View Issue Details

IDProjectCategoryView StatusLast Update
0005608GNUnetset servicepublic2019-02-28 11:17
ReporteramatusAssigned ToChristian Grothoff 
PrioritynormalSeveritycrashReproducibilityhave not tried
Status closedResolutionfixed 
Platformamd64OSdebianOS Version9
Product VersionSVN HEAD 
Target Version0.11.0Fixed in Version0.11.0 
Summary0005608: double-free in set service
DescriptionI noticed this in the logs from my peer compiled with ASAN (see Additional Information). Looks like maybe op->listener == op, so in _GSS_operation_destroy2() it frees op->listener and then frees op. If op->listener == op is expected we need to check that and avoid a double-free.
Additional Information=================================================================
==12711==ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x60d00001fce0
    #0 0x7fd53cd2c670 in __interceptor_malloc_usable_size (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2670)
    #1 0x7fd53c9530a1 in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:330
    #2 0x55750d9fda5a in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1230
    #3 0x55750d9fd88b in channel_end_cb /root/gnunet/src/set/gnunet-service-set.c:1200
    #4 0x7fd53c2c7c78 in destroy_channel /root/gnunet/src/cadet/cadet_api.c:299
    #5 0x7fd53c2c9c38 in handle_channel_destroy /root/gnunet/src/cadet/cadet_api.c:643
    #6 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #7 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #8 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #9 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #10 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #11 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #12 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #13 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #14 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #15 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #16 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #17 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #18 0x55750d9f5c39 in _start (/opt/gnunet/lib/gnunet/libexec/gnunet-service-set+0x11c39)

0x60d00001fce0 is located 0 bytes inside of 144-byte region [0x60d00001fce0,0x60d00001fd70)
freed by thread T0 here:
    #0 0x7fd53cd2ba10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fd53c953164 in GNUNET_xfree_ /root/gnunet/src/util/common_allocation.c:339
    #2 0x55750d9fda5a in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1230
    #3 0x55750d9f6428 in incoming_destroy /root/gnunet/src/set/gnunet-service-set.c:225
    #4 0x55750d9fd99d in _GSS_operation_destroy2 /root/gnunet/src/set/gnunet-service-set.c:1224
    #5 0x55750d9fd88b in channel_end_cb /root/gnunet/src/set/gnunet-service-set.c:1200
    #6 0x7fd53c2c7c78 in destroy_channel /root/gnunet/src/cadet/cadet_api.c:299
    #7 0x7fd53c2c9c38 in handle_channel_destroy /root/gnunet/src/cadet/cadet_api.c:643
    #8 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #9 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #10 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #11 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #12 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #13 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #14 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #15 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #16 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #17 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #18 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #19 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
    #0 0x7fd53cd2bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fd53c952d11 in GNUNET_xmalloc_unchecked_ /root/gnunet/src/util/common_allocation.c:232
    #2 0x7fd53c95258f in GNUNET_xmalloc_ /root/gnunet/src/util/common_allocation.c:75
    #3 0x55750d9fd2a8 in channel_new_cb /root/gnunet/src/set/gnunet-service-set.c:1159
    #4 0x7fd53c2c9888 in handle_channel_created /root/gnunet/src/cadet/cadet_api.c:610
    #5 0x7fd53c9b3c14 in GNUNET_MQ_handle_message /root/gnunet/src/util/mq.c:279
    #6 0x7fd53c9b37c0 in GNUNET_MQ_inject_message /root/gnunet/src/util/mq.c:220
    #7 0x7fd53c94e6b5 in recv_message /root/gnunet/src/util/client.c:336
    #8 0x7fd53c9b2745 in GNUNET_MST_from_buffer /root/gnunet/src/util/mst.c:233
    #9 0x7fd53c9b36a0 in GNUNET_MST_read /root/gnunet/src/util/mst.c:376
    #10 0x7fd53c94f18b in receive_ready /root/gnunet/src/util/client.c:423
    #11 0x7fd53c9e1aeb in GNUNET_SCHEDULER_do_work /root/gnunet/src/util/scheduler.c:2115
    #12 0x7fd53c9e3437 in select_loop /root/gnunet/src/util/scheduler.c:2412
    #13 0x7fd53c9d949c in GNUNET_SCHEDULER_run /root/gnunet/src/util/scheduler.c:727
    #14 0x7fd53c9f068c in GNUNET_SERVICE_run_ /root/gnunet/src/util/service.c:2449
    #15 0x55750da051d2 in main /root/gnunet/src/set/gnunet-service-set.c:2015
    #16 0x7fd53b82a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: bad-malloc_usable_size (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2670) in __interceptor_malloc_usable_size
==12711==ABORTING
TagsNo tags attached.

Activities

Christian Grothoff

2019-02-25 22:04

manager   ~0014036

3cb49e832..4b72d1fe1 should fix this. The logic remains a bit awful, but at least the double free should be gone.

Issue History

Date Modified Username Field Change
2019-02-24 18:35 amatus New Issue
2019-02-24 18:35 amatus Status new => assigned
2019-02-24 18:35 amatus Assigned To => Florian Dold
2019-02-25 22:04 Christian Grothoff Note Added: 0014036
2019-02-25 22:04 Christian Grothoff Assigned To Florian Dold => Christian Grothoff
2019-02-25 22:04 Christian Grothoff Status assigned => resolved
2019-02-25 22:04 Christian Grothoff Resolution open => fixed
2019-02-25 22:04 Christian Grothoff Fixed in Version => 0.11.0
2019-02-25 22:04 Christian Grothoff Target Version => 0.11.0
2019-02-28 11:17 Christian Grothoff Status resolved => closed