View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003920 | GNUnet | cadet service | public | 2015-07-27 23:34 | 2018-06-07 00:24 |
Reporter | amatus | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Platform | amd64 | OS | Debian | OS Version | jessie |
Product Version | Git master | ||||
Target Version | 0.11.0pre66 | Fixed in Version | 0.11.0pre66 | ||
Summary | 0003920: segfault in path_get_length | ||||
Description | My peer running rev 36117 hit this:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000432ce5 in path_get_length (path=0xdf0adba0df0adba) at cadet_path.c:139
139     cadet_path.c: No such file or directory.
(gdb) bt
#0  0x0000000000432ce5 in path_get_length (path=0xdf0adba0df0adba) at cadet_path.c:139
#1  0x000000000042feeb in GCP_add_path (peer=0x1db9b30, path=0x1de1390, trusted=1) at gnunet-service-cadet_peer.c:2124
#2  0x0000000000430565 in GCP_add_path_to_all (p=0x1dd5530, confirmed=1) at gnunet-service-cadet_peer.c:2205
#3  0x00000000004177ef in GCC_handle_confirm (cls=0x0, peer=0x7ffdd89f4de4, message=0x7ffdd89f4e04) at gnunet-service-cadet_connection.c:2085
#4  0x00007fd425184a0c in main_notify_handler (cls=0x1d7dfb0, msg=0x7ffdd89f4de0) at core_api.c:967
#5  0x00007fd4255adb7b in receive_task (cls=0x1d7d8a0, tc=0x7ffdd89f4f00) at client.c:618
#6  0x00007fd4255ef909 in run_ready (rs=0x1d90f00, ws=0x1d7ba20) at scheduler.c:587
#7  0x00007fd4255f0214 in GNUNET_SCHEDULER_run (task=0x7fd4255fccef <service_task>, task_cls=0x7ffdd89f5290) at scheduler.c:867
#8  0x00007fd4255fea28 in GNUNET_SERVICE_run (argc=7, argv=0x7ffdd89f5528, service_name=0x43aefa "cadet", options=GNUNET_SERVICE_OPTION_NONE, task=0x433bd9 <run>, task_cls=0x0) at service.c:1503
#9  0x0000000000433f48 in main (argc=7, argv=0x7ffdd89f5528) at gnunet-service-cadet.c:174
(gdb) up
#1  0x000000000042feeb in GCP_add_path (peer=0x1db9b30, path=0x1de1390, trusted=1) at gnunet-service-cadet_peer.c:2124
2124    gnunet-service-cadet_peer.c: No such file or directory.
(gdb) p *peer
$1 = {id = 39, last_contact = {abs_value_us = 1437857245482958}, path_head = 0x1dbd050, path_tail = 0x1e62e10, search_h = 0x1e62b20, search_delayed = 0x0, tunnel = 0x1ddd170, connections = 0x1dac8b0, core_transmit = 0x0, tmt_time = {abs_value_us = 0}, queue_head = 0x0, queue_tail = 0x0, queue_n = 0, hello = 0x0}
(gdb) p *peer->path_head
$2 = {next = 0x1ef24a0, prev = 0x0, peers = 0x0, length = 0, c = 0x0, path_delete = 0xdf0adba0df00004}
(gdb) p *peer->path_head->next
$3 = {next = 0xdf0adba0df0adba, prev = 0x41, peers = 0x1ddb130, length = 0, c = 0x0, path_delete = 0x0}
```
Tags | No tags attached. | ||||
|
This may be related, captured on an x86 node running rev 36105.

```
==8022== Invalid read of size 4
==8022==    at 0x806A2A3: path_get_length (cadet_path.c:139)
==8022==    by 0x806849F: GCP_add_path (gnunet-service-cadet_peer.c:2124)
==8022==    by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022==    by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022==    by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022==    by 0x40D51C5: process_reply (dht_api.c:740)
==8022==    by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022==    by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022==    by 0x4059247: receive_task (client.c:618)
==8022==    by 0x4094230: run_ready (scheduler.c:587)
==8022==    by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022==    by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022==  Address 0x47b9efc is 12 bytes inside a block of size 20 free'd
==8022==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==8022==    by 0x42CF940: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x42CB720: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432BA94: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x4324A60: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432DAD0: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432E37B: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x430EEFF: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x430E4E4: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432D06A: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x42C7D9F: gcry_mpi_ec_get_mpi (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x4070F8D: GNUNET_CRYPTO_ecdhe_key_get_public (crypto_ecc.c:286)
==8022==
==8022== Invalid read of size 4
==8022==    at 0x806869C: GCP_add_path (gnunet-service-cadet_peer.c:2122)
==8022==    by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022==    by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022==    by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022==    by 0x40D51C5: process_reply (dht_api.c:740)
==8022==    by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022==    by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022==    by 0x4059247: receive_task (client.c:618)
==8022==    by 0x4094230: run_ready (scheduler.c:587)
==8022==    by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022==    by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022==    by 0x806AE78: main (gnunet-service-cadet.c:174)
==8022==  Address 0x47b9ef0 is 0 bytes inside a block of size 20 free'd
==8022==    at 0x402A3A8: free (vg_replace_malloc.c:473)
==8022==    by 0x42CF940: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x42CB720: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432BA94: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x4324A60: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432DAD0: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432E37B: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x430EEFF: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x430E4E4: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x432D06A: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x42C7D9F: gcry_mpi_ec_get_mpi (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022==    by 0x4070F8D: GNUNET_CRYPTO_ecdhe_key_get_public (crypto_ecc.c:286)
==8022==
==8022==
==8022== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==8022==  Access not within mapped region at address 0x14
==8022==    at 0x806A2A3: path_get_length (cadet_path.c:139)
==8022==    by 0x806849F: GCP_add_path (gnunet-service-cadet_peer.c:2124)
==8022==    by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022==    by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022==    by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022==    by 0x40D51C5: process_reply (dht_api.c:740)
==8022==    by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022==    by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022==    by 0x4059247: receive_task (client.c:618)
==8022==    by 0x4094230: run_ready (scheduler.c:587)
==8022==    by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022==    by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022==  If you believe this happened as a result of a stack
==8022==  overflow in your program's main thread (unlikely but
==8022==  possible), you can try to increase the size of the
==8022==  main thread stack using the --main-stacksize= flag.
==8022==  The main thread stack size used in this run was 8388608.
==8022==
==8022== HEAP SUMMARY:
==8022==     in use at exit: 754,926 bytes in 7,938 blocks
==8022==   total heap usage: 626,955,937 allocs, 626,947,999 frees, 415,194,610,669 bytes allocated
==8022==
==8022== LEAK SUMMARY:
==8022==    definitely lost: 0 bytes in 0 blocks
==8022==    indirectly lost: 0 bytes in 0 blocks
==8022==      possibly lost: 0 bytes in 0 blocks
==8022==    still reachable: 754,926 bytes in 7,938 blocks
==8022==         suppressed: 0 bytes in 0 blocks
==8022== Rerun with --leak-check=full to see details of leaked memory
==8022==
==8022== For counts of detected and suppressed errors, rerun with: -v
==8022== Use --track-origins=yes to see where uninitialised values come from
==8022== ERROR SUMMARY: 64 errors from 18 contexts (suppressed: 0 from 0)
```
|
Looks like memory corruption if a path is being read in memory free'd by libgcrypt. |
|
It could be a use-after-free:

1) cadet frees some memory but still has a pointer to it
2) libgcrypt allocates the memory, uses it, then frees it
3) cadet tries to access the memory using its dangling pointer
4) valgrind tells us cadet tried to access memory freed by libgcrypt
|
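A model of the failure mode the note above describes, added here as an example that is not GNUnet's code: a hypothetical peer path list (struct and function names are assumptions loosely modelled on the frames in the traces) where destruction unlinks a path before freeing it, with an ownership check that would trip if a path were freed while still reachable from the list.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical model of a CADET peer's doubly linked path list, not GNUnet's code. */
struct Path {
  struct Path *next;
  struct Path *prev;
  unsigned int length;   /* hop count, the field path_get_length() reads */
};
struct Peer { struct Path *path_head; struct Path *path_tail; };

unsigned int path_get_length(const struct Path *path) { return path->length; }

/* Allocate a path and append it to the peer's list. */
struct Path *peer_add_path(struct Peer *peer, unsigned int length) {
  struct Path *p = calloc(1, sizeof *p);
  if (NULL == p) abort();
  p->length = length;
  p->prev = peer->path_tail;
  if (NULL != peer->path_tail) peer->path_tail->next = p; else peer->path_head = p;
  peer->path_tail = p;
  return p;
}

/* Debug invariant: is `path` still reachable from `peer`'s list? */
int peer_owns_path(const struct Peer *peer, const struct Path *path) {
  for (const struct Path *p = peer->path_head; NULL != p; p = p->next)
    if (p == path) return 1;
  return 0;
}

/* Safe order: unlink, then free. Freeing a path that is still linked leaves
 * path_head or a neighbour's next pointing at the freed block; once another
 * allocation (libgcrypt in the valgrind log) reuses it, the next walk reads
 * a length out of someone else's memory, which is what the traces show. */
void peer_destroy_path(struct Peer *peer, struct Path *path) {
  assert(peer_owns_path(peer, path));
  if (NULL != path->prev) path->prev->next = path->next; else peer->path_head = path->next;
  if (NULL != path->next) path->next->prev = path->prev; else peer->path_tail = path->prev;
  path->next = path->prev = NULL;  /* the block no longer references the list */
  free(path);
}

/* Walk the list reading each length, as the crashing GCP_add_path frame does. */
unsigned int peer_total_path_length(const struct Peer *peer) {
  unsigned int total = 0;
  for (const struct Path *p = peer->path_head; NULL != p; p = p->next)
    total += path_get_length(p);
  return total;
}
```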
No longer relevant after CADET rewrite. |
Date Modified | Username | Field | Change |
---|---|---|---|
2015-07-27 23:34 | amatus | New Issue | |
2015-07-27 23:34 | amatus | Status | new => assigned |
2015-07-27 23:34 | amatus | Assigned To | => Bart Polot |
2015-07-28 01:01 | amatus | Note Added: 0009492 | |
2015-07-28 01:04 | Bart Polot | Note Added: 0009493 | |
2015-07-28 01:54 | amatus | Note Added: 0009495 | |
2015-07-28 01:55 | amatus | Note Edited: 0009495 | |
2017-02-21 18:31 | Christian Grothoff | Assigned To | Bart Polot => Christian Grothoff |
2017-02-21 18:31 | Christian Grothoff | Status | assigned => resolved |
2017-02-21 18:31 | Christian Grothoff | Resolution | open => fixed |
2017-02-21 18:31 | Christian Grothoff | Fixed in Version | => 0.11.0pre66 |
2017-02-21 18:31 | Christian Grothoff | Note Added: 0011817 | |
2017-02-21 18:31 | Christian Grothoff | Target Version | => 0.11.0pre66 |
2018-06-07 00:24 | Christian Grothoff | Status | resolved => closed |