usb-tools / USBProxy-legacy

A proxy for USB devices, libUSB and gadgetFS - this project is unmaintained, try here: https://github.com/usb-tools/Facedancer
GNU General Public License v2.0

usbproxy-fd-umass.py - Heap Corruption #58

Closed ghost closed 2 years ago

ghost commented 8 years ago

When I attempt to use this script (with multiple FS images I've created) I always get varying memory corruption errors. This is using the image provided on the release page.

I have tried with the following FS images:

50M ext3
50M ext4
50M NTFS

The errors seem to occur directly after the mass storage transfer takes place.

Are there any FS images that have been used with this script that I can test with to get a baseline?

lindi2 commented 8 years ago

I can reproduce this with git 021e810a88ea81e37c5e252f371bf2cf7173b47a and it occurs without any file system at all:

dd if=/dev/zero of=hdd.img bs=1M count=50
./bindings/python/usbproxy-fd-umass.py hdd.img
...
USB mass storage interface handling 31 bytes of SCSI data
USB mass storage interface got SCSI Read (10), lba 0 + 8 block(s)
9
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
8
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
*** glibc detected *** python3: double free or corruption (!prev): 0x0026c330 ***

*** glibc detected *** python3: double free or corruption (!prev): 0x0038b2e8 ***

lindi2 commented 8 years ago

Backtrace:

(gdb) thread apply all bt

Thread 9 (Thread 0xb0720470 (LWP 10977)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:44
#1  0xb6fcd0bc in __libc_pread (fd=<optimized out>, buf=<optimized out>, count=<optimized out>, offset=0) at ../ports/sysdeps/unix/sysv/linux/arm/eabi/pread.c:53
#2  0xb6a56b64 in handle_fildes_io (arg=<optimized out>) at ../sysdeps/pthread/aio_misc.c:536
#3  0xb6fc6ebc in start_thread (arg=0xb0720470) at pthread_create.c:306
#4  0xb6eb3328 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
#5  0xb6eb3328 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 8 (Thread 0xb0f20470 (LWP 10976)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:44
#1  0xb6e42f6a in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#2  0xb6e45408 in __GI_abort () at abort.c:92
#3  0xb6e6a2d6 in __libc_message (do_abort=2, fmt=0xb6eecc4c "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0xb6e70faa in malloc_printerr (action=<optimized out>, str=0xb6eece6c "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6312
#5  0xb6e741ca in __GI___libc_free (mem=<optimized out>) at malloc.c:3738
#6  0xb6aab412 in Packet::~Packet (this=0x313a70, __in_chrg=<optimized out>) at /home/debian/USBProxy/src/lib/Packet.h:24
#7  0xb6aaccb0 in __gnu_cxx::new_allocator<Packet>::destroy<Packet> (this=0x313a6c, __p=0x313a70) at /usr/include/c++/4.7/ext/new_allocator.h:114
#8  0xb6aacc3e in std::allocator_traits<std::allocator<Packet> >::_S_destroy<Packet> (__a=..., __p=0x313a70) at /usr/include/c++/4.7/bits/alloc_traits.h:279
#9  0xb6aacbce in std::allocator_traits<std::allocator<Packet> >::destroy<Packet> (__a=..., __p=0x313a70) at /usr/include/c++/4.7/bits/alloc_traits.h:402
#10 0xb6aaca0a in std::_Sp_counted_ptr_inplace<Packet, std::allocator<Packet>, (__gnu_cxx::_Lock_policy)2>::_M_dispose (this=0x313a60)
    at /usr/include/c++/4.7/bits/shared_ptr_base.h:410
#11 0xb6aa6366 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release (this=0x313a60) at /usr/include/c++/4.7/bits/shared_ptr_base.h:147
#12 0xb6aa59ea in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count (this=0xb0f1fd24, __in_chrg=<optimized out>)
    at /usr/include/c++/4.7/bits/shared_ptr_base.h:558
#13 0xb6aab544 in std::__shared_ptr<Packet, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr (this=0xb0f1fd20, __in_chrg=<optimized out>)
    at /usr/include/c++/4.7/bits/shared_ptr_base.h:813
#14 0xb6aababc in std::__shared_ptr<Packet, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<Packet, (__gnu_cxx::_Lock_policy)2>&&) (this=0xb0f1fd58, __r=...)
    at /usr/include/c++/4.7/bits/shared_ptr_base.h:900
#15 0xb6aab7d4 in std::shared_ptr<Packet>::operator=(std::shared_ptr<Packet>&&) (this=0xb0f1fd58, __r=...) at /usr/include/c++/4.7/bits/shared_ptr.h:292
#16 0xb6ab3f16 in RelayWriter::relay_write (this=0x2a2578) at /home/debian/USBProxy/src/lib/RelayWriter.cpp:134
#17 0xb6aaab02 in std::_Mem_fn<void (RelayWriter::*)()>::operator() (this=0x26c340, __object=0x2a2578) at /usr/include/c++/4.7/functional:554
#18 0xb6aaa8bc in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::_M_invoke<0u>(std::_Index_tuple<0u>) (this=0x26c33c)
    at /usr/include/c++/4.7/functional:1598
#19 0xb6aaa734 in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::operator()() (this=0x26c33c) at /usr/include/c++/4.7/functional:1586
#20 0xb6aaa63c in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)> >::_M_run() (this=0x26c330) at /usr/include/c++/4.7/thread:115
#21 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#22 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 7 (Thread 0xb1720470 (LWP 10975)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6ebc5dc in __lll_lock_wait_private (futex=0xb6f03250) at ../ports/sysdeps/unix/sysv/linux/arm/nptl/lowlevellock.c:32
#2  0xb6e74248 in __GI___libc_free (mem=<optimized out>) at malloc.c:3736
#3  0x00109616 in ?? ()
#4  0x00109616 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 6 (Thread 0xb1f20470 (LWP 10974)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6fca02e in __pthread_cond_wait (cond=0x274ea8, mutex=0x274e90) at pthread_cond_wait.c:153
#2  0xb6a2a88c in std::condition_variable::wait(std::unique_lock<std::mutex>&) () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#3  0xb6aab76c in SafeQueue<std::shared_ptr<Packet> >::dequeue (this=0x274e68) at /home/debian/USBProxy/src/lib/SafeQueue.hpp:43
#4  0xb6ab3f06 in RelayWriter::relay_write (this=0x31a530) at /home/debian/USBProxy/src/lib/RelayWriter.cpp:134
#5  0xb6aaab02 in std::_Mem_fn<void (RelayWriter::*)()>::operator() (this=0x36de18, __object=0x31a530) at /usr/include/c++/4.7/functional:554
#6  0xb6aaa8bc in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::_M_invoke<0u>(std::_Index_tuple<0u>) (this=0x36de14)
    at /usr/include/c++/4.7/functional:1598
#7  0xb6aaa734 in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::operator()() (this=0x36de14) at /usr/include/c++/4.7/functional:1586
#8  0xb6aaa63c in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)> >::_M_run() (this=0x36de08) at /usr/include/c++/4.7/thread:115
#9  0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#10 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 5 (Thread 0xb2720470 (LWP 10973)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6a572fe in aio_suspend (list=0xb271fd34, nent=1, timeout=0xb271fd2c) at ../sysdeps/pthread/aio_suspend.c:172
#2  0xb695fa80 in HostProxy_GadgetFS::receive_data (this=0x3174f0, endpoint=1 '\001', attributes=2 '\002', maxPacketSize=64, dataptr=0xb271fd74, length=0xb271fd70, 
    timeout=1500) at /home/debian/USBProxy/src/Plugins/Hosts/HostProxy_GadgetFS.cpp:406
#3  0xb6aab290 in RelayReader::relay_read (this=0x2f0418) at /home/debian/USBProxy/src/lib/RelayReader.cpp:129
#4  0xb6aaab4e in std::_Mem_fn<void (RelayReader::*)()>::operator() (this=0x36dde8, __object=0x2f0418) at /usr/include/c++/4.7/functional:554
#5  0xb6aaa96c in std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)>::_M_invoke<0u>(std::_Index_tuple<0u>) (this=0x36dde4)
    at /usr/include/c++/4.7/functional:1598
#6  0xb6aaa74c in std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)>::operator()() (this=0x36dde4) at /usr/include/c++/4.7/functional:1586
#7  0xb6aaa658 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)> >::_M_run() (this=0x36ddd8) at /usr/include/c++/4.7/thread:115
#8  0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#9  0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 4 (Thread 0xb6fdf470 (LWP 10972)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6fca27a in __pthread_cond_timedwait (cond=0xb6a62188, mutex=0xb6a62120, abstime=0xb6fdedbc) at pthread_cond_timedwait.c:168
#2  0xb6a56ce2 in handle_fildes_io (arg=<optimized out>) at ../sysdeps/pthread/aio_misc.c:642
#3  0xb6fc6ebc in start_thread (arg=0xb6fdf470) at pthread_create.c:306
#4  0xb6eb3328 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
#5  0xb6eb3328 in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:116 from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 3 (Thread 0xb2f20470 (LWP 10971)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6fca02e in __pthread_cond_wait (cond=0x38c538, mutex=0x38c520) at pthread_cond_wait.c:153
#2  0xb6a2a88c in std::condition_variable::wait(std::unique_lock<std::mutex>&) () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#3  0xb6aab76c in SafeQueue<std::shared_ptr<Packet> >::dequeue (this=0x38c4f8) at /home/debian/USBProxy/src/lib/SafeQueue.hpp:43
#4  0xb6ab3b66 in RelayWriter::relay_write_setup (this=0x3937d0) at /home/debian/USBProxy/src/lib/RelayWriter.cpp:86
#5  0xb6ab3eb8 in RelayWriter::relay_write (this=0x3937d0) at /home/debian/USBProxy/src/lib/RelayWriter.cpp:124
#6  0xb6aaab02 in std::_Mem_fn<void (RelayWriter::*)()>::operator() (this=0x31a520, __object=0x3937d0) at /usr/include/c++/4.7/functional:554
#7  0xb6aaa8bc in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::_M_invoke<0u>(std::_Index_tuple<0u>) (this=0x31a51c)
    at /usr/include/c++/4.7/functional:1598
#8  0xb6aaa734 in std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)>::operator()() (this=0x31a51c) at /usr/include/c++/4.7/functional:1586
#9  0xb6aaa63c in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (RelayWriter::*)()> (RelayWriter*)> >::_M_run() (this=0x31a510) at /usr/include/c++/4.7/thread:115
#10 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#11 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Thread 2 (Thread 0xb3720470 (LWP 10970)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:43
#1  0xb6eaa520 in __GI___poll (fds=0xb371fcd4, nfds=<optimized out>, timeout=<optimized out>) at ../sysdeps/unix/sysv/linux/poll.c:87
#2  0xb695f240 in HostProxy_GadgetFS::control_request (this=0x3174f0, setup_packet=0xb371fd08, nbytes=0xb371fd18, dataptr=0xb371fd1c, timeout=500)
    at /home/debian/USBProxy/src/Plugins/Hosts/HostProxy_GadgetFS.cpp:220
#3  0xb6aaaf8c in RelayReader::relay_read_setup (this=0x38ce50) at /home/debian/USBProxy/src/lib/RelayReader.cpp:70
#4  0xb6aab236 in RelayReader::relay_read (this=0x38ce50) at /home/debian/USBProxy/src/lib/RelayReader.cpp:118
#5  0xb6aaab4e in std::_Mem_fn<void (RelayReader::*)()>::operator() (this=0x3937b0, __object=0x38ce50) at /usr/include/c++/4.7/functional:554
#6  0xb6aaa96c in std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)>::_M_invoke<0u>(std::_Index_tuple<0u>) (this=0x3937ac)
    at /usr/include/c++/4.7/functional:1598
#7  0xb6aaa74c in std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)>::operator()() (this=0x3937ac) at /usr/include/c++/4.7/functional:1586
#8  0xb6aaa658 in std::thread::_Impl<std::_Bind_simple<std::_Mem_fn<void (RelayReader::*)()> (RelayReader*)> >::_M_run() (this=0x3937a0) at /usr/include/c++/4.7/thread:115
#9  0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
#10 0xb6a2c6d0 in ?? () from /usr/lib/arm-linux-gnueabihf/libstdc++.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
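Added triage helper, not part of USBProxy or of this thread: it parses gdb "thread apply all bt" output like the trace above, picks the thread that reached abort(), pulls the glibc malloc_printerr message out of that thread's frames, and reports the innermost frame inside the project tree (assumed here to be /home/debian/USBProxy, the prefix visible in the trace). The embedded sample is a constructed, abbreviated excerpt of the trace above; symbol names are taken as the first token of each frame, so templated names come out truncated.

```python
import re

# Constructed test input: abbreviated excerpt of the issue's "thread apply all bt" output.
SAMPLE_BT = """\
Thread 8 (Thread 0xb0f20470 (LWP 10976)):
#0  __libc_do_syscall () at ../ports/sysdeps/unix/sysv/linux/arm/eabi/libc-do-syscall.S:44
#1  0xb6e42f6a in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#2  0xb6e45408 in __GI_abort () at abort.c:92
#4  0xb6e70faa in malloc_printerr (action=<optimized out>, str=0xb6eece6c "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6312
#5  0xb6e741ca in __GI___libc_free (mem=<optimized out>) at malloc.c:3738
#6  0xb6aab412 in Packet::~Packet (this=0x313a70, __in_chrg=<optimized out>) at /home/debian/USBProxy/src/lib/Packet.h:24
#16 0xb6ab3f16 in RelayWriter::relay_write (this=0x2a2578) at /home/debian/USBProxy/src/lib/RelayWriter.cpp:134

Thread 6 (Thread 0xb1f20470 (LWP 10974)):
#3  0xb6aab76c in SafeQueue<std::shared_ptr<Packet> >::dequeue (this=0x274e68) at /home/debian/USBProxy/src/lib/SafeQueue.hpp:43
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(Thread 0x[0-9a-f]+ \(LWP (\d+)\)\):")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+)")   # symbol = first token after "in"
LOC_RE = re.compile(r"\sat\s(\S+):(\d+)")                        # trailing "at file:line"
GLIBC_MSG_RE = re.compile(r'str=0x[0-9a-f]+ "([^"]*)"')           # malloc_printerr's message arg

def parse_backtraces(text):
    """Return {gdb thread number: [frame dicts]} parsed from 'thread apply all bt' output."""
    threads, current = {}, None
    for line in text.splitlines():
        t = THREAD_RE.match(line)
        if t:
            current = threads.setdefault(int(t.group(1)), [])
            continue
        f = FRAME_RE.match(line)
        if f and current is not None:
            loc, msg = LOC_RE.search(line), GLIBC_MSG_RE.search(line)
            current.append({"no": int(f.group(1)), "func": f.group(2),
                            "file": loc.group(1) if loc else None,
                            "line": int(loc.group(2)) if loc else None,
                            "glibc_msg": msg.group(1) if msg else None})
    return threads

def triage(text, project_root):
    """Locate the thread that hit abort() and its innermost frame inside project_root."""
    for tno, frames in sorted(parse_backtraces(text).items()):
        if not any(fr["func"].endswith("abort") for fr in frames):
            continue  # parked in a syscall or condvar wait: not the faulting thread
        msg = next((fr["glibc_msg"] for fr in frames if fr["glibc_msg"]), None)
        origin = next((fr for fr in frames
                       if fr["file"] and fr["file"].startswith(project_root)), None)
        return {"thread": tno, "glibc_msg": msg, "origin": origin}
    return None
```

On the full trace this points at Packet::~Packet (Packet.h:24) reached from RelayWriter::relay_write, while the other threads are idle in aio, poll or condition-variable waits.
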

straithe commented 2 years ago

I am closing this issue as the initial poster is no longer on GitHub.