Skip to content

[BUG] Segmentation Fault in ipc_comp_free during IPC3 Fuzz Testing #9742

New issue
New issue
Open
Open
[BUG] Segmentation Fault in ipc_comp_free during IPC3 Fuzz Testing#9742
Assignees
tmleman
Labels
IPC3P2Critical bugs or normal featuresbugSomething isn't working as expected
Milestone
v2.14
@tmleman

Description

@tmleman
tmleman
opened on Dec 19, 2024

Describe the bug
A segmentation fault occurs in the ipc_comp_free function during IPC3 fuzz testing. The issue is caused by a read memory access to a null pointer. This was detected using AddressSanitizer.

To Reproduce

  1. Run fuzz testing with the provided corpus.
  2. Observe the segmentation fault in the logs.

Reproduction Rate
The issue occurs consistently during fuzz testing.

Expected behavior
The fuzz testing should complete without causing a segmentation fault.

Impact
This issue is a showstopper as it prevents the completion of fuzz testing and affects the stability of the IPC3 configuration.

Environment

  1. Branch name and commit hash.
  2. Name of the platform(s) on which the bug is observed.
    • Platform: native_sim

Screenshots or console output

================== Job 1 exited with exit code 1 ============                                                                                                                                                                                                                           INFO: Running with entropic power schedule (0xFF, 100).                                                                                                                                                                                                                                 INFO:    11411 files found in ./ipc3_fuzz_corpus
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 11411 min: 1b max: 510b total: 1108557b rss: 49Mb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==305587==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x08186fb0 bp 0xe63fae88 sp 0xe63fae50 T7)
==305587==The signal is caused by a READ memory access.
==305587==Hint: address points to the zero page.
    #0 0x8186fb0 in ipc_comp_free /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c
    #1 0x81783d2 in ipc_glb_tplg_free /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc3/handler.c:1394:8
    #2 0x8177637 in ipc_cmd /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc3/handler.c:1657:9
    #3 0x818b879 in ipc_platform_do_cmd /home/tmleman/work/repos/thesofproject/sof/src/platform/posix/ipc.c:160:2
    #4 0x8185b8c in ipc_do_cmd /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-common.c:361:9
    #5 0x81a934b in task_run /home/tmleman/work/repos/thesofproject/sof/zephyr/include/rtos/task.h:94:9
    #6 0x81a8ebe in edf_work_handler /home/tmleman/work/repos/thesofproject/sof/zephyr/edf_schedule.c:32:16
    #7 0x8260cbf in work_queue_main /home/tmleman/work/repos/thesofproject/zephyr/kernel/work.c:684:3
    #8 0x815aa92 in z_thread_entry /home/tmleman/work/repos/thesofproject/zephyr/lib/os/thread_entry.c:48:2

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tmleman/work/repos/thesofproject/sof/src/ipc/ipc-helper.c in ipc_comp_free
Thread T7 created by T3 here:
    #0 0x810602c in __interceptor_pthread_create (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x810602c) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #1 0x82716e2 in nct_new_thread /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/nct.c:476:2
    #2 0x816e397 in posix_new_thread /home/tmleman/work/repos/thesofproject/zephyr/arch/posix/core/posix_core_nsi.c:48:9
    #3 0x816ddaf in arch_new_thread /home/tmleman/work/repos/thesofproject/zephyr/arch/posix/core/thread.c:55:30
    #4 0x8262e7c in z_setup_new_thread /home/tmleman/work/repos/thesofproject/zephyr/kernel/thread.c:563:2
    #5 0x8263293 in z_impl_k_thread_create /home/tmleman/work/repos/thesofproject/zephyr/kernel/thread.c:658:2
    #6 0x8260777 in k_thread_create /home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/include/generated/zephyr/syscalls/kernel.h:85:9
    #7 0x8260777 in k_work_queue_start /home/tmleman/work/repos/thesofproject/zephyr/kernel/work.c:752:8
    #8 0x81a8c67 in scheduler_init_edf /home/tmleman/work/repos/thesofproject/sof/zephyr/edf_schedule.c:107:2
    #9 0x818d748 in platform_init /home/tmleman/work/repos/thesofproject/sof/src/platform/posix/posix.c:77:2
    #10 0x8177103 in primary_core_init /home/tmleman/work/repos/thesofproject/sof/src/init/init.c:314:6
    #11 0x825cea9 in z_sys_init_run_level /home/tmleman/work/repos/thesofproject/zephyr/kernel/init.c:371:13
    #12 0x825cea9 in bg_thread_main /home/tmleman/work/repos/thesofproject/zephyr/kernel/init.c:519:2
    #13 0x815aa92 in z_thread_entry /home/tmleman/work/repos/thesofproject/zephyr/lib/os/thread_entry.c:48:2

Thread T3 created by T2 here:
    #0 0x810602c in __interceptor_pthread_create (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x810602c) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #1 0x82716e2 in nct_new_thread /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/nct.c:476:2
    #2 0x816e397 in posix_new_thread /home/tmleman/work/repos/thesofproject/zephyr/arch/posix/core/posix_core_nsi.c:48:9
    #3 0x816ddaf in arch_new_thread /home/tmleman/work/repos/thesofproject/zephyr/arch/posix/core/thread.c:55:30
    #4 0x8262e7c in z_setup_new_thread /home/tmleman/work/repos/thesofproject/zephyr/kernel/thread.c:563:2
    #5 0x825cd01 in prepare_multithreading /home/tmleman/work/repos/thesofproject/zephyr/kernel/init.c:672:14
    #6 0x825c76d in z_cstart /home/tmleman/work/repos/thesofproject/zephyr/kernel/init.c:795:24
    #7 0x8128e79 in __asan::AsanThread::ThreadStart(unsigned long long) (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x8128e79) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)

Thread T2 created by T0 here:
    #0 0x810602c in __interceptor_pthread_create (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x810602c) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #1 0x82703ce in nce_boot_cpu /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/nce.c:209:2
    #2 0x817526a in posix_boot_cpu /home/tmleman/work/repos/thesofproject/zephyr/soc/native/inf_clock/soc.c:126:2
    #3 0x827e336 in nsif_cpu0_boot /home/tmleman/work/repos/thesofproject/zephyr/boards/native/native_sim/nsi_if.c:24:2
    #4 0x8273942 in nsif_cpun_boot /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/nsi_cpun_if.c:16:1
    #5 0x827319b in nsi_cpu_auto_boot /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/nsi_cpu_ctrl.c:38:4
    #6 0x826fb46 in nsi_init /home/tmleman/work/repos/thesofproject/zephyr/scripts/native_simulator/common/src/main.c:87:2
    #7 0x827e4cc in LLVMFuzzerTestOneInput /home/tmleman/work/repos/thesofproject/sof/src/platform/posix/fuzz.c:30:3
    #8 0x8083da3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned int) (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x8083da3) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #9 0x8084d3d in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x8084d3d) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #10 0x8085261 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x8085261) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #11 0x807325c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned int)) (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x807325c) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #12 0x809cc67 in main (/home/tmleman/work/repos/thesofproject/build-fuzz/zephyr/zephyr.exe+0x809cc67) (BuildId: 75cebb6bc8f6d4675a31c691ba1356e4cb016476)
    #13 0xf0c21518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 559bcd138c06a98975421c680491f5666816aef2)

==305587==ABORTING
MS: 1 ChangeBit-; base unit: 3242021c62b0183ca5022cf0394a277dd444e5ee
0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0x0,0xff,0xd9,0x0,0x3,0x30,0x6,0xf6,0x0,0x2c,0x8,0x60,0x8,0x0,0x0,0x0,0x2d,0x2d,0x3c,0x0,0x10,0x30,0x0,0x0,0x29,0x87,0x0,0x0,0x1,0x30,0xff,0xff,0x3,0x0,0x6,0x0,0x0,0x8,0x0,0xfc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0xff,0xfe,0x0,0x0,0x3,0x30,0x3,0xf6,0x8,0x60,0x0,0x0,0x0,0x23,0x1,0x0,0x0,0x0,0x60,0x0,0xf6,0x0,0x0,0x1,0x30,0xff,0xff,0x3,0x0,0x41,0x0,0x4,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0x0,0xff,0xd9,0x0,0x3,0x30,0x6,0x0,0x0,0x1,0x30,0x60,0x8,0x0,0x0,0x0,0x2d,0x2d,0x3a,0x0,0x10,0x30,0x0,0x0,0x29,0x87,0x0,0x0,0x1,0x30,0xff,0xff,0x3,0x0,0x1,0xf6,0x8,0x0,0xfc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0xff,0xfe,0x0,0x0,0x2,0x30,0x3,0x2f,0x8,0x60,0x0,0x0,0x0,0x23,0x1,0x0,0x0,0x0,0x60,0x0,0xf6,0x2,0x0,0x0,0x0,0x87,0x0,0x0,0x1,0x30,0xff,0xff,0x3,0x0,0x41,0x0,0x0,0x3,0x0,0x0,0x11,0x0,                                                                                                                                                                                                                        \004\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\027\000\000\000\377\331\000\0030\006\366\000,\010`\010\000\000\000--<\000\0200\000\000)\207\000\000\0010\377\377\003\000\006\000\000\010\000\374\000\000\000\000\000\000\000\027\000\000\377\376\000\000\0030\003\366\010`\000\000\000#\001\000\000\000`\000\366\000\000\0010\377\377\003\000A\000\004\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\027\000\000\000\377\331\000\0030\006\000\000\0010`\010\000\000\000--:\000\0200\000\000)\207\000\000\0010\377\377\003\000\001\366\010\000\374\000\000\000\000\000\000\000\027\000\000\377\376\000\000\0020\003/\010`\000\000\000#\001\000\000\000`\000\366\002\000\000\000\207\000\000\0010\377\377\003\000A\000\000\003\000\000\021\000
artifact_prefix='./'; Test unit written to ./crash-1a8c95ba333361f3d7fd7465442d2d8eeab398df
Base64: BAAAAAAAAAAAAAAAAAAAABcAAAD/2QADMAb2ACwIYAgAAAAtLTwAEDAAACmHAAABMP//AwAGAAAIAPwAAAAAAAAAFwAA//4AAAMwA/YIYAAAACMBAAAAYAD2AAABMP//AwBBAAQAAAAAAAAAAAAAAAAAAAAXAAAA/9kAAzAGAAABMGAIAAAALS06ABAwAAAphwAAATD//wMAAfYIAPwAAAAAAAAAFwAA//4AAAIwAy8IYAAAACMBAAAAYAD2AgAAAIcAAAEw//8DAEEAAAMAABEA
$ hexdump crash-1a8c95ba333361f3d7fd7465442d2d8eeab398df
0000000 0004 0000 0000 0000 0000 0000 0000 0000
0000010 0017 0000 d9ff 0300 0630 00f6 082c 0860
0000020 0000 2d00 3c2d 1000 0030 2900 0087 0100
0000030 ff30 03ff 0600 0000 0008 00fc 0000 0000
0000040 0000 0017 ff00 00fe 0300 0330 08f6 0060
0000050 0000 0123 0000 6000 f600 0000 3001 ffff
0000060 0003 0041 0004 0000 0000 0000 0000 0000
0000070 0000 0000 0017 0000 d9ff 0300 0630 0000
0000080 3001 0860 0000 2d00 3a2d 1000 0030 2900
0000090 0087 0100 ff30 03ff 0100 08f6 fc00 0000
00000a0 0000 0000 1700 0000 feff 0000 3002 2f03
00000b0 6008 0000 2300 0001 0000 0060 02f6 0000
00000c0 8700 0000 3001 ffff 0003 0041 0300 0000
00000d0 0011
00000d2

Metadata

Metadata

Assignees

Labels

IPC3P2Critical bugs or normal featuresbugSomething isn't working as expected

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions