View Issue Details

ID: 0003944
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: amatus
Assigned To: Bart Polot
Priority: normal
Severity: crash
Reproducibility: sometimes
Status: closed
Resolution: fixed
Platform: x86
OS: Debian
OS Version: jessie
Product Version: Git master
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0003944: Use after free in handle_kx_ax
Description: I've got a bunch of these in my logs. My node is running rev 36217.

=================================================================
==31497==ERROR: AddressSanitizer: heap-use-after-free on address 0x9c91e174 at pc 0xb71bacba bp 0xbf9dc8a8 sp 0xbf9dc89c
READ of size 4 at 0x9c91e174 thread T0
    #0 0xb71bacb9 in GNUNET_SCHEDULER_cancel /root/gnunet/src/util/scheduler.c:960
    #1 0x80596e9 in handle_kx_ax /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2913
    #2 0x805b5f9 in GCT_handle_kx /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3179
    #3 0x806b220 in handle_cadet_kx /root/gnunet/src/cadet/gnunet-service-cadet_connection.c:2598
    #4 0x806b360 in GCC_handle_kx /root/gnunet/src/cadet/gnunet-service-cadet_connection.c:2628
    #5 0xb70e04bc in main_notify_handler /root/gnunet/src/core/core_api.c:967
    #6 0xb7130a06 in receive_task /root/gnunet/src/util/client.c:623
    #7 0xb71b9a56 in run_ready /root/gnunet/src/util/scheduler.c:587
    #8 0xb71ba774 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:868
    #9 0xb71d77d3 in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #10 0x8090ffe in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #11 0xb6efb722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)
    #12 0x804acf0 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x804acf0)

0x9c91e174 is located 52 bytes inside of 56-byte region [0x9c91e140,0x9c91e178)
freed by thread T0 here:
    #0 0xb728a4c4 in free (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e4c4)
    #1 0xb7139b89 in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:256
    #2 0xb71b8c76 in destroy_task /root/gnunet/src/util/scheduler.c:516
    #3 0xb71bbe61 in GNUNET_SCHEDULER_cancel /root/gnunet/src/util/scheduler.c:992
    #4 0x80596e9 in handle_kx_ax /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2913
    #5 0x805b5f9 in GCT_handle_kx /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:3179
    #6 0x806b220 in handle_cadet_kx /root/gnunet/src/cadet/gnunet-service-cadet_connection.c:2598
    #7 0x806b360 in GCC_handle_kx /root/gnunet/src/cadet/gnunet-service-cadet_connection.c:2628
    #8 0xb70e04bc in main_notify_handler /root/gnunet/src/core/core_api.c:967
    #9 0xb7130a06 in receive_task /root/gnunet/src/util/client.c:623
    #10 0xb71b9a56 in run_ready /root/gnunet/src/util/scheduler.c:587
    #11 0xb71ba774 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:868
    #12 0xb71d77d3 in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #13 0x8090ffe in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #14 0xb6efb722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

previously allocated by thread T0 here:
    #0 0xb728a6e4 in malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e6e4)
    #1 0xb7139864 in GNUNET_xmalloc_unchecked_ /root/gnunet/src/util/common_allocation.c:154
    #2 0xb71392c2 in GNUNET_xmalloc_ /root/gnunet/src/util/common_allocation.c:75
    #3 0xb71bc359 in GNUNET_SCHEDULER_add_delayed_with_priority /root/gnunet/src/util/scheduler.c:1073
    #4 0xb71bcfcc in GNUNET_SCHEDULER_add_delayed /root/gnunet/src/util/scheduler.c:1178
    #5 0x8055014 in ephm_sent /root/gnunet/src/cadet/gnunet-service-cadet_tunnel.c:2088
    #6 0x80630eb in conn_message_sent /root/gnunet/src/cadet/gnunet-service-cadet_connection.c:641
    #7 0x808771f in GCP_queue_destroy /root/gnunet/src/cadet/gnunet-service-cadet_peer.c:1366
    #8 0x808684f in queue_send /root/gnunet/src/cadet/gnunet-service-cadet_peer.c:1252
    #9 0xb70ddc41 in transmit_message /root/gnunet/src/core/core_api.c:676
    #10 0xb7133b19 in client_notify /root/gnunet/src/util/client.c:1206
    #11 0xb714e85e in process_notify /root/gnunet/src/util/connection.c:1280
    #12 0xb714f766 in transmit_ready /root/gnunet/src/util/connection.c:1424
    #13 0xb71b9a56 in run_ready /root/gnunet/src/util/scheduler.c:587
    #14 0xb71ba774 in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:868
    #15 0xb71d77d3 in GNUNET_SERVICE_run /root/gnunet/src/util/service.c:1503
    #16 0x8090ffe in main /root/gnunet/src/cadet/gnunet-service-cadet.c:174
    #17 0xb6efb722 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19722)

SUMMARY: AddressSanitizer: heap-use-after-free /root/gnunet/src/util/scheduler.c:960 GNUNET_SCHEDULER_cancel
==31497==ABORTING
Tags: No tags attached.

Activities

amatus

2015-08-11 18:08

developer   ~0009561

Testing a fix at rev 36236

Bart Polot

2015-08-19 12:54

manager   ~0009575

Fixed at r36258-r36262

Issue History

Date Modified Username Field Change
2015-08-11 17:34 amatus New Issue
2015-08-11 17:34 amatus Status new => assigned
2015-08-11 17:34 amatus Assigned To => Bart Polot
2015-08-11 18:08 amatus Note Added: 0009561
2015-08-19 12:54 Bart Polot Note Added: 0009575
2015-08-19 12:54 Bart Polot Status assigned => resolved
2015-08-19 12:54 Bart Polot Fixed in Version => 0.11.0pre66
2015-08-19 12:54 Bart Polot Resolution open => fixed
2017-02-26 02:19 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed