-18160
236e9ed 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 15, 2025
@donaldsharp
Merge pull request #18173 from FRRouting/mergify/bp/stable/8.4/pr-18160
9b598c4 
bgpd: When removing the prefix list drop the pointer (backport #18160)
donaldsharp added a commit that referenced this pull request Feb 16, 2025
@donaldsharp
Merge pull request #18166 from FRRouting/mergify/bp/dev/10.3/pr-18160
bb22e8b 
bgpd: When removing the prefix list drop the pointer (backport #18160)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eqvinox eqvinox eqvinox approved these changes

Assignees
No one assigned
Labels
backport bgp bugfix master size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use-After-Free in BGP ORF usage of prefix lists
3 participants
@donaldsharp @ton31337 @eqvinox