asan heap-buffer-overflow @src/onnx.c:1771 #39

Open
ClarePhang opened this issue Jan 15, 2025 · 0 comments
ClarePhang commented Jan 15, 2025

  1. Add ASan support to the Makefile using this patch

5e1459a_support_asan.patch

  1. Build & run tests with ASan: failed
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
=================================================================
==362712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000035a at pc 0x5639aa990a81 bp 0x7fffd7502c50 sp 0x7fffd7502c40
WRITE of size 1 at 0x60200000035a thread T0
    #0 0x5639aa990a80 in onnx_attribute_read_string /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771
    #1 0x5639aaa00816 in Conv_init /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/default/Conv.c:43
    #2 0x5639aa98d7fb in onnx_graph_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1241
    #3 0x5639aa983b5a in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:100
    #4 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #5 0x5639aa97ffd6 in testcase main.c:25
    #6 0x5639aa980c13 in main main.c:132
    #7 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f341a3aee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x5639aa97fd84 in _start (/home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/tests/output/tests+0x17d84)

0x60200000035a is located 0 bytes to the right of 10-byte region [0x602000000350,0x60200000035a)
allocated by thread T0 here:
    #0 0x7f341a760887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5639aa997d0c in system_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:154
    #2 0x5639aa997da3 in do_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:167
    #3 0x5639aa9a0ead in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2585
    #4 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #5 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #6 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #7 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #8 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #9 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #10 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #11 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #12 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #13 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #14 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #15 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #16 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #17 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #18 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #19 0x5639aa9950b7 in onnx__model_proto__unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.proto3.pb-c.c:223
    #20 0x5639aa9834cb in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:49
    #21 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #22 0x5639aa97ffd6 in testcase main.c:25
    #23 0x5639aa980c13 in main main.c:132
    #24 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771 in onnx_attribute_read_string
==362712==ABORTING
  1. Fix @src/onnx.c:1771 heap-buffer-overflow

5e1459a_fix_heap-buffer-overflow.patch

  1. Rebuild & run tests; some test sets failed
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
[mnist_8](test_data_set_0)                                                              [FAIL]
[mnist_8](test_data_set_1)                                                              [FAIL]
[mnist_8](test_data_set_2)                                                              [FAIL]
[mobilenet_v2_7](test_data_set_0)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_1)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_2)                                                       [OKAY]
[shufflenet_v1_9](test_data_set_0)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_1)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_2)                                                      [OKAY]
[squeezenet_v11_7](test_data_set_0)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_1)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_2)                                                     [OKAY]
[super_resolution_10](test_data_set_0)                                                  [OKAY]
[tinyyolo_v2_8](test_data_set_0)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_1)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_2)                                                        [FAIL]

So how can this be fixed?
How should 'struct Onnx__AttributeProto' be adjusted?
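
The report above shows a 1-byte write landing exactly at the end of a 10-byte region allocated by the protobuf-c parser, which is consistent with a C-string terminator being written into a length-delimited bytes buffer. The following is an added example, not part of the issue or of libonnx's code, showing two ways to consume such a field without that write; `struct bytes_field`, the helper names and the `SAME_UPPER` sample value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-delimited protobuf bytes field:
 * data holds exactly len bytes and is NOT NUL-terminated. */
struct bytes_field { size_t len; uint8_t *data; };

/* Compare with a C string without reading or writing data[len]. */
static int bytes_equals(const struct bytes_field *b, const char *s)
{
    size_t n = strlen(s);
    return b && b->data && b->len == n && memcmp(b->data, s, n) == 0;
}

/* Heap copy with room for the terminator; caller frees. NULL on empty
 * input, embedded NUL bytes (untrusted model file) or failed malloc. */
static char *bytes_to_cstr(const struct bytes_field *b)
{
    char *out;
    if (!b || !b->data || b->len == 0 || memchr(b->data, 0, b->len))
        return NULL;
    out = malloc(b->len + 1);
    if (!out) return NULL;
    memcpy(out, b->data, b->len);
    out[b->len] = '\0';            /* in bounds: the copy is len + 1 bytes */
    return out;
}

/* Constructed sample: a 10-byte heap region, the size in the report. */
static struct bytes_field make_sample(void)
{
    struct bytes_field b = { 0, malloc(10) };
    if (b.data) {
        memcpy(b.data, "SAME_UPPER", 10);   /* no terminator copied */
        b.len = 10;
    }
    return b;
}

int main(void)
{
    struct bytes_field b = make_sample();
    char *s = bytes_to_cstr(&b);
    int ok = s && bytes_equals(&b, "SAME_UPPER") && strlen(s) == 10;
    free(s);
    free(b.data);
    return ok ? 0 : 1;
}
```

Neither helper changes the layout of the parsed message; building this with `-fsanitize=address` exercises the same 10-byte case without a report.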
