large-community regex crash

[donaldsharp]

Applying a large-community regex causes bgp to crash when it attempts to a lcom->str value that points at an invalid pointer.

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff6af9fe7 in __regexec (preg=0x555556163ce0, string=0x2000000b0010500 <error: Cannot access memory at address 0x2000000b0010500>, nmatch=0, pmatch=0x0, eflags=0)
    at regexec.c:240
#2  0x00005555555fbbd8 in lcommunity_regexp_match (com=0x55558ec088a0, reg=0x555556163ce0) at bgp_clist.c:521
#3  0x00005555555fbdf8 in lcommunity_list_match (lcom=0x55558ec088a0, list=0x555556166840) at bgp_clist.c:638
#4  0x00005555555ebcd6 in route_match_lcommunity (rule=0x555556196dc0, prefix=0x555559e6cd30, type=RMAP_BGP, object=0x7fffffffdfe0) at bgp_routemap.c:796
#5  0x00007ffff7b676f7 in route_map_apply_match (match_list=0x5555561960f8, prefix=0x555559e6cd30, type=RMAP_BGP, object=0x7fffffffdfe0) at routemap.c:1414
#6  0x00007ffff7b677ad in route_map_apply (map=0x5555561808a0, prefix=0x555559e6cd30, type=RMAP_BGP, object=0x7fffffffdfe0) at routemap.c:1445
#7  0x00005555555cbda3 in subgroup_announce_check (ri=0x555592ee6b80, subgrp=0x55558687d4c0, p=0x555559e6cd30, attr=0x7fffffffe240) at bgp_route.c:1492
#8  0x000055555563a1ed in subgroup_announce_table (subgrp=0x55558687d4c0, table=0x555555c973b0) at bgp_updgrp_adv.c:610
#9  0x000055555563a391 in subgroup_announce_route (subgrp=0x55558687d4c0) at bgp_updgrp_adv.c:664
#10 0x00005555556362a4 in peer_af_announce_route (paf=0x55555612f230, combine=1) at bgp_updgrp.c:1864
#11 0x00005555555cfc29 in bgp_announce_route_timer_expired (t=0x7fffffffe500) at bgp_route.c:3022
#12 0x00007ffff7b5afd5 in thread_call (thread=0x7fffffffe500) at thread.c:1201
#13 0x00007ffff7b9b4ee in frr_run (master=0x55555591f000) at libfrr.c:425
#14 0x000055555559b7de in main (argc=3, argv=0x7fffffffe6e8) at bgp_main.c:422

[donaldsharp]

asan as a possible way to test this out? We will work with Nigel to get this installed on the system.

[nkukard]

Below asan output.... (from my branch https://github.com/nkukard/frr/tree/nk3.0)

bgp_attr.c:982:3: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
bgp_attr.c:3100:23: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
bgp_attr.c:2000:16: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
stream.c:430:25: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
bgp_routemap.c:1539:17: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
bgp_routemap.c:1644:26: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

* * * NK: 30-40 mins later * * *

=================================================================
==18620==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030041e34b8 at pc 0x55b6d7b4f348 bp 0x7ffea586dac0 sp 0x7ffea586dab8
READ of size 4 at 0x6030041e34b8 thread T0
    #0 0x55b6d7b4f347  (/usr/lib/frr/bgpd+0x6b3347)
    #1 0x55b6d7b4fcaf in lcommunity_list_match (/usr/lib/frr/bgpd+0x6b3caf)
    #2 0x55b6d7b18138  (/usr/lib/frr/bgpd+0x67c138)
    #3 0x7fbd0b22ea41  (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x290a41)
    #4 0x7fbd0b22eb95 in route_map_apply (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x290b95)
    #5 0x55b6d7aaf426 in subgroup_announce_check (/usr/lib/frr/bgpd+0x613426)
    #6 0x55b6d7c2150f in subgroup_announce_table (/usr/lib/frr/bgpd+0x78550f)
    #7 0x55b6d7c21d4d in subgroup_announce_route (/usr/lib/frr/bgpd+0x785d4d)
    #8 0x55b6d7c10c7e in peer_af_announce_route (/usr/lib/frr/bgpd+0x774c7e)
    #9 0x55b6d7abce09  (/usr/lib/frr/bgpd+0x620e09)
    #10 0x7fbd0b203861 in thread_call (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x265861)
    #11 0x7fbd0b2efd77 in frr_run (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x351d77)
    #12 0x55b6d79f9493 in main (/usr/lib/frr/bgpd+0x55d493)
    #13 0x7fbd093b32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x55b6d79f7ea9 in _start (/usr/lib/frr/bgpd+0x55bea9)

0x6030041e34b8 is located 8 bytes inside of 32-byte region [0x6030041e34b0,0x6030041e34d0)
freed by thread T0 here:
    #0 0x7fbd0b89ca10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fbd0b2d0aa4 in qfree (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x332aa4)
    #2 0x55b6d7b5f4da in lcommunity_free (/usr/lib/frr/bgpd+0x6c34da)
    #3 0x55b6d7b60f68 in lcommunity_unintern (/usr/lib/frr/bgpd+0x6c4f68)
    #4 0x55b6d7a82339 in bgp_attr_unintern_sub (/usr/lib/frr/bgpd+0x5e6339)
    #5 0x55b6d7a82d41 in bgp_attr_unintern (/usr/lib/frr/bgpd+0x5e6d41)
    #6 0x55b6d7c209f9 in bgp_adj_out_remove_subgroup (/usr/lib/frr/bgpd+0x7849f9)
    #7 0x55b6d7c20e18 in subgroup_clear_table (/usr/lib/frr/bgpd+0x784e18)
    #8 0x55b6d7c07b72  (/usr/lib/frr/bgpd+0x76bb72)
    #9 0x55b6d7c07ff5  (/usr/lib/frr/bgpd+0x76bff5)
    #10 0x55b6d7c09faf  (/usr/lib/frr/bgpd+0x76dfaf)
    #11 0x55b6d7c0a14d in update_subgroup_check_merge (/usr/lib/frr/bgpd+0x76e14d)
    #12 0x55b6d7c13cb1 in bpacket_queue_advance_peer (/usr/lib/frr/bgpd+0x777cb1)
    #13 0x55b6d7b2e4aa  (/usr/lib/frr/bgpd+0x6924aa)
    #14 0x55b6d7b2f86a in bgp_write (/usr/lib/frr/bgpd+0x69386a)
    #15 0x7fbd0b203861 in thread_call (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x265861)
    #16 0x7fbd0b2efd77 in frr_run (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x351d77)
    #17 0x55b6d79f9493 in main (/usr/lib/frr/bgpd+0x55d493)
    #18 0x7fbd093b32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7fbd0b89ced0 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1ed0)
    #1 0x7fbd0b2d0934 in qcalloc (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x332934)
    #2 0x55b6d7b60023 in lcommunity_dup (/usr/lib/frr/bgpd+0x6c4023)
    #3 0x55b6d7b1c32f  (/usr/lib/frr/bgpd+0x68032f)
    #4 0x7fbd0b22ed6c in route_map_apply (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x290d6c)
    #5 0x55b6d7aaab2c  (/usr/lib/frr/bgpd+0x60eb2c)
    #6 0x55b6d7ab94ce in bgp_update (/usr/lib/frr/bgpd+0x61d4ce)
    #7 0x55b6d7ac11d7 in bgp_nlri_parse_ip (/usr/lib/frr/bgpd+0x6251d7)
    #8 0x55b6d7b37f15 in bgp_nlri_parse (/usr/lib/frr/bgpd+0x69bf15)
    #9 0x55b6d7b39256  (/usr/lib/frr/bgpd+0x69d256)
    #10 0x55b6d7b3f9ea in bgp_read (/usr/lib/frr/bgpd+0x6a39ea)
    #11 0x7fbd0b203861 in thread_call (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x265861)
    #12 0x7fbd0b2efd77 in frr_run (/usr/lib/x86_64-linux-gnu/libfrr.so.0+0x351d77)
    #13 0x55b6d79f9493 in main (/usr/lib/frr/bgpd+0x55d493)
    #14 0x7fbd093b32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/frr/bgpd+0x6b3347)
Shadow bytes around the buggy address:
  0x0c0680834640: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
  0x0c0680834650: 00 fa fa fa fa fa fa fa fa fa 00 00 00 fa fa fa
  0x0c0680834660: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680834670: fa fa 00 00 04 fa fa fa 00 00 00 fa fa fa fa fa
  0x0c0680834680: fa fa fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
=>0x0c0680834690: 00 00 00 fa fa fa fd[fd]fd fd fa fa fd fd fd fa
  0x0c06808346a0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd
  0x0c06808346b0: fd fd fa fa 00 00 00 fa fa fa fd fd fd fd fa fa
  0x0c06808346c0: 00 00 00 fa fa fa fd fd fd fa fa fa fa fa fa fa
  0x0c06808346d0: fa fa 00 00 07 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c06808346e0: 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18620==ABORTING

[nkukard]

[eqvinox]

the warnings about shifts are correct an we ought to fix that, but they're unlikely to be the origin of the use-after-free.

[donaldsharp]

I am going to cherry-ick 02cd945 into 3.0. Then I will look at the other issues. This will fix the shift issues.

[donaldsharp]

@nkukard let us know if the fix from @eqvinox solves this issue like we think it does

[nkukard]

Confirmed fixed with #1116

[eqvinox]

closing