On CentOS 5.2.2, cf-agent 3.0.0b7 can crash with a double free or corruption:

Here's a stack backtrace:
#0  0x00b1e402 in __kernel_vsyscall ()
#1  0x00549d10 in raise () from /lib/libc.so.6
#2  0x0054b621 in abort () from /lib/libc.so.6
#3  0x00581e5b in __libc_message () from /lib/libc.so.6
#4  0x00589d06 in _int_free () from /lib/libc.so.6
#5  0x0058d1e0 in free () from /lib/libc.so.6
#6  0x08076948 in DeletePromise (pp=0x65fff4) at promises.c:510
#7  0x08073049 in ExpandPromiseAndDo (agent=cf_agent, scopeid=0x8e90c00 "main", pp=0x8e96dd0, scalarvars=0x0, listvars=0x8e96158,
    fnptr=0x804b050 <KeepAgentPromise>) at expand.c:612
#8  0x0807440c in ExpandPromise (agent=cf_agent, scopeid=0x8e90c00 "main", pp=0x8e903b8, fnptr=0x804b050) at expand.c:117
#9  0x0804b48d in ScheduleAgentOperations (bp=0x8e90be8) at agent.c:609
#10 0x0804b631 in KeepPromiseBundles () at agent.c:573
#11 0x0804bde5 in KeepPromises () at agent.c:254
#12 0x0804c174 in main (argc=Cannot access memory at address 0x26b6
) at agent.c:126


valgrind also shows the issue, and indicates where the block was originally freed.

==10058== Invalid free() / delete / delete[]
==10058==    at 0x4004FDA: free (vg_replace_malloc.c:233)
==10058==    by 0x8076947: DeletePromise (promises.c:510)
==10058==    by 0x8073048: ExpandPromiseAndDo (expand.c:612)
==10058==    by 0x807440B: ExpandPromise (expand.c:117)
==10058==    by 0x804B48C: ScheduleAgentOperations (agent.c:609)
==10058==    by 0x804B630: KeepPromiseBundles (agent.c:573)
==10058==    by 0x804BDE4: KeepPromises (agent.c:254)
==10058==    by 0x804C173: main (agent.c:126)
==10058==  Address 0x420C080 is 0 bytes inside a block of size 12 free'd
==10058==    at 0x4004FDA: free (vg_replace_malloc.c:233)
==10058==    by 0x805B401: CopyFileSources (files_copy.c:76)
==10058==    by 0x8059E79: ScheduleCopyOperation (files_operators.c:170)
==10058==    by 0x804C715: VerifyFilePromise (verify_files.c:323)
==10058==    by 0x804C91B: LocateFilePromiserGroup (verify_files.c:84)
==10058==    by 0x804CE08: FindFilePromiserObjects (verify_files.c:62)
==10058==    by 0x804CE49: FindAndVerifyFilesPromises (verify_files.c:37)
==10058==    by 0x804B22F: KeepAgentPromise (agent.c:750)
==10058==    by 0x80730D4: ExpandPromiseAndDo (expand.c:599)
==10058==    by 0x807440B: ExpandPromise (expand.c:117)
==10058==    by 0x804B48C: ScheduleAgentOperations (agent.c:609)
==10058==    by 0x804B630: KeepPromiseBundles (agent.c:573)

I've attached the verbose output of cf-agent.

Attachment: cf.log
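As an added example (not CFEngine code), a small C model of the pattern the two valgrind stacks describe: a helper that mirrors CopyFileSources frees a member of a promise, and the destructor that mirrors DeletePromise frees the same block again. A freed-pointer log stands in for valgrind's "block ... free'd" tracking and reports the second free instead of letting glibc abort; the fixed helper clears the pointer after freeing so the destructor has nothing left to release. The struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Freed-pointer log standing in for valgrind's "block ... free'd" tracking. */
#define LOG_SIZE 64
static void *freed_log[LOG_SIZE];
static int freed_count = 0;
/* Release p once. A repeat free is reported and returns 1 instead of reaching
 * glibc's _int_free and aborting. Logged blocks are quarantined (never handed
 * back to malloc) so a recycled address cannot be mistaken for a double free. */
static int tracked_free(void *p) {
    for (int i = 0; i < freed_count; i++)
        if (freed_log[i] == p) {
            fprintf(stderr, "double free of %p detected\n", p);
            return 1;
        }
    if (freed_count < LOG_SIZE) freed_log[freed_count++] = p; /* quarantine */
    else free(p);                                   /* log full: real free */
    return 0;
}

/* Hypothetical promise with one heap-owned member; not CFEngine's real struct. */
struct promise { char *sources; };

/* Buggy helper (CopyFileSources analog): frees the member, leaves it dangling. */
static int copy_sources_buggy(struct promise *pp) { return tracked_free(pp->sources); }

/* Fixed helper: clear the pointer after freeing so the owner has nothing left. */
static int copy_sources_fixed(struct promise *pp) {
    int dup = tracked_free(pp->sources);
    pp->sources = NULL;
    return dup;
}

/* Destructor (DeletePromise analog): frees whatever the promise still owns. */
static int delete_promise(struct promise *pp) {
    return pp->sources ? tracked_free(pp->sources) : 0;
}

/* Drive one promise through helper and destructor; returns double frees seen. */
int run_promise(int use_fix) {
    struct promise pp = { strdup("/var/cfengine/inputs") };  /* constructed input */
    int dup = use_fix ? copy_sources_fixed(&pp) : copy_sources_buggy(&pp);
    return dup + delete_promise(&pp);
}

int main(void) {
    printf("buggy path: %d double free(s)\n", run_promise(0));  /* 1 */
    printf("fixed path: %d double free(s)\n", run_promise(1));  /* 0 */
    return 0;
}
```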
_______________________________________________
Bug-cfengine mailing list
Bug-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/bug-cfengine