Jigsaw-Code/outline-go-tun2socks

Occasional crash in ip.c ip4_route after connectivity change

ignoramous opened this issue · 6 comments

I see an occasional SIGSEGV/SEGV_MAPERR and SIGBUS/BUS_ADRALN (from using this forked app) emanating presumably from this module when the VPN is restarted (on network change events?). Interestingly, this usually happens after a phone call.

Here are two such crash logs pointing to ip4_route (see the attached android-bugreport: bugreport-OnePlus6-QKQ1.190716.003-2020-08-10-20-35-23.zip for multiple such tombstones):

08-10 20:12:02.952 20659 20722 F libc    : Fatal signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x14004000000001 in tid 20722 (Thread-24), pid 20659 (elzero.bravedns)
08-10 20:12:03.156 23974 23974 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-10 20:12:03.156 23974 23974 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-10 20:12:03.156 23974 23974 F DEBUG   : Revision: '0'
08-10 20:12:03.156 23974 23974 F DEBUG   : ABI: 'arm64'
08-10 20:12:03.156 23974 23974 F DEBUG   : Timestamp: 2020-08-10 20:12:03+0530
08-10 20:12:03.156 23974 23974 F DEBUG   : pid: 20659, tid: 20722, name: Thread-24  >>> com.celzero.bravedns <<<
08-10 20:12:03.156 23974 23974 F DEBUG   : uid: 10417
08-10 20:12:03.157 23974 23974 F DEBUG   : signal 7 (SIGBUS), code 1 (BUS_ADRALN), fault addr 0x14004000000001
08-10 20:12:03.157 23974 23974 F DEBUG   :     x0  0000007d8bd4bb08  x1  0000007dfbc47420  x2  0000007dfbce7b20  x3  0000007d8c26fa2c
08-10 20:12:03.157 23974 23974 F DEBUG   :     x4  0000000000009d82  x5  0000007d8c26fa44  x6  0000000000001194  x7  e414004000000001
08-10 20:12:03.157 23974 23974 F DEBUG   :     x8  000000009d820000  x9  0000000011940000  x10 000000000000007c  x11 0000000000000090
08-10 20:12:03.157 23974 23974 F DEBUG   :     x12 0000000000000001  x13 0000007d906e7c40  x14 0000000000000000  x15 0000007d8bdfd475
08-10 20:12:03.157 23974 23974 F DEBUG   :     x16 0000007e8af068f0  x17 0000007e8aef8070  x18 0000007d77272000  x19 0000007dfbce7b20
08-10 20:12:03.157 23974 23974 F DEBUG   :     x20 0000000000000014  x21 0000007d8c26f630  x22 0000000000000000  x23 0000007d8c26fa08
08-10 20:12:03.157 23974 23974 F DEBUG   :     x24 00000040004ef200  x25 0000007d8c26f630  x26 0000007d8bf01250  x27 0000000000000010
08-10 20:12:03.157 23974 23974 F DEBUG   :     x28 0000004000000d80  x29 0000007d906e7c00
08-10 20:12:03.157 23974 23974 F DEBUG   :     sp  0000007d906e7bc0  lr  0000007d8bd5b0ac  pc  0014004000000001
08-10 20:12:03.157 23974 23974 F DEBUG   :
08-10 20:12:03.157 23974 23974 F DEBUG   : backtrace:
08-10 20:12:03.157 23974 23974 F DEBUG   :       #00 pc 0014004000000001  <unknown>
08-10 20:12:03.157 23974 23974 F DEBUG   :       #01 pc 00000000005d70a8  /data/app/com.celzero.bravedns-uh_UnXi9HudXwQ66hkJ2zA==/base.apk (offset 0x76b000) (ip4_input+476)
08-10 20:35:25.136   583   583 F libc    : crash_dump helper failed to exec
08-11 02:32:32.641  3701  3701 F libc    : Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5d8ecf841fbcad in tid 3701 (elzero.bravedns), pid 3701 (elzero.bravedns)
08-11 02:32:32.888 29947 29947 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-11 02:32:32.889 29947 29947 F DEBUG   : Build fingerprint: 'OnePlus/OnePlus6/OnePlus6:10/QKQ1.190716.003/2005052051:user/release-keys'
08-11 02:32:32.889 29947 29947 F DEBUG   : Revision: '0'
08-11 02:32:32.889 29947 29947 F DEBUG   : ABI: 'arm64'
08-11 02:32:32.891 29947 29947 F DEBUG   : Timestamp: 2020-08-11 02:32:32+0530
08-11 02:32:32.891 29947 29947 F DEBUG   : pid: 3701, tid: 3701, name: elzero.bravedns  >>> com.celzero.bravedns <<<
08-11 02:32:32.891 29947 29947 F DEBUG   : uid: 10417
08-11 02:32:32.891 29947 29947 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x5d8ecf841fbcad
08-11 02:32:32.891 29947 29947 F DEBUG   :     x0  105d8ecf841fbc97  x1  0000007dfbdd5800  x2  0000004000050b10  x3  0000004000000480
08-11 02:32:32.891 29947 29947 F DEBUG   :     x4  00000000000004f0  x5  0000004000000690  x6  0000000000000001  x7  0000007dfbdd5800
08-11 02:32:32.891 29947 29947 F DEBUG   :     x8  000000006f0a2304  x9  0000007dfbdc4c00  x10 0000000000000005  x11 0000000000000000
08-11 02:32:32.891 29947 29947 F DEBUG   :     x12 0000007e8dd2c700  x13 0000007fea76cac0  x14 0000007e8dc85550  x15 0000007e8dc85560
08-11 02:32:32.891 29947 29947 F DEBUG   :     x16 0000007e8af06940  x17 0000007e8ae90380  x18 0000007e8e56c000  x19 0000000000000000
08-11 02:32:32.891 29947 29947 F DEBUG   :     x20 105d8ecf841fbc97  x21 000000004a0beaa3  x22 00000000a928e97a  x23 0000000000000001
08-11 02:32:32.891 29947 29947 F DEBUG   :     x24 000000000000bb01  x25 0000007e8de85020  x26 0000007da653e370  x27 0000000000000010
08-11 02:32:32.891 29947 29947 F DEBUG   :     x28 0000004000000480  x29 0000007fea76ca00
08-11 02:32:32.891 29947 29947 F DEBUG   :     sp  0000007fea76c9f0  lr  0000007da6390b78  pc  0000007da638ad74
08-11 02:32:32.898 29947 29947 F DEBUG   :
08-11 02:32:32.898 29947 29947 F DEBUG   : backtrace:
08-11 02:32:32.898 29947 29947 F DEBUG   :       #00 pc 00000000005c9d74  /data/app/com.celzero.bravedns-F-y5acefxdj9t1YfPOXksw==/base.apk (offset 0x1ea000) (pbuf_free+40)

I wasn't sure if this project or go-tun2socks was the right one to report the bug to. That said, we're investigating this as well to see if the app's usage of outline-go-tun2socks is at fault, but haven't found much evidence to suggest that, but we'd continue to look.

vv4.txt

adb logcat output points to the fact that the crash follows a restart-vpn in response to screen on / screen off.

Thanks for the report! I'm not sure how we can act on this from the backtrace in your app, but please let us know if you identify the cause.

We thought something was up with our fork (and it still might be because we've baked in a firewall and that's a pretty drastic change from Jigsaw upstream), but it looks like restarting the VPN in a loop (every 2s, if one wants to hit the issue quickly) in the background and using any app that initiates a connection or two (like loading different pages on the browser) causes the said crash.

We have created a sample app that hits this crash consistently: Would you have any pointers on how to enable debug to get a view of detailed trace from android -> go -> c here?

We plan to use Jigsaw's branch with the sample app to make sure it is our fork that's at fault: Will report back on that and close this issue if that's the case.

We have confirmed our fork is at fault. Closing this issue in favour of: celzero/rethink-app#19

@bemasc We think the old-GoVPNAdapter needs to be closed before a new one is created to eliminate this crash (at least doing so has eliminated it in our app): app/intra/sys/IntraVpnService.java#L237-L238. That said, we couldn't reproduce this issue with Intra (which happened occasionally with our app and consistently with the sample app using outline-go-tun2socks we forked)... so not sure if Intra needs to fix or change anything, but letting you know just in case.

Also: Please let us know how to enable debug logs/build/symbols (?) in outline-go-tun2socks (probably mention it in the README.md?). Thanks.
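The ordering fix described in the comment above (close the old adapter before creating its replacement), modelled as an added Go example that is not code from the app or from outline-go-tun2socks. `stack`, `adapter`, `start` and `maxOverlap` are hypothetical names, and the shared native state they model is an assumption.

```go
package main

import (
	"fmt"
	"sync"
)

// stack stands in for native state that all adapters share (an assumption).
type stack struct {
	mu         sync.Mutex
	live, peak int
}
func (s *stack) add(d int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.live += d; s.live > s.peak {
		s.peak = s.live
	}
}

// adapter is a hypothetical stand-in for the app's GoVPNAdapter.
type adapter struct{ stop, done chan struct{} }
func start(s *stack) *adapter {
	a := &adapter{make(chan struct{}), make(chan struct{})}
	s.add(1)
	go func() { defer close(a.done); <-a.stop; s.add(-1) }() // packet loop
	return a
}

// Close stops the packet loop and returns only once it has exited.
func (a *adapter) Close() { close(a.stop); <-a.done }

// maxOverlap performs n restarts and returns the peak number of live adapters.
func maxOverlap(closeFirst bool, n int) int {
	s := &stack{}
	var cur *adapter
	for i := 0; i < n; i++ {
		old := cur
		if old != nil && closeFirst {
			old.Close() // fixed order: old adapter is gone before the new one starts
		}
		cur = start(s)
		if old != nil && !closeFirst {
			old.Close() // crash-prone order: two adapters are live at once
		}
	}
	return s.peak
}
func main() { fmt.Println(maxOverlap(true, 20), maxOverlap(false, 20)) }
```

A peak above 1 means two adapters used the shared state at the same time; the same counter can back a regression test for a restart path.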

Thanks for the explanation.

The log level is controlled here: https://github.com/Jigsaw-Code/outline-go-tun2socks/blob/master/intra/intra.go#L30