libevent / libevent

Event notification library
https://libevent.org

Segmentation fault after bufferevent_write #1664

Open happybanban opened 3 months ago

happybanban commented 3 months ago

Hello, I got an issue after bufferevent_write is called.

It looks like a memcpy error at evbuffer_add (buffer.c), memcpy-avx-unaligned.

libevent version: libevent-2.1.12-stable

Below is the stack trace.

```
Thread 263 "xxxxx." received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff1ffd7700 (LWP 18737)]
__memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:148
148     ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: no such file or directory
(gdb) bt
#0  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:148
#1  0x00007fffee5e8a03 in memcpy (len=<optimized out>, src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2  evbuffer_add (buf=0x7fff940029f0, data_in=0x7fff1ffd63c0, datlen=6) at buffer.c:1781
#3  0x00007fffee5ee280 in bufferevent_write (bufev=<optimized out>, data=<optimized out>, size=<optimized out>) at bufferevent.c:454
```

Thanks.

widgetii commented 3 months ago

Can you make a simple reproducer?

azat commented 3 months ago

Or run under ASAN (or valgrind as a last resort)

happybanban commented 3 months ago

Or run under ASAN (or valgrind as a last resort) .

liudongmiao commented 3 months ago

@happybanban Did you make sure the arguments of bufferevent_write are right?

  1. the data and size arguments are valid
  2. don't make data point to the inner memory of the bufferevent's output.

data_in=0x7fff1ffd63c0, datlen=6 seems wrong, as it's very close to Thread 0x7fff1ffd7700.

happybanban commented 3 months ago

> @happybanban Did you make sure the arguments of bufferevent_write are right?
>
>   1. the data and size arguments are valid
>   2. don't make data point to the inner memory of the bufferevent's output.
>
> data_in=0x7fff1ffd63c0, datlen=6 seems wrong, as it's very close to Thread 0x7fff1ffd7700.

Thanks! data and size should be valid. Below is my source code. Please give me some suggestions. Thanks! BTW, the problem doesn't happen every time; it happens occasionally.

```c
#include <event2/bufferevent.h>

typedef unsigned char BYTE;  /* BYTE is the poster's own typedef; assumed here to be unsigned char */

/* Queue a fixed 6-byte start frame on the bufferevent's output buffer. */
void send_start(struct bufferevent* bev)
{
    BYTE start[6] = { 0x68, 0x04, 0x07, 0x00, 0x00, 0x00 };
    bufferevent_write(bev, start, 6);
}
```

liudongmiao commented 3 months ago

@happybanban Then the possible cause is use-after-free. You can log it: log the free, and log the write.

azat commented 2 months ago

@happybanban just use ASan to verify your code

You just need to compile your code with -fsanitize=address