free(): invalid pointer
Task Info (Flyspray)

Field | Value
---|---
Opened By | Cebtenzzre (cebtenzzre)
Task ID | 79120
Type | Bug Report
Project | Arch Linux
Category | Upstream Bugs
Version | None
OS | All
Opened | 2023-07-16 16:54:37 UTC
Status | Assigned
Assignee | Sébastien Luttringer (seblu)
Details
Description:
When I was helping a friend use ext4magic, it crashed with SIGABRT because a non-malloc()ed address was passed to free.
Additional info:
- package version(s): 0.3.2-4
ASAN report:
```
==1535==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ff6f6131794 in thread T0
    #0 0x7ff6f86f6dc2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7ff6f852dcc0 in ext2fs_free_mem (/usr/lib/libext2fs.so.2+0x2ccc0) (BuildId: 53d2cdd8626816ff908b663e489ddd3708b64b54)
    #2 0x557d7f3fd718 in local_ext2fs_extent_free /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:100
    #3 0x557d7f4023d9 in local_block_iterate3 /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:703
    #4 0x557d7f480e65 in check_file_recover /usr/src/debug/ext4magic/ext4magic-0.3.2/src/recover.c:600
    #5 0x557d7f46cc91 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:641
    #6 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #7 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #8 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #9 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #10 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #11 0x557d7f46cac0 in lookup_local /usr/src/debug/ext4magic/ext4magic-0.3.2/src/lookup_local.c:626
    #12 0x557d7f408cf2 in main /usr/src/debug/ext4magic/ext4magic-0.3.2/src/ext4magic.c:1096
    #13 0x7ff6f831584f (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #14 0x7ff6f8315909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #15 0x557d7f3fd494 in _start (/usr/bin/ext4magic+0x11494) (BuildId: 0bfaf5e9786079b8b1a9382d9fd602aa2773f700)

Address 0x7ff6f6131794 is located in stack of thread T0 at offset 404 in frame
    #0 0x557d7f4010fa in local_block_iterate3 /usr/src/debug/ext4magic/ext4magic-0.3.2/src/block.c:549

  This frame has 7 object(s):
    [48, 56) 'blk64' (line 556)
    [80, 88) 'handle' (line 609)
    [112, 120) 'blk' (line 612)
    [144, 152) 'new_blk' (line 612)
    [176, 200) 'extent' (line 610)
    [240, 312) 'ctx' (line 554)
    [352, 480) 'inode' (line 539) <== Memory access at offset 404 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: bad-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
==1535==ABORTING
```
This appears to be a mismatch between ext2fs_extent_open2 and local_ext2fs_extent_free. Changing it to ext2fs_extent_free fixed the problem for me.
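The report above is a classic ownership mismatch: a handle created by a library open routine is torn down by a hand-written free that assumes it owns more than it does, and one of the pointers it releases points into a stack object (the `inode` variable in `local_block_iterate3`). The C program below is an added illustration, not code from ext4magic or libext2fs; the `toy_*` structures and functions are hypothetical stand-ins, and a tiny allocation registry plays the role of AddressSanitizer's bookkeeping so that the bad free is reported as a count instead of aborting the process. It shows why pairing `open` with the library's own matching `free` (as the reporter's fix does) is the correct cleanup, and gives a cheap check that can be compiled into a test build to catch this class of defect without ASAN.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny allocation registry standing in for ASAN's heap bookkeeping: every
 * tracked_malloc() result is recorded, and tracked_free() refuses a pointer
 * that is not a live tracked allocation instead of corrupting the heap. */
#define MAX_TRACKED 64
static void *tracked[MAX_TRACKED];
static int n_tracked;

static void *tracked_malloc(size_t n) {
    void *p = calloc(1, n);
    if (p && n_tracked < MAX_TRACKED)
        tracked[n_tracked++] = p;
    return p;
}

/* Returns 0 when p is NULL or a live tracked allocation (which is freed),
 * -1 when p was never returned by tracked_malloc: a "bad-free". */
static int tracked_free(void *p) {
    if (!p) return 0;
    for (int i = 0; i < n_tracked; i++) {
        if (tracked[i] == p) {
            tracked[i] = tracked[--n_tracked];
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Hypothetical stand-ins; these are NOT libext2fs's real structures. */
struct toy_inode { unsigned int i_mode, i_size; unsigned int i_block[15]; };

/* The handle OWNS path[] but only BORROWS the inode the caller passed in. */
struct toy_extent_handle {
    struct toy_inode *inode;   /* borrowed: may live on the caller's stack */
    unsigned int *path;        /* owned: allocated in toy_extent_open() */
    int max_depth;
};

/* Library-style open: allocates the handle and its path, borrows the inode. */
static int toy_extent_open(struct toy_inode *inode, struct toy_extent_handle **out) {
    struct toy_extent_handle *h = tracked_malloc(sizeof *h);
    if (!h) return -1;
    h->max_depth = 4;
    h->path = tracked_malloc((size_t)h->max_depth * sizeof *h->path);
    if (!h->path) { tracked_free(h); return -1; }
    h->inode = inode;          /* store the pointer, do not take ownership */
    *out = h;
    return 0;
}

/* Matching library free: releases exactly what toy_extent_open() allocated.
 * Returns the number of bad-free events (0 when ownership matches). */
static int toy_extent_free(struct toy_extent_handle *h) {
    int bad = 0;
    if (!h) return 0;
    bad += tracked_free(h->path) != 0;
    bad += tracked_free(h) != 0;
    return bad;
}

/* Buggy local variant: assumes the handle owns everything it points to and
 * also "frees" the borrowed inode. With a real free() on a stack address this
 * is the abort in the report; here the registry just counts it. */
static int buggy_local_extent_free(struct toy_extent_handle *h) {
    int bad = 0;
    if (!h) return 0;
    bad += tracked_free(h->inode) != 0;   /* wrong: inode is not owned */
    bad += tracked_free(h->path) != 0;
    bad += tracked_free(h) != 0;
    return bad;
}

/* One open/free cycle with the inode on the stack, like the 'inode' object in
 * the report's local_block_iterate3 frame. Returns the bad-free count. */
static int run_cycle(int use_buggy_free) {
    struct toy_inode inode;                 /* stack object, never malloc()ed */
    struct toy_extent_handle *h = NULL;
    memset(&inode, 0, sizeof inode);
    if (toy_extent_open(&inode, &h) != 0) return -1;
    return use_buggy_free ? buggy_local_extent_free(h) : toy_extent_free(h);
}

int main(void) {
    printf("matching free:   %d bad free(s)\n", run_cycle(0));
    printf("mismatched free: %d bad free(s)\n", run_cycle(1));
    return 0;
}
```

In a real code base the equivalent rule is simply that whatever `ext2fs_extent_open2` allocates is released by `ext2fs_extent_free`, and nothing else; a local re-implementation of a library's teardown has to track the library's ownership model exactly, which is why replacing it with the library call fixes the crash.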