View Issue Details

ID: 0003920
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: amatus
Assigned To: Christian Grothoff
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: amd64
OS: Debian
OS Version: jessie
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003920: segfault in path_get_length
Description: My peer running rev 36117 hit this:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000432ce5 in path_get_length (path=0xdf0adba0df0adba) at cadet_path.c:139
139 cadet_path.c: No such file or directory.
(gdb) bt
#0 0x0000000000432ce5 in path_get_length (path=0xdf0adba0df0adba) at cadet_path.c:139
#1 0x000000000042feeb in GCP_add_path (peer=0x1db9b30, path=0x1de1390, trusted=1)
    at gnunet-service-cadet_peer.c:2124
#2 0x0000000000430565 in GCP_add_path_to_all (p=0x1dd5530, confirmed=1)
    at gnunet-service-cadet_peer.c:2205
#3 0x00000000004177ef in GCC_handle_confirm (cls=0x0, peer=0x7ffdd89f4de4, message=0x7ffdd89f4e04)
    at gnunet-service-cadet_connection.c:2085
#4 0x00007fd425184a0c in main_notify_handler (cls=0x1d7dfb0, msg=0x7ffdd89f4de0) at core_api.c:967
#5 0x00007fd4255adb7b in receive_task (cls=0x1d7d8a0, tc=0x7ffdd89f4f00) at client.c:618
#6 0x00007fd4255ef909 in run_ready (rs=0x1d90f00, ws=0x1d7ba20) at scheduler.c:587
#7 0x00007fd4255f0214 in GNUNET_SCHEDULER_run (task=0x7fd4255fccef <service_task>,
    task_cls=0x7ffdd89f5290) at scheduler.c:867
#8 0x00007fd4255fea28 in GNUNET_SERVICE_run (argc=7, argv=0x7ffdd89f5528,
    service_name=0x43aefa "cadet", options=GNUNET_SERVICE_OPTION_NONE, task=0x433bd9 <run>, task_cls=0x0)
    at service.c:1503
#9 0x0000000000433f48 in main (argc=7, argv=0x7ffdd89f5528) at gnunet-service-cadet.c:174
(gdb) up
#1 0x000000000042feeb in GCP_add_path (peer=0x1db9b30, path=0x1de1390, trusted=1)
    at gnunet-service-cadet_peer.c:2124
2124 gnunet-service-cadet_peer.c: No such file or directory.
(gdb) p *peer
$1 = {id = 39, last_contact = {abs_value_us = 1437857245482958}, path_head = 0x1dbd050,
  path_tail = 0x1e62e10, search_h = 0x1e62b20, search_delayed = 0x0, tunnel = 0x1ddd170,
  connections = 0x1dac8b0, core_transmit = 0x0, tmt_time = {abs_value_us = 0}, queue_head = 0x0,
  queue_tail = 0x0, queue_n = 0, hello = 0x0}
(gdb) p *peer->path_head
$2 = {next = 0x1ef24a0, prev = 0x0, peers = 0x0, length = 0, c = 0x0, path_delete = 0xdf0adba0df00004}
(gdb) p *peer->path_head->next
$3 = {next = 0xdf0adba0df0adba, prev = 0x41, peers = 0x1ddb130, length = 0, c = 0x0, path_delete = 0x0}
Tags: No tags attached.

Activities

amatus

2015-07-28 01:01

developer   ~0009492

This may be related, captured on an x86 node running rev 36105.

==8022== Invalid read of size 4
==8022== at 0x806A2A3: path_get_length (cadet_path.c:139)
==8022== by 0x806849F: GCP_add_path (gnunet-service-cadet_peer.c:2124)
==8022== by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022== by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022== by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022== by 0x40D51C5: process_reply (dht_api.c:740)
==8022== by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022== by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022== by 0x4059247: receive_task (client.c:618)
==8022== by 0x4094230: run_ready (scheduler.c:587)
==8022== by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022== by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022== Address 0x47b9efc is 12 bytes inside a block of size 20 free'd
==8022== at 0x402A3A8: free (vg_replace_malloc.c:473)
==8022== by 0x42CF940: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x42CB720: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432BA94: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x4324A60: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432DAD0: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432E37B: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x430EEFF: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x430E4E4: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432D06A: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x42C7D9F: gcry_mpi_ec_get_mpi (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x4070F8D: GNUNET_CRYPTO_ecdhe_key_get_public (crypto_ecc.c:286)
==8022==
==8022== Invalid read of size 4
==8022== at 0x806869C: GCP_add_path (gnunet-service-cadet_peer.c:2122)
==8022== by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022== by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022== by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022== by 0x40D51C5: process_reply (dht_api.c:740)
==8022== by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022== by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022== by 0x4059247: receive_task (client.c:618)
==8022== by 0x4094230: run_ready (scheduler.c:587)
==8022== by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022== by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022== by 0x806AE78: main (gnunet-service-cadet.c:174)
==8022== Address 0x47b9ef0 is 0 bytes inside a block of size 20 free'd
==8022== at 0x402A3A8: free (vg_replace_malloc.c:473)
==8022== by 0x42CF940: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x42CB720: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432BA94: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x4324A60: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432DAD0: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432E37B: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x430EEFF: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x430E4E4: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x432D06A: ??? (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x42C7D9F: gcry_mpi_ec_get_mpi (in /lib/i386-linux-gnu/libgcrypt.so.20.0.3)
==8022== by 0x4070F8D: GNUNET_CRYPTO_ecdhe_key_get_public (crypto_ecc.c:286)
==8022==
==8022==
==8022== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==8022== Access not within mapped region at address 0x14
==8022== at 0x806A2A3: path_get_length (cadet_path.c:139)
==8022== by 0x806849F: GCP_add_path (gnunet-service-cadet_peer.c:2124)
==8022== by 0x806893D: GCP_add_path_to_all (gnunet-service-cadet_peer.c:2205)
==8022== by 0x8065A11: search_handler (gnunet-service-cadet_peer.c:1026)
==8022== by 0x8069875: dht_get_id_handler (gnunet-service-cadet_dht.c:192)
==8022== by 0x40D51C5: process_reply (dht_api.c:740)
==8022== by 0x406D092: GNUNET_CONTAINER_multihashmap_get_multiple (container_multihashmap.c:816)
==8022== by 0x40D5D43: service_message_handler (dht_api.c:1016)
==8022== by 0x4059247: receive_task (client.c:618)
==8022== by 0x4094230: run_ready (scheduler.c:587)
==8022== by 0x4094ABE: GNUNET_SCHEDULER_run (scheduler.c:867)
==8022== by 0x40A11EA: GNUNET_SERVICE_run (service.c:1503)
==8022== If you believe this happened as a result of a stack
==8022== overflow in your program's main thread (unlikely but
==8022== possible), you can try to increase the size of the
==8022== main thread stack using the --main-stacksize= flag.
==8022== The main thread stack size used in this run was 8388608.
==8022==
==8022== HEAP SUMMARY:
==8022== in use at exit: 754,926 bytes in 7,938 blocks
==8022== total heap usage: 626,955,937 allocs, 626,947,999 frees, 415,194,610,669 bytes allocated
==8022==
==8022== LEAK SUMMARY:
==8022== definitely lost: 0 bytes in 0 blocks
==8022== indirectly lost: 0 bytes in 0 blocks
==8022== possibly lost: 0 bytes in 0 blocks
==8022== still reachable: 754,926 bytes in 7,938 blocks
==8022== suppressed: 0 bytes in 0 blocks
==8022== Rerun with --leak-check=full to see details of leaked memory
==8022==
==8022== For counts of detected and suppressed errors, rerun with: -v
==8022== Use --track-origins=yes to see where uninitialised values come from
==8022== ERROR SUMMARY: 64 errors from 18 contexts (suppressed: 0 from 0)

Bart Polot

2015-07-28 01:04

manager   ~0009493

Looks like memory corruption if a path is being read in memory free'd by libgcrypt.

amatus

2015-07-28 01:54

developer   ~0009495

Last edited: 2015-07-28 01:55

It could be a use-after-free:
1) cadet frees some memory but still has a pointer to it
2) libgcrypt allocates the memory, uses it, then frees it
3) cadet tries to access the memory using its dangling pointer
4) valgrind tells us cadet tried to access memory freed by libgcrypt
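
As an added illustration of the scenario described in this note (example code, not from the GNUnet tree): a stripped-down model of a peer's path list, with a destroy that frees the path without unlinking it beside one that unlinks first. Struct and field names follow the gdb dump above; the functions (peer_add_path, path_destroy_buggy, path_destroy_safe, peer_total_path_length, the two demo functions) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical, simplified model of the CADET peer/path lists in the traces
 * above (field names follow the gdb dump); not the real GNUnet structures. */
struct CadetPeerPath {
  struct CadetPeerPath *next, *prev;
  unsigned int length;                  /* number of peers along the path */
};
struct CadetPeer { struct CadetPeerPath *path_head, *path_tail; };
/* Append a new path of the given length to the peer's doubly linked list. */
static struct CadetPeerPath *peer_add_path(struct CadetPeer *peer, unsigned int length) {
  struct CadetPeerPath *path = calloc(1, sizeof *path);
  path->length = length;
  path->prev = peer->path_tail;
  if (peer->path_tail) peer->path_tail->next = path; else peer->path_head = path;
  peer->path_tail = path;
  return path;
}
/* Buggy: frees the path but leaves the peer list pointing at it (address value
 * returned only so the demo can compare it without touching freed memory). */
static uintptr_t path_destroy_buggy(struct CadetPeerPath *path) {
  uintptr_t stale = (uintptr_t) path;
  free(path);
  return stale;
}
/* Fixed: unlink from the list that references the path, then free it. */
static void path_destroy_safe(struct CadetPeer *peer, struct CadetPeerPath *path) {
  if (path->prev) path->prev->next = path->next; else peer->path_head = path->next;
  if (path->next) path->next->prev = path->prev; else peer->path_tail = path->prev;
  free(path);
}
/* Walk the list summing lengths; after the buggy destroy this walk is the
 * read valgrind flagged, since path_head still points into freed memory. */
static unsigned int peer_total_path_length(const struct CadetPeer *peer) {
  unsigned int sum = 0;
  for (const struct CadetPeerPath *p = peer->path_head; p; p = p->next) sum += p->length;
  return sum;
}
/* Returns 1 when the buggy destroy left a dangling entry at path_head. */
int demo_buggy_leaves_dangling(void) {
  struct CadetPeer peer = {0};
  struct CadetPeerPath *path = peer_add_path(&peer, 3);
  return (uintptr_t) peer.path_head == path_destroy_buggy(path);
}
/* Returns the total length left after safely destroying the first of two paths. */
unsigned int demo_safe_destroy_keeps_others(void) {
  struct CadetPeer peer = {0};
  peer_add_path(&peer, 3);
  peer_add_path(&peer, 2);
  path_destroy_safe(&peer, peer.path_head);
  return peer_total_path_length(&peer);   /* 2: only the second path remains */
}
```

Under valgrind the dangling entry is reported as a read of a block freed by whoever freed it last, which is why the trace above blames libgcrypt rather than the cadet code that dropped the path.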

Christian Grothoff

2017-02-21 18:31

manager   ~0011817

No longer relevant after CADET rewrite.

Issue History

Date Modified Username Field Change
2015-07-27 23:34 amatus New Issue
2015-07-27 23:34 amatus Status new => assigned
2015-07-27 23:34 amatus Assigned To => Bart Polot
2015-07-28 01:01 amatus Note Added: 0009492
2015-07-28 01:04 Bart Polot Note Added: 0009493
2015-07-28 01:54 amatus Note Added: 0009495
2015-07-28 01:55 amatus Note Edited: 0009495
2017-02-21 18:31 Christian Grothoff Assigned To Bart Polot => Christian Grothoff
2017-02-21 18:31 Christian Grothoff Status assigned => resolved
2017-02-21 18:31 Christian Grothoff Resolution open => fixed
2017-02-21 18:31 Christian Grothoff Fixed in Version => 0.11.0pre66
2017-02-21 18:31 Christian Grothoff Note Added: 0011817
2017-02-21 18:31 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed