Hi Thierry, On Fri, Jul 06, 2018 at 04:28:22PM +0200, Thierry Fournier wrote: > Hi list, > > I caught a double-free whien I reload haproxy-1.8: > > writev(2, [{"*** Error in `", 14}, {"/opt/o3-haproxy/sbin/haproxy", 28}, > {"': ", 3}, {"double free or corruption (!prev)", 33}, {": 0x", 4}, > {"000000001cec2ab0", 16}, {" ***\n", 5}], 7) = 103 > > Decoded: > > *** Error in `/opt/o3-haproxy/sbin/haproxy': double free or corruption > (!prev): 0x000000001cec2ab0 *** > > Gdb says: > > #0 0x00007f4bac88b067 in __GI_raise (sig=sig@entry=6) at > ../nptl/sysdeps/unix/sysv/linux/raise.c:56 > #1 0x00007f4bac88c448 in __GI_abort () at abort.c:89 > #2 0x00007f4bac8c91b4 in __libc_message (do_abort=do_abort@entry=1, > fmt=fmt@entry=0x7f4bac9be210 "*** Error in `%s': %s: 0x%s ***\n") > at ../sysdeps/posix/libc_fatal.c:175 > #3 0x00007f4bac8ce98e in malloc_printerr (action=1, > str=0x7f4bac9be318 "double free or corruption (!prev)", ptr=<optimized > out>) at malloc.c:4996 > #4 0x00007f4bac8cf696 in _int_free (av=<optimized out>, p=<optimized > out>, have_lock=0) at malloc.c:3840 > #5 0x000000000042af56 in ssl_sock_destroy_bind_conf > (bind_conf=0x1d27e810) at src/ssl_sock.c:4819 > #6 0x00000000004b1390 in deinit () at src/haproxy.c:2240 > #7 0x000000000041b83c in main (argc=<optimized out>, argv=0x7ffc22f6b4d8) > at src/haproxy.c:3094 > > I use the last 1.8.12 version.
This one looks a bit strange. I looked at it a little bit and it corresponds to the line "free(bind_conf->keys_ref->tlskeys);". Unfortunately, there is no other line in the code appearing to perfom a free on this element, and when passing through this code the key_ref is destroyed and properly nulled. I checked if it was possible for this element not to be allocated and I don't see how that could happen either. Thus I'm seeing only three possibilities : - this element was duplicated and appears at multiple places (multiple list elements) leading to a real double free - there is a memory corruption somewhere possibly resulting in this element being corrupted and not in fact victim of a double free - I can't read code and there is another free that I failed to detect. Are you able to trigger this on a trivial config ? Maybe it only happens when certain features you have in your config are enabled ? willy