
Re: SIGSEGV on master on ssh_channel_free


On 20.05.2017 at 17:29, Jason Curl wrote:
> 
> On 20/05/2017 14:19, Jason Curl wrote:
>> Hello,
>>
>> My .NET wrapper (prototype) of libssh is crashing on
>> ssh_channel_free() with
>> a SIGSEGV. I've compiled abbd6e3 with MSYS2 32-bit with GCC 6.3.0 (see
>> attachment for cmake output). I'm running on Windows 10 64-bit release
>> 1703.
>>
>> $ cmake -G"Unix Makefiles" -DCMAKE_INSTALL_PREFIX=/usr/local
>> -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..
>>
>> Using GDB to debug I get the following information:
>>
>> Thread 1 received signal SIGSEGV, Segmentation fault.
>> 0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee)
>>      at C:/msys64/home/jcurl/libssh/src/misc.c:382
>> 382       return list->root;
>> (gdb) bt
>> #0  0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee)
>>      at C:/msys64/home/jcurl/libssh/src/misc.c:382
>> #1  0x61cd8491 in ssh_list_find (list=0xfeeefeee, value=0x55101f0)
>>      at C:/msys64/home/jcurl/libssh/src/misc.c:387
>> #2  0x61cc771c in ssh_channel_do_free (channel=0x55101f0)
>>      at C:/msys64/home/jcurl/libssh/src/channels.c:1037
>> #3  0x61cc76f1 in ssh_channel_free (channel=0x55101f0)
>>      at C:/msys64/home/jcurl/libssh/src/channels.c:1025
>> #4  0x014921cd in ?? ()
>> #5  0x014952f6 in ?? ()
>>
>> The other frames are from the CLR and are uninteresting.
>>
>> Sometimes I also get:
>>
>> Thread 1 received signal SIGSEGV, Segmentation fault.
>> 0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>>      at C:/msys64/home/jcurl/libssh/src/buffer.c:108
>> 108       if (buffer->data) {
>> (gdb) bt
>> #0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>>      at C:/msys64/home/jcurl/libssh/src/buffer.c:108
>> #1  0x61cc774b in ssh_channel_do_free (channel=0x157c230)
>>      at C:/msys64/home/jcurl/libssh/src/channels.c:1041
>> #2  0x61cc76f1 in ssh_channel_free (channel=0x157c230)
>>      at C:/msys64/home/jcurl/libssh/src/channels.c:1025
>>
>> My .NET program is simple. It does the following logical steps:
>>
>> ssh_init();
>> m_Session = ssh_new();
>> ssh_options_set(m_Session, SSH_OPTIONS_COMPRESSION_LEVEL, 9);
>> ssh_options_set(m_Session, SSH_OPTIONS_HOST, "mylinuxserver.home.lan");
>> ssh_options_set(m_Session, SSH_OPTIONS_USER, "myuser");
>> ssh_connect(m_Session);  // Returns SSH_OK
>> ssh_pki_import_privkey_file("myprivatekey", null, null, null, &key);
>> ssh_userauth_none(m_Session, null);  // Returns SSH_AUTH_DENIED as expected
>> ssh_userauth_try_publickey(m_Session, null, key);  // Returns SSH_AUTH_SUCCESS as expected
>> ssh_userauth_publickey(m_Session, null, key);
>> m_Channel = ssh_channel_new(m_Session);  // returns a pointer
> Further testing shows that the next two commands are not necessary.
> Commenting out ssh_channel_open_session and ssh_channel_request_exec
> reproduces a crash on master also.
> 
>> ssh_channel_open_session(m_Channel);  // returns SSH_OK
>> ssh_channel_request_exec(m_Channel, "ps aux");
>> ssh_disconnect(m_Session);
>> ssh_channel_free(m_Channel);  // CRASH HERE
>>
>>
> The crash I get in GDB is:
> 
> Thread 1 received signal SIGSEGV, Segmentation fault.
> 0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
> 108       if (buffer->data) {
> (gdb) bt full 4
> #0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
> No locals.
> #1  0x61cc774b in ssh_channel_do_free (channel=0xe5c1e8)
>     at C:/msys64/home/jcurl/libssh/src/channels.c:1041
>         it = 0x0
>         session = 0xe5bfc8
> #2  0x61cc76f1 in ssh_channel_free (channel=0xe5c1e8)
>     at C:/msys64/home/jcurl/libssh/src/channels.c:1025
>         session = 0xe5bfc8
> #3  0x00d621d5 in ?? ()
> No symbol table info available.
> (More stack frames follow...)
> (gdb)
> 
> Googling, it appears that the MS function HeapFree() sets values to
> 0xFEEEFEEE. It's pretty tough to try and breakpoint a .NET program but I
> didn't observe any calls to ssh_free.
> 
> Create Channel from session: 26251480 0x19090D8
> 
> Thread 1 hit Breakpoint 1, ssh_channel_new (session=0x19090d8)
>     at C:/msys64/home/jcurl/libssh/src/channels.c:80
> 
> Create Channel: 26264040 0x190C1E8
> 
> Thread 1 received signal SIGSEGV, Segmentation fault.
> 0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
> 108       if (buffer->data) {
> (gdb) bt ful 4
> #0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee)
>     at C:/msys64/home/jcurl/libssh/src/buffer.c:108
> No locals.
> #1  0x61cc774b in ssh_channel_do_free (channel=0x190c1e8)
>     at C:/msys64/home/jcurl/libssh/src/channels.c:1041
>         it = 0x0
>         session = 0x190bfc8
> #2  0x61cc76f1 in ssh_channel_free (channel=0x190c1e8)
>     at C:/msys64/home/jcurl/libssh/src/channels.c:1025
>         session = 0x190bfc8
> #3  0x031a21d5 in ?? ()
> 
> ssh_channel_free is given the value m_Channel, but isn't the value of
> session in frame #1 expected to be 0x19090D8 and not 0x190bfc8?
> 
> And I think I've found the problem. I'm calling ssh_disconnect which
> appears to also free the channel. And now the crash doesn't appear to
> occur when I remove the disconnect.
> 

Maybe you could add a hint to the documentation of ssh_disconnect() that
it frees all channels, internal buffers, etc., and that all such pointers
are invalid after calling this function. Andreas is always happy about
patches. ;)

Regards
Tilo
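As an added illustration of the ownership rule discussed in this thread (this is a small C model written for this page, not libssh code and not from either poster): a session owns its channels and disconnecting it frees every channel it still holds, so a caller must release a channel before disconnecting the session, or its channel pointer is left dangling, which is what the report's ssh_disconnect() followed by ssh_channel_free() did.

```c
#include <stdlib.h>

/* Model only (not libssh): a session owns up to MAX_CH channels. */
#define MAX_CH 4
typedef struct { int open; } channel_t;
typedef struct { channel_t *ch[MAX_CH]; int n; } session_t;

static channel_t *channel_new(session_t *s) {
    if (s->n >= MAX_CH) return NULL;
    channel_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->open = 1;
    s->ch[s->n++] = c;          /* the session now owns the channel */
    return c;
}

/* Detach a channel the session still owns, free it and null the caller's
 * pointer. A pointer the session no longer tracks is refused rather than
 * freed a second time. Returns 1 if the channel was freed, else 0. */
static int channel_free(session_t *s, channel_t **cp) {
    for (int i = 0; i < s->n; i++) {
        if (s->ch[i] == *cp) {
            s->ch[i] = s->ch[--s->n];   /* swap-remove from the owner */
            free(*cp);
            *cp = NULL;
            return 1;
        }
    }
    return 0;
}

/* Like ssh_disconnect in the thread: frees every channel still owned. */
static void session_disconnect(session_t *s) {
    while (s->n > 0) { channel_t *c = s->ch[0]; channel_free(s, &c); }
}

/* The order from the bug report: disconnect, then free the channel.
 * The caller's pointer is stale by then; this model refuses it (returns 0),
 * whereas a real library would touch freed memory. */
int teardown_wrong_order(void) {
    session_t s = {0};
    channel_t *c = channel_new(&s);
    session_disconnect(&s);
    return channel_free(&s, &c);
}

/* The safe order: release the channel first, then disconnect. Returns 1. */
int teardown_right_order(void) {
    session_t s = {0};
    channel_t *c = channel_new(&s);
    int freed = channel_free(&s, &c);
    session_disconnect(&s);
    return freed && c == NULL;
}
```

The same rule applies to a wrapper such as the .NET prototype in the thread: once the session is disconnected, every channel handle it handed out must be treated as invalid.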

Follow-Ups:
Re: SIGSEGV on master on ssh_channel_free, Aris Adamantiadis <aris@xxxxxxxxxxxx>
References:
SIGSEGV on master on ssh_channel_free, Jason Curl <jason@xxxxxxxxxxxxxxxxxxxxxxxx>
Re: SIGSEGV on master on ssh_channel_free, Jason Curl <jason@xxxxxxxxxxxxxxxxxxxxxxxx>