View Issue Details

ID: 0003794
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: Christian Grothoff
Assigned To: Bart Polot
Priority: urgent
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003794: cadet use after free valgrind report (on shutdown, with crash)

Description:

==25802== Invalid read of size 8
==25802== at 0x412C73: get_prev_hop (gnunet-service-cadet_connection.c:730)
==25802== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== Address 0x9e06288 is 200 bytes inside a block of size 256 free'd
==25802== at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802== by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802== by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802== by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802== by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802== by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802== by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802== by 0x432772: main (gnunet-service-cadet.c:174)
==25802==
==25802== Invalid read of size 4
==25802== at 0x412D2F: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== Address 0x9e06290 is 208 bytes inside a block of size 256 free'd
==25802== at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802== by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802== by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802== by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802== by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802== by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802== by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802== by 0x432772: main (gnunet-service-cadet.c:174)
==25802==
==25802== Invalid read of size 8
==25802== at 0x412D3D: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== Address 0x9e06288 is 200 bytes inside a block of size 256 free'd
==25802== at 0x4C29E90: free (vg_replace_malloc.c:473)
==25802== by 0x505630B: GNUNET_xfree_ (common_allocation.c:256)
==25802== by 0x41A2FB: GCC_destroy (gnunet-service-cadet_connection.c:2800)
==25802== by 0x419920: shutdown_iterator (gnunet-service-cadet_connection.c:2665)
==25802== by 0x50682CA: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25802== by 0x419944: GCC_shutdown (gnunet-service-cadet_connection.c:2676)
==25802== by 0x432364: shutdown_task (gnunet-service-cadet.c:112)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== by 0x50A07DB: GNUNET_SERVICE_run (service.c:1503)
==25802== by 0x432772: main (gnunet-service-cadet.c:174)
==25802==
==25802== Invalid read of size 4
==25802== at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802== Address 0xdf0adba0df0add2 is not stack'd, malloc'd or (recently) free'd
==25802==
==25802==
==25802== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==25802== General Protection Fault
==25802== at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==25802== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==25802== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==25802== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25802== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==25802== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==25802== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25802== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==25802== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==25802== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==25802== by 0x50916BC: run_ready (scheduler.c:587)
==25802== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==25802==
Tags: No tags attached.

Relationships

duplicate of 0003696 (closed, Bart Polot): segv in get_prev_hop()
related to 0003723 (closed, Christian Grothoff): cadet leaves sock file around (and only cadet)
related to 0003842 (closed, Christian Grothoff): Error: util-3140, Revision 35949

Activities

Christian Grothoff

2015-05-21 11:05

manager   ~0009142

Seen again:

grothoff@pixel:~$ gnunet-arm -e
==13065== Invalid read of size 8
==13065== at 0x412C73: get_prev_hop (gnunet-service-cadet_connection.c:730)
==13065== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065== by 0x50916BC: run_ready (scheduler.c:587)
==13065== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065== Address 0xb5a40f8 is 5,704 bytes inside an unallocated block of size 14,496 in arena "client"
==13065==
May 21 11:08:35-088549 cadet-13065 WARNING Message `External protocol violation detected at gnunet-service-cadet_tunnel.c:2759.' repeated 123 times in the last 62 s
May 21 11:08:35-088549 cadet-13065 ERROR Assertion failed at gnunet-service-cadet_connection.c:2993.
==13065== Invalid read of size 4
==13065== at 0x412D2F: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065== by 0x50916BC: run_ready (scheduler.c:587)
==13065== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065== Address 0x9f5def0 is 32 bytes before a block of size 16 in arena "client"
==13065==
==13065== Invalid read of size 8
==13065== at 0x412D3D: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065== by 0x50916BC: run_ready (scheduler.c:587)
==13065== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065== Address 0x9f5dee8 is 24 bytes after a block of size 80 in arena "client"
==13065==
==13065== Invalid read of size 4
==13065== at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065== by 0x50916BC: run_ready (scheduler.c:587)
==13065== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065== Address 0xa8 is not stack'd, malloc'd or (recently) free'd
==13065==
==13065==
==13065== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==13065== Access not within mapped region at address 0xA8
==13065== at 0x412D44: get_prev_hop (gnunet-service-cadet_connection.c:735)
==13065== by 0x41A60D: GCC_notify_broken (gnunet-service-cadet_connection.c:2989)
==13065== by 0x428DF5: notify_broken (gnunet-service-cadet_peer.c:357)
==13065== by 0x506821E: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==13065== by 0x4294A4: core_disconnect (gnunet-service-cadet_peer.c:461)
==13065== by 0x54CED07: disconnect_and_free_peer_entry (core_api.c:389)
==13065== by 0x50699A8: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==13065== by 0x54D4164: GNUNET_CORE_disconnect (core_api.c:1259)
==13065== by 0x42DB6D: GCP_shutdown (gnunet-service-cadet_peer.c:1716)
==13065== by 0x432373: shutdown_task (gnunet-service-cadet.c:115)
==13065== by 0x50916BC: run_ready (scheduler.c:587)
==13065== by 0x5091FC7: GNUNET_SCHEDULER_run (scheduler.c:867)
==13065== If you believe this happened as a result of a stack
==13065== overflow in your program's main thread (unlikely but
==13065== possible), you can try to increase the size of the
==13065== main thread stack using the --main-stacksize= flag.
==13065== The main thread stack size used in this run was 8388608.
==13065==
==13065== HEAP SUMMARY:
==13065== in use at exit: 427,279 bytes in 10,596 blocks
==13065== total heap usage: 483,504,284 allocs, 483,493,688 frees, 33,705,358,254 bytes allocated
==13065==
==13065== LEAK SUMMARY:
==13065== definitely lost: 66,800 bytes in 1,405 blocks
==13065== indirectly lost: 39,164 bytes in 1,936 blocks
==13065== possibly lost: 0 bytes in 0 blocks
==13065== still reachable: 321,315 bytes in 7,255 blocks
==13065== suppressed: 0 bytes in 0 blocks
==13065== Rerun with --leak-check=full to see details of leaked memory
==13065==

Christian Grothoff

2015-06-08 22:14

manager   ~0009235

I've tried to narrow it down using assertions/etc, but the fucker is still there:

==21471== Invalid read of size 8
==21471== at 0x40F0CE: get_prev_hop (gnunet-service-cadet_connection.c:739)
==21471== by 0x414329: GCC_notify_broken (gnunet-service-cadet_connection.c:3022)
==21471== by 0x41DF43: notify_broken (gnunet-service-cadet_peer.c:354)
==21471== by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==21471== by 0x41E694: core_disconnect (gnunet-service-cadet_peer.c:471)
==21471== by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==21471== by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==21471== by 0x54C7496: reconnect_later (core_api.c:450)
==21471== by 0x54C8E4F: main_notify_handler (core_api.c:788)
==21471== by 0x5050A0E: receive_helper (client.c:540)
==21471== by 0x505E021: receive_ready (connection.c:1139)
==21471== by 0x508DCE2: run_ready (scheduler.c:587)
==21471== Address 0x9873eb0 is 192 bytes inside a block of size 264 free'd
==21471== at 0x4C29E90: free (vg_replace_malloc.c:473)
==21471== by 0x5054F87: GNUNET_xfree_ (common_allocation.c:256)
==21471== by 0x414141: GCC_destroy (gnunet-service-cadet_connection.c:2832)
==21471== by 0x4143FB: GCC_notify_broken (gnunet-service-cadet_connection.c:3033)
==21471== by 0x41DF43: notify_broken (gnunet-service-cadet_peer.c:354)
==21471== by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==21471== by 0x41E694: core_disconnect (gnunet-service-cadet_peer.c:471)
==21471== by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==21471== by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==21471== by 0x54C7496: reconnect_later (core_api.c:450)
==21471== by 0x54C8E4F: main_notify_handler (core_api.c:788)
==21471== by 0x5050A0E: receive_helper (client.c:540)
==21471==

Christian Grothoff

2015-06-08 22:49

manager   ~0009236

Current theory: we're iterating over all entries in a hashmap. Each channel is TWICE in the map. If we hit the 'GCC_destroy', it may remove TWO entries from the hashmap -- the current one, and another one. The multihashmap_iterate is happy to tolerate removal of the current entry, but if the "next" pointer happens to be the "other one", then we'll go and tango with a use-after-free (or rather, use-after-remove) immediately for the next round of the callback from the iterator. As 'c' is then dead, we die.
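
The iterator hazard this note describes, as an added example that is not GNUnet's code (the toy multimap, its in-map `iter_next` cursor, and the names `map_put`, `map_remove`, `map_iterate`, `notify_broken` and `run_shutdown_demo` are assumptions chosen to mirror the trace; the three connections are constructed input): an iteration that only saves its "next" pointer before invoking the callback tolerates removal of the current entry but of no other entry, and a connection stored under two keys removes exactly that "next" entry when the callback destroys it. The map below keeps the cursor inside the map, so `map_remove` advances it past any entry it frees, and the shutdown sweep destroys every connection exactly once without following a freed pointer:

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Toy multimap: NBUCKETS chains of (key, value) entries; one value may sit
 * under several keys, like a connection stored under two hashes. */
#define NBUCKETS 4

struct entry { unsigned key; void *value; struct entry *next; };

struct map {
  struct entry *buckets[NBUCKETS];
  struct entry *iter_next; /* entry a running iteration visits next, else NULL */
  size_t size;
};

static void map_put(struct map *m, unsigned key, void *value)
{
  struct entry *e = calloc(1, sizeof *e);
  assert(e != NULL);
  e->key = key;
  e->value = value;
  e->next = m->buckets[key % NBUCKETS];
  m->buckets[key % NBUCKETS] = e;
  m->size++;
}

/* Remove one (key, value) entry. If it is the entry the running iteration
 * would visit next, move the cursor past it BEFORE freeing: that one line
 * turns "removing the current entry is tolerated" into "removing any entry
 * is tolerated", which is the use-after-remove described in the note. */
static int map_remove(struct map *m, unsigned key, void *value)
{
  for (struct entry **pp = &m->buckets[key % NBUCKETS]; *pp; pp = &(*pp)->next) {
    struct entry *e = *pp;
    if (e->key != key || e->value != value)
      continue;
    if (m->iter_next == e)
      m->iter_next = e->next;
    *pp = e->next;
    free(e);
    m->size--;
    return 1;
  }
  return 0;
}

typedef void (*map_cb)(void *cls, unsigned key, void *value);

/* Visit every entry; cb may remove any entries, visited or not. Returns the
 * number of callback invocations. One cursor per map, so not reentrant. */
static int map_iterate(struct map *m, map_cb cb, void *cls)
{
  int n = 0;
  for (unsigned b = 0; b < NBUCKETS; b++) {
    struct entry *e = m->buckets[b];
    while (e != NULL) {
      m->iter_next = e->next; /* saved before cb(); map_remove may patch it */
      cb(cls, e->key, e->value);
      e = m->iter_next;       /* never an entry that cb() already freed */
      n++;
    }
  }
  m->iter_next = NULL;
  return n;
}

/* A connection registered under two keys, as in the note. */
struct connection { unsigned key_a, key_b; int destroyed; };
struct shutdown_ctx { struct map *m; int destroyed; };

static void connection_destroy(struct shutdown_ctx *ctx, struct connection *c)
{
  assert(!c->destroyed); /* fires if the iterator hands us a dead connection */
  map_remove(ctx->m, c->key_a, c);
  map_remove(ctx->m, c->key_b, c);
  c->destroyed = 1;
  ctx->destroyed++;
}

/* notify_broken-style callback: destroying the connection removes BOTH of
 * its entries, and one of them may be the iterator's saved "next". */
static void notify_broken(void *cls, unsigned key, void *value)
{
  (void)key;
  connection_destroy(cls, value);
}

int demo_callbacks;    /* callback invocations during the sweep */
size_t demo_remaining; /* map entries left after the sweep */

/* Keys are chosen so both entries of a connection share a bucket and are
 * adjacent: the "other one" is exactly the iterator's next pointer. */
static int run_shutdown_demo(void)
{
  struct map m;
  struct connection conns[3] = { {1, 5, 0}, {2, 6, 0}, {0, 4, 0} };
  struct shutdown_ctx ctx = { &m, 0 };
  memset(&m, 0, sizeof m);
  for (int i = 0; i < 3; i++) {
    map_put(&m, conns[i].key_a, &conns[i]);
    map_put(&m, conns[i].key_b, &conns[i]);
  }
  demo_callbacks = map_iterate(&m, notify_broken, &ctx);
  demo_remaining = m.size;
  return ctx.destroyed; /* 3: every connection torn down exactly once */
}
```

Without the cursor fix-up in `map_remove`, the same sweep reads freed memory as soon as the two entries of one connection are adjacent in a bucket, which is the situation the valgrind output above reports. The alternative that needs no change to the map is a two-pass shutdown: collect the distinct connections during the iteration and destroy them only after it has finished.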

Christian Grothoff

2015-06-09 11:49

manager   ~0009237

Ouch, fixing note 9236, I am now 'rewarded' with one of the earlier assertions failing:

Jun 09 11:41:16-626431 cadet-25047 ERROR Assertion failed at gnunet-service-cadet_connection.c:1568.

This is the one in unregister_neighbours that is supposed to check that the peer that was the next hop during registration is still the same during unregistration. The assertion failing means that the connection suddenly has a different successor (bug in interning logic?).

On top of that, the original valgrind issue persists, even if we are lucky enough to not hit the assertion above:

^C==25522== Invalid read of size 8
==25522== at 0x40F0CE: get_prev_hop (gnunet-service-cadet_connection.c:739)
==25522== by 0x414478: GCC_notify_broken (gnunet-service-cadet_connection.c:3023)
==25522== by 0x41E0B0: notify_broken (gnunet-service-cadet_peer.c:363)
==25522== by 0x5065578: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:340)
==25522== by 0x41E8B7: core_disconnect (gnunet-service-cadet_peer.c:482)
==25522== by 0x54C6C90: disconnect_and_free_peer_entry (core_api.c:389)
==25522== by 0x5066D02: GNUNET_CONTAINER_multipeermap_iterate (container_multipeermap.c:361)
==25522== by 0x54CB505: GNUNET_CORE_disconnect (core_api.c:1259)
==25522== by 0x421D72: GCP_shutdown (gnunet-service-cadet_peer.c:1745)
==25522== by 0x424E65: shutdown_task (gnunet-service-cadet.c:115)
==25522== by 0x508DCE2: run_ready (scheduler.c:587)
==25522== by 0x508E576: GNUNET_SCHEDULER_run (scheduler.c:867)
==25522== Address 0x8c8d190 is 192 bytes inside a block of size 264 free'd
==25522== at 0x4C29E90: free (vg_replace_malloc.c:473)
==25522== by 0x5054F87: GNUNET_xfree_ (common_allocation.c:256)
==25522== by 0x414290: GCC_destroy (gnunet-service-cadet_connection.c:2833)
==25522== by 0x413B65: shutdown_iterator (gnunet-service-cadet_connection.c:2685)
==25522== by 0x5065624: GNUNET_CONTAINER_multihashmap_iterate (container_multihashmap.c:358)
==25522== by 0x413B89: GCC_shutdown (gnunet-service-cadet_connection.c:2696)
==25522== by 0x424E56: shutdown_task (gnunet-service-cadet.c:112)
==25522== by 0x508DCE2: run_ready (scheduler.c:587)
==25522== by 0x508E576: GNUNET_SCHEDULER_run (scheduler.c:867)
==25522== by 0x509B715: GNUNET_SERVICE_run (service.c:1503)
==25522== by 0x42512C: main (gnunet-service-cadet.c:174)
==25522==

amatus

2015-06-24 17:55

developer   ~0009326

SVN rev 35978 compiled with AddressSanitizer shows this on shutdown:

=================================================================
==30042==ERROR: AddressSanitizer: heap-use-after-free on address 0xb1729384 at pc 0x80525f7 bp 0xbfd13238 sp 0xbfd1322c
READ of size 4 at 0xb1729384 thread T0
    #0 0x80525f6 in unqueue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1776
    #1 0x805f8c0 in GCT_cancel /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:4140
    #2 0x8072e63 in channel_rel_free_all /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1007
    #3 0x807520d in GCCH_destroy /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1379
    #4 0x805ddca in GCT_destroy /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3671
    #5 0x8056809 in destroy_iterator /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2404
    #6 0xb716c03e in GNUNET_CONTAINER_multipeermap_iterate /root/gnunet/src/util/container_multipeermap.c:343
    #7 0x805adaf in GCT_shutdown /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3206
    #8 0x808ed38 in shutdown_task /root/gnunet/src/cadet/gnunet-service-cadet.c:113
    #9 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #10 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #11 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #12 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #13 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)
    #14 0x804acf0 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x804acf0)

0xb1729384 is located 4 bytes inside of 32-byte region [0xb1729380,0xb17293a0)
freed by thread T0 here:
    #0 0xb72874c4 in free (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e4c4)
    #1 0xb713fadd in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:256
    #2 0x8052c58 in unqueue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1777
    #3 0x805dbe0 in GCT_destroy /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3661
    #4 0x8056809 in destroy_iterator /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2404
    #5 0xb716c03e in GNUNET_CONTAINER_multipeermap_iterate /root/gnunet/src/util/container_multipeermap.c:343
    #6 0x805adaf in GCT_shutdown /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3206
    #7 0x808ed38 in shutdown_task /root/gnunet/src/cadet/gnunet-service-cadet.c:113
    #8 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #9 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #10 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #11 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #12 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

previously allocated by thread T0 here:
    #0 0xb72876e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xb713f7b8 in GNUNET_xmalloc_unchecked_ /root/gnunet/src/util/common_allocation.c:154
    #2 0xb713f216 in GNUNET_xmalloc_ /root/gnunet/src/util/common_allocation.c:75
    #3 0x8052da4 in queue_data /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1797
    #4 0x805343b in send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1852
    #5 0x805fa59 in GCT_send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:4171
    #6 0x8079bc3 in GCCH_send_prebuilt_message /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:2414
    #7 0x8071b16 in send_create /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:897
    #8 0x8077393 in GCCH_handle_local_create /root/gnunet/src/cadet/gnunet-service-cadet_channel.c:1892
    #9 0x807b368 in handle_channel_create /root/gnunet/src/cadet/gnunet-service-cadet_local.c:394
    #10 0xb71c4ef8 in GNUNET_SERVER_inject /root/gnunet/src/util/server.c:997
    #11 0xb71c60a7 in client_message_tokenizer_callback /root/gnunet/src/util/server.c:1256
    #12 0xb71cb90b in GNUNET_SERVER_mst_receive /root/gnunet/src/util/server_mst.c:262
    #13 0xb71c5c56 in process_incoming /root/gnunet/src/util/server.c:1178
    #14 0xb715390e in receive_ready /root/gnunet/src/util/connection.c:1139
    #15 0xb71bc497 in run_ready /root/gnunet/src/util/scheduler.c:587
    #16 0xb71bd1b6 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:867
    #17 0xb71da23f in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #18 0x808f000 in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #19 0xb6f02722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

SUMMARY: AddressSanitizer: heap-use-after-free /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:1776 unqueue_data
Shadow bytes around the buggy address:
  0x362e5220: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x362e5230: fd fa fa fa fd fd fd fd fa fa 00 00 00 fa fa fa
  0x362e5240: 00 00 00 fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x362e5250: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x362e5260: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
=>0x362e5270:[fd]fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x362e5280: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x362e5290: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x362e52a0: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
  0x362e52b0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x362e52c0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==30042==ABORTING
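
The ASan trace above shows one queue entry with two owners: `GCT_destroy` frees it through `unqueue_data` while draining the tunnel queue, but the channel still holds a handle to it, so `GCCH_destroy` -> `GCT_cancel` -> `unqueue_data` reads the freed block. As an added example, not GNUnet's code and not a description of the fix that went into r35986 (the structures and the names `tunnel_queue`, `tunnel_unqueue`, `tunnel_cancel`, `tunnel_destroy` and `run_tunnel_demo` are assumptions chosen to mirror the trace, and the queued messages are constructed), this is the ownership discipline that removes this class of use-after-free: the single function that frees an entry clears the channel's handle through a back-pointer, so a cancel issued after the queue was drained becomes a no-op, and an assertion catches any double unqueue:

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* One heap object, two owners: the tunnel's send queue links the entry, and
 * the channel that queued it keeps a handle so it can cancel it later. */
struct channel;

struct tq_entry {
  struct channel *owner;       /* back-pointer to the channel holding a handle */
  struct tq_entry *next;
  char payload[32];
};

struct channel {
  struct tq_entry *pending;    /* handle to our queued message, or NULL */
  int destroyed;
};

struct tunnel {
  struct tq_entry *head;
  struct channel *channels[2]; /* channels multiplexed over this tunnel */
  int freed;                   /* queue entries freed so far */
};

/* Queue a message for a channel and hand the channel a handle to it. */
static struct tq_entry *tunnel_queue(struct tunnel *t, struct channel *ch,
                                     const char *msg)
{
  struct tq_entry *e = calloc(1, sizeof *e);
  assert(e != NULL);
  e->owner = ch;
  strncpy(e->payload, msg, sizeof e->payload - 1);
  e->next = t->head;
  t->head = e;
  ch->pending = e;
  return e;
}

/* The ONLY place an entry is freed. Clearing the owner's handle before
 * free() is what makes a later cancel a no-op instead of a use-after-free. */
static void tunnel_unqueue(struct tunnel *t, struct tq_entry *e)
{
  struct tq_entry **pp = &t->head;
  while (*pp != NULL && *pp != e)
    pp = &(*pp)->next;
  assert(*pp == e);            /* entry must still be linked: no double free */
  *pp = e->next;
  if (e->owner != NULL && e->owner->pending == e)
    e->owner->pending = NULL;
  free(e);
  t->freed++;
}

/* A channel withdraws its pending message. Safe after the tunnel already
 * drained its queue, because the handle was cleared when the entry died. */
static void tunnel_cancel(struct tunnel *t, struct channel *ch)
{
  if (ch->pending != NULL)
    tunnel_unqueue(t, ch->pending);
}

static void channel_destroy(struct tunnel *t, struct channel *ch)
{
  tunnel_cancel(t, ch);
  ch->destroyed = 1;
}

/* Same order as the trace: drain and free the whole queue first, then
 * destroy the channels, each of which tries to cancel its own message. */
static void tunnel_destroy(struct tunnel *t)
{
  while (t->head != NULL)
    tunnel_unqueue(t, t->head);
  for (int i = 0; i < 2; i++)
    if (t->channels[i] != NULL)
      channel_destroy(t, t->channels[i]);
}

/* Returns the number of entries freed, or -1 if a handle was left dangling or
 * a channel survived. cancel_first makes channel a withdraw its message before
 * shutdown, exercising the other path into tunnel_unqueue. */
static int run_tunnel_demo(int cancel_first)
{
  struct tunnel t;
  struct channel a, b;
  memset(&t, 0, sizeof t);
  memset(&a, 0, sizeof a);
  memset(&b, 0, sizeof b);
  t.channels[0] = &a;
  t.channels[1] = &b;
  tunnel_queue(&t, &a, "CHANNEL_CREATE a"); /* constructed sample messages */
  tunnel_queue(&t, &b, "CHANNEL_CREATE b");
  if (cancel_first)
    tunnel_cancel(&t, &a);
  tunnel_destroy(&t);
  if (!a.destroyed || !b.destroyed || a.pending != NULL || b.pending != NULL
      || t.head != NULL)
    return -1;
  return t.freed; /* 2 on both paths: each entry freed exactly once */
}
```

The invariant worth carrying over to real code is the one in `tunnel_unqueue`: an object reachable from two places must be unlinked from both before it is freed, and the cheapest way to enforce that is to let the freeing site own the back-pointer rather than trusting every caller to clear its handle.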

Bart Polot

2015-06-24 17:56

manager   ~0009327

Awesome, this helps :)

Thanks!

Bart Polot

2015-06-24 17:59

manager   ~0009328

Also, btw, this bug is unrelated to the previous one...

Bart Polot

2015-06-25 05:34

manager   ~0009339

The newest bug (https://gnunet.org/bugs/view.php?id=3794#c9326) should be fixed at r35986.

Bart Polot

2015-10-02 06:01

manager   ~0009677

Haven't seen this in a while, seems resolved. Will leave GCC_check_connections in place for some more testing.

Issue History

Date Modified Username Field Change
2015-05-20 19:11 Christian Grothoff New Issue
2015-05-20 19:11 Christian Grothoff Status new => assigned
2015-05-20 19:11 Christian Grothoff Assigned To => Bart Polot
2015-05-21 11:05 Christian Grothoff Note Added: 0009142
2015-06-08 10:50 Christian Grothoff Relationship added duplicate of 0003696
2015-06-08 22:14 Christian Grothoff Note Added: 0009235
2015-06-08 22:49 Christian Grothoff Note Added: 0009236
2015-06-09 10:50 Christian Grothoff Assigned To Bart Polot => Christian Grothoff
2015-06-09 11:49 Christian Grothoff Note Added: 0009237
2015-06-19 06:52 Christian Grothoff Relationship added related to 0003723
2015-06-19 06:52 Christian Grothoff Relationship added related to 0003842
2015-06-19 16:27 Bart Polot Relationship added related to 0003845
2015-06-24 00:39 Christian Grothoff Assigned To Christian Grothoff => Bart Polot
2015-06-24 16:53 Bart Polot Status assigned => feedback
2015-06-24 17:55 amatus Note Added: 0009326
2015-06-24 17:56 Bart Polot Note Added: 0009327
2015-06-24 17:59 Bart Polot Note Added: 0009328
2015-06-25 05:19 Bart Polot Relationship deleted related to 0003845
2015-06-25 05:34 Bart Polot Note Added: 0009339
2015-10-02 06:01 Bart Polot Note Added: 0009677
2015-10-02 06:01 Bart Polot Status feedback => resolved
2015-10-02 06:01 Bart Polot Fixed in Version => SVN HEAD
2015-10-02 06:01 Bart Polot Resolution open => fixed
2015-10-02 14:32 Christian Grothoff Fixed in Version SVN HEAD => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed