From: Stefan Seyfried <stefan.seyfried@googlemail.com>
To: "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>
Cc: Andrejs Hanins <andrejs.hanins@ubnt.com>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Subject: Re: [PATCH] core/gatt-database: Fix memory corruption
Date: Wed, 11 Mar 2015 22:19:23 +0100 [thread overview]
Message-ID: <5500B15B.9090508@message-id.googlemail.com> (raw)
In-Reply-To: <550052CA.20407@ubnt.com>
Am 11.03.2015 um 15:35 schrieb Andrejs Hanins:
> Pointer to on-stack variable was returned from pending_write_new.
I still get a crash in the tests when running with memory debugging
enabled (which is default in openSUSE Build Service):
$> MALLOC_CHECK_=3 MALLOC_PERTURB_=69 unit/test-gatt
/TP/GAC/CL/BV-01-C - init
/TP/GAC/CL/BV-01-C - setup
[...]
/TP/GAR/CL/BV-01-C - setup complete
/TP/GAR/CL/BV-01-C - run
/TP/GAR/CL/BV-01-C - test passed
Segmentation fault
Program received signal SIGSEGV, Segmentation fault.
0x000055555558cb70 in bt_att_send (att=0x4000000f300432d, opcode=opcode@entry=24 '\030',
pdu=pdu@entry=0x7fffffff4a0f, length=length@entry=1,
callback=callback@entry=0x55555558fc30 <cancel_long_write_cb>, user_data=0x5555557b1ca0,
destroy=destroy@entry=0x0) at src/shared/att.c:1135
1135 if (!att || !att->io)
(gdb) bt
#0 0x000055555558cb70 in bt_att_send (att=0x4000000f300432d, opcode=opcode@entry=24 '\030',
pdu=pdu@entry=0x7fffffff4a0f, length=length@entry=1,
callback=callback@entry=0x55555558fc30 <cancel_long_write_cb>, user_data=0x5555557b1ca0,
destroy=destroy@entry=0x0) at src/shared/att.c:1135
#1 0x0000555555591039 in cancel_long_write_req (client=<optimized out>, req=<optimized out>)
at src/shared/gatt-client.c:1791
#2 0x00005555555910ab in cancel_request (data=0x5555557b1e80) at src/shared/gatt-client.c:1855
#3 0x0000555555597903 in queue_remove_all (queue=<optimized out>, function=function@entry=0x0,
user_data=user_data@entry=0x0, destroy=destroy@entry=0x555555591060 <cancel_request>)
at src/shared/queue.c:387
#4 0x00005555555917cd in bt_gatt_client_cancel_all (client=client@entry=0x5555557b36f0)
at src/shared/gatt-client.c:1866
#5 0x0000555555591839 in bt_gatt_client_free (client=0x5555557b36f0) at src/shared/gatt-client.c:1569
#6 0x0000555555589439 in destroy_context (context=0x5555557b1bb0) at unit/test-gatt.c:284
#7 context_quit (user_data=0x5555557b1bb0) at unit/test-gatt.c:312
#8 0x000055555558d59b in handle_rsp (pdu_len=<optimized out>, pdu=0x5555557c6571 "\001\002\003\001)",
opcode=11 '\v', att=0x5555557b2e90) at src/shared/att.c:640
#9 can_read_data (io=<optimized out>, user_data=0x5555557b2e90) at src/shared/att.c:813
#10 0x0000555555596ec5 in watch_callback (channel=<optimized out>, cond=<optimized out>,
user_data=<optimized out>) at src/shared/io-glib.c:170
#11 0x00007ffff7b198e5 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#12 0x00007ffff7b19c48 in ?? () from /usr/lib64/libglib-2.0.so.0
#13 0x00007ffff7b19f0a in g_main_loop_run () from /usr/lib64/libglib-2.0.so.0
#14 0x000055555558c031 in tester_run () at src/shared/tester.c:830
#15 0x0000555555587e19 in main (argc=1, argv=0x7fffffffdc58) at unit/test-gatt.c:3182
Valgrind also complains loudly:
$> valgrind unit/test-gatt > /dev/null
==20817== Memcheck, a memory error detector
==20817== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==20817== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==20817== Command: unit/test-gatt
==20817==
==20817== Syscall param socketcall.bind(my_addr.sa_data) points to uninitialised byte(s)
==20817== at 0x522A737: bind (in /lib64/libc-2.21.so)
==20817== by 0x14BBC2: ecb_aes_setup (crypto.c:110)
==20817== by 0x14BBC2: bt_crypto_new (crypto.c:148)
==20817== by 0x140788: bt_att_new (att.c:937)
==20817== by 0x13EA4B: create_context.constprop.24 (test-gatt.c:592)
==20817== by 0x13F2E2: run_callback (tester.c:412)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x140030: tester_run (tester.c:830)
==20817== by 0x13BE18: main (test-gatt.c:3182)
==20817== Address 0xffeff6aa8 is on thread 1's stack
==20817== in frame #1, created by bt_crypto_new (crypto.c:141)
==20817==
==20817== Syscall param socketcall.bind(my_addr.sa_data) points to uninitialised byte(s)
==20817== at 0x522A737: bind (in /lib64/libc-2.21.so)
==20817== by 0x14BC4B: cmac_aes_setup (crypto.c:132)
==20817== by 0x14BC4B: bt_crypto_new (crypto.c:161)
==20817== by 0x140788: bt_att_new (att.c:937)
==20817== by 0x13EA4B: create_context.constprop.24 (test-gatt.c:592)
==20817== by 0x13F2E2: run_callback (tester.c:412)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x140030: tester_run (tester.c:830)
==20817== by 0x13BE18: main (test-gatt.c:3182)
==20817== Address 0xffeff6aa8 is on thread 1's stack
==20817== in frame #1, created by bt_crypto_new (crypto.c:141)
==20817==
==20817== Invalid read of size 1
==20817== at 0x145076: cancel_request (gatt-client.c:1854)
==20817== by 0x14B902: queue_remove_all (queue.c:387)
==20817== by 0x1457CC: bt_gatt_client_cancel_all (gatt-client.c:1866)
==20817== by 0x145838: bt_gatt_client_free (gatt-client.c:1569)
==20817== by 0x13D438: destroy_context (test-gatt.c:284)
==20817== by 0x13D438: context_quit (test-gatt.c:312)
==20817== by 0x14159A: handle_rsp (att.c:640)
==20817== by 0x14159A: can_read_data (att.c:813)
==20817== by 0x14AEC4: watch_callback (io-glib.c:170)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x140030: tester_run (tester.c:830)
==20817== by 0x13BE18: main (test-gatt.c:3182)
==20817== Address 0x5a13908 is 8 bytes inside a block of size 40 free'd
==20817== at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20817== by 0x140F1E: cancel_att_send_op (att.c:222)
==20817== by 0x140F1E: bt_att_cancel (att.c:1200)
==20817== by 0x145075: cancel_request (gatt-client.c:1852)
==20817== by 0x14B902: queue_remove_all (queue.c:387)
==20817== by 0x1457CC: bt_gatt_client_cancel_all (gatt-client.c:1866)
==20817== by 0x145838: bt_gatt_client_free (gatt-client.c:1569)
==20817== by 0x13D438: destroy_context (test-gatt.c:284)
==20817== by 0x13D438: context_quit (test-gatt.c:312)
==20817== by 0x14159A: handle_rsp (att.c:640)
==20817== by 0x14159A: can_read_data (att.c:813)
==20817== by 0x14AEC4: watch_callback (io-glib.c:170)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817==
==20817== Invalid read of size 1
==20817== at 0x14507C: cancel_request (gatt-client.c:1857)
==20817== by 0x14B902: queue_remove_all (queue.c:387)
==20817== by 0x1457CC: bt_gatt_client_cancel_all (gatt-client.c:1866)
==20817== by 0x145838: bt_gatt_client_free (gatt-client.c:1569)
==20817== by 0x13D438: destroy_context (test-gatt.c:284)
==20817== by 0x13D438: context_quit (test-gatt.c:312)
==20817== by 0x14159A: handle_rsp (att.c:640)
==20817== by 0x14159A: can_read_data (att.c:813)
==20817== by 0x14AEC4: watch_callback (io-glib.c:170)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x140030: tester_run (tester.c:830)
==20817== by 0x13BE18: main (test-gatt.c:3182)
==20817== Address 0x5a13909 is 9 bytes inside a block of size 40 free'd
==20817== at 0x4C2A37C: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==20817== by 0x140F1E: cancel_att_send_op (att.c:222)
==20817== by 0x140F1E: bt_att_cancel (att.c:1200)
==20817== by 0x145075: cancel_request (gatt-client.c:1852)
==20817== by 0x14B902: queue_remove_all (queue.c:387)
==20817== by 0x1457CC: bt_gatt_client_cancel_all (gatt-client.c:1866)
==20817== by 0x145838: bt_gatt_client_free (gatt-client.c:1569)
==20817== by 0x13D438: destroy_context (test-gatt.c:284)
==20817== by 0x13D438: context_quit (test-gatt.c:312)
==20817== by 0x14159A: handle_rsp (att.c:640)
==20817== by 0x14159A: can_read_data (att.c:813)
==20817== by 0x14AEC4: watch_callback (io-glib.c:170)
==20817== by 0x4E808E4: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80C47: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817== by 0x4E80F09: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
==20817==
==20817==
==20817== HEAP SUMMARY:
==20817== in use at exit: 29,640 bytes in 618 blocks
==20817== total heap usage: 36,545 allocs, 35,927 frees, 1,585,464 bytes allocated
==20817==
==20817== LEAK SUMMARY:
==20817== definitely lost: 0 bytes in 0 blocks
==20817== indirectly lost: 0 bytes in 0 blocks
==20817== possibly lost: 0 bytes in 0 blocks
==20817== still reachable: 29,640 bytes in 618 blocks
==20817== suppressed: 0 bytes in 0 blocks
==20817== Rerun with --leak-check=full to see details of leaked memory
==20817==
==20817== For counts of detected and suppressed errors, rerun with: -v
==20817== Use --track-origins=yes to see where uninitialised values come from
==20817== ERROR SUMMARY: 358 errors from 4 contexts (suppressed: 0 from 0)
Unfortunately, my understanding of the code did not allow me
to fis this :-(
Best regards,
Stefan
--
Stefan Seyfried
Linux Consultant & Developer -- GPG Key: 0x731B665B
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
next prev parent reply other threads:[~2015-03-11 21:19 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-11 13:31 [PATCH] core/gatt-database: Fix memory corruption Andrejs Hanins
2015-03-11 14:06 ` Luiz Augusto von Dentz
2015-03-11 14:35 ` Andrejs Hanins
2015-03-11 21:19 ` Stefan Seyfried [this message]
2015-03-12 8:24 ` Andrejs Hanins
2015-03-12 8:39 ` Luiz Augusto von Dentz
2015-03-12 8:54 ` Andrejs Hanins
2015-03-12 9:14 ` Luiz Augusto von Dentz
2015-03-12 9:32 ` Andrejs Hanins
2015-03-12 10:16 ` Johan Hedberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5500B15B.9090508@message-id.googlemail.com \
--to=stefan.seyfried@googlemail.com \
--cc=andrejs.hanins@ubnt.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox