eggheads / eggdrop

The Eggdrop IRC Bot
GNU General Public License v2.0

double-free in compress.mod #1601

Open michaelortmann opened 3 weeks ago

michaelortmann commented 3 weeks ago

we start here:

https://github.com/eggheads/eggdrop/blob/0ee04c25700268e91f2f0bb7974b1ececf3aa380/src/mod/compress.mod/compress.c#L256

first free() is here:

https://github.com/eggheads/eggdrop/blob/0ee04c25700268e91f2f0bb7974b1ececf3aa380/src/mod/compress.mod/compress.c#L217

if the following gzClose() fails:

https://github.com/eggheads/eggdrop/blob/0ee04c25700268e91f2f0bb7974b1ececf3aa380/src/mod/compress.mod/compress.c#L218-L219

the following code is executed:

https://github.com/eggheads/eggdrop/blob/0ee04c25700268e91f2f0bb7974b1ececf3aa380/src/mod/compress.mod/compress.c#L259

it will not only double free, like here:

https://github.com/eggheads/eggdrop/blob/0ee04c25700268e91f2f0bb7974b1ececf3aa380/src/mod/compress.mod/compress.c#L271

but also access the just closed fin.

I guess this code path was never checked.

We should fix this, but it's low prio, because gzClose() like never fails ;)
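A constructed C model of the cleanup path described above, the faulty shape beside a hardened one (added example, not eggdrop's code; the names hclose, compress_buggy and compress_fixed are hypothetical, and handles are modelled as structs with an open flag so the repeated close is counted instead of crashing as a real second fclose() would):

```c
#include <stddef.h>

/* Constructed stand-in for FILE * / gzFile: an "open" flag instead of heap state. */
struct handle { int open; };

/* Close a handle; a close of an already-closed handle is counted as a double free. */
static void hclose(struct handle *h, int *double_closes)
{
  if (!h->open)
    (*double_closes)++;
  h->open = 0;
}

/* Faulty shape from the issue: fin is closed, the output close fails, and the
 * shared error label closes fin a second time (and would read it too).
 * Returns 0 or -1; *double_closes receives the number of repeated closes. */
int compress_buggy(int gzclose_fails, int *double_closes)
{
  struct handle fin = {1}, fout = {1};

  *double_closes = 0;
  hclose(&fin, double_closes);          /* first close of fin */
  if (gzclose_fails) {                  /* simulated gzclose() failure */
    hclose(&fout, double_closes);
    goto error;
  }
  hclose(&fout, double_closes);
  return 0;
error:
  hclose(&fin, double_closes);          /* second close: the double free */
  return -1;
}

/* Hardened shape: a NULL pointer records that a handle is no longer owned,
 * so the cleanup label closes each handle at most once on every path. */
int compress_fixed(int gzclose_fails, int *double_closes)
{
  struct handle fin = {1}, fout = {1};
  struct handle *fin_p = &fin, *fout_p = &fout;

  *double_closes = 0;
  hclose(fin_p, double_closes);
  fin_p = NULL;                         /* fin is closed: never touch it again */
  if (gzclose_fails) {
    hclose(fout_p, double_closes);
    fout_p = NULL;
    goto error;
  }
  hclose(fout_p, double_closes);
  return 0;
error:
  if (fin_p)  hclose(fin_p, double_closes);   /* skipped: already closed */
  if (fout_p) hclose(fout_p, double_closes);
  return -1;
}
```

The same discipline applies to the real code: after fclose(fin), set fin to NULL and have the error path test it before closing or reading.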

michaelortmann commented 3 weeks ago

The bug cannot easily be triggered (because I dunno how to make gzClose() fail), but if the code is manually modified to simulate such a fail, gcc would be able to report the bug like:

.tcl compressfile test.txt
[01:34:25.%f] tcl: builtin dcc call: *dcc:tcl -HQ 1 compressfile test.txt
[01:34:25.%f] tcl: evaluating .tcl compressfile test.txt
=================================================================
==2297507==ERROR: AddressSanitizer: attempting double-free on 0x515000018b80 in thread T0:
    #0 0x792d2f0fb422 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x792d2de91083 in _IO_fclose (/usr/lib/libc.so.6+0x7d083) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #2 0x792d2f0cba1f in fclose /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6295
    #3 0x792d2f0cba1f in fclose /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6288
    #4 0x792d2d9b1968 in compress_to_file .././compress.mod/compress.c:271
    #5 0x792d2d9b1fc6 in compress_file .././compress.mod/compress.c:311
    #6 0x792d2d9afaaf in tcl_compress_file .././compress.mod/tclcompress.c:68
    #7 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #8 0x65174182cbf6 in tcl_call_stringproc /home/michael/projects/eggdrop/src/tcl.c:341
    #9 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539
    #10 0x792d2ee807e4 in TclEvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5408
    #11 0x792d2ee81096 in Tcl_EvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5073
    #12 0x792d2ee810b9 in Tcl_Eval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:6001
    #13 0x792d2ee81807 in Tcl_GlobalEval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7070
    #14 0x651741781b1a in cmd_tcl /home/michael/projects/eggdrop/src/cmds.c:2850
    #15 0x651741856995 in builtin_dcc /home/michael/projects/eggdrop/src/tclhash.c:694
    #16 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #17 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539
    #18 0x792d2ee807e4 in TclEvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5408
    #19 0x792d2ee81096 in Tcl_EvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5073
    #20 0x792d2ee810b9 in Tcl_Eval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:6001
    #21 0x792d2ee816df in Tcl_VarEvalVA /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7001
    #22 0x792d2ee817bd in Tcl_VarEval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7032
    #23 0x6517418570f0 in trigger_bind /home/michael/projects/eggdrop/src/tclhash.c:746
    #24 0x6517418586ae in check_tcl_bind /home/michael/projects/eggdrop/src/tclhash.c:942
    #25 0x651741858f0b in check_tcl_dcc /home/michael/projects/eggdrop/src/tclhash.c:974
    #26 0x651741798cde in dcc_chat /home/michael/projects/eggdrop/src/dcc.c:1092
    #27 0x6517417eb9ce in mainloop main.c:796
    #28 0x6517417efd12 in main main.c:1211
    #29 0x792d2de39c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #30 0x792d2de39d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #31 0x6517417024a4 in _start (/home/michael/eggdrop/eggdrop-1.9.5+0x2774a4) (BuildId: 9d27919369708d33ddc619b9a1747beaa5c296bb)

0x515000018b80 is located 0 bytes inside of 472-byte region [0x515000018b80,0x515000018d58)
freed by thread T0 here:
    #0 0x792d2f0fca31 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x6517417f33c5 in n_malloc /home/michael/projects/eggdrop/src/mem.c:342
    #2 0x6517418586fb in check_tcl_bind /home/michael/projects/eggdrop/src/tclhash.c:945
    #3 0x792d2a2d0140 in check_tcl_rawt .././server.mod/servmsg.c:218
    #4 0x792d2a2e3592 in server_activity .././server.mod/servmsg.c:1267
    #5 0x6517417eb9ce in mainloop main.c:796
    #6 0x6517417efd12 in main main.c:1211
    #7 0x792d2de39c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #8 0x792d2de39d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #9 0x6517417024a4 in _start (/home/michael/eggdrop/eggdrop-1.9.5+0x2774a4) (BuildId: 9d27919369708d33ddc619b9a1747beaa5c296bb)

previously allocated by thread T0 here:
    #0 0x792d2f0fca31 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x792d2de91a68  (/usr/lib/libc.so.6+0x7da68) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #2 0x792d2d9b1621 in compress_to_file .././compress.mod/compress.c:240
    #3 0x792d2d9b1fc6 in compress_file .././compress.mod/compress.c:311
    #4 0x792d2d9afaaf in tcl_compress_file .././compress.mod/tclcompress.c:68
    #5 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #6 0x65174182cbf6 in tcl_call_stringproc /home/michael/projects/eggdrop/src/tcl.c:341
    #7 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in free
==2297507==ABORTING