View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005608 | GNUnet | set service | public | 2019-02-24 18:35 | 2019-02-28 11:17 |
Reporter | amatus | Assigned To | Christian Grothoff | ||
Priority | normal | Severity | crash | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Platform | amd64 | OS | debian | OS Version | 9 |
Product Version | Git master | ||||
Target Version | 0.11.0 | Fixed in Version | 0.11.0 | ||
Summary | 0005608: double-free in set service | ||||
Description | I noticed this in the logs from my peer compiled with ASAN (see Additional Information). Looks like maybe op->listener == op, so in _GSS_operation_destroy2() it frees op->listener and then frees op. If op->listener == op is expected we need to check that and avoid a double-free. | ||||
Additional Information | AddressSanitizer report from the reporter's peer (reflowed below, one frame per line; content unchanged) | ||||

```text
=================================================================
==12711==ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x60d00001fce0
    #0 0x7fd53cd2c670 in __interceptor_malloc_usable_size (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2670)
    #1 0x7fd53c9530a1 in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:330
    #2 0x55750d9fda5a in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1230
    #3 0x55750d9fd88b in channel_end_cb /root/gnunet/src/set/gnunet-service-set.c:1200
    #4 0x7fd53c2c7c78 in destroy_channel /root/gnunet/src/cadet/cadet_api.c:299
    #5 0x7fd53c2c9c38 in handle_channel_destroy /root/gnunet/src/cadet/cadet_api.c:643
    #6 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #7 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #8 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #9 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #10 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #11 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #12 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #13 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #14 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #15 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #16 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #17 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #18 0x55750d9f5c39 in _start (/opt/gnunet/lib/gnunet/libexec/gnunet-service-set+0x11c39)

0x60d00001fce0 is located 0 bytes inside of 144-byte region [0x60d00001fce0,0x60d00001fd70)
freed by thread T0 here:
    #0 0x7fd53cd2ba10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fd53c953164 in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:339
    #2 0x55750d9fda5a in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1230
    #3 0x55750d9f6428 in incoming_destroy /root/gnunet/src/set/gnunet-service-set.c:225
    #4 0x55750d9fd99d in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1224
    #5 0x55750d9fd88b in channel_end_cb /root/gnunet/src/set/gnunet-service-set.c:1200
    #6 0x7fd53c2c7c78 in destroy_channel /root/gnunet/src/cadet/cadet_api.c:299
    #7 0x7fd53c2c9c38 in handle_channel_destroy /root/gnunet/src/cadet/cadet_api.c:643
    #8 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #9 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #10 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #11 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #12 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #13 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #14 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #15 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #16 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #17 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #18 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #19 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7fd53cd2bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fd53c952d11 in GNUNET_xmalloc_unchecked_ /root/gnunet/src/util/common_allocation.c:232
    #2 0x7fd53c95258f in GNUNET_xmalloc_ /root/gnunet/src/util/common_allocation.c:75
    #3 0x55750d9fd2a8 in channel_new_cb /root/gnunet/src/set/gnunet-service-set.c:1159
    #4 0x7fd53c2c9888 in handle_channel_created /root/gnunet/src/cadet/cadet_api.c:610
    #5 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #6 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #7 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #8 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #9 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #10 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #11 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #12 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #13 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #14 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #15 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #16 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: bad-malloc_usable_size (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2670) in __interceptor_malloc_usable_size
==12711==ABORTING
```
Tags | No tags attached. | ||||
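The hazard the report describes, namely `op->listener == op` so that `_GSS_operation_destroy2()` releases the same 144-byte block twice, reduced to a stand-alone C example. This is added illustration, not GNUnet's code: `struct Operation`, `operation_destroy_naive`, `operation_destroy_checked`, `tracked_free` and `run_scenario` are hypothetical names, and the struct models only the one field the report reasons about. The naive routine mirrors the described ordering (free the listener, then the operation, no aliasing check); the checked routine skips the listener free when it aliases the operation. A small free ledger stands in, at toy scale, for the ownership check AddressSanitizer performed in the trace, so the buggy path is counted rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the set service's operation object; not GNUnet's
   struct. Only the field the report reasons about (listener) is modelled. */
struct Operation {
  struct Operation *listener;   /* may point back at the operation itself */
  int id;
};

/* Minimal free ledger: remembers every pointer released through tracked_free()
   so a repeat release is counted instead of corrupting the heap. This stands
   in, at toy scale, for the check AddressSanitizer performs in the report. */
#define LEDGER_SIZE 16
static void *ledger[LEDGER_SIZE];
static int ledger_len;
static int double_free_count;

static void ledger_reset(void)
{
  ledger_len = 0;
  double_free_count = 0;
}

static void tracked_free(void *p)
{
  for (int i = 0; i < ledger_len; i++) {
    if (ledger[i] == p) {       /* already released: count it, do not free again */
      double_free_count++;
      return;
    }
  }
  if (ledger_len < LEDGER_SIZE)
    ledger[ledger_len++] = p;
  free(p);
}

/* Destroy as the report describes the bug: release the listener, then the
   operation, with no check that the two pointers name the same block. */
static void operation_destroy_naive(struct Operation *op)
{
  if (NULL != op->listener)
    tracked_free(op->listener);
  tracked_free(op);
}

/* Guarded destroy: a listener that aliases the operation is released exactly
   once, by the final free of op. */
static void operation_destroy_checked(struct Operation *op)
{
  if ((NULL != op->listener) && (op->listener != op))
    tracked_free(op->listener);
  op->listener = NULL;
  tracked_free(op);
}

/* Build one operation (self-referencing listener or a separate one), destroy
   it with the chosen routine, and return how many double frees the ledger
   caught; -1 on allocation failure. */
int run_scenario(int self_listener, int use_checked)
{
  ledger_reset();
  struct Operation *op = malloc(sizeof *op);
  if (NULL == op)
    return -1;
  op->id = 1;
  if (self_listener) {
    op->listener = op;
  } else {
    op->listener = malloc(sizeof *op);
    if (NULL == op->listener) {
      free(op);
      return -1;
    }
    op->listener->listener = NULL;
    op->listener->id = 2;
  }
  if (use_checked)
    operation_destroy_checked(op);
  else
    operation_destroy_naive(op);
  return double_free_count;
}

int main(void)
{
  printf("naive,   self-listener:     %d double free(s)\n", run_scenario(1, 0));
  printf("checked, self-listener:     %d double free(s)\n", run_scenario(1, 1));
  printf("naive,   separate listener: %d double free(s)\n", run_scenario(0, 0));
  printf("checked, separate listener: %d double free(s)\n", run_scenario(0, 1));
  return 0;
}
```

Only the naive routine with a self-referencing listener produces a double free; the three other combinations release each block exactly once. The report's second trace shows the same outcome reached by nesting rather than plain aliasing: `_GSS_operation_destroy2` (line 1224) calls `incoming_destroy`, which re-enters `_GSS_operation_destroy2` and frees the block that the outer call then frees again at line 1230. Either way the fix is the same shape as the checked routine: establish single ownership of each block and clear the pointer once it has been released.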
Note 0014036 (Christian Grothoff, 2019-02-25 22:04):

3cb49e832..4b72d1fe1 should fix this. The logic remains a bit awful, but at least the double free should be gone.
Date Modified | Username | Field | Change |
---|---|---|---|
2019-02-24 18:35 | amatus | New Issue | |
2019-02-24 18:35 | amatus | Status | new => assigned |
2019-02-24 18:35 | amatus | Assigned To | => Florian Dold |
2019-02-25 22:04 | Christian Grothoff | Note Added: 0014036 | |
2019-02-25 22:04 | Christian Grothoff | Assigned To | Florian Dold => Christian Grothoff |
2019-02-25 22:04 | Christian Grothoff | Status | assigned => resolved |
2019-02-25 22:04 | Christian Grothoff | Resolution | open => fixed |
2019-02-25 22:04 | Christian Grothoff | Fixed in Version | => 0.11.0 |
2019-02-25 22:04 | Christian Grothoff | Target Version | => 0.11.0 |
2019-02-28 11:17 | Christian Grothoff | Status | resolved => closed |