Bug #3882

SEGV - SAT>IP with descramble

Added by Luis Alves about 1 year ago. Updated about 1 year ago.

Status: New
Start date: 2016-07-02
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Found in version: https://github.com/tvheadend/tvheadend/tree/f34fac1aab4635c83f209ae31564ddf62c870f21
Affected Versions:

Description

Tvheadend as SAT>IP server with service descrambling on
Consistent crash (and quick)

Compiled from: https://github.com/tvheadend/tvheadend/tree/f34fac1aab4635c83f209ae31564ddf62c870f21

clang output:

=================================================================
==26835==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x563849b04012 sp 0x7fccb8df3a80 bp 0x7fccb8df3bd0 T50)
==26835==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x563849b04011 in mpegts_pid_rexists /root/tvheadend_debug/src/input/mpegts.h:111
#2 0x563849b03154 in ts_recv_skipped0 /root/tvheadend_debug/src/input/mpegts/tsdemux.c:167
#4 0x563849b01afd in ts_skip_packet2 /root/tvheadend_debug/src/input/mpegts/tsdemux.c:284
#6 0x563849a88a6e in descrambler_data_cut /root/tvheadend_debug/src/descrambler/descrambler.c:108
#8 0x563849a855c2 in descrambler_descramble /root/tvheadend_debug/src/descrambler/descrambler.c:814
#10 0x563849afd57a in ts_recv_packet1 /root/tvheadend_debug/src/input/mpegts/tsdemux.c:232
#12 0x563849af65a7 in mpegts_input_process /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1366
#14 0x563849af1c4b in mpegts_input_thread /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1507
#16 0x56384933b4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#18 0x7fcce2fe46f9 in start_thread ??:?
#20 0x7fcce2061b5c in clone ??:?

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T50 (tvh:mi-main) created by T20 (tvh:mtimer) here:
#0 0x56384925c0b2 in pthread_create ??:?
#2 0x56384933aedb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#4 0x563849aec18f in mpegts_input_thread_start /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1750
#6 0x56384929e1f4 in mtimer_thread /root/tvheadend_debug/src/main.c:618
#8 0x56384933b4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#10 0x7fcce2fe46f9 in start_thread ??:?

Thread T20 (tvh:mtimer) created by T0 here:
#0 0x56384925c0b2 in pthread_create ??:?
#2 0x56384933aedb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#4 0x563849297051 in main /root/tvheadend_debug/src/main.c:1261
#6 0x7fcce1f7b82f in __libc_start_main ??:?

==26835==ABORTING

History

#1 Updated by Luis Alves about 1 year ago

Same conditions, but now a different one (heap-use-after-free)

=================================================================
==28339==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900094a488 at pc 0x564a68fecd73 bp 0x7f406431d1f0 sp 0x7f406431d1e8
READ of size 4 at 0x61900094a488 thread T51 (tvh:mi-main)
==28339==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x564a68fecd72 in service_set_streaming_status_flags /root/tvheadend_debug/src/service.h:570
#1 0x564a68fecd72 in ?? ??:0
#2 0x564a68ff2747 in ts_recv_raw /root/tvheadend_debug/src/input/mpegts/tsdemux.c:297
#3 0x564a68ff2747 in ?? ??:0
#4 0x564a68fe4f0c in mpegts_input_process /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1357
#5 0x564a68fe4f0c in ?? ??:0
#6 0x564a68fe0c4b in mpegts_input_thread /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1507
#7 0x564a68fe0c4b in ?? ??:0
#8 0x564a6882a4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#9 0x564a6882a4c7 in ?? ??:0
#10 0x7f408f0136f9 in __reclaim_stacks ??:?
#11 0x7f408f0136f9 in ?? ??:0
#12 0x7f408e090b5c in argp_error ??:?
#13 0x7f408e090b5c in ?? ??:0

0x61900094a488 is located 520 bytes inside of 984-byte region [0x61900094a280,0x61900094a658)
freed by thread T20 (tvh:mtimer) here:
#0 0x564a6875ba79 in free ??:?
#1 0x564a6875ba79 in ?? ??:0
#2 0x564a689d8806 in service_unref /root/tvheadend_debug/src/service.c:882
#3 0x564a689d8806 in ?? ??:0
#4 0x564a689da20e in service_destroy /root/tvheadend_debug/src/service.c:946
#5 0x564a689da20e in ?? ??:0
#6 0x564a689dab99 in service_remove_raw_timer_cb /root/tvheadend_debug/src/service.c:954
#7 0x564a689dab99 in ?? ??:0
#8 0x564a6878d1f4 in mtimer_thread /root/tvheadend_debug/src/main.c:618
#9 0x564a6878d1f4 in ?? ??:0
#10 0x564a6882a4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#11 0x564a6882a4c7 in ?? ??:0
#12 0x7f408f0136f9 in __reclaim_stacks ??:?
#13 0x7f408f0136f9 in ?? ??:0

previously allocated by thread T116 (tvh:tcp-start) here:
#0 0x564a6875bcc9 in calloc ??:?
#1 0x564a6875bcc9 in ?? ??:0
#2 0x564a6906c6a5 in mpegts_service_create_raw /root/tvheadend_debug/src/input/mpegts/mpegts_service.c:1021
#3 0x564a6906c6a5 in ?? ??:0
#4 0x564a689b9a19 in subscription_create_from_mux /root/tvheadend_debug/src/subscriptions.c:871
#5 0x564a689b9a19 in ?? ??:0
#6 0x564a68f3c79a in rtsp_start /root/tvheadend_debug/src/satip/rtsp.c:575
#7 0x564a68f3c79a in ?? ??:0
#8 0x564a68f2d47f in rtsp_process_play /root/tvheadend_debug/src/satip/rtsp.c:1384
#9 0x564a68f2d47f in ?? ??:0
#10 0x564a68f28f7c in rtsp_process_request /root/tvheadend_debug/src/satip/rtsp.c:1480
#11 0x564a68f28f7c in ?? ??:0
#12 0x564a688a316e in process_request /root/tvheadend_debug/src/http.c:1178
#13 0x564a688a316e in ?? ??:0
#14 0x564a6889f299 in http_serve_requests /root/tvheadend_debug/src/http.c:1476
#15 0x564a6889f299 in ?? ??:0
#16 0x564a68f262a4 in rtsp_serve /root/tvheadend_debug/src/satip/rtsp.c:1554
#17 0x564a68f262a4 in ?? ??:0
#18 0x564a688704e7 in tcp_server_start /root/tvheadend_debug/src/tcp.c:645
#19 0x564a688704e7 in ?? ??:0
#20 0x564a6882a4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#21 0x564a6882a4c7 in ?? ??:0
#22 0x7f408f0136f9 in __reclaim_stacks ??:?
#23 0x7f408f0136f9 in ?? ??:0

Thread T51 (tvh:mi-main) created by T20 (tvh:mtimer) here:
#0 0x564a6874b0b2 in pthread_create ??:?
#1 0x564a6874b0b2 in ?? ??:0
#2 0x564a68829edb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#3 0x564a68829edb in ?? ??:0
#4 0x564a68fdb18f in mpegts_input_thread_start /root/tvheadend_debug/src/input/mpegts/mpegts_input.c:1750
#5 0x564a68fdb18f in ?? ??:0
#6 0x564a6878d1f4 in mtimer_thread /root/tvheadend_debug/src/main.c:618
#7 0x564a6878d1f4 in ?? ??:0
#8 0x564a6882a4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#9 0x564a6882a4c7 in ?? ??:0
#10 0x7f408f0136f9 in __reclaim_stacks ??:?
#11 0x7f408f0136f9 in ?? ??:0

Thread T20 (tvh:mtimer) created by T0 here:
#0 0x564a6874b0b2 in pthread_create ??:?
#1 0x564a6874b0b2 in ?? ??:0
#2 0x564a68829edb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#3 0x564a68829edb in ?? ??:0
#4 0x564a68786051 in main /root/tvheadend_debug/src/main.c:1261
#5 0x564a68786051 in ?? ??:0
#6 0x7f408dfaa82f in ?? ??:0
#7 0x7f408dfaa82f in ?? ??:0

Thread T116 (tvh:tcp-start) created by T13 (tvh:tcp-loop) here:
#0 0x564a6874b0b2 in pthread_create ??:?
#1 0x564a6874b0b2 in ?? ??:0
#2 0x564a68829edb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#3 0x564a68829edb in ?? ??:0
#4 0x564a6886e48e in tcp_server_loop /root/tvheadend_debug/src/tcp.c:738
#5 0x564a6886e48e in ?? ??:0
#6 0x564a6882a4c7 in thread_wrapper /root/tvheadend_debug/src/wrappers.c:159
#7 0x564a6882a4c7 in ?? ??:0
#8 0x7f408f0136f9 in __reclaim_stacks ??:?
#9 0x7f408f0136f9 in ?? ??:0

Thread T13 (tvh:tcp-loop) created by T0 here:
#0 0x564a6874b0b2 in pthread_create ??:?
#1 0x564a6874b0b2 in ?? ??:0
#2 0x564a68829edb in tvhthread_create /root/tvheadend_debug/src/wrappers.c:177
#3 0x564a68829edb in ?? ??:0
#4 0x564a6886c87e in tcp_server_init /root/tvheadend_debug/src/tcp.c:1112
#5 0x564a6886c87e in ?? ??:0
#6 0x564a68785cbd in main /root/tvheadend_debug/src/main.c:1207
#7 0x564a68785cbd in ?? ??:0
#8 0x7f408dfaa82f in ?? ??:0
#9 0x7f408dfaa82f in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
==28339==ABORTING

#2 Updated by Luis Alves about 1 year ago

Another one:

tvheadend: src/input/mpegts/mpegts_service.c:993: mpegts_service_link: Asserção `((slave)->s_slaves_link.le_next == ((void*)0) && (slave)->s_slaves_link.le_prev == ((void*)0))' falhou.
2016-07-02 03:37:20.782 [ ALERT] CRASH: Signal: 6 in PRG: ./build.linux/tvheadend (4.1-2140~gf34fac1) [07ec40a9235d46e72ba36e4802adfb5165f84473] CWD: /root/tvheadend_debug
2016-07-02 03:37:20.782 [ ALERT] CRASH: Fault address 0x74ca (N/A)
(...)
