View Issue Details

ID: 0004788
Project: GNUnet
Category: cadet service
View Status: public
Last Update: 2018-06-07 00:24
Reporter: amatus
Assigned To: Christian Grothoff
Priority: normal
Severity: crash
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: SVN HEAD
Target Version: 0.11.0pre66
Fixed in Version: 0.11.0pre66
Summary: 0004788: heap use after free in GNUNET_MQ_send_cancel
Description: Found this in my logs on a node running rev 38251

Additional Information:

==11368==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000096058 at pc 0x7f8d2296e2e3 bp 0x7ffcb9230de0 sp 0x7ffcb9230dd8
READ of size 8 at 0x60f000096058 thread T0
    #0 0x7f8d2296e2e2 in GNUNET_MQ_send_cancel (/opt/gnunet/lib/libgnunetutil.so.13+0xa92e2)
    #1 0x439782 in GCP_send_cancel (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x439782)
    #2 0x420b3b in GCC_cancel (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x420b3b)
    #3 0x4197cb in connection_cancel_queues (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4197cb)
    #4 0x41ed56 in GCC_destroy (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41ed56)
    #5 0x419de0 in connection_timeout (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x419de0)
    #6 0x419eb3 in connection_bck_timeout (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x419eb3)
    #7 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #8 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #9 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #10 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #11 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #12 0x403df8 (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x403df8)

0x60f000096058 is located 24 bytes inside of 176-byte region [0x60f000096040,0x60f0000960f0)
freed by thread T0 here:
    #0 0x7f8d22e7c527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7f8d2290e95c in GNUNET_xfree_ (/opt/gnunet/lib/libgnunetutil.so.13+0x4995c)
    #2 0x7f8d2296a427 in GNUNET_MQ_discard (/opt/gnunet/lib/libgnunetutil.so.13+0xa5427)
    #3 0x7f8d2296dbab in GNUNET_MQ_destroy (/opt/gnunet/lib/libgnunetutil.so.13+0xa8bab)
    #4 0x7f8d224a6828 in disconnect_and_free_peer_entry (/opt/gnunet/lib/libgnunetcore.so.0+0xa828)
    #5 0x7f8d224a8d9b in handle_disconnect_notify (/opt/gnunet/lib/libgnunetcore.so.0+0xcd9b)
    #6 0x7f8d22969f53 in GNUNET_MQ_inject_message (/opt/gnunet/lib/libgnunetutil.so.13+0xa4f53)
    #7 0x7f8d2290a161 in recv_message (/opt/gnunet/lib/libgnunetutil.so.13+0x45161)
    #8 0x7f8d22968f8c in GNUNET_MST_from_buffer (/opt/gnunet/lib/libgnunetutil.so.13+0xa3f8c)
    #9 0x7f8d22969a7a in GNUNET_MST_read (/opt/gnunet/lib/libgnunetutil.so.13+0xa4a7a)
    #10 0x7f8d2290ab61 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x45b61)
    #11 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #12 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #13 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #14 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #15 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

previously allocated by thread T0 here:
    #0 0x7f8d22e7c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7f8d2290e613 in GNUNET_xmalloc_unchecked_ (/opt/gnunet/lib/libgnunetutil.so.13+0x49613)
    #2 0x7f8d2290ddad in GNUNET_xmalloc_ (/opt/gnunet/lib/libgnunetutil.so.13+0x48dad)
    #3 0x7f8d2296c426 in GNUNET_MQ_msg_copy (/opt/gnunet/lib/libgnunetutil.so.13+0xa7426)
    #4 0x438d4f in GCP_send (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x438d4f)
    #5 0x4206d4 in GCC_send_prebuilt_message (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4206d4)
    #6 0x4180e6 in send_broken (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x4180e6)
    #7 0x41f886 in GCC_neighbor_disconnected (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x41f886)
    #8 0x434e49 in notify_broken (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x434e49)
    #9 0x7f8d229320f8 in GNUNET_CONTAINER_multihashmap_iterate (/opt/gnunet/lib/libgnunetutil.so.13+0x6d0f8)
    #10 0x435dde in core_disconnect_handler (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x435dde)
    #11 0x7f8d224a6710 in disconnect_and_free_peer_entry (/opt/gnunet/lib/libgnunetcore.so.0+0xa710)
    #12 0x7f8d224a8d9b in handle_disconnect_notify (/opt/gnunet/lib/libgnunetcore.so.0+0xcd9b)
    #13 0x7f8d22969f53 in GNUNET_MQ_inject_message (/opt/gnunet/lib/libgnunetutil.so.13+0xa4f53)
    #14 0x7f8d2290a161 in recv_message (/opt/gnunet/lib/libgnunetutil.so.13+0x45161)
    #15 0x7f8d22968f8c in GNUNET_MST_from_buffer (/opt/gnunet/lib/libgnunetutil.so.13+0xa3f8c)
    #16 0x7f8d22969a7a in GNUNET_MST_read (/opt/gnunet/lib/libgnunetutil.so.13+0xa4a7a)
    #17 0x7f8d2290ab61 in receive_ready (/opt/gnunet/lib/libgnunetutil.so.13+0x45b61)
    #18 0x7f8d2298bc07 in run_ready (/opt/gnunet/lib/libgnunetutil.so.13+0xc6c07)
    #19 0x7f8d2298c8c6 in GNUNET_SCHEDULER_run (/opt/gnunet/lib/libgnunetutil.so.13+0xc78c6)
    #20 0x7f8d229a6b3b in GNUNET_SERVICE_run (/opt/gnunet/lib/libgnunetutil.so.13+0xe1b3b)
    #21 0x440e5a in main (/opt/gnunet/lib/gnunet/libexec/gnunet-service-cadet+0x440e5a)
    #22 0x7f8d211c7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 GNUNET_MQ_send_cancel
Shadow bytes around the buggy address:
  0x0c1e8000abb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000abc0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e8000abd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000abe0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1e8000abf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c1e8000ac00: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c1e8000ac10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c1e8000ac20: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000ac30: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e8000ac40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8000ac50: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB:fc
  ASan internal: fe
==11368==ABORTING
Tags: No tags attached.

Activities

Christian Grothoff

2017-02-21 18:30

manager ~0011815

No longer relevant after CADET rewrite.

Issue History

Date Modified Username Field Change
2016-11-15 06:47 amatus New Issue
2016-11-15 06:47 amatus Status new => assigned
2016-11-15 06:47 amatus Assigned To => Bart Polot
2017-02-21 18:30 Christian Grothoff Assigned To Bart Polot => Christian Grothoff
2017-02-21 18:30 Christian Grothoff Status assigned => resolved
2017-02-21 18:30 Christian Grothoff Resolution open => fixed
2017-02-21 18:30 Christian Grothoff Fixed in Version => 0.11.0pre66
2017-02-21 18:30 Christian Grothoff Note Added: 0011815
2017-02-21 18:30 Christian Grothoff Target Version => 0.11.0pre66
2018-06-07 00:24 Christian Grothoff Status resolved => closed