A double-free bug · Issue #803 · stephane/libmodbus · GitHub
A double-free bug #803

Open
balckgu1 opened this issue Mar 26, 2025 · 1 comment
Comments

@balckgu1

libmodbus version

libmodbus v3.1.6

OS and/or distribution

Ubuntu 18

Environment

..

Description

A double-free bug was found in libmodbus v3.1.6, which could be triggered by sending a specific message to unit-test-server. The cause seems to be that the ctx pointer in unit-test-server.c is freed and then freed again in modbus_free(ctx).

Actual behavior if applicable

double free or corruption (out)

Expected behavior or suggestion

no crash

Steps to reproduce the behavior (commands or source code)

1. Requires installation of the preeny library
git clone https://github.com/zardus/preeny.git
cd preeny/
make

Then find the desock.so path in the preeny installation directory

2. Add the -fsanitize=address and -g parameters at compile time
./autogen.sh
./configure --enable-static CC="gcc -fsanitize=address -O0 -g" CXX="g++ -fsanitize=address -O0 -g"
make -j8
cd tests
gcc -g -fsanitize=address -O0 unit-test-server.c -o unit-test-server -I ../src/ ../src/.libs/libmodbus.a

3. Run in GDB (desock.so is preloaded so the server reads its "connection" from stdin)
LD_PRELOAD="/home/user/preeny/src/desock.so" gdb ./unit-test-server
run < ./poc
 POC:

poc.zip

GDB output

Starting program: /home/zyl/libmodbuspoc/tests/unit-test-server < poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff7a00640 (LWP 8988)]
[New Thread 0x7ffff7000640 (LWP 8989)]
[Thread 0x7ffff7a00640 (LWP 8988) exited]
The client connection from 0.0.0.0 is accepted
Waiting for an indication...
<00><01><1F><03><7F><40><00><17><01><6C><00><03><00><42><00><20><40><06><EE><0F><10><00><00><08><01><FA><00><00><D7><01><01><01><01><01><01><40><00><11><00><FC><00><00><40><06><EE><01><01><40><00><09><E9><FC><00><00><40><00><12><00><FC><FF><7F><00><00><EE><0F><0E><00><00><08><01><FA><00><00><D7><01><01><01><01><01><01><40>
[00][01][00][00][00][09][00][17][06][00][00][00][00][00][00]
ERROR Bad file descriptor
Quit the loop: Bad file descriptor
double free or corruption (out)

Thread 1 "unit-test-serve" received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353619264) at ./nptl/pthread_kill.c:44
44	./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737353619264)
    at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737353619264)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737353619264, signo=signo@entry=6)
    at ./nptl/pthread_kill.c:89
#3  0x00007ffff7c42476 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7c287f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7c89677 in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7ddbb77 "%s\n") at ../sysdeps/posix/libc_fatal.c:156
#6  0x00007ffff7ca0cfc in malloc_printerr (
    str=str@entry=0x7ffff7dde790 "double free or corruption (out)")
    at ./malloc/malloc.c:5664
#7  0x00007ffff7ca2e70 in _int_free (av=0x7ffff7e1ac80 <main_arena>, 
    p=0x555555578290, have_lock=<optimized out>) at ./malloc/malloc.c:4588
#8  0x00007ffff7ca5453 in __GI___libc_free (mem=<optimized out>)
    at ./malloc/malloc.c:3391
#9  0x00005555555570d3 in main (argc=<optimized out>, argv=<optimized out>)
    at unit-test-server.c:200

ASAN output

AddressSanitizer:DEADLYSIGNAL

==9026==ERROR: AddressSanitizer: SEGV on unknown address 0x605ffffffe44 (pc 0x5f6adb5a8c88 bp 0x7ffdd8725d60 sp 0x7ffdd8725b40 T0)
==9026==The signal is caused by a WRITE memory access.
    #0 0x5f6adb5a8c88  (/home/zyl/libmodbus/tests/unit-test-server+0xec88)
    #1 0x5f6adb5a0e30  (/home/zyl/libmodbus/tests/unit-test-server+0x6e30)
    #2 0x766c73a29d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #3 0x766c73a29e3f  (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #4 0x5f6adb59fcc4  (/home/zyl/libmodbus/tests/unit-test-server+0x5cc4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/zyl/libmodbus/tests/unit-test-server+0xec88) 
==9026==ABORTING
Aborted (core dumped)
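The request the server printed in the GDB output above carries an MBAP header whose protocol identifier is 0x1F03 and whose length field is 0x7F40 (32576), while the frame itself is 81 bytes: a 7-byte header, function code 0x17 (Read/Write Multiple Registers), read address 0x016C, read quantity 3, write address 0x0042, write quantity 0x0020, byte count 0x40 and 64 data bytes. The 15-byte response that follows has a consistent header (length 9, function 0x17, byte count 6 for the 3 registers read). A strict front-end check can reject a header like the request's before the PDU reaches any handler. The C below is an added example, not libmodbus code and not the reporter's PoC: it validates the MBAP header against the bytes actually received and, for function 0x17, checks the declared quantities and byte count against the payload. The frame bytes are copied from the issue, the limits are Modbus specification values, and the function and constant names are this example's own. Whether libmodbus itself performs these checks is not something this issue establishes.

```c
/* Added example (not libmodbus or the reporter's code): strict validation of
 * the Modbus/TCP frames quoted in this issue. All names here are this
 * example's own; limits follow the Modbus application protocol spec. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBAP_HDR_LEN 7         /* transaction id, protocol id, length, unit id */
#define MAX_PDU_LEN 253        /* Modbus/TCP ADU is at most 260 bytes */
#define FC_READ_WRITE_REGS 0x17

enum mb_status { MB_OK = 0, MB_ERR_SHORT, MB_ERR_PROTOCOL_ID, MB_ERR_LENGTH, MB_ERR_PDU };

struct mbap {
    uint16_t transaction_id, protocol_id, length;
    uint8_t unit_id, function;
    const uint8_t *data;       /* PDU bytes after the function code */
    size_t data_len;
};

/* Constructed sample input: the request bytes unit-test-server printed in the
 * issue (81 bytes) and the response printed right after it (15 bytes). */
static const uint8_t ISSUE_REQUEST[] = {
    0x00,0x01,0x1F,0x03,0x7F,0x40,0x00,0x17,                  /* MBAP + fc   */
    0x01,0x6C,0x00,0x03,0x00,0x42,0x00,0x20,0x40,             /* fc 0x17 hdr */
    0x06,0xEE,0x0F,0x10,0x00,0x00,0x08,0x01,0xFA,0x00,0x00,0xD7,0x01,0x01,0x01,0x01,
    0x01,0x01,0x40,0x00,0x11,0x00,0xFC,0x00,0x00,0x40,0x06,0xEE,0x01,0x01,0x40,0x00,
    0x09,0xE9,0xFC,0x00,0x00,0x40,0x00,0x12,0x00,0xFC,0xFF,0x7F,0x00,0x00,0xEE,0x0F,
    0x0E,0x00,0x00,0x08,0x01,0xFA,0x00,0x00,0xD7,0x01,0x01,0x01,0x01,0x01,0x01,0x40,
};
static const uint8_t ISSUE_RESPONSE[] = {
    0x00,0x01,0x00,0x00,0x00,0x09,0x00,0x17,0x06,0x00,0x00,0x00,0x00,0x00,0x00,
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check the 7-byte MBAP header against the n bytes actually received.
 * out may be NULL when the caller only wants the verdict. */
enum mb_status mbap_parse(const uint8_t *buf, size_t n, struct mbap *out)
{
    struct mbap tmp, *m = out ? out : &tmp;
    if (n < MBAP_HDR_LEN + 1) return MB_ERR_SHORT;       /* header + function code */
    m->transaction_id = be16(buf);
    m->protocol_id = be16(buf + 2);
    m->length = be16(buf + 4);
    m->unit_id = buf[6];
    m->function = buf[7];
    if (m->protocol_id != 0) return MB_ERR_PROTOCOL_ID;  /* Modbus/TCP is always 0 */
    /* length counts unit id + PDU, so it is 2..254 and must match what arrived */
    if (m->length < 2 || m->length > MAX_PDU_LEN + 1) return MB_ERR_LENGTH;
    if ((size_t)m->length + 6 != n) return MB_ERR_LENGTH;
    m->data = buf + MBAP_HDR_LEN + 1;
    m->data_len = n - MBAP_HDR_LEN - 1;
    return MB_OK;
}

/* FC 0x17 request layout: read addr(2) read qty(2) write addr(2) write qty(2)
 * byte count(1) write data(byte count). Other function codes pass through. */
enum mb_status check_read_write_regs(const struct mbap *m)
{
    if (m->function != FC_READ_WRITE_REGS) return MB_OK;
    if (m->data_len < 9) return MB_ERR_PDU;
    uint16_t read_qty = be16(m->data + 2), write_qty = be16(m->data + 6);
    uint8_t byte_count = m->data[8];
    if (read_qty < 1 || read_qty > 125) return MB_ERR_PDU;     /* spec limit */
    if (write_qty < 1 || write_qty > 121) return MB_ERR_PDU;   /* spec limit */
    if (byte_count != write_qty * 2) return MB_ERR_PDU;        /* 2 bytes/register */
    if (m->data_len != 9u + byte_count) return MB_ERR_PDU;     /* missing/trailing */
    return MB_OK;
}

enum mb_status validate_request(const uint8_t *buf, size_t n, struct mbap *out)
{
    struct mbap tmp, *m = out ? out : &tmp;
    enum mb_status st = mbap_parse(buf, n, m);
    return st == MB_OK ? check_read_write_regs(m) : st;
}

/* Re-validate a copy of the issue's request with the protocol id, MBAP length
 * and FC 0x17 byte count overwritten, to see which field trips which check. */
enum mb_status issue_request_patched(uint16_t protocol_id, uint16_t length, uint8_t byte_count)
{
    uint8_t copy[sizeof ISSUE_REQUEST];
    memcpy(copy, ISSUE_REQUEST, sizeof copy);
    copy[2] = (uint8_t)(protocol_id >> 8); copy[3] = (uint8_t)protocol_id;
    copy[4] = (uint8_t)(length >> 8);      copy[5] = (uint8_t)length;
    copy[16] = byte_count;                 /* 9th byte of the FC 0x17 PDU */
    return validate_request(copy, sizeof copy, NULL);
}

int main(void)
{
    struct mbap m;
    printf("issue request      : status %d\n", validate_request(ISSUE_REQUEST, sizeof ISSUE_REQUEST, &m));
    printf("  protocol id 0x%04X, length %u, but %zu bytes arrived\n",
           m.protocol_id, m.length, sizeof ISSUE_REQUEST);
    printf("protocol id fixed  : status %d\n", issue_request_patched(0, 0x7F40, 0x40));
    printf("id + length fixed  : status %d\n", issue_request_patched(0, 75, 0x40));
    printf("wrong byte count   : status %d\n", issue_request_patched(0, 75, 0x3F));
    printf("issue response     : status %d\n", mbap_parse(ISSUE_RESPONSE, sizeof ISSUE_RESPONSE, &m));
    printf("  tid %u, length %u, fc 0x%02X\n", m.transaction_id, m.length, m.function);
    return 0;
}
```

The checks run in the order a server would apply them, so the issue's request is refused at the protocol identifier; patching only that field shows the length (32576 against 81 bytes on the wire) is independently wrong, and only a header of protocol id 0 and length 75 lets the frame through to the PDU check, which in turn rejects any byte count that disagrees with the write quantity or with the bytes actually present. The response frame passes as-is.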
@psychon
psychon commented Mar 31, 2025

libmodbus v3.1.6

Uhm... why do you keep reporting issues in this old version of the library? See e.g. #750 and #749 and #748

Until proven otherwise, I will assume that you are just reporting more ways to hit the same bugs. I will not even verify that this is fixed in commit b4ef4c1 and assume so until you prove otherwise.
