Skip to content

asan heap-buffer-overflow @src/onnx.c:1771 #39

New issue
New issue
Open
Open
asan heap-buffer-overflow @src/onnx.c:1771#39
@ClarePhang

Description

@ClarePhang
ClarePhang
opened on Jan 15, 2025
  1. Makefile support asan use patch

5e1459a_support_asan.patch

  1. Build & Run tests with asan failed
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
=================================================================
==362712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000035a at pc 0x5639aa990a81 bp 0x7fffd7502c50 sp 0x7fffd7502c40
WRITE of size 1 at 0x60200000035a thread T0
    #0 0x5639aa990a80 in onnx_attribute_read_string /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771
    #1 0x5639aaa00816 in Conv_init /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/default/Conv.c:43
    #2 0x5639aa98d7fb in onnx_graph_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1241
    #3 0x5639aa983b5a in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:100
    #4 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #5 0x5639aa97ffd6 in testcase main.c:25
    #6 0x5639aa980c13 in main main.c:132
    #7 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f341a3aee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x5639aa97fd84 in _start (/home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/tests/output/tests+0x17d84)

0x60200000035a is located 0 bytes to the right of 10-byte region [0x602000000350,0x60200000035a)
allocated by thread T0 here:
    #0 0x7f341a760887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5639aa997d0c in system_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:154
    #2 0x5639aa997da3 in do_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:167
    #3 0x5639aa9a0ead in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2585
    #4 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #5 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #6 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #7 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #8 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #9 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #10 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #11 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #12 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #13 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #14 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #15 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #16 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #17 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #18 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #19 0x5639aa9950b7 in onnx__model_proto__unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.proto3.pb-c.c:223
    #20 0x5639aa9834cb in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:49
    #21 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #22 0x5639aa97ffd6 in testcase main.c:25
    #23 0x5639aa980c13 in main main.c:132
    #24 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771 in onnx_attribute_read_string
Shadow bytes around the buggy address:
  0x0c047fff8010: fa fa 00 fa fa fa 05 fa fa fa 06 fa fa fa 00 fa
  0x0c047fff8020: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 05
  0x0c047fff8030: fa fa 00 fa fa fa 01 fa fa fa 01 fa fa fa 00 00
  0x0c047fff8040: fa fa 00 fa fa fa 07 fa fa fa 00 03 fa fa 00 06
  0x0c047fff8050: fa fa 05 fa fa fa 00 00 fa fa 00 05 fa fa 00 00
=>0x0c047fff8060: fa fa 00 fa fa fa 00 01 fa fa 00[02]fa fa 06 fa
  0x0c047fff8070: fa fa 00 00 fa fa 00 02 fa fa 01 fa fa fa 01 fa
  0x0c047fff8080: fa fa 00 00 fa fa 00 fa fa fa 00 03 fa fa 00 00
  0x0c047fff8090: fa fa 07 fa fa fa 04 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff80a0: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff80b0: fa fa 07 fa fa fa 05 fa fa fa 01 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362712==ABORTING
  1. Fix @src/onnx.c:1771 heap-buffer-overflow

5e1459a_fix_heap-buffer-overflow.patch

  1. Re-build & Run tests, some test sets failed
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
[mnist_8](test_data_set_0)                                                              [FAIL]
[mnist_8](test_data_set_1)                                                              [FAIL]
[mnist_8](test_data_set_2)                                                              [FAIL]
[mobilenet_v2_7](test_data_set_0)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_1)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_2)                                                       [OKAY]
[shufflenet_v1_9](test_data_set_0)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_1)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_2)                                                      [OKAY]
[squeezenet_v11_7](test_data_set_0)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_1)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_2)                                                     [OKAY]
[super_resolution_10](test_data_set_0)                                                  [OKAY]
[tinyyolo_v2_8](test_data_set_0)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_1)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_2)                                                        [FAIL]

So how to fix?
How to make adjustments 'struct Onnx__AttributeProto'

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions