commit c0589d06be698ea864e2c58e40ffda0f228440d4 Author: George Kadianakis desnacked@riseup.net Date: Mon Feb 22 13:31:29 2021 +0200
Fix a test failure in test_hs_control_add_onion_helper_add_service().
This bug made the pipeline fail. It basically tries to access a service we just freed because it's still on the service list.
It only occurs about once every 10 tests and it looks like this:
$ ./src/test/test hs_control/hs_control_add_onion_helper_add_service hs_control/hs_control_add_onion_helper_add_service: [forking] ================================================================= ==354311==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000940 at pc 0x55a159251b03 bp 0x7ffc6abb5b30 sp 0x7ffc6abb5b28 READ of size 8 at 0x613000000940 thread T0 ^[[A #0 0x55a159251b02 in hs_service_ht_HT_FIND_P_ src/feature/hs/hs_service.c:153 #1 0x55a159251b02 in hs_service_ht_HT_FIND src/feature/hs/hs_service.c:153 #2 0x55a159251b02 in find_service src/feature/hs/hs_service.c:175 #3 0x55a159251c2c in register_service src/feature/hs/hs_service.c:188 #4 0x55a159262379 in hs_service_add_ephemeral src/feature/hs/hs_service.c:3811 #5 0x55a158e865e6 in test_hs_control_add_onion_helper_add_service src/test/test_hs_control.c:847 #6 0x55a1590fe77b in testcase_run_bare_ src/ext/tinytest.c:107 #7 0x55a1590fee98 in testcase_run_forked_ src/ext/tinytest.c:201 #8 0x55a1590fee98 in testcase_run_one src/ext/tinytest.c:267 #9 0x55a1590ffb06 in tinytest_main src/ext/tinytest.c:454 #10 0x55a158b1b1a4 in main src/test/testing_common.c:420 #11 0x7f7f06f8dd09 in __libc_start_main ../csu/libc-start.c:308 #12 0x55a158b21f69 in _start (/home/f/Computers/tor/mytor/src/test/test+0x372f69)
0x613000000940 is located 64 bytes inside of 344-byte region [0x613000000900,0x613000000a58) freed by thread T0 here: #0 0x7f7f0774ab6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 #1 0x55a158e86508 in test_hs_control_add_onion_helper_add_service src/test/test_hs_control.c:838 #2 0x55a1590fe77b in testcase_run_bare_ src/ext/tinytest.c:107 #3 0x55a1590fee98 in testcase_run_forked_ src/ext/tinytest.c:201 #4 0x55a1590fee98 in testcase_run_one src/ext/tinytest.c:267 #5 0x55a1590ffb06 in tinytest_main src/ext/tinytest.c:454 #6 0x55a158b1b1a4 in main src/test/testing_common.c:420 #7 0x7f7f06f8dd09 in __libc_start_main ../csu/libc-start.c:308
previously allocated by thread T0 here: #0 0x7f7f0774ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x55a15948b728 in tor_malloc_ src/lib/malloc/malloc.c:45 #2 0x55a15948b7c0 in tor_malloc_zero_ src/lib/malloc/malloc.c:71 #3 0x55a159261bb5 in hs_service_new src/feature/hs/hs_service.c:4290 #4 0x55a159261f49 in hs_service_add_ephemeral src/feature/hs/hs_service.c:3758 #5 0x55a158e8619f in test_hs_control_add_onion_helper_add_service src/test/test_hs_control.c:832 #6 0x55a1590fe77b in testcase_run_bare_ src/ext/tinytest.c:107 #7 0x55a1590fee98 in testcase_run_forked_ src/ext/tinytest.c:201 #8 0x55a1590fee98 in testcase_run_one src/ext/tinytest.c:267 #9 0x55a1590ffb06 in tinytest_main src/ext/tinytest.c:454 #10 0x55a158b1b1a4 in main src/test/testing_common.c:420 #11 0x7f7f06f8dd09 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free src/feature/hs/hs_service.c:153 in hs_service_ht_HT_FIND_P_ Shadow bytes around the buggy address: 0x0c267fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 0x0c267fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c267fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff8110: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa =>0x0c267fff8120: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd 0x0c267fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c267fff8140: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c267fff8150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c267fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c267fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==354311==ABORTING [Lost connection!] [hs_control_add_onion_helper_add_service FAILED] 1/1 TESTS FAILED. (0 skipped) --- src/test/test_hs_control.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/src/test/test_hs_control.c b/src/test/test_hs_control.c index e4999a4ed5..fc5e801fea 100644 --- a/src/test/test_hs_control.c +++ b/src/test/test_hs_control.c @@ -835,6 +835,7 @@ test_hs_control_add_onion_helper_add_service(void *arg) service_good = find_service(global_map, &pk_good); tt_int_op(smartlist_len(service_good->config.clients), OP_EQ, 1);
+ remove_service(global_map, service_good); hs_service_free(service_good);
list_bad = smartlist_new();