
Memory corruption vulnerability in OpenUSD

Critical
pixar-oss published GHSA-4j7j-gm3f-m63w Oct 30, 2024

Package

OpenUSD (OpenUSD)

Affected versions

< 24.08

Patched versions

>= 24.11

Description

Summary

Running the usdtree example binary on the PoC file triggers a memory access violation (an invalid read) in SdfSchemaBase::GetSpecDefinition, reached through SdfLayer::HasField while usdtree resolves a prim's type name.
The USDZ file format is designed for preview on a wide range of devices and is commonly shared over the web, so an attacker-supplied USDZ file is a realistic input to this code path.

Patches

This is fixed in commit 42d00bd; the fix ships in OpenUSD 24.11 and later.

Details

zp@DESKTOP-7GAEL6T:~/OpenUSD/build_fuzz/bin$ ./usdtree ./total/11.usdz
/
 `--scene [def Xform] (kind = component)
     |--Materials [def Scope]
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1652233==ERROR: AddressSanitizer: SEGV on unknown address 0x61f754786288 (pc 0x7f6b0a030e21 bp 0x7ffc93dd8d40 sp 0x7ffc93dd8c40 T0)
==1652233==The signal is caused by a READ memory access.
    #0 0x7f6b0a030e21 in pxrInternal_v0_24__pxrReserved__::SdfSchemaBase::GetSpecDefinition(pxrInternal_v0_24__pxrReserved__::SdfSpecType) const /home/zp/OpenUSD/pxr/usd/sdf/schema.h:212:43
    #1 0x7f6b0a030e21 in pxrInternal_v0_24__pxrReserved__::SdfLayer::_GetRequiredFieldDef(pxrInternal_v0_24__pxrReserved__::SdfPath const&, pxrInternal_v0_24__pxrReserved__::TfToken const&, pxrInternal_v0_24__pxrReserved__::SdfSpecType) const /home/zp/OpenUSD/pxr/usd/sdf/layer.cpp:3507:30
    #2 0x7f6b0a030e21 in pxrInternal_v0_24__pxrReserved__::SdfLayer::HasField(pxrInternal_v0_24__pxrReserved__::SdfPath const&, pxrInternal_v0_24__pxrReserved__::TfToken const&, pxrInternal_v0_24__pxrReserved__::VtValue*) const /home/zp/OpenUSD/pxr/usd/sdf/layer.cpp:3575:9
    #3 0x7f6b0a02e7b6 in pxrInternal_v0_24__pxrReserved__::SdfLayer::GetField(pxrInternal_v0_24__pxrReserved__::SdfPath const&, pxrInternal_v0_24__pxrReserved__::TfToken const&) const /home/zp/OpenUSD/pxr/usd/sdf/layer.cpp:3660:5
    #4 0x7f6b0a52ff2c in pxrInternal_v0_24__pxrReserved__::SdfSpec::GetField(pxrInternal_v0_24__pxrReserved__::TfToken const&) const /home/zp/OpenUSD/pxr/usd/sdf/spec.cpp:124:35
    #5 0x7f6b0a3c79ea in pxrInternal_v0_24__pxrReserved__::Sdf_AccessorHelpers<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec, true>::GetField(pxrInternal_v0_24__pxrReserved__::SdfPrimSpec const*, pxrInternal_v0_24__pxrReserved__::TfToken const&) /home/zp/OpenUSD/pxr/usd/sdf/accessorHelpers.h:208:20
    #6 0x7f6b0a3c79ea in pxrInternal_v0_24__pxrReserved__::SdfPrimSpec::GetTypeName() const /home/zp/OpenUSD/pxr/usd/sdf/primSpec.cpp:509:1
    #7 0x55961468e988 in (anonymous namespace)::GetTypeName[abi:cxx11](pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:103:18
    #8 0x55961468e988 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > (anonymous namespace)::GetPrimLabel<pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> >(pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:164:34
    #9 0x55961468e988 in void (anonymous namespace)::PrintPrim<pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> >((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:217:39
    #10 0x55961468ced0 in void (anonymous namespace)::PrintChildren<pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> >((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:268:13
    #11 0x55961468d693 in void (anonymous namespace)::PrintChildren<pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> >((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:266:13
    #12 0x55961468d526 in void (anonymous namespace)::PrintChildren<pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> >((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::SdfHandle<pxrInternal_v0_24__pxrReserved__::SdfPrimSpec> const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:269:13
    #13 0x559614676409 in void (anonymous namespace)::PrintTree<pxrInternal_v0_24__pxrReserved__::TfRefPtr<pxrInternal_v0_24__pxrReserved__::SdfLayer> >((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::TfRefPtr<pxrInternal_v0_24__pxrReserved__::SdfLayer> const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:277:5
    #14 0x559614598292 in (anonymous namespace)::PrintTree((anonymous namespace)::Args const&, pxrInternal_v0_24__pxrReserved__::ArResolvedPath const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:332:9
    #15 0x559614598292 in (anonymous namespace)::USDTree((anonymous namespace)::Args const&) /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:355:9
    #16 0x559614598292 in main /home/zp/OpenUSD/pxr/usd/bin/usdtree/usdtree.cpp:385:12
    #17 0x7f6b07765d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #18 0x7f6b07765e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #19 0x5596144bed54 in _start (/home/zp/OpenUSD/build_fuzz/bin/usdtree+0x32d54) (BuildId: 2d44677cfd867e728a02d42a59bcd74b9b577c56)
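The trace above ends in SdfSchemaBase::GetSpecDefinition, a lookup keyed by an SdfSpecType value. The advisory does not state the root cause, so the C++ below is an added illustrative example (not OpenUSD's code) of the general bug class such a trace suggests: an enum value deserialized from untrusted file data is used as an array index, shown both unchecked and with the range check a parser should apply at the trust boundary. The type names (SpecType, SpecDefinition, Schema), the record format and the sample bytes are all constructed for this example and are not the real crate/USDZ format.

```cpp
// Added illustrative example, not OpenUSD's code. Models a spec-type value
// read from an untrusted file being used to index a per-spec-type definition
// table. SpecType / SpecDefinition / Schema are hypothetical stand-ins for
// SdfSpecType / SdfSchemaBase; the byte format below is constructed.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical spec-type enum (the real SdfSpecType has more members).
enum SpecType : uint8_t {
    SpecTypeUnknown = 0,
    SpecTypeAttribute,
    SpecTypePrim,
    SpecTypeRelationship,
    NumSpecTypes            // one past the last valid value
};

struct SpecDefinition {
    std::string name;
    bool registered;        // false for entries never registered (Unknown)
};

class Schema {
public:
    Schema() {
        defs_[SpecTypeUnknown]      = {"unknown", false};
        defs_[SpecTypeAttribute]    = {"attribute", true};
        defs_[SpecTypePrim]         = {"prim", true};
        defs_[SpecTypeRelationship] = {"relationship", true};
    }

    // Vulnerable pattern: trusts the caller to pass an in-range enum value.
    // A value such as 0xFF from a corrupted file indexes far past defs_ and
    // yields the kind of wild READ that AddressSanitizer reports above.
    // (Deliberately never called with an out-of-range value in this file.)
    const SpecDefinition* GetSpecDefinitionUnchecked(SpecType t) const {
        return defs_[t].registered ? &defs_[t] : nullptr;
    }

    // Hardened form: reject anything outside [0, NumSpecTypes) before indexing.
    const SpecDefinition* GetSpecDefinition(SpecType t) const {
        if (static_cast<size_t>(t) >= defs_.size()) {
            return nullptr;
        }
        return defs_[t].registered ? &defs_[t] : nullptr;
    }

private:
    std::array<SpecDefinition, NumSpecTypes> defs_;
};

// Constructed record format standing in for spec data inside an archive:
//   [1 byte spec type][1 byte path length][path bytes]  ...repeated
struct SpecRecord {
    SpecType type;
    std::string path;
};

struct ParseResult {
    bool ok;
    std::vector<SpecRecord> records;
};

// Parse records, validating the spec-type byte at the trust boundary so an
// invalid value never reaches the schema lookup. ok == false on malformed input.
ParseResult ParseSpecRecords(const std::vector<uint8_t>& buf) {
    ParseResult res;
    res.ok = false;
    size_t i = 0;
    while (i < buf.size()) {
        if (i + 2 > buf.size()) return res;              // truncated header
        uint8_t rawType = buf[i];
        size_t len = buf[i + 1];
        if (rawType >= NumSpecTypes) return res;         // invalid spec type
        if (i + 2 + len > buf.size()) return res;        // truncated path
        SpecRecord r;
        r.type = static_cast<SpecType>(rawType);
        r.path.assign(buf.begin() + i + 2, buf.begin() + i + 2 + len);
        res.records.push_back(r);
        i += 2 + len;
    }
    res.ok = true;
    return res;
}

// Walk records the way a tree printer would, resolving each spec's definition.
// Returns how many records resolved to a registered definition.
size_t CountResolvableSpecs(const Schema& schema, const std::vector<SpecRecord>& recs) {
    size_t n = 0;
    for (size_t k = 0; k < recs.size(); ++k) {
        if (schema.GetSpecDefinition(recs[k].type) != nullptr) ++n;
    }
    return n;
}

int main() {
    Schema schema;
    // Constructed well-formed input: a prim "/scene" and an attribute "/scene.x".
    const uint8_t goodBytes[] = {SpecTypePrim, 6, '/', 's', 'c', 'e', 'n', 'e',
                                 SpecTypeAttribute, 8, '/', 's', 'c', 'e', 'n', 'e', '.', 'x'};
    // Constructed malformed input: spec type 0xFF is far outside the enum.
    const uint8_t badBytes[] = {0xFF, 1, '/'};
    std::vector<uint8_t> good(goodBytes, goodBytes + sizeof goodBytes);
    std::vector<uint8_t> bad(badBytes, badBytes + sizeof badBytes);

    ParseResult g = ParseSpecRecords(good);
    ParseResult b = ParseSpecRecords(bad);
    std::printf("good: ok=%d records=%zu resolvable=%zu\n",
                g.ok ? 1 : 0, g.records.size(), CountResolvableSpecs(schema, g.records));
    std::printf("bad:  ok=%d (rejected at the parser)\n", b.ok ? 1 : 0);
    // Defence in depth: even if a bad value slipped past the parser, the
    // checked lookup returns nullptr instead of reading out of bounds.
    std::printf("checked lookup of 0xFF: %s\n",
                schema.GetSpecDefinition(static_cast<SpecType>(0xFF)) ? "found" : "nullptr");
    return 0;
}
```

The point of the two layers is that the parser is the right place to reject an invalid spec type, while the lookup itself should still refuse to index with an unchecked value, because many internal callers (HasField, GetField, GetTypeName in the trace) reach it long after the file was read.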

PoC

PoC file: https://drive.google.com/file/d/1qqvrfaEf73bGZf67V-TRw8g_d-4oger3/view?usp=sharing

./usdtree ./11.usdz

usdtree is an example binary shipped with OpenUSD (pxr/usd/bin/usdtree). The trace above was captured from an AddressSanitizer-instrumented build, which is what makes the invalid read visible as a clean report rather than a plain segfault.

Impact

Arbitrary address read. The sanitizer report shows a SEGV caused by a READ access at an unmapped address while parsing the crafted file; a read that lands on mapped memory would instead disclose process memory rather than crash.

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

CVE ID

No known CVE

Weaknesses

Credits