ASAN stack-use-after-scope in soci::use with rvalues (Version: [1.12.0-rc1]) #4675

StefanVK opened this issue Aug 27, 2023 · 0 comments

StefanVK commented Aug 27, 2023

Issue Description

We have stack-use-after-scope bugs since we're using rvalues with soci::use

Steps to Reproduce

Build rippled with -Dsan=address, start a fresh Ledger server and trigger e.g. peer_reservations_add from a second instance. You may need to use a rather recent compiler for asan to catch most stack-use-after-scope errors.

```sh
mkdir build
cd build
conan install .. --output-folder . --build missing --settings build_type=Debug -o reporting=True
cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -DCMAKE_BUILD_TYPE=Debug -Dsan=address -Dreporting=ON -DCMAKE_C_COMPILER=clang-15 -DCMAKE_CXX_COMPILER=clang++-15 -DCMAKE_EXPORT_COMPILE_COMMANDS=ON ..
cmake --build . -j 12
./rippled-reporting --start -a
./rippled-reporting peer_reservations_add n9Mxf6qD4J55XeLSCEpqaePW4GjoCR5U1ZeGZGJUCNe3bQa4yQbG
```

Actual Result

ASAN detects stack use after scope which at least for insertPeerReservation and deletePeerReservation means we are accessing a std::string which already has been deleted. In updateLedgerDBs this may be more of an academic issue. But for the peer reservations we could actually get the nodeId overwritten by a different thread while we're reading it since the actual string content is on the heap.

Environment

My Dockerfile:

```dockerfile
FROM ubuntu:22.04
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get -y install git scons ninja-build clang
RUN DEBIAN_FRONTEND=noninteractive apt-get -yq install pkg-config
RUN apt-get -y install protobuf-compiler libprotobuf-dev libssl-dev libboost-all-dev python-is-python3 cmake clang-15 clangd-15 g++ pip dotnet-runtime-6.0 curl clang-format-11
RUN rm /usr/bin/clang && rm /usr/bin/clang++ && ln -s /usr/bin/clangd-15 /usr/bin/clangd && ln -s /usr/bin/clang-15 /usr/bin/clang && ln -s /usr/bin/clang++-15 /usr/bin/clang++ && ln -s /usr/bin/clang-format-11 /usr/bin/clang-format
ENV CC=clang
ENV CXX=clang++
RUN pip install conan==1.60.2 && conan profile new default --detect && conan profile update settings.compiler.cppstd=20 default && conan profile update settings.compiler.libcxx=libstdc++11 default
```

```sh
git rev-parse HEAD
300b7e078a4bc511f30b74509d416e5081ec3650
```

Supporting Files

See also https://github.com/SOCI/soci/blob/master/docs/binding.md#object-lifetime-and-immutability and SOCI/soci#1070

server log with ASAN error
My rippled.cfg equals rippled-example.cfg and validators.txt equals validators-example.txt

florent-uzio pushed a commit to florent-uzio/rippled that referenced this issue Oct 6, 2023
Address a stack-use-after-scope issue when using rvalues with
`soci::use`. Replace rvalues with lvalues to ensure the scope extends
beyond the end of the expression.

The issue arises from `soci` taking a reference to the rvalue without
copying its value or extending its lifetime. `soci` references rvalues
in `soci::use_container` and then the address in `soci_use_type`. For
types like `int`, memory access post-lifetime is unlikely to cause
issues. However, for `std::string`, the backing heap memory can be freed
and potentially reused, leading to a potential segmentation fault.

This was detected on x86_64 using clang-15 with asan. asan confirms
resolution of the issue.

Fix XRPLF#4675
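The lifetime problem the commit message describes, reduced to a self-contained C++ example. This is added illustration, not rippled or SOCI code: `UseType`, `use()`, `Statement` and `can_use` are hypothetical stand-ins that keep only a pointer to the bound argument (the behaviour the message attributes to `soci::use_type`), the fix pattern of binding a named lvalue is shown as `insert_with_lvalue`, deleted rvalue overloads turn the dangerous call into a compile error, and an opt-in function (`DEMO_DANGLING`) reproduces the dangling read so it can be confirmed locally under ASAN. The node id string is a constructed sample.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <type_traits>
#include <utility>
#include <vector>

// Hypothetical stand-in for soci::use_type (not SOCI code): it stores only a
// pointer to the bound argument, which is the behaviour the commit message
// describes. The caller must therefore keep the argument alive until the
// statement is executed.
class UseType {
public:
    explicit UseType(const std::string& s) : ptr_(&s) {}
    const std::string& value() const { return *ptr_; }
private:
    const std::string* ptr_;
};

// Hypothetical stand-in for soci::use(). Only the lvalue overload is kept;
// the rvalue overloads are deleted so that a temporary such as
// use(std::to_string(42)) is rejected at compile time instead of dangling
// at run time.
inline UseType use(const std::string& s) { return UseType(s); }
UseType use(std::string&&) = delete;
UseType use(const std::string&&) = delete;

// Deferred statement: parameters are bound now and read later, the way a
// prepared statement executes after the binding expression has ended. That
// gap is where a temporary bound by reference gets destroyed.
class Statement {
public:
    Statement& bind(UseType u) { params_.push_back(u); return *this; }
    std::string execute() const {
        std::string out;
        for (const UseType& u : params_) out += u.value() + ";";
        return out;
    }
private:
    std::vector<UseType> params_;
};

// Compile-time probe: is use() callable with an argument of type T?
// Selecting a deleted overload is a substitution failure, so rvalue string
// types yield false.
template <class T, class = void>
struct can_use : std::false_type {};
template <class T>
struct can_use<T, std::void_t<decltype(use(std::declval<T>()))>>
    : std::true_type {};

// The pattern the fix adopts: give the value a name so it outlives the
// statement that references it.
std::string insert_with_lvalue(const std::string& node_id) {
    Statement st;
    std::string id = node_id;   // lvalue, alive until the end of this function
    st.bind(use(id));           // bound by reference, as soci does
    return st.execute();        // id is still alive here
}

#ifdef DEMO_DANGLING
// Opt-in reproduction of the bug class in the issue. It bypasses use() and
// binds a temporary directly; the temporary std::string dies at the end of
// the bind() full-expression, so execute() reads a destroyed stack object.
// Build with: clang++ -std=c++17 -g -fsanitize=address -DDEMO_DANGLING
// and ASAN reports stack-use-after-scope, as in the issue.
std::string insert_with_dangling_temporary(const std::string& node_id) {
    Statement st;
    st.bind(UseType(std::string(node_id)));  // temporary destroyed here
    return st.execute();                     // dangling read
}
#endif

int main() {
    static_assert(can_use<std::string&>::value, "lvalues bind");
    static_assert(!can_use<std::string>::value, "rvalues are rejected");
    std::cout << insert_with_lvalue("node-id-sample") << '\n';  // prints node-id-sample;
#ifdef DEMO_DANGLING
    std::cout << insert_with_dangling_temporary("node-id-sample") << '\n';
#endif
    return 0;
}
```

The deleted overloads are the cheap guard a wrapper around a reference-taking binder can add so that the mistake cannot compile; where the binder's signature cannot be changed, the fix in the commit (name the value before the statement expression) is the pattern to apply at every call site.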
sophiax851 pushed a commit to sophiax851/rippled that referenced this issue Jun 12, 2024