18 bugs (UAF) in `nav2_amcl` by setting dynamic parameters

## Bug report

**Required Info:**

- Operating System:
  -  Ubuntu22.04
- ROS2 Version:
  -  humble
- Version or commit hash:
  -  the latest
- DDS implementation:
  -  defaulted

#### Steps to reproduce issue


Launch the navigation2 normally, as following steps:
```sh
#!/bin/bash
export ASAN_OPTIONS=halt_on_error=0:new_delete_type_mismatch=0:detect_leaks=0:log_pah=asan
source install/setup.bash
export TURTLEBOT3_MODEL=waffle
export GAZEBO_MODEL_PATH=$GAZEBO_MODEL_PATH:/opt/ros/humble/share/turtlebot3_gazebo/models
ros2 launch nav2_bringup tb3_simulation_launch.py headless:=True use_rviz:=False use_composition:=False 
```

Learning about how the dynamic-parameter works , I had a try on it . 
```sh
ros2 param set /amcl z_rand 0.5
```

[notice] whatever the value be (0.5 or anyother double value43) , the UAF occurs all the time. 

#### Expected behavior
no crash occurs

#### Actual behavior
The ASAN reporting a **heap-user-after-free** bug to me as following, and the `nav2_amcl` stop its work.

```
=================================================================
==145868==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000aaab0 at pc 0x730fff32b5a4 bp 0x7fff30eba470 sp 0x7fff30eba468
READ of size 8 at 0x6170000aaab0 thread T0
    #0 0x730fff32b5a3 in message_filters::Signal1<sensor_msgs::msg::LaserScan_<std::allocator<void> > >::removeCallback(std::shared_ptr<message_filters::CallbackHelper1<sensor_msgs::msg::LaserScan_<std::allocator<void> > > > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x52b5a3) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #1 0x730fff32e80a in std::_Function_handler<void (), std::_Bind<void (message_filters::Signal1<sensor_msgs::msg::LaserScan_<std::allocator<void> > >::* (message_filters::Signal1<sensor_msgs::msg::LaserScan_<std::allocator<void> > >*, std::shared_ptr<message_filters::CallbackHelper1<sensor_msgs::msg::LaserScan_<std::allocator<void> > > >))(std::shared_ptr<message_filters::CallbackHelper1<sensor_msgs::msg::LaserScan_<std::allocator<void> > > > const&)> >::_M_invoke(std::_Any_data const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x52e80a) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #2 0x730fff3273c0 in tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>::~MessageFilter() (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x5273c0) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #3 0x730fff3281c0 in tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>::~MessageFilter() (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x5281c0) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #4 0x730fff1c36e4 in std::__uniq_ptr_impl<tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>, std::default_delete<tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer> > >::reset(tf2_ros::MessageFilter<sensor_msgs::msg::LaserScan_<std::allocator<void> >, tf2_ros::Buffer>*) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x3c36e4) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #5 0x730fff156ee9 in nav2_amcl::AmclNode::initMessageFilters() (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x356ee9) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #6 0x730fff163f1e in nav2_amcl::AmclNode::dynamicParametersCallback(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x363f1e) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #7 0x730fff23743e in std::__invoke_result<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>::type std::__invoke<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>(rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x43743e) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #8 0x730fff2372a1 in rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > std::__invoke_impl<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> >, std::_Bind<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::* (nav2_amcl::AmclNode*, std::_Placeholder<1>))(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >)>&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>(std::__invoke_other, std::_Bind<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::* (nav2_amcl::AmclNode*, std::_Placeholder<1>))(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >)>&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x4372a1) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #9 0x730fff2370d3 in std::_Function_handler<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&), std::_Bind<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::* (nav2_amcl::AmclNode*, std::_Placeholder<1>))(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >)> >::_M_invoke(std::_Any_data const&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x4370d3) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #10 0x7310002601a1  (/opt/ros/humble/lib/librclcpp.so+0x10e1a1) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #11 0x731000264cd1 in rclcpp::node_interfaces::NodeParameters::set_parameters_atomically(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/opt/ros/humble/lib/librclcpp.so+0x112cd1) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #12 0x7310002ddafc  (/opt/ros/humble/lib/librclcpp.so+0x18bafc) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #13 0x73100029b107  (/opt/ros/humble/lib/librclcpp.so+0x149107) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #14 0x7310002a96ae  (/opt/ros/humble/lib/librclcpp.so+0x1576ae) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #15 0x73100023c2a5  (/opt/ros/humble/lib/librclcpp.so+0xea2a5) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #16 0x731000239c89 in rclcpp::Executor::execute_service(std::shared_ptr<rclcpp::ServiceBase>) (/opt/ros/humble/lib/librclcpp.so+0xe7c89) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #17 0x731000239ff5 in rclcpp::Executor::execute_any_executable(rclcpp::AnyExecutable&) (/opt/ros/humble/lib/librclcpp.so+0xe7ff5) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #18 0x7310002418af in rclcpp::executors::SingleThreadedExecutor::spin() (/opt/ros/humble/lib/librclcpp.so+0xef8af) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #19 0x731000241ac4 in rclcpp::spin(std::shared_ptr<rclcpp::node_interfaces::NodeBaseInterface>) (/opt/ros/humble/lib/librclcpp.so+0xefac4) (BuildId: 4cca8a387f3c93d38a0567a8efc7cba9106f5d9a)
    #20 0x5e3a5905f941 in main (/home/***/nav2_humble/install/nav2_amcl/lib/nav2_amcl/amcl+0xe6941) (BuildId: 068ea3ea0211b05161e789e94dd1668c91ef8430)
    #21 0x730ffe429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x730ffe429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x5e3a58f9f504 in _start (/home/***/nav2_humble/install/nav2_amcl/lib/nav2_amcl/amcl+0x26504) (BuildId: 068ea3ea0211b05161e789e94dd1668c91ef8430)

0x6170000aaab0 is located 48 bytes inside of 680-byte region [0x6170000aaa80,0x6170000aad28)
freed by thread T0 here:
    #0 0x5e3a5905d97d in operator delete(void*) (/home/***/nav2_humble/install/nav2_amcl/lib/nav2_amcl/amcl+0xe497d) (BuildId: 068ea3ea0211b05161e789e94dd1668c91ef8430)
    #1 0x730fff1c3594 in std::__uniq_ptr_impl<message_filters::Subscriber<sensor_msgs::msg::LaserScan_<std::allocator<void> >, rclcpp_lifecycle::LifecycleNode>, std::default_delete<message_filters::Subscriber<sensor_msgs::msg::LaserScan_<std::allocator<void> >, rclcpp_lifecycle::LifecycleNode> > >::reset(message_filters::Subscriber<sensor_msgs::msg::LaserScan_<std::allocator<void> >, rclcpp_lifecycle::LifecycleNode>*) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x3c3594) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #2 0x730fff23743e in std::__invoke_result<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>::type std::__invoke<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>(rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::*&)(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >), nav2_amcl::AmclNode*&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x43743e) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #3 0x730fff2372a1 in rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > std::__invoke_impl<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> >, std::_Bind<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::* (nav2_amcl::AmclNode*, std::_Placeholder<1>))(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >)>&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&>(std::__invoke_other, std::_Bind<rcl_interfaces::msg::SetParametersResult_<std::allocator<void> > (nav2_amcl::AmclNode::* (nav2_amcl::AmclNode*, std::_Placeholder<1>))(std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> >)>&, std::vector<rclcpp::Parameter, std::allocator<rclcpp::Parameter> > const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x4372a1) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)

previously allocated by thread T0 here:
    #0 0x5e3a5905d11d in operator new(unsigned long) (/home/***/nav2_humble/install/nav2_amcl/lib/nav2_amcl/amcl+0xe411d) (BuildId: 068ea3ea0211b05161e789e94dd1668c91ef8430)
    #1 0x730fff1bb3cf in std::__detail::_MakeUniq<message_filters::Subscriber<sensor_msgs::msg::LaserScan_<std::allocator<void> >, rclcpp_lifecycle::LifecycleNode> >::__single_object std::make_unique<message_filters::Subscriber<sensor_msgs::msg::LaserScan_<std::allocator<void> >, rclcpp_lifecycle::LifecycleNode>, std::shared_ptr<nav2_util::LifecycleNode>, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, rmw_qos_profile_s const&, rclcpp::SubscriptionOptionsWithAllocator<std::allocator<void> >&>(std::shared_ptr<nav2_util::LifecycleNode>&&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, rmw_qos_profile_s const&, rclcpp::SubscriptionOptionsWithAllocator<std::allocator<void> >&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x3bb3cf) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #2 0x730fff156acd in nav2_amcl::AmclNode::initMessageFilters() (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x356acd) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #3 0x730fff14c01e in nav2_amcl::AmclNode::on_configure(rclcpp_lifecycle::State const&) (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x34c01e) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548)
    #4 0x731000135b8c  (/opt/ros/humble/lib/librclcpp_lifecycle.so+0x28b8c) (BuildId: e9b8e454bf87aaab775667b79aefcab12c018de9)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/***/nav2_humble/install/nav2_amcl/lib/libamcl_core.so+0x52b5a3) (BuildId: e96a3822dfb41386b5409b544e4bc74088297548) in message_filters::Signal1<sensor_msgs::msg::LaserScan_<std::allocator<void> > >::removeCallback(std::shared_ptr<message_filters::CallbackHelper1<sensor_msgs::msg::LaserScan_<std::allocator<void> > > > const&)
Shadow bytes around the buggy address:
  0x0c2e8000d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e8000d510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e8000d520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e8000d530: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c2e8000d540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e8000d550: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c2e8000d560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e8000d570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e8000d580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e8000d590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e8000d5a0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==145868==ABORTING
```

#### Additional information


----



it seems that the callback function for laser_scan_message is stiil executing while dynamic parameter changes, and they have some data race.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

18 bugs (UAF) in `nav2_amcl` by setting dynamic parameters #4379

Bug report

Steps to reproduce issue

Expected behavior

Actual behavior

Additional information

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

18 bugs (UAF) in nav2_amcl by setting dynamic parameters #4379

Description

Bug report

Steps to reproduce issue

Expected behavior

Actual behavior

Additional information

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

18 bugs (UAF) in `nav2_amcl` by setting dynamic parameters #4379