[bug #48776] avrdude attempts to free() an invalid address


[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
URL:
  <http://savannah.nongnu.org/bugs/?48776>

                 Summary: avrdude attempts to free() an invalid address
                 Project: AVR Downloader/UploaDEr
            Submitted by: esot_eric
            Submitted on: Sun 14 Aug 2016 01:40:35 AM GMT
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: esot_eric
        Originator Email:
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

READING the flash into an ihex file: AVR-Dude crashes with:

*** Error in `avrdude': free(): invalid next size (normal): 0x09323798 ***
Aborted


* Linux x86-32bit
* ATmega8515
  * Tried later with ATtiny861, same problem. (also with eeprom-read)
* avr-dude v6.1
  * Tried later with v6.3, same problem.
* usb-tiny-isp v1.04 (this is the version that comes from adafruit)
  * Tried later with FT2232H-based programmer, NO PROBLEM.
  *  v1.07 has been tried with same problem at second link, below

The ihex file is written and appears to be correct.

VERY LITTLE info 'round the web about this error-message...

I think, mostly, due to the fact that the message isn't coming from avrdude,
but from glibc(?)... most OS's probably don't actually print-out an
error-message when free() is given an invalid address.

Here's what I've found:

http://www.avrfreaks.net/forum/error-avrdude-free-invalid-next-size-normal-0x000000000112c720

https://bugs.launchpad.net/ubuntu/+source/avrdude/+bug/1400185

http://www.mikrocontroller.net/attachment/301320/avrdude_crash.txt

http://savannah.nongnu.org/bugs/?41292 (not a usb-tiny-isp)

Otherwise, search-fu is failing me...

Again, from what I can tell, I think this "bug" is probably more existent than
these results, but I don't know what to search for, because, again, most OS's
probably don't even report an error, and the file *is* created, so basically
it *looks* like the program's exiting normally.

I've done a tiny bit of debugging (within my skillset) and determined that my
encounter with this error appears to occur within avrpart.c:

"avr_free_mem() -> m->buf = 0x9323798"

(maybe it was already freed?)




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?48776>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/


_______________________________________________
avrdude-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/avrdude-dev

[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Update of bug #48776 (project avrdude):

                Severity:              3 - Normal => 6 - Security          



[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Update of bug #48776 (project avrdude):

                 Release:                    None => 6.3                    

    _______________________________________________________

Follow-up Comment #1:

Well, my major problem I'm having with this bug report is, I
cannot reproduce it.

I've got a USBtiny here (don't know which firmware level),
I tried to run AVRDUDE both with Valgrind as well as with
jemalloc's option to junk-fill the allocated memory.  No
abnormal behaviour is observable.

If you can, I'd ask you to run AVRDUDE under control of a
debugger, in the hope it might reveal a bit more of the
actual problem.


[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Follow-up Comment #2, bug #48776 (project avrdude):

Cool, thanks for looking into this!

Am unfamiliar with most debugging tools, though I did attempt to use valgrind.
In so doing, it updated libc6, which apparently caused it to replace the
"free()" message with "Segmentation Fault".

Oddities surrounding use of 'sudo' (a few times, running sudo, it didn't
segfault, now it does. Same effect as not running sudo.).

Again, the read-process completes, the file is written, but the segfault
occurs after that.

---------------
Here's the output:
$ make read
rm -f flash.hex
valgrind --leak-check=yes avrdude -c usbtiny -pt861 -U flash:r:flash.hex:i
==2729== Memcheck, a memory error detector
==2729== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2729== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2729== Command: avrdude -c usbtiny -pt861 -U flash:r:flash.hex:i
==2729==
==2729== Invalid read of size 1
==2729==    at 0x407ADD0: usb_parse_descriptor (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407B709: usb_parse_configuration (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407D08B: usb_os_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407A791: usb_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8064026: usbtiny_open (usbtiny.c:224)
==2729==    by 0x804BB87: main (main.c:956)
==2729==  Address 0x479cada is 0 bytes after a block of size 18 alloc'd
==2729==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==2729==    by 0x407D02F: usb_os_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407A791: usb_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8064026: usbtiny_open (usbtiny.c:224)
==2729==    by 0x804BB87: main (main.c:956)
==2729==

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.10s

avrdude: Device signature = 0x1e930d (probably t861)
avrdude: reading flash memory:

Reading | ################################################## | 99% 22.38s
==2729== Syscall param ioctl(USBDEVFS_CONTROL).data points to unaddressable byte(s)
==2729==    at 0x4214AC9: ioctl (syscall-template.S:81)
==2729==    by 0x407C88C: usb_control_msg (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8063DA9: usb_in (usbtiny.c:123)
==2729==    by 0x80647B7: usbtiny_paged_load (usbtiny.c:461)
==2729==    by 0x804EFD5: avr_read (avr.c:405)
==2729==    by 0x80650F1: do_op (update.c:236)
==2729==    by 0x804C4E6: main (main.c:1227)
==2729==  Address 0x4755878 is 0 bytes after a block of size 8,192 alloc'd
==2729==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==2729==    by 0x8050C44: avr_initmem (avrpart.c:273)
==2729==    by 0x804B897: main (main.c:891)
==2729==
Reading | ################################################## | 100% 22.55s

avrdude: writing output file "flash.hex"

avrdude: safemode: Fuses OK (E:FF, H:DF, L:E1)

avrdude done.  Thank you.

==2729==
==2729== HEAP SUMMARY:
==2729==     in use at exit: 88,734 bytes in 99 blocks
==2729==   total heap usage: 24,085 allocs, 23,986 frees, 3,700,669 bytes allocated
==2729==
==2729== LEAK SUMMARY:
==2729==    definitely lost: 0 bytes in 0 blocks
==2729==    indirectly lost: 0 bytes in 0 blocks
==2729==      possibly lost: 0 bytes in 0 blocks
==2729==    still reachable: 88,734 bytes in 99 blocks
==2729==         suppressed: 0 bytes in 0 blocks
==2729== Reachable blocks (those to which a pointer was found) are not shown.
==2729== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2729==
==2729== For counts of detected and suppressed errors, rerun with: -v
==2729== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
-------------------
here's my makefile:
VALGRIND = valgrind --leak-check=yes
#VALGRIND =
MCU = t861
AVRDUDE_PROGRAMMER = usbtiny
AVRDUDE = avrdude -c $(AVRDUDE_PROGRAMMER) -p$(MCU)

# recipe lines must be indented with a tab, not spaces
read:
	rm -f flash.hex
	$(VALGRIND) $(AVRDUDE) -U flash:r:flash.hex:i

# $(AVRDUDE) -U eeprom:r:$(BACKUP_DIR)/eeprom.hex:i

-------------
If you've got specific instructions for what to try, lemme know.

Oh, currently it's connected via USB2.0 hub, if that helps.


[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Follow-up Comment #3, bug #48776 (project avrdude):

I think I found the problem. In usbtiny_page_load chunk_size was 128 but
n_bytes 64. This could result in buffer overflow corrupting memory and causing
free to fail. Limiting the chunk size fixed the crash.

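The defect described in comment #3, a per-transfer request size that is larger than the bytes left in the destination buffer, as an added C example (editor's illustration, not avrdude source). mock_usb_in() is a hypothetical stand-in for usbtiny's usb_in(): it returns exactly as many bytes as the host asks for, which is what a real programmer does. The buffer is allocated with a guard region behind it so the overrun lands on memory the program owns and can be counted, instead of on the next glibc chunk header. The 64-byte memory with a 128-byte chunk is the pair of numbers from comment #3; the other inputs are made up to show that a memory whose size is a whole multiple of the chunk size never overruns, which is one reason the symptom depends on which part and which memory is being read.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  256    /* bytes placed directly after the buffer */
#define GUARD_BYTE 0xA5   /* pattern we check afterwards; fake data never produces it */

/* Hypothetical stand-in for usbtiny's usb_in(): the programmer answers with
 * exactly `chunk` bytes regardless of how much room the caller has left.
 * The fake "flash contents" are masked to 7 bits so they can never equal
 * GUARD_BYTE and hide a clobbered guard byte. */
static void mock_usb_in(uint8_t *dst, unsigned addr, size_t chunk)
{
    for (size_t i = 0; i < chunk; i++)
        dst[i] = (uint8_t)((addr + i) & 0x7F);
}

/* Models the read loop in usbtiny_paged_load(): request chunk_size bytes per
 * transfer until maxaddr (= the memory size) is reached, copying each reply
 * into m->buf at offset addr.  clamp == 0 is the pre-patch shape; clamp != 0
 * limits the request to the bytes remaining, as the patch in comment #5 does.
 *
 * Returns the number of guard bytes overwritten, 0 when the read stayed in
 * bounds.  On a real heap the bytes directly after m->buf hold the next
 * chunk's size field, which is what glibc's "free(): invalid next size"
 * check trips over. */
size_t paged_load_overrun(size_t n_bytes, size_t chunk_size, int clamp)
{
    /* Keep the worst-case overrun (chunk_size - 1) inside the guard. */
    assert(chunk_size > 0 && chunk_size <= GUARD_LEN);

    uint8_t *region = malloc(n_bytes + GUARD_LEN);
    assert(region != NULL);
    uint8_t *buf   = region;             /* plays the role of m->buf            */
    uint8_t *guard = region + n_bytes;   /* plays the role of the next heap chunk */
    memset(guard, GUARD_BYTE, GUARD_LEN);

    size_t maxaddr = n_bytes;
    for (size_t addr = 0, chunk = 0; addr < maxaddr; addr += chunk) {
        chunk = chunk_size;                      /* start with the maximum chunk size */
        if (clamp && chunk > maxaddr - addr)
            chunk = maxaddr - addr;              /* the fix: never ask for more than is left */
        mock_usb_in(buf + addr, (unsigned)addr, chunk);
    }

    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (guard[i] != GUARD_BYTE)
            clobbered++;

    free(region);   /* safe here only because the guard absorbed the overrun */
    return clobbered;
}

int main(void)
{
    /* Values from comment #3: a 64-byte memory read with a 128-byte chunk. */
    printf("unclamped: %zu bytes written past the buffer\n",
           paged_load_overrun(64, 128, 0));
    printf("clamped:   %zu bytes written past the buffer\n",
           paged_load_overrun(64, 128, 1));
    return 0;
}
```

Without the clamp the single 128-byte request for a 64-byte memory spills 64 bytes past the buffer; with it the request is cut to 64 and nothing is touched. In avrdude the spilled bytes are whatever the device sent, so the corrupted chunk header is only noticed much later, at the free() in avr_free_mem() the reporter saw, long after the output file has been written. Valgrind reports it at the write itself (the ioctl parameter check in comment #2) because it tracks the allocation's real size.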

[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Follow-up Comment #4, bug #48776 (project avrdude):

I just encountered this problem as well in avrdude 6.3-2; here's a stack trace
and memory map, in case you want it.

$ avrdude -c usbtiny -p m644 -U eeprom:r:eeprom.bkp.hex:i

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.00s

avrdude: Device signature = 0x1e9609 (probably m644)
avrdude: reading eeprom memory:

Reading | ################################################## | 100% 31.47s

avrdude: writing output file "eeprom.bkp.hex"

avrdude: safemode: Fuses OK (E:FD, H:DC, L:FE)

avrdude done.  Thank you.

*** Error in `avrdude': free(): invalid next size (normal): 0x000055d662d446a0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f8d22582bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f8d22588f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x777de)[0x7f8d225897de]
avrdude(+0xb1d5)[0x55d6625f01d5]
avrdude(+0xcafe)[0x55d6625f1afe]
avrdude(+0xbc3a)[0x55d6625f0c3a]
avrdude(+0xcafe)[0x55d6625f1afe]
avrdude(+0xc0d7)[0x55d6625f10d7]
/lib/x86_64-linux-gnu/libc.so.6(+0x35910)[0x7f8d22547910]
/lib/x86_64-linux-gnu/libc.so.6(+0x3596a)[0x7f8d2254796a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf8)[0x7f8d225322b8]
avrdude(+0x6fda)[0x55d6625ebfda]
======= Memory map: ========
55d6625e5000-55d662653000 r-xp 00000000 103:07 6820509 /usr/bin/avrdude
55d662853000-55d662854000 r--p 0006e000 103:07 6820509 /usr/bin/avrdude
55d662854000-55d662855000 rw-p 0006f000 103:07 6820509 /usr/bin/avrdude
55d662855000-55d66285c000 rw-p 00000000 00:00 0
55d662d44000-55d66306d000 rw-p 00000000 00:00 0 [heap]
7f8d1c000000-7f8d1c021000 rw-p 00000000 00:00 0
7f8d1c021000-7f8d20000000 ---p 00000000 00:00 0
7f8d21edd000-7f8d21ef3000 r-xp 00000000 103:07 3801623 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8d21ef3000-7f8d220f2000 ---p 00016000 103:07 3801623 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8d220f2000-7f8d220f3000 r--p 00015000 103:07 3801623 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8d220f3000-7f8d220f4000 rw-p 00016000 103:07 3801623 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8d220f4000-7f8d220f7000 r-xp 00000000 103:07 3802227 /lib/x86_64-linux-gnu/libdl-2.24.so
7f8d220f7000-7f8d222f6000 ---p 00003000 103:07 3802227 /lib/x86_64-linux-gnu/libdl-2.24.so
7f8d222f6000-7f8d222f7000 r--p 00002000 103:07 3802227 /lib/x86_64-linux-gnu/libdl-2.24.so
7f8d222f7000-7f8d222f8000 rw-p 00003000 103:07 3802227 /lib/x86_64-linux-gnu/libdl-2.24.so
7f8d222f8000-7f8d22311000 r-xp 00000000 103:07 3801566 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f8d22311000-7f8d22510000 ---p 00019000 103:07 3801566 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f8d22510000-7f8d22511000 r--p 00018000 103:07 3801566 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f8d22511000-7f8d22512000 rw-p 00019000 103:07 3801566 /lib/x86_64-linux-gnu/libz.so.1.2.8
7f8d22512000-7f8d226a7000 r-xp 00000000 103:07 3802194 /lib/x86_64-linux-gnu/libc-2.24.so
7f8d226a7000-7f8d228a7000 ---p 00195000 103:07 3802194 /lib/x86_64-linux-gnu/libc-2.24.so
7f8d228a7000-7f8d228ab000 r--p 00195000 103:07 3802194 /lib/x86_64-linux-gnu/libc-2.24.so
7f8d228ab000-7f8d228ad000 rw-p 00199000 103:07 3802194 /lib/x86_64-linux-gnu/libc-2.24.so
7f8d228ad000-7f8d228b1000 rw-p 00000000 00:00 0
7f8d228b1000-7f8d228d6000 r-xp 00000000 103:07 3801341 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f8d228d6000-7f8d22ad6000 ---p 00025000 103:07 3801341 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f8d22ad6000-7f8d22ada000 r--p 00025000 103:07 3801341 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f8d22ada000-7f8d22adb000 rw-p 00029000 103:07 3801341 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7f8d22adb000-7f8d22afc000 r-xp 00000000 103:07 3801262 /lib/x86_64-linux-gnu/libncurses.so.5.9
7f8d22afc000-7f8d22cfc000 ---p 00021000 103:07 3801262 /lib/x86_64-linux-gnu/libncurses.so.5.9
7f8d22cfc000-7f8d22cfd000 r--p 00021000 103:07 3801262 /lib/x86_64-linux-gnu/libncurses.so.5.9
7f8d22cfd000-7f8d22cfe000 rw-p 00022000 103:07 3801262 /lib/x86_64-linux-gnu/libncurses.so.5.9
7f8d22cfe000-7f8d22d42000 r-xp 00000000 103:07 3801174 /lib/x86_64-linux-gnu/libreadline.so.7.0
7f8d22d42000-7f8d22f41000 ---p 00044000 103:07 3801174 /lib/x86_64-linux-gnu/libreadline.so.7.0
7f8d22f41000-7f8d22f43000 r--p 00043000 103:07 3801174 /lib/x86_64-linux-gnu/libreadline.so.7.0
7f8d22f43000-7f8d22f49000 rw-p 00045000 103:07 3801174 /lib/x86_64-linux-gnu/libreadline.so.7.0
7f8d22f49000-7f8d22f4b000 rw-p 00000000 00:00 0
7f8d22f4b000-7f8d2304e000 r-xp 00000000 103:07 3802232 /lib/x86_64-linux-gnu/libm-2.24.so
7f8d2304e000-7f8d2324d000 ---p 00103000 103:07 3802232 /lib/x86_64-linux-gnu/libm-2.24.so
7f8d2324d000-7f8d2324e000 r--p 00102000 103:07 3802232 /lib/x86_64-linux-gnu/libm-2.24.so
7f8d2324e000-7f8d2324f000 rw-p 00103000 103:07 3802232 /lib/x86_64-linux-gnu/libm-2.24.so
7f8d2324f000-7f8d23267000 r-xp 00000000 103:07 3802268 /lib/x86_64-linux-gnu/libpthread-2.24.so
7f8d23267000-7f8d23466000 ---p 00018000 103:07 3802268 /lib/x86_64-linux-gnu/libpthread-2.24.so
7f8d23466000-7f8d23467000 r--p 00017000 103:07 3802268 /lib/x86_64-linux-gnu/libpthread-2.24.so
7f8d23467000-7f8d23468000 rw-p 00018000 103:07 3802268 /lib/x86_64-linux-gnu/libpthread-2.24.so
7f8d23468000-7f8d2346c000 rw-p 00000000 00:00 0
7f8d2346c000-7f8d23483000 r-xp 00000000 103:07 6822009 /usr/lib/x86_64-linux-gnu/libelf-0.168.so
7f8d23483000-7f8d23682000 ---p 00017000 103:07 6822009 /usr/lib/x86_64-linux-gnu/libelf-0.168.so
7f8d23682000-7f8d23683000 r--p 00016000 103:07 6822009 /usr/lib/x86_64-linux-gnu/libelf-0.168.so
7f8d23683000-7f8d23684000 rw-p 00017000 103:07 6822009 /usr/lib/x86_64-linux-gnu/libelf-0.168.so
7f8d23684000-7f8d2368b000 r-xp 00000000 103:07 3801237 /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
7f8d2368b000-7f8d2388a000 ---p 00007000 103:07 3801237 /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
7f8d2388a000-7f8d2388b000 r--p 00006000 103:07 3801237 /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
7f8d2388b000-7f8d2388c000 rw-p 00007000 103:07 3801237 /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4
7f8d2388c000-7f8d2388d000 rw-p 00000000 00:00 0
7f8d2388d000-7f8d23894000 r-xp 00000000 103:07 6820189 /usr/lib/x86_64-linux-gnu/libftdi.so.1.20.0
7f8d23894000-7f8d23a93000 ---p 00007000 103:07 6820189 /usr/lib/x86_64-linux-gnu/libftdi.so.1.20.0
7f8d23a93000-7f8d23a94000 r--p 00006000 103:07 6820189 /usr/lib/x86_64-linux-gnu/libftdi.so.1.20.0
7f8d23a94000-7f8d23a95000 rw-p 00007000 103:07 6820189 /usr/lib/x86_64-linux-gnu/libftdi.so.1.20.0
7f8d23a95000-7f8d23ab8000 r-xp 00000000 103:07 3802102 /lib/x86_64-linux-gnu/ld-2.24.so
7f8d23c82000-7f8d23c88000 rw-p 00000000 00:00 0
7f8d23cb4000-7f8d23cb8000 rw-p 00000000 00:00 0
7f8d23cb8000-7f8d23cb9000 r--p 00023000 103:07 3802102 /lib/x86_64-linux-gnu/ld-2.24.so
7f8d23cb9000-7f8d23cba000 rw-p 00024000 103:07 3802102 /lib/x86_64-linux-gnu/ld-2.24.so
7f8d23cba000-7f8d23cbb000 rw-p 00000000 00:00 0
7ffdbfcc7000-7ffdbfce8000 rw-p 00000000 00:00 0 [stack]
7ffdbfd6b000-7ffdbfd6d000 r--p 00000000 00:00 0 [vvar]
7ffdbfd6d000-7ffdbfd6f000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
$


[bug #48776] avrdude attempts to free() an invalid address

Jan Egil Ruud
Follow-up Comment #5, bug #48776 (project avrdude):

Here is a patch I use.

Index: avrdude/usbtiny.c
===================================================================
--- avrdude/usbtiny.c (revision 1395)
+++ avrdude/usbtiny.c (working copy)
@@ -455,6 +455,10 @@
 
   for (; addr < maxaddr; addr += chunk) {
     chunk = PDATA(pgm)->chunk_size;         // start with the maximum chunk
size possible
+    
+    if (chunk > maxaddr - addr) {
+        chunk = maxaddr - addr;
+    }
 
     // Send the chunk of data to the USBtiny with the function we want
     // to perform
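Review bot: The new clamp in usbtiny_paged_load carries no comment saying why it is there, and this is the line that stops the USBtiny reply from running past m->buf (the "0 bytes after a block of size 8,192" overrun Valgrind reported in comment #2), so the reason should be on the spot; something like `// never request more than the bytes left in m->buf` above the `if` would do. Two style points in the same hunk: the added lines indent by four spaces while the surrounding code uses two, and the `+    ` line before the `if` is whitespace-only; both should be cleaned up before this goes in.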
@@ -510,6 +514,10 @@
   for (; addr < maxaddr; addr += chunk) {
     // start with the max chunk size
     chunk = PDATA(pgm)->chunk_size;
+    
+    if (chunk > maxaddr - addr) {
+        chunk = maxaddr - addr;
+    }
 
     // we can only write a page at a time anyways
     if (m->paged && chunk > page_size)
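Review bot: This is the same three-line clamp as the read hunk, duplicated verbatim in usbtiny_paged_write, and two lines further down the chunk is limited again by the `chunk > page_size` test. Since both are minimum operations the order does not matter, but the two copies will drift apart over time; either fold the new check into the existing page-size `if` or put the clamp in a small static helper used by both loops. The four-space indent and the whitespace-only `+    ` line apply here as well.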

