
double-free in compress.mod #1601

Open

michaelortmann opened this issue Jun 3, 2024 · 1 comment

Comments

michaelortmann (Member) commented Jun 3, 2024

We start here:

```c
if (compress_to_file_mmap(fout, fin) == COMPF_SUCCESS) {
```

The first free() is here:

If the following gzclose() fails:

```c
if (gzclose(fout) != Z_OK)
  return COMPF_ERROR;
```

the following code is executed:

It will not only double-free, like here:

but also access the just-closed fin.

I guess this code path was never checked.

We should fix this, but it's low priority, because gzclose() basically never fails ;)

michaelortmann (Member, Author) commented

The bug cannot easily be triggered (because I don't know how to make gzclose() fail), but if the code is manually modified to simulate such a failure, gcc would be able to report the bug like this:

```
.tcl compressfile test.txt
[01:34:25.%f] tcl: builtin dcc call: *dcc:tcl -HQ 1 compressfile test.txt
[01:34:25.%f] tcl: evaluating .tcl compressfile test.txt
=================================================================
==2297507==ERROR: AddressSanitizer: attempting double-free on 0x515000018b80 in thread T0:
    #0 0x792d2f0fb422 in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x792d2de91083 in _IO_fclose (/usr/lib/libc.so.6+0x7d083) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #2 0x792d2f0cba1f in fclose /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6295
    #3 0x792d2f0cba1f in fclose /usr/src/debug/gcc/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6288
    #4 0x792d2d9b1968 in compress_to_file .././compress.mod/compress.c:271
    #5 0x792d2d9b1fc6 in compress_file .././compress.mod/compress.c:311
    #6 0x792d2d9afaaf in tcl_compress_file .././compress.mod/tclcompress.c:68
    #7 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #8 0x65174182cbf6 in tcl_call_stringproc /home/michael/projects/eggdrop/src/tcl.c:341
    #9 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539
    #10 0x792d2ee807e4 in TclEvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5408
    #11 0x792d2ee81096 in Tcl_EvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5073
    #12 0x792d2ee810b9 in Tcl_Eval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:6001
    #13 0x792d2ee81807 in Tcl_GlobalEval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7070
    #14 0x651741781b1a in cmd_tcl /home/michael/projects/eggdrop/src/cmds.c:2850
    #15 0x651741856995 in builtin_dcc /home/michael/projects/eggdrop/src/tclhash.c:694
    #16 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #17 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539
    #18 0x792d2ee807e4 in TclEvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5408
    #19 0x792d2ee81096 in Tcl_EvalEx /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:5073
    #20 0x792d2ee810b9 in Tcl_Eval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:6001
    #21 0x792d2ee816df in Tcl_VarEvalVA /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7001
    #22 0x792d2ee817bd in Tcl_VarEval /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:7032
    #23 0x6517418570f0 in trigger_bind /home/michael/projects/eggdrop/src/tclhash.c:746
    #24 0x6517418586ae in check_tcl_bind /home/michael/projects/eggdrop/src/tclhash.c:942
    #25 0x651741858f0b in check_tcl_dcc /home/michael/projects/eggdrop/src/tclhash.c:974
    #26 0x651741798cde in dcc_chat /home/michael/projects/eggdrop/src/dcc.c:1092
    #27 0x6517417eb9ce in mainloop main.c:796
    #28 0x6517417efd12 in main main.c:1211
    #29 0x792d2de39c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #30 0x792d2de39d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #31 0x6517417024a4 in _start (/home/michael/eggdrop/eggdrop-1.9.5+0x2774a4) (BuildId: 9d27919369708d33ddc619b9a1747beaa5c296bb)

0x515000018b80 is located 0 bytes inside of 472-byte region [0x515000018b80,0x515000018d58)
freed by thread T0 here:
    #0 0x792d2f0fca31 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x6517417f33c5 in n_malloc /home/michael/projects/eggdrop/src/mem.c:342
    #2 0x6517418586fb in check_tcl_bind /home/michael/projects/eggdrop/src/tclhash.c:945
    #3 0x792d2a2d0140 in check_tcl_rawt .././server.mod/servmsg.c:218
    #4 0x792d2a2e3592 in server_activity .././server.mod/servmsg.c:1267
    #5 0x6517417eb9ce in mainloop main.c:796
    #6 0x6517417efd12 in main main.c:1211
    #7 0x792d2de39c87  (/usr/lib/libc.so.6+0x25c87) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #8 0x792d2de39d4b in __libc_start_main (/usr/lib/libc.so.6+0x25d4b) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #9 0x6517417024a4 in _start (/home/michael/eggdrop/eggdrop-1.9.5+0x2774a4) (BuildId: 9d27919369708d33ddc619b9a1747beaa5c296bb)

previously allocated by thread T0 here:
    #0 0x792d2f0fca31 in malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x792d2de91a68  (/usr/lib/libc.so.6+0x7da68) (BuildId: 32a656aa5562eece8c59a585f5eacd6cf5e2307b)
    #2 0x792d2d9b1621 in compress_to_file .././compress.mod/compress.c:240
    #3 0x792d2d9b1fc6 in compress_file .././compress.mod/compress.c:311
    #4 0x792d2d9afaaf in tcl_compress_file .././compress.mod/tclcompress.c:68
    #5 0x65174182cad5 in tcl_call_stringproc_cd /home/michael/projects/eggdrop/src/tcl.c:332
    #6 0x65174182cbf6 in tcl_call_stringproc /home/michael/projects/eggdrop/src/tcl.c:341
    #7 0x792d2ee7e7ff in TclNRRunCallbacks /usr/src/debug/tcl/tcl8.6.14/generic/tclBasic.c:4539

SUMMARY: AddressSanitizer: double-free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52 in free
==2297507==ABORTING
```
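The ownership mistake behind this report (the callee closes fin and fout, then on the gzclose() error return the caller runs its own unconditional cleanup and closes them again, which ASan catches at the second fclose in compress_to_file) is a generic pattern, not specific to eggdrop. The following is an added C example, not the project's code, showing the idempotent-close idiom that makes the caller's cleanup safe on every return path. safe_fclose(), sim_gzclose(), compress_inner() and compress_demo() are hypothetical names; sim_gzclose() is a stand-in that lets the test force the hard-to-reach gzclose() failure, and the "compression" is a plain copy between two tmpfile() streams with constructed input.

```c
#include <stdio.h>
#include <string.h>

#define COMPF_SUCCESS 0
#define COMPF_ERROR   1

/* Counts real stream closes so a test can verify that every handle is
 * closed exactly once on both the success and the failure path. */
static int closes_performed = 0;

/* Close *fp if it is still open and null it, so a second call on the same
 * pointer is a no-op instead of a double close. Returns the fclose()
 * result (0 on success), or 0 when there was nothing left to close. */
static int safe_fclose(FILE **fp)
{
    int rc = 0;
    if (*fp != NULL) {
        rc = fclose(*fp);   /* the stream is dead after this, even on error */
        *fp = NULL;
        closes_performed++;
    }
    return rc;
}

/* Hypothetical stand-in for gzclose(): releases the underlying stream and,
 * when force_fail is set, reports an error afterwards. As with the real
 * gzclose(), the handle must not be used again whatever the return value. */
static int sim_gzclose(FILE **fp, int force_fail)
{
    int rc = safe_fclose(fp);
    return force_fail ? -1 : rc;
}

/* Callee: copies fin to fout (standing in for compression), then closes
 * both. Taking FILE ** means whatever it closes is nulled in the caller
 * as well, so the caller cannot touch a handle the callee already freed. */
static int compress_inner(FILE **fout, FILE **fin, int force_fail)
{
    char buf[256];
    size_t n;

    while ((n = fread(buf, 1, sizeof buf, *fin)) > 0)
        if (fwrite(buf, 1, n, *fout) != n)
            return COMPF_ERROR;

    if (sim_gzclose(fout, force_fail) != 0)
        return COMPF_ERROR;     /* *fout is already NULL here */
    if (safe_fclose(fin) != 0)
        return COMPF_ERROR;
    return COMPF_SUCCESS;
}

/* Caller: unconditional cleanup on every path, like the original caller,
 * but now safe because safe_fclose() skips handles already closed. */
static int compress_demo(int force_fail)
{
    /* Constructed sample input; any bytes will do for the demo. */
    static const char sample[] = "constructed sample input\n";
    FILE *fin = tmpfile(), *fout = tmpfile();
    int rc;

    closes_performed = 0;
    if (fin == NULL || fout == NULL ||
        fwrite(sample, 1, sizeof sample - 1, fin) != sizeof sample - 1) {
        safe_fclose(&fin);
        safe_fclose(&fout);
        return COMPF_ERROR;
    }
    rewind(fin);

    rc = compress_inner(&fout, &fin, force_fail);

    safe_fclose(&fin);          /* no-ops for handles compress_inner closed */
    safe_fclose(&fout);
    return rc;
}

/* Number of real closes the most recent compress_demo() run performed. */
static int closes_in_last_run(void)
{
    return closes_performed;
}

int main(void)
{
    int ok = compress_demo(0);
    int bad = compress_demo(1);
    printf("success path rc=%d, forced gzclose failure rc=%d, closes on failure path=%d\n",
           ok, bad, closes_in_last_run());
    return 0;
}
```

The caveat a reviewer would add to the fix: both fclose() (per the C standard) and zlib's gzclose() release the stream even when they return an error, so an error return from either must be treated as "handle already gone", never as "retry the close in the caller". Nulling the pointer through the FILE ** is what turns the caller's second close, and the "access the just-closed fin" case from the issue, into a harmless no-op instead of a double-free.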
