drowe67 / freedv-gui

GUI Application for FreeDV – open source digital voice for HF radio
https://freedv.org/
GNU Lesser General Public License v2.1

[Fedora] FreeDV crashes when pushing "Rec 2s" or "Play 2s" on audio config #159

Closed tmiw closed 3 years ago

tmiw commented 3 years ago

Per digitalvoice list discussion and https://github.com/drowe67/freedv-gui/pull/154, FreeDV crashes on Fedora 34 due to a buffer overflow when performing the following steps:

  1. Go to Tools->Audio Options.
  2. Configure your sound devices and then push any of the "Rec 2s" or "Play 2s" buttons; freedv throws SIGSEGV after doing so.

Compiling FreeDV with libasan produces the following:

New Thread 0x7fffdebaa640 (LWP 77363)]
=================================================================
==77212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000966100 at pc 0x7ffff75f1b10 bp 0x7fffe0ccd600 sp 0x7fffe0cccdb0
READ of size 8192 at 0x621000966100 thread T86
#0 0x7ffff75f1b0f in __interceptor_memcpy (/lib64/libasan.so.6+0x39b0f)
#1 0x7ffff759f87d in memcpy /usr/include/bits/string_fortified.h:29
#2 0x7ffff759f87d in PaUtil_WriteRingBuffer src/common/pa_ringbuffer.c:212
#3 0x7ffff75908f2 in BlockingCallback src/hostapi/jack/pa_jack.c:290
#4 0x7ffff758f0a8 in AdaptingInputOnlyProcess src/common/pa_process.c:1053
#5 0x7ffff7597e00 in PaUtil_EndBufferProcessing src/common/pa_process.c:1623
#6 0x7ffff759d4f0 in RealProcess src/hostapi/jack/pa_jack.c:1473
#7 0x7ffff759d4f0 in JackCallback src/hostapi/jack/pa_jack.c:1614
#8 0x7ffff477920f (/usr/lib64/pipewire-0.3/jack/libjack.so.0+0x1820f)
#9 0x7fffef85016a in loop_iterate ../spa/plugins/support/loop.c:333
#10 0x7ffff3457942 in do_loop ../src/pipewire/data-loop.c:80
#11 0x7ffff4a86298 in start_thread /usr/src/debug/glibc-2.33-20.fc34.x86_64/nptl/pthread_create.c:481
#12 0x7ffff49ae352 in clone (/lib64/libc.so.6+0x100352)

0x621000966100 is located 0 bytes to the right of 4096-byte region [0x621000965100,0x621000966100)
allocated by thread T88 here:
#0 0x7ffff7666af7 in calloc (/lib64/libasan.so.6+0xaeaf7)
#1 0x7ffff7596dd8 in PaUtil_AllocateMemory src/os/unix/pa_unix_util.c:76
#2 0x7ffff7596dd8 in PaUtil_InitializeBufferProcessor src/common/pa_process.c:252

Thread T86 created by T0 here:
#0 0x7ffff760e8d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
#1 0x7fffde362542 (/usr/lib64/pipewire-0.3/libpipewire-module-rt.so+0x1542)

Thread T88 created by T0 here:
#0 0x7ffff760e8d6 in pthread_create (/lib64/libasan.so.6+0x568d6)
#1 0x7ffff4cd8f39 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /usr/src/debug/gcc-11.2.1-1.fc34.x86_64/obj-x86_64-redhat-linux/x86_64-redhat-linux/libstdc++-v3/include/x86_64-redhat-linux/bits/gthr-default.h:663
#2 0x49b5b5 in AudioOptsDialog::plotDeviceInputForAFewSecs(int, PlotScalar*) /home/bdm/git/freedv-gui-ms-bugfixes-audio/src/dlg_audiooptions.cpp:1125
#3 0x49d8bd in AudioOptsDialog::OnRxInTest(wxCommandEvent&) /home/bdm/git/freedv-gui-ms-bugfixes-audio/src/dlg_audiooptions.cpp:1280
#4 0x7ffff62f05c2 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) ../src/common/event.cpp:1390
#5 0x7ffff62f05c2 in wxEvtHandler::ProcessEventIfMatchesId(wxEventTableEntryBase const&, wxEvtHandler*, wxEvent&) ../src/common/event.cpp:1365

This particular crash cannot currently be duplicated on a Fedora 34 VM (running in VMware Fusion) but another crash occurs immediately on opening Audio Config when using the system PortAudio package; upgrading to 35/Rawhide (or compiling FreeDV with -DUSE_STATIC_PORTAUDIO=1) results in the audio configuration and buttons working without issue.

Current fix attempts done:

  1. Replace TEST_BUF_SIZE in Pa_OpenStream with 0 to allow PortAudio to perform its own allocation.

As of now, this appears to be a PortAudio issue but more investigation/testing is needed.
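The ASan report above says the faulting access is a READ of 8192 bytes by the memcpy inside PaUtil_WriteRingBuffer, from a source region that is only 4096 bytes long. The ring buffer clamps the requested element count to the free space in the ring, but it has no way of knowing how large the caller's source buffer is, so a caller that asks for twice as many elements as its buffer holds gets exactly this over-read. The following constructed example (added here; it is not PortAudio's or FreeDV's code, and the RingBuffer type, the rb_* functions and the demo_* functions are hypothetical names modelled only on the general shape of pa_ringbuffer.c) shows that contract and a checked wrapper that also takes the source length:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a minimal single-producer ring buffer with the same
 * shape as a PortAudio-style ring (element size in bytes, power-of-two element
 * count, two-region wrap-around copy). Not PortAudio's implementation. */
typedef struct {
    size_t elementSizeBytes;
    size_t bufferSize;   /* number of elements, power of two */
    size_t bigMask;      /* 2*bufferSize - 1, lets indices count past bufferSize */
    size_t smallMask;    /* bufferSize - 1 */
    size_t writeIndex;
    size_t readIndex;
    unsigned char *buffer;
} RingBuffer;

static int rb_init(RingBuffer *rb, size_t elementSizeBytes, size_t elementCount, void *storage) {
    if (elementCount == 0 || (elementCount & (elementCount - 1)) != 0) return -1; /* must be a power of two */
    rb->elementSizeBytes = elementSizeBytes;
    rb->bufferSize = elementCount;
    rb->bigMask = elementCount * 2 - 1;
    rb->smallMask = elementCount - 1;
    rb->writeIndex = rb->readIndex = 0;
    rb->buffer = storage;
    return 0;
}

static size_t rb_read_available(const RingBuffer *rb) {
    return (rb->writeIndex - rb->readIndex) & rb->bigMask;
}

static size_t rb_write_available(const RingBuffer *rb) {
    return rb->bufferSize - rb_read_available(rb);
}

/* Unchecked write: elementCount is clamped to the free space in the ring,
 * but nothing bounds the read from `data`. If the caller over-states
 * elementCount, memcpy reads past the end of the source, which is the
 * heap-buffer-overflow READ that ASan reports. */
static size_t rb_write_unchecked(RingBuffer *rb, const void *data, size_t elementCount) {
    size_t avail = rb_write_available(rb);
    if (elementCount > avail) elementCount = avail;
    size_t index = rb->writeIndex & rb->smallMask;
    size_t size1, size2;
    if (index + elementCount > rb->bufferSize) {   /* copy wraps around the end */
        size1 = rb->bufferSize - index;
        size2 = elementCount - size1;
    } else {
        size1 = elementCount;
        size2 = 0;
    }
    const unsigned char *src = (const unsigned char *)data;
    memcpy(rb->buffer + index * rb->elementSizeBytes, src, size1 * rb->elementSizeBytes);
    if (size2) memcpy(rb->buffer, src + size1 * rb->elementSizeBytes, size2 * rb->elementSizeBytes);
    rb->writeIndex = (rb->writeIndex + elementCount) & rb->bigMask;
    return elementCount;
}

/* Checked wrapper: the caller also states how many bytes `data` really holds,
 * so the element count can never exceed what the source can supply. */
static size_t rb_write_checked(RingBuffer *rb, const void *data, size_t dataBytes, size_t elementCount) {
    size_t maxElems = dataBytes / rb->elementSizeBytes;
    if (elementCount > maxElems) {
        fprintf(stderr, "refusing to read %zu bytes from a %zu-byte source\n",
                elementCount * rb->elementSizeBytes, dataBytes);
        elementCount = maxElems;
    }
    return rb_write_unchecked(rb, data, elementCount);
}

/* Same proportions as the report: a 4096-byte source (constructed, zeroed)
 * and a request for 4096 two-byte elements, i.e. 8192 bytes. Returns the
 * number of elements the checked wrapper actually wrote (2048). */
size_t demo_checked_write(void) {
    static unsigned char ring_storage[16384];          /* 8192 elements * 2 bytes */
    RingBuffer rb;
    rb_init(&rb, 2, 8192, ring_storage);
    unsigned char *source = calloc(4096, 1);           /* mirrors the 4096-byte calloc'd region */
    size_t written = rb_write_checked(&rb, source, 4096, 4096);
    free(source);
    return written;
}

/* Shows the other clamp: a second write into a nearly full ring is cut to
 * the free space. Returns 10*first + second, i.e. 62 for a ring of 8. */
size_t demo_clamp_to_free_space(void) {
    unsigned char storage[8];
    unsigned char src[16] = {0};                       /* constructed input */
    RingBuffer rb;
    rb_init(&rb, 1, 8, storage);
    size_t a = rb_write_checked(&rb, src, sizeof src, 6);   /* 6 written */
    size_t b = rb_write_checked(&rb, src, sizeof src, 6);   /* only 2 free */
    return a * 10 + b;
}

int main(void) {
    printf("checked write: %zu elements\n", demo_checked_write());
    printf("clamp to free space: %zu\n", demo_clamp_to_free_space());
    return 0;
}
```

Build with `-fsanitize=address -g` to get the same kind of report as above; replacing rb_write_checked with rb_write_unchecked in demo_checked_write reproduces an 8192-byte READ past a 4096-byte heap region. The point for the FreeDV side is that the ring buffer cannot catch this: whatever allocates the source buffer (here, PortAudio's buffer processor, sized from the framesPerBuffer passed to Pa_OpenStream) and whatever decides the element count have to agree, which is why passing 0 (paFramesPerBufferUnspecified) instead of a fixed TEST_BUF_SIZE is a reasonable thing to try.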

drowe67 commented 3 years ago

Do we have any other Fedora 34 users reporting this problem? @hobbes1069 can you please try to reproduce this issue?

hobbes1069 commented 3 years ago

I'll try this weekend. Still fighting a huge OpenEXR update in Fedora. Lots of dependent packages and many of them needed porting to the new API.

drowe67 commented 3 years ago

Thanks @hobbes1069 - no rush on this one :slightly_smiling_face:

hobbes1069 commented 3 years ago

Just submitted an update for Fedora 34, should be available in testing soon.

https://bodhi.fedoraproject.org/updates/FEDORA-2021-39513a0a6a

Tyrbiter commented 3 years ago

Right, well I am now officially embarrassed.

Turns out that -DLPCNET=OFF in the codec2 spec file was responsible for this crash too. Apologies to everyone for not realising what was happening sooner.

Off to shut my head in the door a few times...

tmiw commented 3 years ago

No worries!

I took a look too and it seems you can't even run cmake on freedv-gui without -DLPCNET_BUILD_DIR. @drowe67, is it intended to be able to run FreeDV without LPCNet?

drowe67 commented 3 years ago

I took a look too and it seems you can't even run cmake on freedv-gui without -DLPCNET_BUILD_DIR. @drowe67, is it intended to be able to run FreeDV without LPCNet?

Nope. Thanks @hobbes1069 :slightly_smiling_face: