openfast icon indicating copy to clipboard operation
openfast copied to clipboard
verified publisher icon OpenFAST

Fix heap buffer overflow in nc_def_var of openfast-cpp

Open marchdf opened this issue 1 year ago • 4 comments

Feature or improvement description Fixes a heap-buffer-overflow error. nc_def_var size should take the value of the size of the dim array. The size of ptRefDataDims is 1 so the nc_def_var should take a 1. Feels like all of these nc_def_var should really be using *Dims.size() But that would lead to a larger diff.

Diagnosis

(lldb) bt
* thread #1, name = 'naluX', stop reason = Heap buffer overflow
  * frame #0: 0x00005555563e2dc0 naluX`::AsanDie() at asan_rtl.cpp:44
    frame #1: 0x00005555563fc79c naluX`__sanitizer::Die() at sanitizer_termination.cpp:55:7
    frame #2: 0x00005555563dda6f naluX`::~ScopedInErrorReport() at asan_report.cpp:192:7
    frame #3: 0x00005555563e0abd naluX`::ReportGenericError() at asan_report.cpp:497:1
    frame #4: 0x00005555563d7df2 naluX`::___interceptor_memcpy() at sanitizer_common_interceptors_memintrinsics.inc:115:5
    frame #5: 0x00007ffff7c61903 libnetcdf.so.19`new_NC_var + 259
    frame #6: 0x00007ffff7c61746 libnetcdf.so.19`NC3_def_var + 214
    frame #7: 0x00007ffff7c12657 libnetcdf.so.19`nc_def_var + 71
    frame #8: 0x00007ffff4bdf089 libopenfastcpplib.so`fast::OpenFAST::prepareOutputFile(this=0x000052000000d650, iTurbLoc=0) at OpenFAST.cpp:455:16
    frame #9: 0x00007ffff4beca22 libopenfastcpplib.so`fast::OpenFAST::solution0(this=0x000052000000d650, writeFiles=true) at OpenFAST.cpp:954:17
    frame #10: 0x0000555557cde9e6 naluX`sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast()::$_0::operator()(this=0x00007fffe796dea0) const at ActuatorBulkFAST.C:271:44
    frame #11: 0x0000555557cde995 naluX`void std::__invoke_impl<void, sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast()::$_0&>((null)=__invoke_other @ 0x00007fffffff237f, __f=0x00007fffe796dea0) at invoke.h:61:14
    frame #12: 0x0000555557cde945 naluX`std::enable_if<is_invocable_r_v<void, sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast()::$_0&>, void>::type std::__invoke_r<void, sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast()::$_0&>(__fn=0x00007fffe796dea0) at invoke.h:111:2
    frame #13: 0x0000555557cde80d naluX`std::_Function_handler<void (), sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast()::$_0>::_M_invoke(__functor=0x00007fffe796dea0) at std_function.h:290:9
    frame #14: 0x0000555557ce95a3 naluX`std::function<void ()>::operator()(this=0x00007fffe796dea0) const at std_function.h:591:9
    frame #15: 0x0000555557ce0c9b naluX`sierra::nalu::squash_fast_output(func=function<void ()> @ 0x00007fffe796dea0) at ActuatorBulkFAST.h:82:3
    frame #16: 0x0000555557cdbe20 naluX`sierra::nalu::ActuatorBulkFAST::interpolate_velocities_to_fast(this=0x000052000000d080) at ActuatorBulkFAST.C:271:7
    frame #17: 0x0000555557d1788e naluX`sierra::nalu::ActuatorLineFastNGP::operator()(this=0x00005070000833b0) at ActuatorExecutorsFASTNgp.C:45:12
    frame #18: 0x0000555557bf9f6a naluX`sierra::nalu::ActuatorModel::execute(this=0x00005070000608f0, timer=0x000051c000003c90) at ActuatorModel.C:169:13
    frame #19: 0x0000555557bf6347 naluX`sierra::nalu::AeroContainer::execute(this=0x00005070000608f0, actTimer=0x000051c000003c90) at AeroContainer.C:118:20
    frame #20: 0x0000555556c02794 naluX`sierra::nalu::Realm::advance_time_step(this=0x000051c000003880) at Realm.C:1955:18
    frame #21: 0x000055555644d280 naluX`sierra::nalu::TimeIntegrator::integrate_realm(this=0x000050f000017bf0) at TimeIntegrator.C:389:16
    frame #22: 0x000055555644596f naluX`sierra::nalu::Simulation::run(this=0x00007fffe7f00fa0) at Simulation.C:216:20
    frame #23: 0x000055555641ae23 naluX`main(argc=5, argv=0x00007fffffff3688) at nalu.C:198:9
    frame #24: 0x00007fffeca2e7e5 libc.so.6`__libc_start_main + 229
    frame #25: 0x000055555633c92e naluX`_start + 46
(lldb) frame s 8
frame #8: 0x00007ffff4bdf089 libopenfastcpplib.so`fast::OpenFAST::prepareOutputFile(this=0x000052000000d650, iTurbLoc=0) at OpenFAST.cpp:455:16
   452          ncOutVarIDs_["bld_ld"] = tmpVarID;
   453          ierr = nc_def_var(ncid, "bld_ld_loc", NC_DOUBLE, 4, bldDataDims.data(), &tmpVarID);
   454          ncOutVarIDs_["bld_ld_loc"] = tmpVarID;
-> 455          ierr = nc_def_var(ncid, "hub_ref_pos", NC_DOUBLE, 2, ptRefDataDims.data(), &tmpVarID);
   456          ncOutVarIDs_["hub_ref_pos"] = tmpVarID;
   457          ierr = nc_def_var(ncid, "hub_disp", NC_DOUBLE, 2, ptDataDims.data(), &tmpVarID);
   458          ncOutVarIDs_["hub_disp"] = tmpVarID;

Related issue, if one exists

Impacted areas of the software

openfast-cpp

marchdf avatar Sep 27 '24 19:09 marchdf

It should be noted that the turbineData[iTurbLoc].sType == EXTLOADS pathway had the right sizes for those vars. So it was only failing for turbineData[iTurbLoc].sType == EXTINFLOW path.

marchdf avatar Sep 27 '24 20:09 marchdf

At first glance, there appears to be some inconsistencies in this section of code. I would excpect hub_disp (line 457), hub_vel (line 459), and hubrotvel (line 461) will also need this change. Similarly for the nacelle section below.

andrew-platt avatar Sep 30 '24 21:09 andrew-platt

I am not sure why the test is failing...

marchdf avatar Sep 30 '24 21:09 marchdf

There is a segmentation fault with the 5MW_Land_DLL_WTurb_cpp case.

Screenshot 2024-10-01 at 10 01 06 AM

andrew-platt avatar Oct 01 '24 16:10 andrew-platt

My simulation ran to completion so I guess this fixes all the remaining issues with this pathway (at least for this configuration). Thanks for you help. This can be merged whenever you want from my standpoint.

marchdf avatar Oct 25 '24 16:10 marchdf