EVP_DigestVerify crash (nullptr usage) #1997

Closed
olekolek1000 opened this issue Dec 30, 2023 · 13 comments

Comments

@olekolek1000

olekolek1000 commented Dec 30, 2023

Architecture: aarch64

gdb backtrace:

Thread 8 "SSU2" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xffffe77ef0e0 (LWP 81383)]
0x0000000000000000 in ?? ()
(gdb)
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000fffff74dd360 in EVP_DigestVerify () from /usr/lib/libcrypto.so.3
#2  0x0000fffff7ea6d30 in i2p::crypto::EDDSA25519Verifier::Verify(unsigned char const*, unsigned long, unsigned char const*) const () from /usr/lib/libi2pd.so
#3  0x0000fffff7ea50c4 in i2p::transport::SignedData::Verify(std::shared_ptr<i2p::data::IdentityEx const>, unsigned char const*) const () from /usr/lib/libi2pd.so
#4  0x0000fffff7e90984 in i2p::transport::SSU2Session::HandleRelayIntro(unsigned char const*, unsigned long, int) ()
   from /usr/lib/libi2pd.so
#5  0x0000fffff7e991ec in i2p::transport::SSU2Session::HandlePayload(unsigned char const*, unsigned long) ()
   from /usr/lib/libi2pd.so
#6  0x0000fffff7e9c450 in i2p::transport::SSU2Session::ProcessData(unsigned char*, unsigned long, boost::asio::ip::basic_endpoint<boost::asio::ip::udp> const&) () from /usr/lib/libi2pd.so
#7  0x0000fffff7e751a4 in i2p::transport::SSU2Server::HandleReceivedPackets(std::vector<i2p::transport::SSU2Server::Packet*, std::allocator<i2p::transport::SSU2Server::Packet*> >) () from /usr/lib/libi2pd.so
#8  0x0000fffff7e8637c in boost::asio::detail::completion_handler<std::_Bind<void (i2p::transport::SSU2Server::*(i2p::transport::SSU2Server*, std::vector<i2p::transport::SSU2Server::Packet*, std::allocator<i2p::transport::SSU2Server::Packet*> >))(std::vector<i2p::transport::SSU2Server::Packet*, std::allocator<i2p::transport::SSU2Server::Packet*> >)>, boost::asio::io_context::basic_executor_type<std::allocator<void>, 0ul> >::do_complete(void*, boost::asio::detail::scheduler_operation*, boost::system::error_code const&, unsigned long) () from /usr/lib/libi2pd.so
#9  0x0000aaaaaab04db0 in boost::asio::detail::scheduler::do_run_one(boost::asio::detail::conditionally_enabled_mutex::scoped_lock&, boost::asio::detail::scheduler_thread_info&, boost::system::error_code const&) ()
#10 0x0000fffff7f02abc in i2p::util::RunnableService::Run() () from /usr/lib/libi2pd.so
#11 0x0000fffff70e78ac in std::execute_native_thread_routine (__p=0xaaaaaac93cd0)
    at /usr/src/debug/gcc/libstdc++-v3/src/c++11/thread.cc:82
#12 0x0000fffff6ea0aec in ?? () from /usr/lib/libc.so.6
#13 0x0000fffff6f0a5dc in ?? () from /usr/lib/libc.so.6

Crashed after a few hours; occurs randomly.

@olekolek1000 olekolek1000 changed the title i2p::crypto::EDDSA25519Verifier::Verify EVP_DigestVerify crash Dec 30, 2023
@olekolek1000 olekolek1000 changed the title EVP_DigestVerify crash EVP_DigestVerify crash (nullptr usage) Dec 30, 2023
@Vort
Contributor

Vort commented Dec 30, 2023

What i2pd version?

@olekolek1000
Author

i2pd version 2.50.1 (0.9.61)
Boost version 1.83.0
OpenSSL 3.2.0 23 Nov 2023

@olekolek1000
Author

Will recompile with debug info and run again. Odroid M1 is quite slow, so it can take some time; a .cpp file for every locale language is not optimal ;)

@Vort
Contributor

Vort commented Dec 30, 2023

I'm almost sure it's a regression from 43e130e.

@olekolek1000
Author

Compiling with address sanitizer in debug mode right now.

@olekolek1000
Author

SUMMARY: AddressSanitizer: heap-use-after-free /home/aleksander/i2pd/libi2pd/Streaming.h:81 in i2p::stream::Packet::GetNACKCount() const
ext.cpp:368
    #7 0xaaaaab538338 in i2p::client::ClientContext::CreateNewLocalDestination(i2p::data::PrivateKeys const&, bool, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > const*) /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:397
    #8 0xaaaaab544fa8 in i2p::client::ClientContext::ReadHttpProxy() /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:890
    #9 0xaaaaab53352c in i2p::client::ClientContext::Start() /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:53
    #10 0xaaaaaadf70b8 in i2p::util::Daemon_Singleton::start() /home/aleksander/i2pd/daemon/Daemon.cpp:343
    #11 0xaaaaaafa9b24 in i2p::util::DaemonLinux::start() /home/aleksander/i2pd/daemon/UnixDaemon.cpp:203
    #12 0xaaaaaafa7ed8 in main /home/aleksander/i2pd/daemon/i2pd.cpp:30
    #13 0xfffff6b77b7c  (/usr/lib/libc.so.6+0x27b7c)
    #14 0xfffff6b77c5c in __libc_start_main (/usr/lib/libc.so.6+0x27c5c)
    #15 0xaaaaaadf3eac in _start (/usr/bin/i2pd+0x353eac)

@olekolek1000
Author

    #0 0xfffff786de28 in __interceptor_pthread_create /usr/src/debug/gcc/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0xfffff6ec7a08 in __gthread_create /usr/src/debug/gcc-build/aarch64-unknown-linux-gnu/libstdc++-v3/include/aarch64-unknown-linux-gnu/bits/gthr-default.h:663
    #2 0xfffff6ec7a08 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /usr/src/debug/gcc/libstdc++-v3/src/c++11/thread.cc:147
    #3 0xaaaaab36d768 in std::thread::thread<std::_Bind<void (i2p::util::RunnableService::*(i2p::util::RunnableService*))()>, , void>(std::_Bind<void (i2p::util::RunnableService::*(i2p::util::RunnableService*))()>&&) /usr/include/c++/12.1.0/bits/std_thread.h:142
    #4 0xaaaaab366208 in i2p::util::RunnableService::StartIOService() /home/aleksander/i2pd/libi2pd/util.cpp:139
    #5 0xaaaaab014d40 in i2p::client::RunnableClientDestination::Start() /home/aleksander/i2pd/libi2pd/Destination.cpp:1452
    #6 0xaaaaab537a6c in i2p::client::ClientContext::AddLocalDestination(std::shared_ptr<i2p::client::ClientDestination>) /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:368
    #7 0xaaaaab538338 in i2p::client::ClientContext::CreateNewLocalDestination(i2p::data::PrivateKeys const&, bool, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > const*) /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:397
    #8 0xaaaaab544fa8 in i2p::client::ClientContext::ReadHttpProxy() /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:890
    #9 0xaaaaab53352c in i2p::client::ClientContext::Start() /home/aleksander/i2pd/libi2pd_client/ClientContext.cpp:53
    #10 0xaaaaaadf70b8 in i2p::util::Daemon_Singleton::start() /home/aleksander/i2pd/daemon/Daemon.cpp:343
    #11 0xaaaaaafa9b24 in i2p::util::DaemonLinux::start() /home/aleksander/i2pd/daemon/UnixDaemon.cpp:203
    #12 0xaaaaaafa7ed8 in main /home/aleksander/i2pd/daemon/i2pd.cpp:30
    #13 0xfffff6b77b7c  (/usr/lib/libc.so.6+0x27b7c)
    #14 0xfffff6b77c5c in __libc_start_main (/usr/lib/libc.so.6+0x27c5c)
    #15 0xaaaaaadf3eac in _start (/usr/bin/i2pd+0x353eac)

@olekolek1000
Author

I have caught something else this time, interesting.

@olekolek1000
Author

Okay, got SIGSEGV related to this issue.
Backtrace:

0x0000fffff73d6cd8 in ?? () from /usr/lib/libcrypto.so.3
(gdb) bt
#0  0x0000fffff73d6cd8 in ?? () from /usr/lib/libcrypto.so.3
#1  0x0000aaaaab22a044 in i2p::crypto::EDDSA25519Verifier::Verify (this=0xffffcd106220, 
    buf=0xffffebafd670 "<REDACTED>", <incomplete sequence \336>..., len=1191, 
    signature=0xffffebafdb17 "<REDACTED>") at /home/aleksander/i2pd/libi2pd/Signature.cpp:39
#2  0x0000aaaaab0f0348 in i2p::data::IdentityEx::Verify (this=0xfffff4d6ac40, 
    buf=0xffffebafd670 "<REDACTED>", <incomplete sequence \336>..., len=1191, 
    signature=0xffffebafdb17 "<REDACTED>") at /home/aleksander/i2pd/libi2pd/Identity.cpp:314
#3  0x0000aaaaab202714 in i2p::data::RouterInfo::Update (this=0xfffff3521ad0, 
    buf=0xffffebafd670 "<REDACTED>", <incomplete sequence \336>..., len=1255) at /home/aleksander/i2pd/libi2pd/RouterInfo.cpp:91
#4  0x0000aaaaab138d74 in i2p::data::NetDb::AddRouterInfo (this=0xaaaaac0bd3c0 <i2p::data::netdb>, ident=..., 
    buf=0xffffebafd670 "<REDACTED>", <incomplete sequence \336>..., len=1255, updated=@0xffffebafd2c0: true) at /home/aleksander/i2pd/libi2pd/NetDb.cpp:244
#5  0x0000aaaaab1389c0 in i2p::data::NetDb::AddRouterInfo (this=0xaaaaac0bd3c0 <i2p::data::netdb>, ident=..., 
    buf=0xffffebafd670 "<REDACTED>", <incomplete sequence \336>..., len=1255) at /home/aleksander/i2pd/libi2pd/NetDb.cpp:229
#6  0x0000aaaaab1426ec in i2p::data::NetDb::HandleDatabaseStoreMsg (this=0xaaaaac0bd3c0 <i2p::data::netdb>, 
    m=std::shared_ptr<const i2p::I2NPMessage> (use count 2, weak count 0) = {...}) at /home/aleksander/i2pd/libi2pd/NetDb.cpp:881
#7  0x0000aaaaab137b10 in i2p::data::NetDb::Run (this=0xaaaaac0bd3c0 <i2p::data::netdb>) at /home/aleksander/i2pd/libi2pd/NetDb.cpp:127
#8  0x0000aaaaab17a374 in std::__invoke_impl<void, void (i2p::data::NetDb::*&)(), i2p::data::NetDb*&> (
    __f=@0xfffff4bea018: (void (i2p::data::NetDb::*)(i2p::data::NetDb * const)) 0xaaaaab137860 <i2p::data::NetDb::Run()>, 
    __t=@0xfffff4bea028: 0xaaaaac0bd3c0 <i2p::data::netdb>) at /usr/include/c++/12.1.0/bits/invoke.h:74
#9  0x0000aaaaab17a17c in std::__invoke<void (i2p::data::NetDb::*&)(), i2p::data::NetDb*&> (
    __fn=@0xfffff4bea018: (void (i2p::data::NetDb::*)(i2p::data::NetDb * const)) 0xaaaaab137860 <i2p::data::NetDb::Run()>) at /usr/include/c++/12.1.0/bits/invoke.h:96
#10 0x0000aaaaab17a094 in std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (
    this=0xfffff4bea018, __args=...) at /usr/include/c++/12.1.0/functional:484
#11 0x0000aaaaab179f34 in std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>::operator()<, void>() (this=0xfffff4bea018)
    at /usr/include/c++/12.1.0/functional:567
#12 0x0000aaaaab179e4c in std::__invoke_impl<void, std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>>(std::__invoke_other, std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>&&) (__f=...) at /usr/include/c++/12.1.0/bits/invoke.h:61
#13 0x0000aaaaab179e04 in std::__invoke<std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>>(std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()>&&) (
    __fn=...) at /usr/include/c++/12.1.0/bits/invoke.h:96
#14 0x0000aaaaab179da0 in std::thread::_Invoker<std::tuple<std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()> > >::_M_invoke<0ul>(std::_Index_tuple<0ul>) (
    this=0xfffff4bea018) at /usr/include/c++/12.1.0/bits/std_thread.h:252
#15 0x0000aaaaab179d04 in std::thread::_Invoker<std::tuple<std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()> > >::operator()() (this=0xfffff4bea018)
    at /usr/include/c++/12.1.0/bits/std_thread.h:259
#16 0x0000aaaaab179ca4 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::_Bind<void (i2p::data::NetDb::*(i2p::data::NetDb*))()> > > >::_M_run() (
    this=0xfffff4bea010) at /usr/include/c++/12.1.0/bits/std_thread.h:210
#17 0x0000fffff6ec78ac in std::execute_native_thread_routine (__p=0xfffff4bea010) at /usr/src/debug/gcc/libstdc++-v3/src/c++11/thread.cc:82
#18 0x0000fffff6bd0aec in ?? () from /usr/lib/libc.so.6
#19 0x0000fffff6c3a5dc in ?? () from /usr/lib/libc.so.6

@Vort
Contributor

Vort commented Dec 30, 2023

> I have caught something else this time, interesting.

Related to #1955 probably.

@Vort
Contributor

Vort commented Dec 30, 2023

@olekolek1000 can you try 302af82 commit?

@olekolek1000
Author

Yes, compiled it a while ago (took maybe 20 minutes), testing right now. It will be running the whole night.

@olekolek1000
Author

olekolek1000 commented Dec 31, 2023

Still working without any problems (running under gdb, without sanitizers). Probably fixed!
