View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004675 | GNUnet | cadet service | public | 2016-09-23 20:55 | 2018-06-07 00:24 |
Reporter | amatus | Assigned To | Christian Grothoff | ||
Priority | urgent | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Platform | amd64 | OS | Debian | OS Version | jessie |
Product Version | Git master | ||||
Target Version | 0.11.0pre66 | Fixed in Version | 0.11.0pre66 | ||
Summary | 0004675: heap use-after-free in conn_message_sent | ||||
Description | I'm hitting this issue in rev 37989. Happens when running a peer for a short time. Looks like a tunnel is being destroyed but a message sent callback is being called for a channel that was freed. Maybe a message sent by GCC_destroy? | ||||
Additional Information | AddressSanitizer report: | ||||

```
=================================================================
==4390==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200000a4b8 at pc 0x416b6b bp 0x7fff18d61b80 sp 0x7fff18d61b78
READ of size 4 at 0x61200000a4b8 thread T0
    #0 0x416b6a in conn_message_sent (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x416b6a)
    #1 0x438e4f in call_peer_cont (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438e4f)
    #2 0x438f7d in mq_sent (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438f7d)
    #3 0x7f8ef8546d28 in impl_send_continue (/opt/gnunet/lib/libgnunetutil.so.13+0xa7d28)
    #4 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #5 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #6 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #7 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #8 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x403d88 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x403d88)

0x61200000a4b8 is located 248 bytes inside of 272-byte region [0x61200000a3c0,0x61200000a4d0)
freed by thread T0 here:
    #0 0x7f8ef8a58527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7f8ef84ea095 in GNUNET_xfree_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4b095)
    #2 0x41f49b in GCC_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41f49b)
    #3 0x4123c1 in GCT_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4123c1)
    #4 0x411fee in delayed_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x411fee)
    #5 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #6 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #7 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #8 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #9 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7f8ef8a5873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f8ef84e9d4c in GNUNET_xmalloc_unchecked_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4ad4c)
    #2 0x7f8ef84e94f4 in GNUNET_xmalloc_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4a4f4)
    #3 0x41e98f in GCC_new (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41e98f)
    #4 0x412e1a in GCT_use_path (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x412e1a)
    #5 0x43a1a8 in GCP_connect (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x43a1a8)
    #6 0x42b73c in GCCH_handle_local_create (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x42b73c)
    #7 0x430900 in handle_channel_create (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x430900)
    #8 0x7f8ef856ffd5 in GNUNET_SERVER_inject (/opt/gnunet/lib/libgnunetutil.so.13+0xd0fd5)
    #9 0x7f8ef8570fd1 in client_message_tokenizer_callback (/opt/gnunet/lib/libgnunetutil.so.13+0xd1fd1)
    #10 0x7f8ef85759d1 in GNUNET_SERVER_mst_receive (/opt/gnunet/lib/libgnunetutil.so.13+0xd69d1)
    #11 0x7f8ef8570bb5 in process_incoming (/opt/gnunet/lib/libgnunetutil.so.13+0xd1bb5)
    #12 0x7f8ef84fcd50 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x5dd50)
    #13 0x7f8ef8567d83 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc8d83)
    #14 0x7f8ef8568a42 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc9a42)
    #15 0x7f8ef8582cb7 in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe3cb7)
    #16 0x44106c in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x44106c)
    #17 0x7f8ef6da1b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 conn_message_sent
Shadow bytes around the buggy address:
  0x0c247fff9440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9460: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c247fff9470: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff9480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c247fff9490: fd fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa fa
  0x0c247fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff94b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fff94c0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247fff94d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fff94e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==4390==ABORTING
```

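The ordering the report describes (a send continuation still queued when its owner is freed), as an added illustrative model in C that is not GNUnet code; the struct names, `mq_send`/`mq_cancel`/`mq_drain` and `run_scenario` are assumed here. The hardened `conn_destroy` cancels the outstanding envelope before freeing, so the stale continuation is skipped when the queue drains instead of touching freed memory.

```c
#include <stdlib.h>
/* Added model, not GNUnet code. A send queues a continuation that fires
 * later; on the page the owner was freed (GCC_destroy) while its
 * conn_message_sent was still queued. Fix modelled: cancel on destroy. */
#define MAX_PENDING 8
struct Envelope {
    void (*cont)(void *cls);  /* continuation run when the send completes */
    void *cont_cls;           /* closure: the owning struct Connection */
    int cancelled;            /* set by mq_cancel(); mq_drain skips it */
};
struct MessageQueue { struct Envelope *pending[MAX_PENDING]; int n; };
struct Connection {
    struct Envelope *in_flight;  /* handle kept so destroy can cancel it */
    int messages_sent;
};
static void conn_message_sent(void *cls) {
    ((struct Connection *)cls)->messages_sent++;  /* UAF if owner freed first */
}
static struct Envelope *mq_send(struct MessageQueue *mq, void (*cont)(void *), void *cls) {
    struct Envelope *env = calloc(1, sizeof *env);
    env->cont = cont; env->cont_cls = cls;
    mq->pending[mq->n++] = env;  /* callers keep n below MAX_PENDING */
    return env;
}
static void mq_cancel(struct Envelope *env) { env->cancelled = 1; }
/* Fires queued continuations (the scheduler's job); returns how many ran. */
static int mq_drain(struct MessageQueue *mq) {
    int fired = 0;
    for (int i = 0; i < mq->n; i++) {
        struct Envelope *env = mq->pending[i];
        if (!env->cancelled) { env->cont(env->cont_cls); fired++; }
        free(env);
    }
    mq->n = 0;
    return fired;
}
/* Hardened destroy: cancel the outstanding send before free(c). */
static void conn_destroy(struct Connection *c) {
    if (c->in_flight) mq_cancel(c->in_flight);
    free(c);
}
/* destroy_first=1 is the report's ordering (destroy, then the queue drains). */
static int run_scenario(int destroy_first) {
    struct MessageQueue mq = { {0}, 0 };
    struct Connection *c = calloc(1, sizeof *c);
    int fired;
    c->in_flight = mq_send(&mq, conn_message_sent, c);
    if (destroy_first) { conn_destroy(c); fired = mq_drain(&mq); }
    else { fired = mq_drain(&mq); c->in_flight = NULL; conn_destroy(c); }
    return fired;
}
```

Building the model with `-fsanitize=address` and removing the `mq_cancel` call in `conn_destroy` reproduces the same class of report (a read in the continuation after the free in destroy).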
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2016-09-23 20:55 | amatus | New Issue | |
2016-09-23 20:55 | amatus | Status | new => assigned |
2016-09-23 20:55 | amatus | Assigned To | => Bart Polot |
2016-09-24 22:36 | Christian Grothoff | Priority | normal => urgent |
2017-02-21 18:27 | Christian Grothoff | Assigned To | Bart Polot => Christian Grothoff |
2017-02-21 18:27 | Christian Grothoff | Status | assigned => resolved |
2017-02-21 18:27 | Christian Grothoff | Resolution | open => fixed |
2017-02-21 18:27 | Christian Grothoff | Fixed in Version | => 0.11.0pre66 |
2017-02-21 18:27 | Christian Grothoff | Note Added: 0011809 | |
2017-02-21 18:27 | Christian Grothoff | Target Version | => 0.11.0pre66 |
2018-06-07 00:24 | Christian Grothoff | Status | resolved => closed |