asan heap-buffer-overflow @src/onnx.c:1771

1. Makefile support asan use patch

[5e1459a_support_asan.patch](https://github.com/user-attachments/files/18418646/5e1459a_support_asan.patch)

2. Build & Run tests with asan failed

```shell
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
=================================================================
==362712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000035a at pc 0x5639aa990a81 bp 0x7fffd7502c50 sp 0x7fffd7502c40
WRITE of size 1 at 0x60200000035a thread T0
    #0 0x5639aa990a80 in onnx_attribute_read_string /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771
    #1 0x5639aaa00816 in Conv_init /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/default/Conv.c:43
    #2 0x5639aa98d7fb in onnx_graph_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1241
    #3 0x5639aa983b5a in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:100
    #4 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #5 0x5639aa97ffd6 in testcase main.c:25
    #6 0x5639aa980c13 in main main.c:132
    #7 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f341a3aee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #9 0x5639aa97fd84 in _start (/home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/tests/output/tests+0x17d84)

0x60200000035a is located 0 bytes to the right of 10-byte region [0x602000000350,0x60200000035a)
allocated by thread T0 here:
    #0 0x7f341a760887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5639aa997d0c in system_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:154
    #2 0x5639aa997da3 in do_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:167
    #3 0x5639aa9a0ead in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2585
    #4 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #5 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #6 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #7 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #8 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #9 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #10 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #11 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #12 0x5639aa9a1a1f in parse_repeated_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2720
    #13 0x5639aa9a2872 in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2928
    #14 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #15 0x5639aa9a10db in parse_required_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2607
    #16 0x5639aa9a17b5 in parse_optional_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2700
    #17 0x5639aa9a276e in parse_member /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:2916
    #18 0x5639aa9a4405 in protobuf_c_message_unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/protobuf-c.c:3290
    #19 0x5639aa9950b7 in onnx__model_proto__unpack /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.proto3.pb-c.c:223
    #20 0x5639aa9834cb in onnx_context_alloc /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:49
    #21 0x5639aa983f9d in onnx_context_alloc_from_file /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:143
    #22 0x5639aa97ffd6 in testcase main.c:25
    #23 0x5639aa980c13 in main main.c:132
    #24 0x7f341a3aed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/clare/clare_oss/embAsr_projects/libkws/third_party/libonnx/fc_base/libonnx-src/src/onnx.c:1771 in onnx_attribute_read_string
Shadow bytes around the buggy address:
  0x0c047fff8010: fa fa 00 fa fa fa 05 fa fa fa 06 fa fa fa 00 fa
  0x0c047fff8020: fa fa 00 fa fa fa 00 00 fa fa 00 fa fa fa 00 05
  0x0c047fff8030: fa fa 00 fa fa fa 01 fa fa fa 01 fa fa fa 00 00
  0x0c047fff8040: fa fa 00 fa fa fa 07 fa fa fa 00 03 fa fa 00 06
  0x0c047fff8050: fa fa 05 fa fa fa 00 00 fa fa 00 05 fa fa 00 00
=>0x0c047fff8060: fa fa 00 fa fa fa 00 01 fa fa 00[02]fa fa 06 fa
  0x0c047fff8070: fa fa 00 00 fa fa 00 02 fa fa 01 fa fa fa 01 fa
  0x0c047fff8080: fa fa 00 00 fa fa 00 fa fa fa 00 03 fa fa 00 00
  0x0c047fff8090: fa fa 07 fa fa fa 04 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff80a0: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 00
  0x0c047fff80b0: fa fa 07 fa fa fa 05 fa fa fa 01 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362712==ABORTING
```

3. Fix @src/onnx.c:1771 heap-buffer-overflow

[5e1459a_fix_heap-buffer-overflow.patch](https://github.com/user-attachments/files/18418665/5e1459a_fix_heap-buffer-overflow.patch)

4. Re-build & Run tests, some test sets failed

```shell
LD_PRELOAD=/usr/lib/gcc/x86_64-linux-gnu/11/libasan.so ./tests ../model
[mnist_8](test_data_set_0)                                                              [FAIL]
[mnist_8](test_data_set_1)                                                              [FAIL]
[mnist_8](test_data_set_2)                                                              [FAIL]
[mobilenet_v2_7](test_data_set_0)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_1)                                                       [OKAY]
[mobilenet_v2_7](test_data_set_2)                                                       [OKAY]
[shufflenet_v1_9](test_data_set_0)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_1)                                                      [OKAY]
[shufflenet_v1_9](test_data_set_2)                                                      [OKAY]
[squeezenet_v11_7](test_data_set_0)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_1)                                                     [OKAY]
[squeezenet_v11_7](test_data_set_2)                                                     [OKAY]
[super_resolution_10](test_data_set_0)                                                  [OKAY]
[tinyyolo_v2_8](test_data_set_0)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_1)                                                        [FAIL]
[tinyyolo_v2_8](test_data_set_2)                                                        [FAIL]
```

So how to fix?
How to make adjustments 'struct Onnx__AttributeProto'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

asan heap-buffer-overflow @src/onnx.c:1771 #39

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

asan heap-buffer-overflow @src/onnx.c:1771 #39

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions