Ticket #11 (closed defect: wontfix)
usb_find_devices() crashes
| Reported by: | pitti | Owned by: | |
|---|---|---|---|
| Component: | libusb-0.1 (unmaintained) | Keywords: | |
| Cc: | | Blocked By: | |
| Blocks: | | | |
Description
Hello!
We got two independent reports that usb_find_devices() segfaults with a trace like
```
#0  __GI___libc_free (mem=0x1) at malloc.c:3687
        ar_ptr = <value optimized out>
        p = <value optimized out>
#1  0x00007f8ac80d6113 in usb_destroy_configuration (dev=0x66dbe0)
    at ../descriptors.c:414
        as = (struct usb_interface_descriptor *) 0x66d450
        ifp = (struct usb_interface *) 0x66eee0
        cf = (struct usb_config_descriptor *) 0x669d50
        c = 0
        i = 1
        j = 0
        k = 1
#2  0x00007f8ac80d58c9 in usb_free_dev (dev=0x1) at ../usb.c:293
No locals.
#3  0x00007f8ac80d5cd6 in usb_find_devices () at ../usb.c:121
        tndev = (struct usb_device *) 0x0
        ndev = (struct usb_device *) 0x66dbe0
        tdev = (struct usb_device *) 0x67d370
        devices = (struct usb_device *) 0x66eed0
        dev = (struct usb_device *) 0x67c310
        bus = (struct usb_bus *) 0x6750b0
        ret = <value optimized out>
        changes = 0
```
So clearly the pointer argument to usb_free_dev() is bogus here. I'm a bit stunned how it can reappear correctly in usb_destroy_configuration() again (that's the ndev pointer again), but I guess memory is just messed up at this point. This often indicates a double free.
http://launchpadlibrarian.net/29856678/Stacktrace.txt has a different instance of this (different pointers), just in case it helps.
Attachments
Change History
comment:4 Changed 20 months ago by pitti
I know this is an unmaintained version upstream, but for folks who have this problem in their supported distro releases, http://launchpadlibrarian.net/49424586/libusb_memset_altsetting_alloc.patch fixes this.
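The patch name points at the altsetting allocation not being zeroed before the descriptor parser could fail part-way. The following is an added illustration, not libusb code: a reduced model of the config -> interface -> altsetting chain from the backtrace, with constructed struct names and a simulated parse failure, showing why cleanup of a partially parsed configuration is only safe when the altsetting pointers start out NULL.

```c
/* Added example, not libusb code: a reduced model of the config ->
 * interface -> altsetting chain seen in the backtrace above. It shows why
 * cleanup of a partially parsed configuration only works if the altsetting
 * pointers start out NULL. All names and the simulated failure are constructed. */
#include <stdlib.h>

struct alt_desc { int bInterfaceNumber, bAlternateSetting; };
struct iface { struct alt_desc *altsetting; int num_altsetting; };
struct config { struct iface *interface; int bNumInterfaces; };

/* calloc() so every altsetting pointer is NULL before parsing begins;
 * a plain malloc() would leave indeterminate pointers for destroy_config(). */
static struct config *alloc_config(int n_ifaces)
{
    struct config *cf = calloc(1, sizeof *cf);
    if (!cf) return NULL;
    cf->interface = calloc((size_t)n_ifaces, sizeof *cf->interface);
    if (!cf->interface) { free(cf); return NULL; }
    cf->bNumInterfaces = n_ifaces;
    return cf;
}

/* Simulated parser: fills interfaces 0..fail_at-1, then stops early the way
 * a truncated descriptor would, leaving the remaining entries untouched. */
static struct config *parse_config(int n_ifaces, int fail_at)
{
    struct config *cf = alloc_config(n_ifaces);
    if (!cf) return NULL;
    for (int i = 0; i < n_ifaces && i < fail_at; i++) {
        cf->interface[i].altsetting = calloc(2, sizeof(struct alt_desc));
        if (!cf->interface[i].altsetting) break;
        cf->interface[i].num_altsetting = 2;
    }
    return cf; /* possibly partial; the caller still has to destroy it */
}

/* Cleanup that is safe on partial structures: frees only populated
 * altsetting arrays and reports how many it released. */
static int destroy_config(struct config *cf)
{
    int freed = 0;
    if (!cf) return 0;
    for (int i = 0; i < cf->bNumInterfaces; i++)
        if (cf->interface[i].altsetting) { free(cf->interface[i].altsetting); freed++; }
    free(cf->interface);
    free(cf);
    return freed;
}
```

With the interface table zero-filled, a parse that stops after one of three interfaces leaves two NULL altsetting pointers that destroy_config() skips instead of handing to free().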
comment:5 Changed 17 months ago by stuge
- Status changed from new to closed
- Resolution set to wontfix
Closing this since the code is unmaintained. The patch mentioned in #comment:4 is now attached here.
In both cases, this happens with the last element in the list. Coincidence?