ASAN use-after-free in m_reconnections #33615

issue Crypt-iQ openend this issue on October 13, 2025
  1. Crypt-iQ commented at 5:23 pm on October 13, 2025: contributor

    I ran into this while shutting my node down during IBD. I think it’s benign.

    What happens:

    • CConnman is started here.
      • This initializes semOutbound here.
    • While CConnman is active, m_reconnections is added to in DisconnectNodes here.
    • CConnman is stopped here
      • The call to Stop will call StopNodes which will reset semOutbound here.
    • ~CConnman is invoked a few lines below here.
      • In addition to calling Stop a second time, it also destructs a possibly non-empty m_reconnections (a list of ReconnectionInfo which contains a pointer to the memory that semOutbound also pointed to) by calling clear(). To destroy each element of m_reconnections, it looks like it accesses the grant field but that memory was already freed.

    I haven’t been able to reproduce this reliably, it appears timing-dependent. I think this can be fixed by calling WITH_LOCK(m_reconnections_mutex, m_reconnections.clear()) before this line.

    ASAN output:

     0=================================================================
 1==22244==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020018ba9d0 at pc 0x000100837e58 bp 0x00016f826280 sp 0x00016f826278
 2WRITE of size 8 at 0x6020018ba9d0 thread T0
 3==22244==WARNING: Can't write to symbolizer at fd 5
 4    [#0](/bitcoin-bitcoin/0/) 0x100837e54 in void std::__1::__destroy_at[abi:ne180100]<CConnman::ReconnectionInfo, 0>(CConnman::ReconnectionInfo*) construct_at.h:67
 5    [#1](/bitcoin-bitcoin/1/) 0x100837754 in std::__1::__list_imp<CConnman::ReconnectionInfo, std::__1::allocator<CConnman::ReconnectionInfo>>::clear() list:635
 6    [#2](/bitcoin-bitcoin/2/) 0x1008202b8 in CConnman::~CConnman() net.cpp:3526
 7    [#3](/bitcoin-bitcoin/3/) 0x10075802c in Shutdown(node::NodeContext&) init.cpp:328
 8    [#4](/bitcoin-bitcoin/4/) 0x1005decc0 in main bitcoind.cpp:292
 9    [#5](/bitcoin-bitcoin/5/) 0x1937bab48  (<unknown module>)
10
110x6020018ba9d0 is located 0 bytes inside of 8-byte region [0x6020018ba9d0,0x6020018ba9d8)
12freed by thread T0 here:
13    [#0](/bitcoin-bitcoin/0/) 0x1034ed2e4 in _ZdlPv+0x6c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x612e4)
14    [#1](/bitcoin-bitcoin/1/) 0x10081fe9c in CConnman::StopNodes() net.cpp:3511
15    [#2](/bitcoin-bitcoin/2/) 0x100757ebc in Shutdown(node::NodeContext&) init.cpp:315
16    [#3](/bitcoin-bitcoin/3/) 0x1005decc0 in main bitcoind.cpp:292
17    [#4](/bitcoin-bitcoin/4/) 0x1937bab48  (<unknown module>)
18
19previously allocated by thread T0 here:
20    [#0](/bitcoin-bitcoin/0/) 0x1034ececc in _Znwm+0x6c (libclang_rt.asan_osx_dynamic.dylib:arm64+0x60ecc)
21    [#1](/bitcoin-bitcoin/1/) 0x10081c77c in CConnman::Start(CScheduler&, CConnman::Options const&) net.cpp:3361
22    [#2](/bitcoin-bitcoin/2/) 0x10077d364 in AppInitMain(node::NodeContext&, interfaces::BlockAndHeaderTipInfo*) init.cpp:2183
23    [#3](/bitcoin-bitcoin/3/) 0x1005debd0 in main bitcoind.cpp:288
24    [#4](/bitcoin-bitcoin/4/) 0x1937bab48  (<unknown module>)
25
26SUMMARY: AddressSanitizer: heap-use-after-free construct_at.h:67 in void std::__1::__destroy_at[abi:ne180100]<CConnman::ReconnectionInfo, 0>(CConnman::ReconnectionInfo*)
27Shadow bytes around the buggy address:
28  0x6020018ba700: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
29  0x6020018ba780: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
30  0x6020018ba800: fa fa fd fd fa fa fd fa fa fa fa fa fa fa fa fa
31  0x6020018ba880: fa fa 00 00 fa fa fa fa fa fa fa fa fa fa 00 00
32  0x6020018ba900: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
33=>0x6020018ba980: fa fa fd fd fa fa fd fd fa fa[fd]fa fa fa fd fa
34  0x6020018baa00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
35  0x6020018baa80: fa fa fd fa fa fa fd fd fa fa fa fa fa fa fa fa
36  0x6020018bab00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
37  0x6020018bab80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
38  0x6020018bac00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
39Shadow byte legend (one shadow byte represents 8 application bytes):
40  Addressable:           00
41  Partially addressable: 01 02 03 04 05 06 07 
42  Heap left redzone:       fa
43  Freed heap region:       fd
44  Stack left redzone:      f1
45  Stack mid redzone:       f2
46  Stack right redzone:     f3
47  Stack after return:      f5
48  Stack use after scope:   f8
49  Global redzone:          f9
50  Global init order:       f6
51  Poisoned by user:        f7
52  Container overflow:      fc
53  Array cookie:            ac
54  Intra object redzone:    bb
55  ASan internal:           fe
56  Left alloca redzone:     ca
57  Right alloca redzone:    cb
58==22244==ABORTING
  2. maflcko added the label P2P on Oct 14, 2025
  3. maflcko added the label Bug on Oct 14, 2025


Crypt-iQ

Labels
Bug P2P

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-10-24 06:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me