Skip to content

Instantly share code, notes, and snippets.

@gavv

gavv/bad_free.md

Last active June 10, 2019 16:38
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save gavv/f9989e8892b4c17428777b5db1057519 to your computer and use it in GitHub Desktop.
Save gavv/f9989e8892b4c17428777b5db1057519 to your computer and use it in GitHub Desktop.
Download ZIP
OpenFEC LDPC bugs
Raw
bad_free.md

  1. Build OpenFEC in release mode.

  2. Build of_ldpc_full_repair.c in debug mode with sanitizers enabled:

$ gcc -o of_ldpc_full_repair_debug of_ldpc_full_repair.c -I... -L... -l...\
  -ggdb -fno-omit-frame-pointer -fsanitize=address
  1. Check that it's working:
$ ./of_ldpc_full_repair_debug 100  
encoding done
decoding done
  1. Check on bad payload size, e.g. 13:
$ ./of_ldpc_full_repair_debug 13 
encoding done
=================================================================
==1070==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000000750 in thread T0
    #0 0x7f79c8aeff50 in __interceptor_free /var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/gcc-8.3.0/libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x55ed53ae5a9d in of_linear_binary_code_finish_decoding_with_ml (/home/victor/stash/of_ldpc_full_repair_debug+0xaa9d)
    #2 0x55ed53adde41 in full_repair /home/victor/stash/of_ldpc_full_repair.c:75
    #3 0x55ed53ade321 in main /home/victor/stash/of_ldpc_full_repair.c:112
    #4 0x7f79c870be5a in __libc_start_main ../csu/libc-start.c:308
    #5 0x55ed53add319 in _start (/home/victor/stash/of_ldpc_full_repair_debug+0x2319)

0x602000000750 is located 0 bytes inside of 13-byte region [0x602000000750,0x60200000075d)
allocated by thread T0 here:
    #0 0x7f79c8af0310 in __interceptor_malloc /var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/gcc-8.3.0/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x55ed53ae5b97 in of_linear_binary_code_simplify_linear_system_with_a_symbol (/home/victor/stash/of_ldpc_full_repair_debug+0xab97)

SUMMARY: AddressSanitizer: bad-free /var/tmp/portage/sys-devel/gcc-8.3.0-r1/work/gcc-8.3.0/libsanitizer/asan/asan_malloc_linux.cc:66 in __interceptor_free
==1070==ABORTING
  1. Other payload types that led to the same error:
13
14
15
29
30
31
45
46
47
Raw
segfault.md

  1. Build OpenFEC in release mode.

  2. Build of_ldpc_full_repair.c in release mode:

$ gcc -o of_ldpc_full_repair_debug of_ldpc_full_repair.c -I... -L... -l...\
  -O2
  1. Check that it's working:
$ ./of_ldpc_full_repair_release 100  
encoding done
decoding done
  1. Check on bad payload size, e.g. 69:
$ ./of_ldpc_full_repair_release 69   
encoding done
zsh: segmentation fault  ./of_ldpc_full_repair_release 69
  1. Other payload types that led to the same error:
21
22
23
37
38
39
53
54
55
69
70
71
85
86
87
  1. Run under valgrind:
$ valgrind ./of_ldpc_full_repair_release 69                                                 
==2169== Memcheck, a memory error detector
==2169== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2169== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==2169== Command: ./of_ldpc_full_repair_release 69
==2169== 
encoding done
==2169== Invalid read of size 1
==2169==    at 0x1139F7: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4beca08 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1139FD: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec3d8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x113A02: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec618 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x113A08: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec4f8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x113D0A: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec588 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x113D0E: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4beca98 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137AE: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec7c8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137B4: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec858 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137BA: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4becbb8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137C0: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4becc48 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137C6: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4beca08 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137CB: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec2b8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137D1: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec3d8 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
==2169== Invalid read of size 1
==2169==    at 0x1137D7: of_add_to_multiple_symbols (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1117A6: of_linear_binary_code_solve_dense_system (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x110C2F: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==  Address 0x4bec618 is 3 bytes after a block of size 69 alloc'd
==2169==    at 0x483577F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2169==    by 0x110EE7: of_linear_binary_code_simplify_linear_system_with_a_symbol (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x1107C6: of_linear_binary_code_finish_decoding_with_ml (in /home/victor/stash/of_ldpc_full_repair_release)
==2169==    by 0x109454: main (in /home/victor/stash/of_ldpc_full_repair_release)
==2169== 
decoding done
==2169== 
==2169== HEAP SUMMARY:
==2169==     in use at exit: 0 bytes in 0 blocks
==2169==   total heap usage: 109 allocs, 109 frees, 137,622 bytes allocated
==2169== 
==2169== All heap blocks were freed -- no leaks are possible
==2169== 
==2169== For counts of detected and suppressed errors, rerun with: -v
==2169== ERROR SUMMARY: 140 errors from 14 contexts (suppressed: 0 from 0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment