search

ParallelSSH / ssh2-python

Python bindings for libssh2 C library.
https://parallel-ssh.org
GNU Lesser General Public License v2.1
229 stars 73 forks source link

Double free on python 3.8 from channel.__dealloc__ #95

Closed dkropachev closed 4 years ago

dkropachev commented 4 years ago

Bug reports

After upgrading to python 3.8 started to get double free.

Caused by no nogil at session and channel __dealloc__: https://github.com/ParallelSSH/ssh2-python/blob/e5fdd3e8e60e4984d87fa0673d7de5b86a154323/ssh2/channel.pyx#L38-L42 https://github.com/ParallelSSH/ssh2-python/blob/e5fdd3e8e60e4984d87fa0673d7de5b86a154323/ssh2/session.pyx#L60-L64 and/or wrong free_state implementation in _libssh2_channel_free: https://github.com/ParallelSSH/ssh2-python/blob/e5fdd3e8e60e4984d87fa0673d7de5b86a154323/libssh2/src/channel.c#L2477-L2553

Commit that brought the bug in: https://github.com/ParallelSSH/ssh2-python/search?q=a3d077ec6370a870a463ddb3dbafc9bf0f5dc11a&type=Commits

_libssh2_channelfree is called from session.__dealloc__ and from channel.__dealloc_\ creating race condition if these guys called simultaneously, while free_state is not doing what it suppose to do.

Steps to reproduce:

  1. Python 3.8.
  2. Create lots of connections in multiple (10>) threads

Additional info: [Include version of libssh2 and any other relevant information.]

OS: Ubuntu 20.04 LTS libssh2: libssh2-1/focal,now 1.8.0-2.1build1 amd64 [installed] ssh2-python: 0.18.0.post1

Coredump: PID: 478136 (python) UID: 1000 () GID: 1000 (() Signal: 6 (ABRT) Timestamp: Tue 2020-07-07 18:56:22 +07 (15h ago) Command Line: /usr/src/scylladb/scylla-cluster-tests/venv/bin/python /snap/pycharm-professional/201/plugins/python/helpers/pycharm/_jb_unittest_runner.py --target test_remoter.TestRemoteCmdRunners Executable: /usr/bin/python3.8 Control Group: /user.slice/user-1000.slice/user@1000.service/gnome-launched-pycharm-professional_pycharm-professional.desktop-2141.scope Unit: user@1000.service User Unit: gnome-launched-pycharm-professional_pycharm-professional.desktop-2141.scope Slice: user-1000.slice Owner UID: 1000 () Boot ID: bf46036b244c4892bda38eb554c597e8 Machine ID: 8d0016f80e894e3b9dd46b4151a24456 Hostname: Storage: /var/lib/systemd/coredump/core.python.1000.bf46036b244c4892bda38eb554c597e8.478136.1594122982000000000000.lz4 Message: Process 478136 (python) of user 1000 dumped core.

            Stack trace of thread 517474:
            #0  0x00007ff099aeb18b __GI_raise (libc.so.6 + 0x4618b)
            #1  0x00007ff099aca859 __GI_abort (libc.so.6 + 0x25859)
            #2  0x00007ff099b353ee __libc_message (libc.so.6 + 0x903ee)
            #3  0x00007ff099b3d47c malloc_printerr (libc.so.6 + 0x9847c)
            #4  0x00007ff099b3f0ed _int_free (libc.so.6 + 0x9a0ed)
            #5  0x00007ff0968fce79 libssh2_default_free (libssh2.so.1 + 0x34e79)
            #6  0x00007ff0968e09b2 _libssh2_channel_free (libssh2.so.1 + 0x189b2)
            #7  0x00007ff0968e0a05 libssh2_channel_free (libssh2.so.1 + 0x18a05)
            #8  0x00007ff096986351 __pyx_pf_4ssh2_7channel_7Channel_2__dealloc__ (channel.cpython-38-x86_64-linux-gnu.so + 0x6351)

Full backtrace: ssh2-python.zip

pkittenis commented 4 years ago

Can you please share code to reproduce?

dkropachev commented 4 years ago

Can you please share code to reproduce?

https://github.com/ParallelSSH/ssh2-python/pull/102

pkittenis commented 4 years ago

Libssh2 does not support sharing sessions across threads.

Thread-safe: just don't share handles simultaneously