KotoDevelopers / cpuminer-yescrypt

CPU miner for Koto

Use-after-free on reconnect #3

Closed solardiz closed 5 years ago

solardiz commented 5 years ago

Along with two "Fix memory leak" commits, upstream cpuminer silently fixed a use-after-free bug, which in my experience manifested itself as libcurl trying to reconnect to a bogus URL (located in freed memory reused by other data). You'll want to either rebase on latest upstream cpuminer or merge these commits:

commit 96c3676d884acf2e1d967f383c9fbf0e055d7792
Author: pooler <pooler@litecoinpool.org>
Date:   Thu Apr 21 23:44:55 2016 +0200

    Fix memory leak in the long polling thread

commit aa071501587e34122fbaed76bb4c81c131540338
Author: pooler <pooler@litecoinpool.org>
Date:   Tue Mar 15 20:13:22 2016 +0100

    Fix memory leaks affecting getblocktemplate

where the resulting changes will look something like:

+++ b/cpu-miner.c
@@ -558,6 +558,7 @@ static bool gbt_work_decode(const json_t *val, struct work *work)
                        goto out;
                }
                sha256d(merkle_tree[1 + i], tx, tx_size);
+               free(tx);
                if (!submit_coinbase)
                        strcat(work->txs, tx_hex);
        }
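Review bot: free(tx) is added only on the path where sha256d() runs; the `goto out` two lines above leaves the same loop iteration without reaching this free(), so confirm tx is released (or not yet allocated) on that error path, otherwise the leak this hunk targets remains for malformed transactions. Moving the free() next to the last use of tx, ahead of any early exit, or freeing it under `out:` would make the ownership obvious.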
@@ -608,7 +609,7 @@ static bool gbt_work_decode(const json_t *val, struct work *work)
                if (!have_longpoll) {
                        char *lp_uri;
                        tmp = json_object_get(val, "longpolluri");
-                       lp_uri = json_is_string(tmp) ? strdup(json_string_value(tmp)) : rpc_url;
+                       lp_uri = strdup(json_is_string(tmp) ? json_string_value(tmp) : rpc_url);
                        have_longpoll = true;
                        tq_push(thr_info[longpoll_thr_id].q, lp_uri);
                }
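Review bot: the strdup() return value is unchecked; on allocation failure a NULL lp_uri is pushed to the long-poll queue while have_longpoll has already been set to true, so the consumer receives no URI and nothing retries. Consider `if (!lp_uri) goto out;` (or logging and leaving have_longpoll false) before tq_push(). The change itself is the right one: it makes every pointer placed in the queue heap-owned, so a consumer that frees what it pops can do so unconditionally, whereas the removed line handed rpc_url itself to that consumer, which is the use-after-free described in the issue.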
@@ -1132,6 +1133,7 @@ static void *miner_thread(void *userdata)
                        if (!have_stratum &&
                            (time(NULL) - g_work_time >= min_scantime ||
                             work.data[19] >= end_nonce)) {
+                               work_free(&g_work);
                                if (unlikely(!get_work(mythr, &g_work))) {
                                        applog(LOG_ERR, "work retrieval failed, exiting "
                                                "mining thread %d", mythr->id);
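Review bot: work_free(&g_work) is called here with no lock visible in the surrounding context, whereas the matching call in the longpoll hunk takes pthread_mutex_lock(&g_work_lock) first; confirm g_work_lock is already held at this point in miner_thread, since freeing g_work's buffers while another thread still reads them would reintroduce exactly the class of bug this patch fixes. If get_work() then fails, the thread exits with g_work already emptied, which is fine only if nothing else reads g_work afterwards.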
@@ -1312,6 +1314,7 @@ start:
                        soval = json_object_get(res, "submitold");
                        submit_old = soval ? json_is_true(soval) : false;
                        pthread_mutex_lock(&g_work_lock);
+                       work_free(&g_work);
                        if (have_gbt)
                                rc = gbt_work_decode(res, &g_work);
                        else
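Review bot: work_free(&g_work) is followed by a gbt_work_decode() that can fail through its `goto out` paths, and the next poll will run work_free(&g_work) again on whatever that failed decode left behind; confirm work_free() sets the pointers it releases to NULL (for example work->txs, seen in the first hunk) and that the decode failure path does not leave half-assigned heap pointers in g_work, so a failed decode cannot turn into a double free.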

The use-after-free fix is on the line with strdup().

wo01 commented 5 years ago

Thank you. I have cherry-picked their commits.

cd2883454f6ebd4e009ae66174c8e79593303c6b
8e71bf5c6ea14ec88516966142d647405a61992b