View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0003502 | GNUnet | util library | public | 2014-07-15 00:15 | 2018-06-07 00:25 |
| Reporter | Bart Polot | Assigned To | Matthias Wachs | ||
| Priority | normal | Severity | crash | Reproducibility | unable to reproduce |
| Status | closed | Resolution | fixed | ||
| Product Version | Git master | ||||
| Target Version | 0.11.0pre66 | ||||
| Summary | 0003502: Transport crash due to use after free. | ||||

Description: At least that's what it looks like:

```
Core was generated by `/tmp/gnunet/lib//gnunet/libexec/gnunet-service-transport -c /home/bart/.config/'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f0ad191485e in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007f0ad191485e in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
#1  0x00007f0ad2b9cb05 in process_requests () at resolver_api.c:667
#2  0x00007f0ad2b9ce0d in reconnect_task (cls=0x0, tc=0x7fff52654e20) at resolver_api.c:712
#3  0x00007f0ad2b9f076 in run_ready (rs=0x113e510, ws=0x1151ff0) at scheduler.c:595
#4  0x00007f0ad2b9f91d in GNUNET_SCHEDULER_run (task=0x7f0ad2babc62 <service_task>, task_cls=0x7fff526551a0) at scheduler.c:817
#5  0x00007f0ad2bada1d in GNUNET_SERVICE_run (argc=3, argv=0x7fff52655428, service_name=0x424eec "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x40778a <run>, task_cls=0x0) at service.c:1498
#6  0x0000000000407f3b in main (argc=3, argv=0x7fff52655428) at gnunet-service-transport.c:1181
```

Additional Information: Just running a peer in the public network, tcp and udp enabled, behind the usual triple NAT...

Tags: No tags attached.

```
(gdb) bt full
#0  0x00007f0ad191485e in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
No symbol table info available.
#1  0x00007f0ad2b9cb05 in process_requests () at resolver_api.c:667
        msg = 0x7fff52644db0
        buf = "\255\306\000\004\r\360\255\272\r\360\255\272\272\255\360\r\272\255\360\r\272\255\360\r\272\255\360\r\004\000\005\070\060\000http_client\000d:84ed]:1080\000http_client\000t\000\356\373\203udp\000\000\n\000\004\375Г{\341\"\000\000\000\000\254\030\200\003\b&tcp\000\000\f\000\004\375Г{\341\"\000\000\000\000\254\030\200\003\b&\000\000V\271\000\000\000\000\203\237\302H\b&\000\000udp\000\000\n\000\004\375ϊ\224V\271\000\000\000\000\203\237\302H\b&\000\000\000\000\060ǖ\001\000\000\000\000\032", '\000' <repeats 15 times>, "\260MeR\377\177\000\000\034n>\323\n\177\000\000"...
        rh = 0x1aa3780
        __FUNCTION__ = "process_requests"
#2  0x00007f0ad2b9ce0d in reconnect_task (cls=0x0, tc=0x7fff52654e20) at resolver_api.c:712
        __FUNCTION__ = "reconnect_task"
#3  0x00007f0ad2b9f076 in run_ready (rs=0x113e510, ws=0x1151ff0) at scheduler.c:595
        p = GNUNET_SCHEDULER_PRIORITY_DEFAULT
        pos = 0x1aa2f70
        tc = {reason = GNUNET_SCHEDULER_REASON_TIMEOUT, read_ready = 0x113e510, write_ready = 0x1151ff0}
        __FUNCTION__ = "run_ready"
#4  0x00007f0ad2b9f91d in GNUNET_SCHEDULER_run (task=0x7f0ad2babc62 <service_task>, task_cls=0x7fff526551a0) at scheduler.c:817
        rs = 0x113e510
        ws = 0x1151ff0
        timeout = {rel_value_us = 1215}
        ret = 0
        shc_int = 0x1152210
        shc_term = 0x11522d0
        shc_quit = 0x1152450
        shc_hup = 0x1152510
        shc_pipe = 0x1152390
        last_tr = 4692019
        busy_wait_warning = 0
        pr = 0x113e4f0
        c = 0 '\000'
        __FUNCTION__ = "GNUNET_SCHEDULER_run"
#5  0x00007f0ad2bada1d in GNUNET_SERVICE_run (argc=3, argv=0x7fff52655428, service_name=0x424eec "transport", options=GNUNET_SERVICE_OPTION_NONE, task=0x40778a <run>, task_cls=0x0) at service.c:1498
        err = 0
        ret = 3
        cfg_fn = 0x113c700 "~/.config/gnunet.conf"
        opt_cfg_fn = 0x113c850 "/home/bart/.config/gnunet.conf"
        loglev = 0x0
        logfile = 0x0
        do_daemonize = 0
        i = 4224906
        skew_offset = 139684478904080
        skew_variance = 140734575760240
        clock_offset = 4208704
        sctx = {cfg = 0x113c720, server = 0x1152870, addrs = 0x0, service_name = 0x424eec "transport", task = 0x40778a <run>, task_cls = 0x0, v4_denied = 0x0, v6_denied = 0x0, v4_allowed = 0x114ea80, v6_allowed = 0x11515a0, my_handlers = 0x1152900, addrlens = 0x0, lsocks = 0x11502f0, shutdown_task = 4, timeout = {rel_value_us = 18446744073709551615}, ret = 1, ready_confirm_fd = -1, require_found = 1, match_uid = 0, match_gid = 1, options = GNUNET_SERVICE_OPTION_NONE}
        cfg = 0x113c720
        xdg = 0x0
        service_options = {
          {shortName = 99 'c', name = 0x7f0ad2bbb9ad "config", argumentHelp = 0x7f0ad2bbb9b4 "FILENAME", description = 0x7f0ad2bbb9c0 "use configuration file FILENAME", require_argument = 1, processor = 0x7f0ad2b8c455 <GNUNET_GETOPT_set_string>, scls = 0x7fff52655258},
          {shortName = 100 'd', name = 0x7f0ad2bbb9e0 "daemonize", argumentHelp = 0x0, description = 0x7f0ad2bbb9f0 "do daemonize (detach from terminal)", require_argument = 0, processor = 0x7f0ad2b8c428 <GNUNET_GETOPT_set_one>, scls = 0x7fff52655244},
          {shortName = 104 'h', name = 0x7f0ad2bbba14 "help", argumentHelp = 0x0, description = 0x7f0ad2bbba19 "print this help", require_argument = 0, processor = 0x7f0ad2b8bef3 <GNUNET_GETOPT_format_help_>, scls = 0x0},
          {shortName = 76 'L', name = 0x7f0ad2bbba29 "log", argumentHelp = 0x7f0ad2bbba2d "LOGLEVEL", description = 0x7f0ad2bbba38 "configure logging to use LOGLEVEL", require_argument = 1, processor = 0x7f0ad2b8c455 <GNUNET_GETOPT_set_string>, scls = 0x7fff52655250},
          {shortName = 108 'l', name = 0x7f0ad2bbba5a "logfile", argumentHelp = 0x7f0ad2bbba62 "LOGFILE", description = 0x7f0ad2bbba70 "configure logging to write logs to LOGFILE", require_argument = 1, processor = 0x7f0ad2b8c455 <GNUNET_GETOPT_set_string>, scls = 0x7fff52655248},
          {shortName = 118 'v', name = 0x7f0ad2bbba9b "version", argumentHelp = 0x0, description = 0x7f0ad2bbbaa3 "print the version number", require_argument = 0, processor = 0x7f0ad2b8bead <GNUNET_GETOPT_print_version_>, scls = 0x7f0ad2bbbabc},
          {shortName = 0 '\000', name = 0x0, argumentHelp = 0x0, description = 0x0, require_argument = 0, processor = 0x0, scls = 0x0}}
        __FUNCTION__ = "GNUNET_SERVICE_run"
#6  0x0000000000407f3b in main (argc=3, argv=0x7fff52655428) at gnunet-service-transport.c:1181
No locals.
```

```
(gdb) up 1
#1  0x00007f0ad2b9cb05 in process_requests () at resolver_api.c:667
667       memcpy (&msg[1], &rh[1], rh->data_len);
(gdb) p msg
$1 = (struct GNUNET_RESOLVER_GetMessage *) 0x7fff52644db0
(gdb) p *msg
$2 = {header = {size = 50861, type = 1024}, direction = -1163005939, af = -1163005939}
(gdb) p rh
$3 = (struct GNUNET_RESOLVER_RequestHandle *) 0x1aa3780
(gdb) p *rh
$4 = {next = 0x1aa3830, prev = 0xdf0adba0df0adba, addr_callback = 0xdf0adba0df0adba, name_callback = 0xdf0adba0df0adba, cls = 0xdf0adba0df0adba, timeout = {abs_value_us = 1004493731513019834}, task = 1004493731513019834, af = 233876922, was_transmitted = 233876922, was_queued = 233876922, direction = 233876922, received_response = 233876922, data_len = 1004493731513019834}
(gdb)
```

Use after free due to duplicate timeout handling: GNUNET_RESOLVER_hostname_get:numeric_reverse freed the resolver request but did not unqueue it ...
Fixed in 33980.
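The pattern behind the resolution note and the crash in the earlier notes, as an added C model that is not GNUnet's code: the `Request`/`Queue` types and the `queue_request`, `unqueue`, `timeout_request` and `process_requests` functions are hypothetical stand-ins for the resolver's request list, and the hostnames are constructed. A timeout path that only frees the handle leaves the queue pointing at released memory, so the next transmit step copies `data_len` bytes from garbage (the printed `*rh` above has every field filled with the same repeated pattern and a `data_len` in the quintillions); unlinking before freeing is the fix.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical request handle: queue links plus the hostname stored right
   after the struct, reached as &rq[1] like the memcpy in the crash. */
struct Request { struct Request *next, *prev; size_t data_len; };
struct Queue { struct Request *head, *tail; };
/* Allocate a request for NAME and append it to the queue. */
static struct Request *queue_request(struct Queue *q, const char *name) {
  size_t len = strlen(name) + 1;
  struct Request *rq = malloc(sizeof *rq + len);
  if (!rq) return NULL;
  memcpy(&rq[1], name, len);
  rq->data_len = len;
  rq->prev = q->tail; rq->next = NULL;
  if (q->tail) q->tail->next = rq; else q->head = rq;
  q->tail = rq;
  return rq;
}
static void unqueue(struct Queue *q, struct Request *rq) {
  if (rq->prev) rq->prev->next = rq->next; else q->head = rq->next;
  if (rq->next) rq->next->prev = rq->prev; else q->tail = rq->prev;
  rq->next = rq->prev = NULL;
}
/* Timeout path. The bug in the note amounted to free(rq) alone: the queue
   kept pointing at released memory and the next process_requests pass
   copied from it. Unlinking before freeing closes that window. */
static void timeout_request(struct Queue *q, struct Request *rq) {
  unqueue(q, rq);
  free(rq);
}
/* Model of process_requests: copy the head request's data into the message
   buffer; returns bytes copied, 0 if nothing is queued or it does not fit. */
static size_t process_requests(struct Queue *q, char *buf, size_t buflen) {
  struct Request *rq = q->head;
  if (!rq || rq->data_len > buflen) return 0;
  memcpy(buf, &rq[1], rq->data_len);
  return rq->data_len;
}
/* Constructed scenario: two lookups queued, the first times out, then the
   transmit step runs. Returns bytes copied for the survivor, 0 on bad state. */
static size_t demo(void) {
  struct Queue q = { NULL, NULL }; char msg[64];
  struct Request *a = queue_request(&q, "a.example.org");
  struct Request *b = queue_request(&q, "b.example.org");
  if (!a || !b) return 0;
  timeout_request(&q, a);
  if (q.head != b || q.tail != b || b->prev != NULL) return 0;
  size_t n = process_requests(&q, msg, sizeof msg);
  if (n != 14 || strcmp(msg, "b.example.org") != 0) return 0;
  timeout_request(&q, b); return (q.head || q.tail) ? 0 : n;
}
```

Building the same scenario with AddressSanitizer and a free-only timeout path reports the read in `process_requests` as a heap-use-after-free, which is the automated check for this class of bug.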
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2014-07-15 00:15 | Bart Polot | New Issue | |
| 2014-07-15 00:15 | Bart Polot | Status | new => assigned |
| 2014-07-15 00:15 | Bart Polot | Assigned To | => Matthias Wachs |
| 2014-07-15 00:17 | Bart Polot | Note Added: 0008523 | |
| 2014-07-15 00:18 | Bart Polot | Note Added: 0008524 | |
| 2014-07-15 00:18 | Bart Polot | Summary | Transport crash due to unaligned memory access on x64 (!) => Transport crash due to use after free. |
| 2014-07-17 17:25 | Matthias Wachs | Note Added: 0008529 | |
| 2014-07-17 17:26 | Matthias Wachs | Status | assigned => resolved |
| 2014-07-17 17:26 | Matthias Wachs | Resolution | open => fixed |
| 2014-07-17 17:26 | Matthias Wachs | Category | transport service => util library |
| 2018-06-07 00:25 | Christian Grothoff | Status | resolved => closed |