You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A double- free bug was found in libmodbus v3.1.6, which could be triggered by sending a specific message to unit-test-server. The cause seems to be due to the ctx pointer in unit-test-server.c being free and then freed in modbus_free(ctx).
Actual behavior if applicable
double free or corruption (out)
Expected behavior or suggestion
no crash
Steps to reproduce the behavior (commands or source code)
1. Requires installation of the prenny library
git clone https://github.com/zardus/preeny.git
cd preeny/
make
Then find the desock.so path in the prenny installation directory
2. Add the -fsanitize=address and -g parameter at compile time
Starting program: /home/zyl/libmodbuspoc/tests/unit-test-server < poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff7a00640 (LWP 8988)]
[New Thread 0x7ffff7000640 (LWP 8989)]
[Thread 0x7ffff7a00640 (LWP 8988) exited]
The client connection from 0.0.0.0 is accepted
Waiting for an indication...
<00><01><1F><03><7F><40><00><17><01><6C><00><03><00><42><00><20><40><06><EE><0F><10><00><00><08><01><FA><00><00><D7><01><01><01><01><01><01><40><00><11><00><FC><00><00><40><06><EE><01><01><40><00><09><E9><FC><00><00><40><00><12><00><FC><FF><7F><00><00><EE><0F><0E><00><00><08><01><FA><00><00><D7><01><01><01><01><01><01><40>
[[00](https://github.com/stephane/libmodbus/issues/new#)][01][[00](https://github.com/stephane/libmodbus/issues/new#)][[00](https://github.com/stephane/libmodbus/issues/new#)][[00](https://github.com/stephane/libmodbus/issues/new#)][09][00][17][[06](https://github.com/stephane/libmodbus/issues/new#)][[00](https://github.com/stephane/libmodbus/issues/new#)][[00](https://github.com/stephane/libmodbus/issues/new#)][00][00][00][00]
ERROR Bad file descriptor
Quit the loop: Bad file descriptor
double free or corruption (out)
Thread 1 "unit-test-serve" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353619264) at ./nptl/pthread_kill.c:44
44 ./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353619264)
at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=140737353619264)
at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=140737353619264, signo=signo@entry=6)
at ./nptl/pthread_kill.c:89
#3 0x00007ffff7c42476 in __GI_raise (sig=sig@entry=6)
at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7c287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7c89677 in __libc_message (action=action@entry=do_abort,
fmt=fmt@entry=0x7ffff7ddbb77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6 0x00007ffff7ca0cfc in malloc_printerr (
str=str@entry=0x7ffff7dde790 "double free or corruption (out)")
at ./malloc/malloc.c:5664
#7 0x00007ffff7ca2e70 in _int_free (av=0x7ffff7e1ac80 <main_arena>,
p=0x555555578290, have_lock=<optimized out>) at ./malloc/malloc.c:4588
#8 0x00007ffff7ca5453 in __GI___libc_free (mem=<optimized out>)
at ./malloc/malloc.c:3391
#9 0x00005555555570d3 in main (argc=<optimized out>, argv=<optimized out>)
at unit-test-server.c:200
ASAN output
AddressSanitizer:DEADLYSIGNAL
==9026==ERROR: AddressSanitizer: SEGV on unknown address 0x605ffffffe44 (pc 0x5f6adb5a8c88 bp 0x7ffdd8725d60 sp 0x7ffdd8725b40 T0)
==9026==The signal is caused by a WRITE memory access.
#0 0x5f6adb5a8c88 (/home/zyl/libmodbus/tests/unit-test-server+0xec88)
#1 0x5f6adb5a0e30 (/home/zyl/libmodbus/tests/unit-test-server+0x6e30)
#2 0x766c73a29d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#3 0x766c73a29e3f (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#4 0x5f6adb59fcc4 (/home/zyl/libmodbus/tests/unit-test-server+0x5cc4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/zyl/libmodbus/tests/unit-test-server+0xec88)
==9026==ABORTING
Aborted (core dumped)
The text was updated successfully, but these errors were encountered:
Uhm... why do you keep reporting issues in this old version of the library? See e.g. #750 and #749 and #748
Until proven otherwise, I will assume that you are just reporting more ways to hit the same bugs. I will not even verify that this is fixed in commit b4ef4c1 and assume so until you prove otherwise.
libmodbus version
libmodbus v3.1.6
OS and/or distribution
Ubuntu 18
Environment
..
Description
A double- free bug was found in libmodbus v3.1.6, which could be triggered by sending a specific message to unit-test-server. The cause seems to be due to the ctx pointer in unit-test-server.c being free and then freed in modbus_free(ctx).
Actual behavior if applicable
double free or corruption (out)
Expected behavior or suggestion
no crash
Steps to reproduce the behavior (commands or source code)
Then find the desock.so path in the prenny installation directory
poc.zip
GDB output
ASAN output
The text was updated successfully, but these errors were encountered: