[systemd-devel] resolved crashes on SIGTERM
Cristian Rodríguez
cristian.rodriguez at opensuse.org
Mon May 11 18:00:55 PDT 2015
resolved crashes on SIGTERM with ...
=================================================================
==33557==ERROR: AddressSanitizer: heap-use-after-free on address
0x60c00000bd60 at pc 0x5555556098c5 bp 0x7fffffffde70 sp
0x7fffffffde68
READ of size 8 at 0x60c00000bd60 thread T0
#0 0x5555556098c4 in dns_cache_flush src/resolve/resolved-dns-cache.c:88
#1 0x5555555e123d in link_set_dns_server src/resolve/resolved-link.c:321
#2 0x555555608c7e in dns_server_free src/resolve/resolved-dns-server.c:96
#3 0x5555555df543 in link_free src/resolve/resolved-link.c:76
#4 0x5555555cf138 in manager_free src/resolve/resolved-manager.c:531
#5 0x5555555cb5e7 in manager_freep src/resolve/resolved-manager.h:151
#6 0x5555555cbd58 in main src/resolve/resolved.c:32
#7 0x7ffff5d6586f in __libc_start_main (/lib64/libc.so.6+0x2086f)
#8 0x5555555cb498 in _start
(/home/crrodriguez/scm/systemd/systemd-resolved+0x77498)
0x60c00000bd60 is located 32 bytes inside of 128-byte region
[0x60c00000bd40,0x60c00000bdc0)
freed by thread T0 here:
#0 0x7ffff6f049aa in __interceptor_free (/usr/lib64/libasan.so.2+0x969aa)
#1 0x5555556021a9 in dns_scope_free src/resolve/resolved-dns-scope.c:97
#2 0x5555555df4a2 in link_free src/resolve/resolved-link.c:71
#3 0x5555555cf138 in manager_free src/resolve/resolved-manager.c:531
#4 0x5555555cb5e7 in manager_freep src/resolve/resolved-manager.h:151
#5 0x5555555cbd58 in main src/resolve/resolved.c:32
#6 0x7ffff5d6586f in __libc_start_main (/lib64/libc.so.6+0x2086f)
previously allocated by thread T0 here:
#0 0x7ffff6f04db1 in __interceptor_calloc (/usr/lib64/libasan.so.2+0x96db1)
#1 0x555555601785 in dns_scope_new src/resolve/resolved-dns-scope.c:41
#2 0x5555555df67b in link_allocate_scopes src/resolve/resolved-link.c:89
#3 0x5555555e0933 in link_update_monitor src/resolve/resolved-link.c:248
#4 0x5555555cc591 in manager_process_link src/resolve/resolved-manager.c:78
#5 0x5555555cd267 in manager_rtnl_listen src/resolve/resolved-manager.c:235
#6 0x5555555cefbc in manager_new src/resolve/resolved-manager.c:498
#7 0x5555555cba15 in main src/resolve/resolved.c:75
#8 0x7ffff5d6586f in __libc_start_main (/lib64/libc.so.6+0x2086f)
SUMMARY: AddressSanitizer: heap-use-after-free
src/resolve/resolved-dns-cache.c:88 dns_cache_flush
Shadow bytes around the buggy address:
0x0c187fff9750: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff9760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c187fff9770: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff9780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff97a0: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
0x0c187fff97b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff97d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fff97e0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c187fff97f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==33557==ABORTING
Apparently, it crashes on

    void dns_cache_flush(DnsCache *c) {
            DnsCacheItem *i;

            assert(c);

            while ((i = hashmap_first(c->by_key)))   --> here,

because c->by_key was already freed at this point. Can someone familiar with
the code look at this?

To reproduce, build with --enable-address-sanitizer, start resolved in gdb,
then send SIGTERM to the running binary.
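The two ASan stacks above tell the story: link_free() first frees the link's DNS scopes (and with them the DnsCache), then frees the link's DNS servers; dns_server_free() calls back into link_set_dns_server(), which flushes the cache of a scope that no longer exists. The following C model is an added illustration of that teardown-ordering bug and is not code from this post or from systemd. The function names mirror the trace, but the struct layouts and bodies are simplified, hypothetical stand-ins, and a freed object is put into a tombstone state instead of being passed to free() so the stale access is counted deterministically rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical model of the teardown order seen in the ASan report.
 * Function names follow the trace (link_free, dns_scope_free,
 * dns_server_free, link_set_dns_server, dns_cache_flush); the structs and
 * bodies are simplified stand-ins, not systemd's code.
 *
 * "Freeing" a scope sets a tombstone flag instead of calling free(), much
 * like ASan's quarantine, so touching a freed cache is detected and counted.
 */

typedef struct DnsCache {
        int freed;              /* tombstone: owning scope has been freed */
        int n_items;
} DnsCache;

typedef struct DnsScope {
        DnsCache cache;
        int freed;
} DnsScope;

typedef struct Link Link;

typedef struct DnsServer {
        Link *link;             /* back-pointer used by dns_server_free() */
        struct DnsServer *next;
} DnsServer;

struct Link {
        DnsScope *unicast_scope;
        DnsServer *dns_servers;         /* servers configured on this link */
        DnsServer *current_dns_server;
        int use_after_free;             /* touches of an already-freed cache */
};

/* The read ASan flagged: walking c->by_key after the scope was freed. */
static int dns_cache_flush(Link *l, DnsCache *c) {
        if (c->freed) {
                l->use_after_free++;
                return -1;
        }
        c->n_items = 0;
        return 0;
}

static void dns_scope_free(DnsScope *s) {
        s->cache.freed = 1;     /* real code would free() the scope here */
        s->freed = 1;
}

/* Changing the active server invalidates cached answers for the link. */
static void link_set_dns_server(Link *l, DnsServer *s) {
        if (l->current_dns_server == s)
                return;
        l->current_dns_server = s;
        if (l->unicast_scope)
                dns_cache_flush(l, &l->unicast_scope->cache);
}

/* Freeing the server that is currently in use deselects it first, which
 * is what re-enters link_set_dns_server() from inside link_free(). */
static void dns_server_free(DnsServer *s) {
        if (s->link && s->link->current_dns_server == s)
                link_set_dns_server(s->link, NULL);
        free(s);
}

static void free_all_servers(Link *l) {
        while (l->dns_servers) {
                DnsServer *s = l->dns_servers;
                l->dns_servers = s->next;
                dns_server_free(s);
        }
}

/* Builds a link with one scope and one active server, tears it down in the
 * requested order, and returns how many times a freed cache was touched.
 * Returns -1 only if allocation fails. */
static int teardown_uaf_count(int servers_before_scopes) {
        DnsScope scope = { .cache = { .freed = 0, .n_items = 3 } };
        Link l = { .unicast_scope = &scope };
        DnsServer *s = calloc(1, sizeof *s);
        if (!s)
                return -1;
        s->link = &l;
        l.dns_servers = s;
        link_set_dns_server(&l, s);     /* flushes a live cache: fine */

        if (servers_before_scopes) {
                free_all_servers(&l);           /* flush while cache lives */
                dns_scope_free(l.unicast_scope);
        } else {
                dns_scope_free(l.unicast_scope);/* order from the trace */
                free_all_servers(&l);           /* flushes the dead cache */
        }
        return l.use_after_free;
}

int main(void) {
        printf("scopes freed before servers (trace order): %d use(s) after free\n",
               teardown_uaf_count(0));
        printf("servers freed before scopes:               %d use(s) after free\n",
               teardown_uaf_count(1));
        return 0;
}
```

Reversing the order so the servers go away while the scope's cache is still alive is one fix; another is to clear the link's scope pointer (here unicast_scope) as soon as the scope is freed, so the NULL check in link_set_dns_server() skips the flush. Either way the invariant is that an object's destructor must not be able to reach, through back-pointers, peers that the same parent destructor has already torn down.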