View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004788 | GNUnet | cadet service | public | 2016-11-15 06:47 | 2018-06-07 00:24 |
Reporter | amatus | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Product Version | Git master | ||||
Target Version | 0.11.0pre66 | Fixed in Version | 0.11.0pre66 | ||
Summary | 0004788: heap use after free in GNUNET_MQ_send_cancel | ||||
Description | Found this in my logs on a node running rev 38251 | ||||
Additional Information | AddressSanitizer report, reproduced below the table | ||||
Tags | No tags attached. | ||||

Additional Information (AddressSanitizer report):

```
==11368==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000096058 at pc 0x7f8d2296e2e3 bp 0x7ffcb9230de0 sp 0x7ffcb9230dd8
READ of size 8 at 0x60f000096058 thread T0
    #0 0x7f8d2296e2e2 in GNUNET_MQ_send_cancel (/opt/gnunet/lib/libgnunetutil.so.13+0xa92e2)
    #1 0x439782 in GCP_send_cancel (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x439782)
    #2 0x420b3b in GCC_cancel (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x420b3b)
    #3 0x4197cb in connection_cancel_queues (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4197cb)
    #4 0x41ed56 in GCC_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41ed56)
    #5 0x419de0 in connection_timeout (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x419de0)
    #6 0x419eb3 in connection_bck_timeout (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x419eb3)
    #7 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #8 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #9 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #10 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #11 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #12 0x403df8 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x403df8)

0x60f000096058 is located 24 bytes inside of 176-byte region [0x60f000096040,0x60f0000960f0)
freed by thread T0 here:
    #0 0x7f8d22e7c527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7f8d2290e95c in GNUNET_xfree_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4995c)
    #2 0x7f8d2296a427 in GNUNET_MQ_discard (/opt/gnunet/lib/libgnunetutil.so.13+0xa5427)
    #3 0x7f8d2296dbab in GNUNET_MQ_destroy (/opt/gnunet/lib/libgnunetutil.so.13+0xa8bab)
    #4 0x7f8d224a6828 in disconnect_and_free_peer_entry (/opt/gnunet/lib/libgnunetcore.so.0+0xa828)
    #5 0x7f8d224a8d9b in handle_disconnect_notify (/opt/gnunet/lib/libgnunetcore.so.0+0xcd9b)
    #6 0x7f8d22969f53 in GNUNET_MQ_inject_message (/opt/gnunet/lib/libgnunetutil.so.13+0xa4f53)
    #7 0x7f8d2290a161 in recv_message (/opt/gnunet/lib/libgnunetutil.so.13+0x45161)
    #8 0x7f8d22968f8c in GNUNET_MST_from_buffer (/opt/gnunet/lib/libgnunetutil.so.13+0xa3f8c)
    #9 0x7f8d22969a7a in GNUNET_MST_read (/opt/gnunet/lib/libgnunetutil.so.13+0xa4a7a)
    #10 0x7f8d2290ab61 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x45b61)
    #11 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #12 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #13 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #14 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #15 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7f8d22e7c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f8d2290e613 in GNUNET_xmalloc_unchecked_ (/opt/gnunet/lib/libgnunetutil.so.13+0x49613)
    #2 0x7f8d2290ddad in GNUNET_xmalloc_ (/opt/gnunet/lib/libgnunetutil.so.13+0x48dad)
    #3 0x7f8d2296c426 in GNUNET_MQ_msg_copy (/opt/gnunet/lib/libgnunetutil.so.13+0xa7426)
    #4 0x438d4f in GCP_send (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438d4f)
    #5 0x4206d4 in GCC_send_prebuilt_message (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4206d4)
    #6 0x4180e6 in send_broken (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4180e6)
    #7 0x41f886 in GCC_neighbor_disconnected (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41f886)
    #8 0x434e49 in notify_broken (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x434e49)
    #9 0x7f8d229320f8 in GNUNET_CONTAINER_multihashmap_iterate (/opt/gnunet/lib/libgnunetutil.so.13+0x6d0f8)
    #10 0x435dde in core_disconnect_handler (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x435dde)
    #11 0x7f8d224a6710 in disconnect_and_free_peer_entry (/opt/gnunet/lib/libgnunetcore.so.0+0xa710)
    #12 0x7f8d224a8d9b in handle_disconnect_notify (/opt/gnunet/lib/libgnunetcore.so.0+0xcd9b)
    #13 0x7f8d22969f53 in GNUNET_MQ_inject_message (/opt/gnunet/lib/libgnunetutil.so.13+0xa4f53)
    #14 0x7f8d2290a161 in recv_message (/opt/gnunet/lib/libgnunetutil.so.13+0x45161)
    #15 0x7f8d22968f8c in GNUNET_MST_from_buffer (/opt/gnunet/lib/libgnunetutil.so.13+0xa3f8c)
    #16 0x7f8d22969a7a in GNUNET_MST_read (/opt/gnunet/lib/libgnunetutil.so.13+0xa4a7a)
    #17 0x7f8d2290ab61 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x45b61)
    #18 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #19 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #20 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #21 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #22 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 GNUNET_MQ_send_cancel
Shadow bytes around the buggy address:
  0x0c1e8000abb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000abc0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e8000abd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000abe0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1e8000abf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c1e8000ac00: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c1e8000ac10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1e8000ac20: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000ac30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e8000ac40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000ac50: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB: fc
  ASan internal:         fe
==11368==ABORTING
```
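The three stacks in the report line up as one ownership story: the 176-byte envelope is allocated by GNUNET_MQ_msg_copy inside GCP_send while cadet's core_disconnect_handler is sending a BROKEN message, it is freed a little later in the same disconnect path when core's disconnect_and_free_peer_entry calls GNUNET_MQ_destroy (which discards every queued envelope), and the cadet connection, which still holds the envelope handle, dereferences it from GCP_send_cancel when its timeout task fires. The toy below is an added illustration of that pattern and of one hardening against it; it is not GNUnet code and not the fix that went into 0.11.0pre66 (the report does not say what that fix was). The queue notifies each envelope's sender before it frees the envelope during destroy, so the sender's later cancel finds a NULL handle instead of freed memory. All names (mq_*, conn_*, struct Connection, EnvDroppedCb) and the "BROKEN" payload are this example's own.

```c
#include <stdlib.h>
#include <string.h>
struct Envelope;
/* Called by the queue when it drops an envelope on its own (queue destroyed),
 * so the sender can forget its handle before the memory is freed. */
typedef void (*EnvDroppedCb)(void *cls, struct Envelope *env);
struct Envelope {
  struct Envelope *next;
  char *payload;             /* private copy, as GNUNET_MQ_msg_copy makes one */
  EnvDroppedCb dropped_cb;
  void *dropped_cls;
};
struct MessageQueue { struct Envelope *head; };

struct MessageQueue *mq_create(void) { return calloc(1, sizeof(struct MessageQueue)); }

/* Queue a copy of msg; the handle is valid until cancelled or reported dropped. */
struct Envelope *mq_send(struct MessageQueue *mq, const char *msg,
                         EnvDroppedCb dropped_cb, void *dropped_cls) {
  struct Envelope *env = calloc(1, sizeof(*env));
  size_t n = strlen(msg) + 1;
  if (env == NULL) return NULL;
  if ((env->payload = malloc(n)) == NULL) { free(env); return NULL; }
  memcpy(env->payload, msg, n);
  env->dropped_cb = dropped_cb;
  env->dropped_cls = dropped_cls;
  env->next = mq->head;
  mq->head = env;
  return env;
}

static void env_free(struct Envelope *env) { free(env->payload); free(env); }

/* Sender-initiated cancel. Returns 1 if env was still pending, else 0. */
int mq_send_cancel(struct MessageQueue *mq, struct Envelope *env) {
  for (struct Envelope **pp = &mq->head; *pp != NULL; pp = &(*pp)->next)
    if (*pp == env) { *pp = env->next; env_free(env); return 1; }
  return 0;
}

/* Destroy the queue and all pending envelopes. The callback before each free is
 * the hardening: without it the sender keeps a dangling handle, which is what
 * GNUNET_MQ_send_cancel reads in the report. Returns the number dropped. */
unsigned int mq_destroy(struct MessageQueue *mq) {
  unsigned int dropped = 0;
  struct Envelope *env;
  while ((env = mq->head) != NULL) {
    mq->head = env->next;
    if (env->dropped_cb != NULL) env->dropped_cb(env->dropped_cls, env);
    env_free(env);
    dropped++;
  }
  free(mq);
  return dropped;
}
/* Sender side: a connection record that keeps the handle of its last send
 * across a later timeout task, as the cadet connection does in the trace. */
struct Connection {
  struct MessageQueue *mq;   /* owned by the peer layer; may be destroyed first */
  struct Envelope *pending;  /* handle from mq_send, or NULL */
  unsigned int notified;     /* how often the queue dropped one of our sends */
};

static void conn_env_dropped(void *cls, struct Envelope *env) {
  struct Connection *c = cls;
  if (c->pending == env) c->pending = NULL;   /* forget it before it is freed */
  c->notified++;
}

void conn_send_broken(struct Connection *c, const char *text) {
  c->pending = mq_send(c->mq, text, &conn_env_dropped, c);
}

/* The late timeout task. Returns 1 if it cancelled a live send, 0 if the queue
 * had already dropped it; on that path no freed memory is touched. */
int conn_timeout(struct Connection *c) {
  if (c->pending == NULL) return 0;
  int r = mq_send_cancel(c->mq, c->pending);
  c->pending = NULL;
  return r;
}

/* Order from the report: send, queue destroyed, then timeout. Returns 0. */
int scenario_destroy_then_timeout(void) {
  struct MessageQueue *mq = mq_create();
  struct Connection c = { mq, NULL, 0 };
  conn_send_broken(&c, "BROKEN");
  if (c.pending == NULL || mq_destroy(mq) != 1) return -1;
  if (c.pending != NULL || c.notified != 1) return -2;
  return conn_timeout(&c);
}

/* Benign order: timeout cancels first, destroy then finds nothing. Returns 0. */
int scenario_timeout_then_destroy(void) {
  struct MessageQueue *mq = mq_create();
  struct Connection c = { mq, NULL, 0 };
  conn_send_broken(&c, "BROKEN");
  if (conn_timeout(&c) != 1 || c.pending != NULL || c.notified != 0) return -1;
  return (int) mq_destroy(mq);
}
```

Build it with `-fsanitize=address` and delete the `dropped_cb` call in `mq_destroy` to reproduce the shape of the report: `scenario_destroy_then_timeout` then walks into `mq_send_cancel` with a freed envelope and ASan reports a heap-use-after-free in the cancel path, the same read-after-free the cadet service hit. The general lesson is that a handle returned by a queue is only as long-lived as the queue's promise to keep it, so a layer that may tear the queue down underneath another layer has to announce each envelope it drops.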
Date Modified | Username | Field | Change |
---|---|---|---|
2016-11-15 06:47 | amatus | New Issue | |
2016-11-15 06:47 | amatus | Status | new => assigned |
2016-11-15 06:47 | amatus | Assigned To | => Bart Polot |
2017-02-21 18:30 | Christian Grothoff | Assigned To | Bart Polot => Christian Grothoff |
2017-02-21 18:30 | Christian Grothoff | Status | assigned => resolved |
2017-02-21 18:30 | Christian Grothoff | Resolution | open => fixed |
2017-02-21 18:30 | Christian Grothoff | Fixed in Version | => 0.11.0pre66 |
2017-02-21 18:30 | Christian Grothoff | Note Added: 0011815 | |
2017-02-21 18:30 | Christian Grothoff | Target Version | => 0.11.0pre66 |
2018-06-07 00:24 | Christian Grothoff | Status | resolved => closed |