[bug #48776] avrdude attempts to free() an invalid address

[bug #48776] avrdude attempts to free() an invalid address

Joerg Wunsch-6
URL:
  <http://savannah.nongnu.org/bugs/?48776>

                 Summary: avrdude attempts to free() an invalid address
                 Project: AVR Downloader/UploaDEr
            Submitted by: esot_eric
            Submitted on: Sun 14 Aug 2016 01:40:35 AM GMT
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: esot_eric
        Originator Email:
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

READING the flash into an ihex file: AVR-Dude crashes with:

*** Error in `avrdude': free(): invalid next size (normal): 0x09323798 ***
Aborted


* Linux x86-32bit
* ATmega8515
  * Tried later with ATtiny861, same problem. (also with eeprom-read)
* avr-dude v6.1
  * Tried later with v6.3, same problem.
* usb-tiny-isp v1.04 (this is the version that comes from adafruit)
  * Tried later with FT2232H-based programmer, NO PROBLEM.
  *  v1.07 has been tried with same problem at second link, below

The ihex file is written and appears to be correct.

VERY LITTLE info 'round the web about this error-message...

I think, mostly, due to the fact that the message isn't coming from avrdude,
but from glibc(?)... most OS's probably don't actually print-out an
error-message when free() is given an invalid address.

Here's what I've found:

http://www.avrfreaks.net/forum/error-avrdude-free-invalid-next-size-normal-0x000000000112c720

https://bugs.launchpad.net/ubuntu/+source/avrdude/+bug/1400185

http://www.mikrocontroller.net/attachment/301320/avrdude_crash.txt

http://savannah.nongnu.org/bugs/?41292 (not a usb-tiny-isp)

Otherwise, search-fu is failing me...

Again, from what I can tell, I think this "bug" is probably more existent than
these results, but I don't know what to search for, because, again, most OS's
probably don't even report an error, and the file *is* created, so basically
it *looks* like the program's exiting normally.

I've done a tiny bit of debugging (within my skillset) and determined that my
encounter with this error appears to occur within avrpart.c:

"avr_free_mem() -> m->buf = 0x9323798"

(maybe it was already freed?)




    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?48776>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/


_______________________________________________
avrdude-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/avrdude-dev

[bug #48776] avrdude attempts to free() an invalid address

Joerg Wunsch-6
Update of bug #48776 (project avrdude):

                Severity:              3 - Normal => 6 - Security          


    _______________________________________________________


[bug #48776] avrdude attempts to free() an invalid address

Joerg Wunsch-6
Update of bug #48776 (project avrdude):

                 Release:                    None => 6.3                    

    _______________________________________________________

Follow-up Comment #1:

Well, my major problem I'm having with this bug report is, I
cannot reproduce it.

I've got a USBtiny here (don't know which firmware level),
I tried to run AVRDUDE both with Valgrind as well as with
jemalloc's option to junk-fill the allocated memory.  No
abnormal behaviour is observable.

If you can, I'd ask you to run AVRDUDE under control of a
debugger, in the hope it might reveal a bit more of the
actual problem.

    _______________________________________________________


[bug #48776] avrdude attempts to free() an invalid address

Joerg Wunsch-6
Follow-up Comment #2, bug #48776 (project avrdude):

Cool, thanks for looking into this!

Am unfamiliar with most debugging tools, though I did attempt to use valgrind.
In so doing, it updated libc6, which apparently caused it to replace the
"free()" message with "Segmentation Fault".

Oddities surrounding use of 'sudo' (a few times, running sudo, it didn't
segfault, now it does. Same effect as not running sudo.).

Again, the read-process completes, the file is written, but the segfault
occurs after that.

---------------
Here's the output:
$ make read
rm -f flash.hex
valgrind --leak-check=yes avrdude -c usbtiny -pt861 -U flash:r:flash.hex:i
==2729== Memcheck, a memory error detector
==2729== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==2729== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==2729== Command: avrdude -c usbtiny -pt861 -U flash:r:flash.hex:i
==2729==
==2729== Invalid read of size 1
==2729==    at 0x407ADD0: usb_parse_descriptor (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407B709: usb_parse_configuration (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407D08B: usb_os_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407A791: usb_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8064026: usbtiny_open (usbtiny.c:224)
==2729==    by 0x804BB87: main (main.c:956)
==2729==  Address 0x479cada is 0 bytes after a block of size 18 alloc'd
==2729==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==2729==    by 0x407D02F: usb_os_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x407A791: usb_find_devices (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8064026: usbtiny_open (usbtiny.c:224)
==2729==    by 0x804BB87: main (main.c:956)
==2729==

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.10s

avrdude: Device signature = 0x1e930d (probably t861)
avrdude: reading flash memory:

Reading | ################################################## | 99% 22.38s
==2729== Syscall param ioctl(USBDEVFS_CONTROL).data points to unaddressable byte(s)
==2729==    at 0x4214AC9: ioctl (syscall-template.S:81)
==2729==    by 0x407C88C: usb_control_msg (in /lib/i386-linux-gnu/libusb-0.1.so.4.4.4)
==2729==    by 0x8063DA9: usb_in (usbtiny.c:123)
==2729==    by 0x80647B7: usbtiny_paged_load (usbtiny.c:461)
==2729==    by 0x804EFD5: avr_read (avr.c:405)
==2729==    by 0x80650F1: do_op (update.c:236)
==2729==    by 0x804C4E6: main (main.c:1227)
==2729==  Address 0x4755878 is 0 bytes after a block of size 8,192 alloc'd
==2729==    at 0x40291CC: malloc (vg_replace_malloc.c:296)
==2729==    by 0x8050C44: avr_initmem (avrpart.c:273)
==2729==    by 0x804B897: main (main.c:891)
==2729==
Reading | ################################################## | 100% 22.55s

avrdude: writing output file "flash.hex"

avrdude: safemode: Fuses OK (E:FF, H:DF, L:E1)

avrdude done.  Thank you.

==2729==
==2729== HEAP SUMMARY:
==2729==     in use at exit: 88,734 bytes in 99 blocks
==2729==   total heap usage: 24,085 allocs, 23,986 frees, 3,700,669 bytes allocated
==2729==
==2729== LEAK SUMMARY:
==2729==    definitely lost: 0 bytes in 0 blocks
==2729==    indirectly lost: 0 bytes in 0 blocks
==2729==      possibly lost: 0 bytes in 0 blocks
==2729==    still reachable: 88,734 bytes in 99 blocks
==2729==         suppressed: 0 bytes in 0 blocks
==2729== Reachable blocks (those to which a pointer was found) are not shown.
==2729== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2729==
==2729== For counts of detected and suppressed errors, rerun with: -v
==2729== ERROR SUMMARY: 3 errors from 2 contexts (suppressed: 0 from 0)
-------------------
here's my makefile:
VALGRIND = valgrind --leak-check=yes
#VALGRIND =
MCU = t861
AVRDUDE_PROGRAMMER = usbtiny
AVRDUDE = avrdude -c $(AVRDUDE_PROGRAMMER) -p$(MCU)

# recipe lines must be indented with a tab, not spaces
read:
	rm -f flash.hex
	$(VALGRIND) $(AVRDUDE) -U flash:r:flash.hex:i

#	$(AVRDUDE) -U eeprom:r:$(BACKUP_DIR)/eeprom.hex:i

-------------
If you've got specific instructions for what to try, lemme know.

Oh, currently it's connected via USB2.0 hub, if that helps.

    _______________________________________________________


[bug #48776] avrdude attempts to free() an invalid address

Joerg Wunsch-6
Follow-up Comment #3, bug #48776 (project avrdude):

I think I found the problem. In usbtiny_paged_load chunk_size was 128 but
n_bytes 64. This could result in a buffer overflow corrupting memory and causing
free to fail. Limiting the chunk size fixed the crash.

    _______________________________________________________

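Comment #3 above pins the crash on a paged read whose transfer chunk (128 bytes) was larger than the bytes actually requested (64): the last transfer ran past the end of the memory buffer (the 8,192-byte block from avr_initmem that Valgrind flagged in comment #2 as "0 bytes after a block of size 8,192") and into the header of the neighbouring heap chunk, which glibc only noticed later, when free() checked that header and aborted with "free(): invalid next size". The C program below is an added example and not AVRDUDE's code: it models that loop with a hypothetical fake_usb_in stand-in for the USB control transfer, shows the unchecked variant beside one that clamps each transfer to the bytes remaining, and measures how far each writes past the buffer by placing a guard region where the next heap chunk would sit. The function names (paged_load_unsafe, paged_load_safe, run_paged_load, expected_overrun) are invented for the example.

```c
/* Added example (not AVRDUDE source): models the paged-read loop behind
 * bug #48776.  fake_usb_in, paged_load_unsafe, paged_load_safe,
 * expected_overrun and run_paged_load are hypothetical stand-ins for the
 * real usbtiny code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_BYTE 0xA5   /* pattern placed where the next heap chunk would be */

/* Stand-in for the USB control transfer: the device returns `chunk`
 * bytes for page `addr`, and the caller has promised room for all of them.
 * Payload bytes are masked to 0x00..0x7F so they can never equal GUARD_BYTE. */
static void fake_usb_in(uint8_t *dst, unsigned chunk, unsigned addr)
{
    for (unsigned i = 0; i < chunk; i++)
        dst[i] = (uint8_t)((addr + i) & 0x7F);
}

/* Bug pattern from the report: every transfer is a full chunk_size, even
 * when fewer than chunk_size bytes remain in the request (n_bytes = 64,
 * chunk_size = 128 writes 64 bytes beyond buf). */
static void paged_load_unsafe(uint8_t *buf, unsigned n_bytes, unsigned chunk_size)
{
    for (unsigned addr = 0; addr < n_bytes; addr += chunk_size)
        fake_usb_in(buf + addr, chunk_size, addr);
}

/* Fix pattern: limit the last transfer to the bytes still requested. */
static void paged_load_safe(uint8_t *buf, unsigned n_bytes, unsigned chunk_size)
{
    for (unsigned addr = 0; addr < n_bytes; addr += chunk_size) {
        unsigned chunk = chunk_size;
        if (chunk > n_bytes - addr)
            chunk = n_bytes - addr;
        fake_usb_in(buf + addr, chunk, addr);
    }
}

/* How far the unchecked loop overshoots: the unused tail of the last chunk. */
unsigned expected_overrun(unsigned n_bytes, unsigned chunk_size)
{
    unsigned rem = n_bytes % chunk_size;
    return rem ? chunk_size - rem : 0;
}

/* Runs one variant into an n_bytes buffer followed by chunk_size guard
 * bytes (the guard absorbs the worst-case overshoot, so the demo itself
 * stays inside its own allocation).  Returns the number of guard bytes
 * overwritten; on a real heap those bytes hold the next chunk's size
 * field, which is what glibc's free() later rejects.  Returns (unsigned)-1
 * if the requested bytes themselves came out wrong. */
unsigned run_paged_load(int safe, unsigned n_bytes, unsigned chunk_size)
{
    uint8_t *block = malloc(n_bytes + chunk_size);
    if (!block)
        return (unsigned)-1;
    memset(block, 0xFF, n_bytes);
    memset(block + n_bytes, GUARD_BYTE, chunk_size);

    if (safe)
        paged_load_safe(block, n_bytes, chunk_size);
    else
        paged_load_unsafe(block, n_bytes, chunk_size);

    unsigned clobbered = 0;
    for (unsigned i = 0; i < chunk_size; i++)
        if (block[n_bytes + i] != GUARD_BYTE)
            clobbered++;

    /* Both variants must still deliver the requested bytes correctly. */
    for (unsigned i = 0; i < n_bytes; i++)
        if (block[i] != (uint8_t)(i & 0x7F))
            clobbered = (unsigned)-1;

    free(block);
    return clobbered;
}

int main(void)
{
    /* Figures from the report: 64 bytes requested, 128-byte chunks. */
    printf("unsafe: %u bytes written past the buffer\n", run_paged_load(0, 64, 128));
    printf("safe:   %u bytes written past the buffer\n", run_paged_load(1, 64, 128));
    return 0;
}
```

The guard region makes the overshoot visible without crashing the demo; with a real allocator the same 64 stray bytes land on the next chunk's metadata and the failure only surfaces at the later free(), which is why the reporter saw the file written correctly before the abort. Valgrind or AddressSanitizer would flag the write itself at the offending transfer, as the "Syscall param ioctl(USBDEVFS_CONTROL).data points to unaddressable byte(s)" report in comment #2 did.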