double free in DHT implementation? #166

Open
slingamn opened this issue Mar 18, 2018 · 2 comments

Comments

@slingamn
Contributor

Core was generated by `/home/shivaram/workspace/sandbox/bin/rtorrent [redacted]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f03770aeccb in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
[Current thread is 1 (Thread 0x7f0378533740 (LWP 22646))]
(gdb) bt
#0  0x00007f03770aeccb in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#1  0x00007f03770b0668 in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#2  0x00007f0376bceb4f in __GI___backtrace (array=array@entry=0x7ffebdf1f450, size=size@entry=20)
    at ../sysdeps/x86_64/backtrace.c:110
#3  0x0000000000412007 in do_panic (signum=11) at main.cc:595
#4  <signal handler called>
#5  0x0000000000000081 in ?? ()
#6  0x00007f03779ec8dd in torrent::DhtTransactionSearch::~DhtTransactionSearch (this=0x780393b0, __in_chrg=<optimized out>)
    at dht_transaction.cc:309
#7  0x00007f03779ea7a3 in torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0x780393b0, __in_chrg=<optimized out>)
    at dht_transaction.h:367
#8  torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0x780393b0, __in_chrg=<optimized out>) at dht_transaction.h:367
#9  0x00007f03779e7b30 in torrent::DhtServer::failed_transaction (this=this@entry=0x19fb080, itr=..., quick=quick@entry=false)
    at dht_server.cc:684
#10 0x00007f03779e810d in torrent::DhtServer::receive_timeout (this=0x19fb080) at dht_server.cc:939
#11 0x00007f037796dee3 in std::function<void ()>::operator()() const (this=<optimized out>) at /usr/include/c++/5/functional:2267
#12 torrent::thread_main::call_events (this=<optimized out>) at thread_main.cc:82
#13 0x00007f03779cb0d0 in torrent::thread_base::event_loop (thread=0x1954e10) at thread_base.cc:141
#14 0x000000000041040e in main (argc=5, argv=<optimized out>) at main.cc:479

going through this line (I'm running a version based on c167c5a, including the patches from #134):

delete m_search;

@slingamn
Contributor Author

Another trace:

#0  0x00007f49ee25c428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007f49ee25e02a in __GI_abort () at abort.c:89
#2  0x0000000000412190 in do_panic (signum=11) at main.cc:616
#3  <signal handler called>
#4  0x00007f49ef15a8da in torrent::DhtTransactionSearch::~DhtTransactionSearch (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.cc:309
#5  0x00007f49ef1587a3 in torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.h:367
#6  torrent::DhtTransactionFindNode::~DhtTransactionFindNode (this=0xd8ca190, __in_chrg=<optimized out>) at dht_transaction.h:367
#7  0x00007f49ef155386 in torrent::DhtServer::add_transaction (this=this@entry=0x1b07460, transaction=transaction@entry=0xd8ca190, priority=priority@entry=2) at dht_server.cc:638
#8  0x00007f49ef155883 in torrent::DhtServer::find_node_next (this=this@entry=0x1b07460, transaction=transaction@entry=0xea8f380) at dht_server.cc:496
#9  0x00007f49ef15627e in torrent::DhtServer::parse_find_node_reply (this=this@entry=0x1b07460, transaction=transaction@entry=0xea8f380, nodes=...) at dht_server.cc:466
#10 0x00007f49ef15648e in torrent::DhtServer::process_response (this=this@entry=0x1b07460, id=..., sa=sa@entry=0x7ffc46ee6bd0, response=...) at dht_server.cc:397
#11 0x00007f49ef15790e in torrent::DhtServer::event_read (this=0x1b07460) at dht_server.cc:793
#12 0x00007f49ef0f4d8a in torrent::PollEPoll::perform (this=this@entry=0x1a708b0) at poll_epoll.cc:185
#13 0x00007f49ef0f4e2d in torrent::PollEPoll::do_poll (this=0x1a708b0, timeout_usec=<optimized out>, flags=<optimized out>) at poll_epoll.cc:224
#14 0x00007f49ef139084 in torrent::thread_base::event_loop (thread=0x1a6be30) at thread_base.cc:174
#15 0x000000000041040e in main (argc=5, argv=<optimized out>) at main.cc:479

@slingamn
Contributor Author

Running under valgrind: https://gist.github.com/slingamn/578793a4b7eeffd0a564daa707a2ac1b

indicates that the following line is a source of use-after-frees:

delete transaction;

jesec added a commit to jesec/libtorrent that referenced this issue May 23, 2022
Use-after-free occurs when the transaction ID is exhausted.

As the ID only has one char, on an instance with many torrents, it
is easy to exhaust the ID space, so that new transactions have to
be discarded.

However, the new transaction could be associated with an ongoing
DhtSearch that does not expect the transaction to be freed.

Follow-up of "dht_server: fix potential use-after-free" (1418bf9),
properly fix the issue and deal with the memory leak with this method.

Bug: rakshasa/libtorrent#166, rakshasa/libtorrent#209, rakshasa/libtorrent#944
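The ownership problem the commit message describes, as an added model that is not libtorrent's code: Search, Transaction and Server are hypothetical stand-ins for DhtSearch, DhtTransactionFindNode and DhtServer, and the "fixed" ordering shown is one way to avoid the dangling pointer, not necessarily the project's actual patch.

```cpp
// Added model of the bug the commit message describes; not libtorrent's code.
// Search, Transaction and Server are hypothetical stand-ins for DhtSearch,
// DhtTransactionFindNode and DhtServer.
#include <algorithm>
#include <memory>
#include <vector>

struct Transaction;
struct Search {                 // keeps non-owning pointers to its transactions
  std::vector<Transaction*> pending;
};
struct Transaction { Search* search; };   // owned by the server, referenced by a search
struct Server {
  static constexpr int kIdSpace = 256;    // one-char transaction ID, as in the commit
  int ids_used = 0;
  std::vector<std::unique_ptr<Transaction>> owned;
  // Buggy: the search is told about the transaction before the ID check, so a
  // discarded transaction leaves a dangling pointer in search.pending.
  bool add_buggy(Search& s) {
    std::unique_ptr<Transaction> t(new Transaction{&s});
    s.pending.push_back(t.get());
    if (ids_used >= kIdSpace) return false;  // t is freed on return; s still points at it
    ++ids_used; owned.push_back(std::move(t));
    return true;
  }
  // Fixed: check the ID space first, so a discarded transaction was never
  // registered with the search and nothing dangles.
  bool add_fixed(Search& s) {
    if (ids_used >= kIdSpace) return false;
    std::unique_ptr<Transaction> t(new Transaction{&s});
    s.pending.push_back(t.get());
    ++ids_used; owned.push_back(std::move(t));
    return true;
  }
  bool owns(const Transaction* t) const {  // pointer comparison only, no dereference
    return std::any_of(owned.begin(), owned.end(),
                       [t](const std::unique_ptr<Transaction>& p) { return p.get() == t; });
  }
};

// Exhaust the ID space, attempt one more transaction, and count entries in the
// search that no longer refer to a live, server-owned transaction.
int dangling_after_exhaustion(bool fixed) {
  Server srv; Search s;
  for (int i = 0; i <= Server::kIdSpace; ++i)   // kIdSpace + 1 attempts
    if (fixed) srv.add_fixed(s); else srv.add_buggy(s);
  int dangling = 0;
  for (Transaction* t : s.pending) if (!srv.owns(t)) ++dangling;
  return dangling;
}
```

Run under a sanitizer or valgrind, dereferencing the stale entry in the buggy path would be the use-after-free the report's traces show; the fixed path leaves the search with no such entry.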