View Issue Details

ID: 0004675
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: amatus
Assigned To: Christian Grothoff
Priority: urgent
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: amd64
OS: Debian
OS Version: jessie
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0004675: heap use-after-free in conn_message_sent
Description:
I'm hitting this issue in rev 37989. Happens when running a peer for a short time.
Looks like a tunnel is being destroyed but a message sent callback is being called for a channel that was freed. Maybe a message sent by GCC_destroy?

Additional Information:
=================================================================
==4390==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000a4b8 at pc 0x416b6b bp 0x7fff18d61b80 sp 0x7fff18d61b78
READ of size 4 at 0x61200000a4b8 thread T0
    #0 0x416b6a in conn_message_sent (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x416b6a)
    #1 0x438e4f in call_peer_cont (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438e4f)
    #2 0x438f7d in mq_sent (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438f7d)
    #3 0x7f8ef8546d28 in impl_send_continue (/opt/gnunet/lib/libgnunetutil.so.13+0xa7d28)
    #4 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #5 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #6 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #7 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #8 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x403d88 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x403d88)

0x61200000a4b8 is located 248 bytes inside of 272-byte region [0x61200000a3c0,0x61200000a4d0)
freed by thread T0 here:
    #0 0x7f8ef8a58527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7f8ef84ea095 in GNUNET_xfree_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4b095)
    #2 0x41f49b in GCC_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41f49b)
    #3 0x4123c1 in GCT_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4123c1)
    #4 0x411fee in delayed_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x411fee)
    #5 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #6 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #7 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #8 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #9 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7f8ef8a5873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f8ef84e9d4c in GNUNET_xmalloc_unchecked_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4ad4c)
    #2 0x7f8ef84e94f4 in GNUNET_xmalloc_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4a4f4)
    #3 0x41e98f in GCC_new (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41e98f)
    #4 0x412e1a in GCT_use_path (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x412e1a)
    #5 0x43a1a8 in GCP_connect (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x43a1a8)
    #6 0x42b73c in GCCH_handle_local_create (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x42b73c)
    #7 0x430900 in handle_channel_create (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x430900)
    #8 0x7f8ef856ffd5 in GNUNET_SERVER_inject (/opt/gnunet/lib/libgnunetutil.so.13+0xd0fd5)
    #9 0x7f8ef8570fd1 in client_message_tokenizer_callback (/opt/gnunet/lib/libgnunetutil.so.13+0xd1fd1)
    #10 0x7f8ef85759d1 in GNUNET_SERVER_mst_receive (/opt/gnunet/lib/libgnunetutil.so.13+0xd69d1)
    #11 0x7f8ef8570bb5 in process_incoming (/opt/gnunet/lib/libgnunetutil.so.13+0xd1bb5)
    #12 0x7f8ef84fcd50 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x5dd50)
    #13 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #14 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #15 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #16 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #17 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 conn_message_sent
Shadow bytes around the buggy address:
  0x0c247fff9440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9460: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c247fff9470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fff9490: fd fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa fa
  0x0c247fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff94b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff94c0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff94d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff94e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==4390==ABORTING
Tags: No tags attached.
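The ASan report above shows the shape of the bug precisely: the connection object is freed in GCC_destroy (called from GCT_destroy via a delayed tunnel teardown), but an envelope queued earlier still carries a "message sent" continuation whose closure is that connection, so when the scheduler later runs impl_send_continue -> mq_sent -> conn_message_sent, the continuation reads 248 bytes into a freed 272-byte region. The following is an added illustration, not GNUnet's code: a minimal model of a message queue with send continuations, where the destroy routine cancels the pending envelope and checks that nothing in the queue still references the object before freeing it. Every name in it (Envelope, MessageQueue, mq_send, mq_cancel, mq_count_refs, mq_run, conn_*) is an invented stand-in, not the real GNUnet MQ or CADET API.

```c
/* Added example, not GNUnet code: model of a send continuation outliving
   the object it points at, and of a destroy routine that prevents it. */
#include <stdlib.h>

#define MAX_PENDING 8

/* A queued message plus the continuation to run once it has been sent. */
struct Envelope {
  void (*cont)(void *cls);
  void *cont_cls;
  int active;            /* 1 while queued, 0 once delivered or cancelled */
};

/* Fixed-size stand-in for a message queue (hypothetical, not GNUnet's MQ). */
struct MessageQueue {
  struct Envelope slots[MAX_PENDING];
};

struct Connection {
  struct MessageQueue *mq;
  struct Envelope *pending;   /* our in-flight envelope, or NULL */
  int in_flight;              /* messages queued but not yet confirmed sent */
};

/* Queue a message; the caller keeps the handle so it can cancel later. */
static struct Envelope *mq_send(struct MessageQueue *mq,
                                void (*cont)(void *), void *cls) {
  for (int i = 0; i < MAX_PENDING; i++) {
    struct Envelope *e = &mq->slots[i];
    if (e->active) continue;
    e->cont = cont;
    e->cont_cls = cls;
    e->active = 1;
    return e;
  }
  return NULL;  /* queue full; a real queue would grow or apply back-pressure */
}

/* Drop a queued envelope so its continuation never runs. */
static void mq_cancel(struct Envelope *e) {
  e->active = 0;
  e->cont = NULL;
  e->cont_cls = NULL;
}

/* Debug check: number of queued envelopes whose closure is `cls`.
   It must be 0 immediately before `cls` is freed. */
static int mq_count_refs(const struct MessageQueue *mq, const void *cls) {
  int n = 0;
  for (int i = 0; i < MAX_PENDING; i++)
    if (mq->slots[i].active && mq->slots[i].cont_cls == cls) n++;
  return n;
}

/* One scheduler turn: "send" every queued message and run its continuation.
   This is the moment impl_send_continue -> mq_sent -> conn_message_sent
   fired in the report. Returns the number of messages delivered. */
static int mq_run(struct MessageQueue *mq) {
  int delivered = 0;
  for (int i = 0; i < MAX_PENDING; i++) {
    struct Envelope *e = &mq->slots[i];
    if (!e->active) continue;
    e->active = 0;
    if (e->cont != NULL) e->cont(e->cont_cls);
    delivered++;
  }
  return delivered;
}

/* Continuation: dereferences the closure, so the connection must be alive. */
static void conn_message_sent(void *cls) {
  struct Connection *c = cls;
  c->in_flight--;
  c->pending = NULL;
}

static struct Connection *conn_new(struct MessageQueue *mq) {
  struct Connection *c = calloc(1, sizeof *c);
  if (c != NULL) c->mq = mq;
  return c;
}

static void conn_send(struct Connection *c) {
  c->pending = mq_send(c->mq, &conn_message_sent, c);
  if (c->pending != NULL) c->in_flight++;
}

/* Safe teardown: cancel whatever still references `c`, verify, then free.
   The reported bug is the variant of this function that skips the cancel. */
static void conn_destroy(struct Connection *c) {
  if (c->pending != NULL) {
    mq_cancel(c->pending);
    c->pending = NULL;
  }
  if (mq_count_refs(c->mq, c) != 0) abort();  /* would be a future UAF */
  free(c);
}

/* The report's ordering: destroy while a send is still queued.
   Returns how many continuations ran afterwards (0 when teardown is correct). */
static int scenario_destroy_before_send(void) {
  struct MessageQueue mq = {0};
  struct Connection *c = conn_new(&mq);
  conn_send(c);
  conn_destroy(c);       /* cancels the envelope before freeing */
  return mq_run(&mq);    /* nothing left to deliver, no dangling callback */
}

/* Control: the message is sent first, then the connection goes away.
   Returns 1 when exactly one message was delivered and none remain in flight. */
static int scenario_send_then_destroy(void) {
  struct MessageQueue mq = {0};
  struct Connection *c = conn_new(&mq);
  conn_send(c);
  int delivered = mq_run(&mq);   /* continuation runs on a live object */
  int left = c->in_flight;       /* 0 after conn_message_sent */
  conn_destroy(c);
  return (delivered == 1 && left == 0) ? 1 : 0;
}
```

The mq_count_refs check is the part worth carrying into a real code base: a cheap scan of pending envelopes right before free turns a silent dangling-closure bug into an immediate, attributable abort at the destroy site rather than a later crash in the continuation, which is exactly where ASan had to catch it here.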

Activities

Christian Grothoff (manager), 2017-02-21 18:27, note ~0011809:

No longer relevant after CADET rewrite.

Issue History

Date Modified Username Field Change
2016-09-23 20:55 amatus New Issue
2016-09-23 20:55 amatus Status new => assigned
2016-09-23 20:55 amatus Assigned To => Bart Polot
2016-09-24 22:36 Christian Grothoff Priority normal => urgent
2017-02-21 18:27 Christian Grothoff Assigned To Bart Polot => Christian Grothoff
2017-02-21 18:27 Christian Grothoff Status assigned => resolved
2017-02-21 18:27 Christian Grothoff Resolution open => fixed
2017-02-21 18:27 Christian Grothoff Fixed in Version => 0.11.0pre66
2017-02-21 18:27 Christian Grothoff Note Added: 0011809
2017-02-21 18:27 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed