BGPd: member access within null pointer of type 'struct lysc_node_action' #16755

MPFuzz opened this issue Sep 6, 2024 · 9 comments · May be fixed by #16074
Labels: triage (Needs further investigation)

Comments

MPFuzz commented Sep 6, 2024

Description

There is a bug in bgpd, i.e., member access within null pointer of type 'struct lysc_node_action'

```text
lib/yang.c:253:3: runtime error: member access within null pointer of type 'struct lysc_node_action'
    #0 0x7fc6025ac167 in yang_snodes_iterate lib/yang.c:253
    #1 0x7fc6023f919b in nb_init lib/northbound.c:2721
    #2 0x7fc60231d815 in frr_init lib/libfrr.c:823
    #3 0x557985445180 in main bgpd/bgp_main.c:513
    #4 0x7fc600bcc082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55798543f67d in _start (/home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd+0xdab67d)

BGP: Received signal 6 at 1725594545 (si_addr 0x20, PC 0x7fc600beb00b); aborting...
BGP: /lib/x86_64-linux-gnu/libasan.so.5(+0x6cd40) [0x7fc60318bd40]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(zlog_backtrace_sigsafe+0x236) [0x7fc60235e8e0]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(zlog_signal+0x4ac) [0x7fc60235e149]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(+0xabde87) [0x7fc6024d8e87]
BGP: /lib/x86_64-linux-gnu/libpthread.so.0(+0x14420) [0x7fc600dae420]
BGP: /lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb) [0x7fc600beb00b]
BGP: /lib/x86_64-linux-gnu/libc.so.6(abort+0x12b) [0x7fc600bca859]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x1d592) [0x7fc600dda592]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x28c6c) [0x7fc600de5c6c]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x8419) [0x7fc600dc5419]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0xba21) [0x7fc600dc8a21]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(__ubsan_handle_type_mismatch_v1+0x25) [0x7fc600dc9d45]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(yang_snodes_iterate+0x4c2) [0x7fc6025ac168]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(nb_init+0x87b) [0x7fc6023f919c]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(frr_init+0x1a2d) [0x7fc60231d816]
BGP: /home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd(main+0x54b) [0x557985445181]
BGP: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7fc600bcc083]
BGP: /home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd(_start+0x2e) [0x55798543f67e]
BGP: no thread information available
core_handler: showing active allocations in memory group libfrr
core_handler: memstats:  Host config                   :      5 * (variably sized)
core_handler: memstats:  Command Tokens                :    999 *         72
core_handler: memstats:  Command Token Text            :    798 * (variably sized)
core_handler: memstats:  Command Token Help            :    798 * (variably sized)
core_handler: memstats:  Command Argument Name         :    204 * (variably sized)
core_handler: memstats:  Scripting                     :     14 * (variably sized)
core_handler: memstats:  Graph                         :      9 *          8
core_handler: memstats:  Graph Node                    :   1189 *         32
core_handler: memstats:  Hash                          :     22 * (variably sized)
core_handler: memstats:  Hash Bucket                   :    252 *         24
core_handler: memstats:  Hash Index                    :     11 * (variably sized)
core_handler: memstats:  Link List                     :      6 *         40
core_handler: memstats:  Link Node                     :     15 *         24
core_handler: memstats:  Northbound Node               :     58 *       1208
core_handler: memstats:  Privilege information         :      2 * (variably sized)
core_handler: memstats:  Thread master                 :      4 * (variably sized)
core_handler: memstats:  Thread Poll Info              :      2 *     800000
core_handler: memstats:  Vector                        :   2397 *         24
core_handler: memstats:  Vector index                  :   2397 * (variably sized)
core_handler: memstats:  YANG module                   :      5 *         48
core_handler: showing active allocations in memory group Native message allocations
core_handler: showing active allocations in memory group logging subsystem
core_handler: showing active allocations in memory group bgpd
core_handler: showing active allocations in memory group rfapi
Aborted
```

Version

commit 340d51fc3a9c88b4db38c685cf87ab9970db060a

How to reproduce

1. Build

```shell
./bootstrap.sh && \
    ./configure \
       --prefix=/usr \
       --sysconfdir=/etc \
       --localstatedir=/var \
       --sbindir=${WORKDIR}/frr/bin \
       --enable-static \
       --enable-dev-build \
       --enable-address-sanitizer \
       --enable-undefined-sanitizer \
       --enable-mgmtd-test-be-client \
       --enable-rpki \
       --enable-sharpd \
       --enable-multipath=64 \
       --enable-user=root \
       --enable-group=root \
       --enable-config-rollbacks \
       --enable-grpc \
       --enable-snmp=agentx \
       --enable-scripting \
       --with-pkg-extra-version=-my-manual-build && \
    make -j4
```

2. Run

Run zebra and mgmtd separately as background programs, using the commands `./mgmtd/mgmtd --limit-fds 100000` and `./zebra/zebra --limit-fds 100000`.

Then, run bgpd:

```shell
./bgpd/bgpd --limit-fds 100000 -p 179 -f /etc/bgpd.conf -l 127.0.0.1
```

bgpd.conf:

```text
log stdout debugging

!debug bgp events
!debug bgp filters
!debug bgp fsm
debug bgp keepalives
debug bgp neighbor-events
debug bgp updates

router bgp 65001
  bgp router-id 10.0.255.6
  neighbor 10.0.255.5 remote-as 64512
  neighbor 10.0.255.5 timers 1 3

  !neighbor 10.0.255.5 extended-optional-parameters
  neighbor 10.0.255.5 graceful-restart
  neighbor 10.0.255.5 route-reflector-client
  neighbor 10.0.255.5 addpath-tx-all-paths
  neighbor 10.0.255.5 nexthop-unchanged
  neighbor 10.0.255.5 capability dynamic
  neighbor 10.0.255.5 graceful-shutdown
  neighbor 10.0.255.5 capability orf prefix-list
  neighbor 10.0.255.5 route-target filter
  neighbor 10.0.255.5 capability additional-paths send

  address-family ipv4 unicast
    neighbor 10.0.255.5 activate
    neighbor 10.0.255.5 route-map EXPORT out
    neighbor 10.0.255.5 route-map IMPORT in
  exit-address-family

route-map EXPORT permit 10
  match interface eth1
!
route-map EXPORT deny 100
!
route-map IMPORT permit 10
!

line vty
!
```

Expected behavior

No crash

Actual behavior

Crash

Additional context

No response

Checklist

  • I have searched the open issues for this bug.
  • I have not included sensitive information in this report.
@MPFuzz MPFuzz added the triage Needs further investigation label Sep 6, 2024
@MPFuzz MPFuzz changed the title member access within null pointer of type 'struct lysc_node_action' BGPd: member access within null pointer of type 'struct lysc_node_action' Sep 6, 2024
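Added example (not FRR's or libyang's code) of the defensive shape behind a fix for this class of UBSan report: a schema-tree walker in the spirit of yang_snodes_iterate() that checks for NULL before casting a node to its action type, so an empty action or child list is an empty walk rather than a member access through NULL. The struct and function names are hypothetical stand-ins for lysc_node, lysc_node_action and yang_snodes_iterate, not their real layout.

```c
#include <stddef.h>

/* Hypothetical schema-node types mimicking a compiled YANG tree: ordinary
 * nodes carry child/next; action (RPC) nodes keep their subtree under input. */
enum snode_kind { SN_CONTAINER, SN_LEAF, SN_ACTION };
struct snode {
	enum snode_kind kind;
	struct snode *child;  /* first child of a container, else NULL */
	struct snode *next;   /* next sibling, NULL at end of the list */
};
struct snode_action {
	struct snode node;    /* common header first, as lysc_node_action has */
	struct snode *input;  /* children under 'input'; may be NULL */
};
typedef int (*snode_cb)(const struct snode *snode, void *arg);
/* Subtree below a node, tolerating NULL. The unguarded form
 * ((struct snode_action *)snode)->input with snode == NULL is what UBSan
 * reports as "member access within null pointer of type 'struct snode_action'":
 * forming a member address through NULL is undefined behaviour even when no
 * load follows, which is why a build without sanitizers can appear to work. */
static const struct snode *snode_subtree(const struct snode *snode)
{
	if (!snode)
		return NULL;
	if (snode->kind == SN_ACTION)
		return ((const struct snode_action *)snode)->input;
	return snode->child;
}
/* Depth-first walk over a sibling list; a NULL list is simply an empty walk. */
static int snodes_iterate(const struct snode *snode, snode_cb cb, void *arg)
{
	int ret = 0;
	for (; snode; snode = snode->next) {
		ret += cb(snode, arg);
		ret += snodes_iterate(snode_subtree(snode), cb, arg);
	}
	return ret;
}

static int count_cb(const struct snode *s, void *a) { (void)s; (void)a; return 1; }
/* Constructed sample: container c { leaf a }, action reset { input { leaf delay } }
 * and action noop with no input, the empty-list case the guard exists for. */
int count_sample_tree(void)
{
	static struct snode delay = { SN_LEAF, NULL, NULL }, a = { SN_LEAF, NULL, NULL };
	static struct snode_action noop = { { SN_ACTION, NULL, NULL }, NULL };
	static struct snode_action reset = { { SN_ACTION, NULL, &noop.node }, &delay };
	static struct snode c = { SN_CONTAINER, &a, &reset.node };
	return snodes_iterate(&c, count_cb, NULL);  /* c, a, reset, delay, noop: 5 */
}
```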
ton31337 (Member) commented Sep 6, 2024

Do you run mgmtd, zebra separately also (like bgpd)?

MPFuzz (Author) commented Sep 6, 2024

@ton31337 I've run zebra and mgmtd separately as background program, using commands ./mgmtd/mgmtd --limit-fds 100000 and ./zebra/zebra --limit-fds 100000. The issue mentioned above still occurs.

ton31337 (Member) commented Sep 6, 2024

Is this happening only with sanitizers enabled?

MPFuzz (Author) commented Sep 6, 2024

> Is this happening only with sanitizers enabled?

Yes

donaldsharp (Member) commented

#16074

@ton31337 ton31337 linked a pull request Sep 6, 2024 that will close this issue
MPFuzz (Author) commented Sep 6, 2024

Thanks for the fix!

MPFuzz (Author) commented Sep 6, 2024

@ton31337 Hi. Recently I've been learning frr and mainly focusing on debugging bgpd. But I found that the daemon is very slow, especially at startup. I'm not sure whether I turned on some features that are not directly related to bgpd, e.g., at configure time when building or in bgpd.conf (my recent enables are as above). Could you please give me some advice about turning off some unnecessary features? Thanks.

donaldsharp (Member) commented

@MPFuzz sounds like you are trying to do fuzzing stuff. There is already a framework for bgp to do this. Please look at the fuzz branch. It's a bit out of date but you can update it to latest master without much work imo. In any event, this is not the correct place to have this sort of discussion in an unrelated issue. Please feel free to either join us in our slack and start asking questions or open a relevant discussion for this.

MPFuzz (Author) commented Sep 6, 2024

@donaldsharp Sorry. I will join for discussion. I look forward to this PR being merged to master so that I can do more fuzzing!
