[Android-tools-devel] Bug#857580: adb dev*** Error in `adb': free(): invalid pointer: 0x000055867c446b90 *** (Bug #857580)

Bernhard Übelacker bernhardu at mailbox.org
Mon Sep 17 14:41:14 BST 2018


Hello all,
I tried to reproduce this crash.

This seems to happen just on the first run, in the key generation.
It can be reproduced quite easily by these steps:


# If you need your android keys and settings, remove the new .android and undo the move after testing!
adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
gdb -q --args adb -P 5037 fork-server server --reply-fd 4



The crash from message #5 would look like this with debug symbols:

*** Error in `adb': free(): invalid pointer: 0x0000564666e92b90 ***
(gdb) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fac9069442a in __GI_abort () at abort.c:89
#2  0x00007fac906d0c00 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7fac907c5d98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fac906d6fc6 in malloc_printerr (action=3, str=0x7fac907c294a "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4  0x00007fac906d780e in _int_free (av=0x7fac909f9b00 <main_arena>, p=0x564666e92b80, have_lock=0) at malloc.c:3905
#5  0x00007fac9028e558 in BN_clear_free (a=0x564666e91610) at ../crypto/bn/bn_lib.c:190
#6  0x00007fac903613d1 in RSA_free (r=r at entry=0x564666e911a0) at ../crypto/rsa/rsa_lib.c:147
#7  0x00007fac916d7273 in generate_key (file=file at entry=0x7ffd049df700 "/root/.android/adbkey") at adb/adb_auth_host.cpp:272
#8  0x00007fac916d7ca0 in get_user_key (list=0x7fac918e5d30 <key_list>) at adb/adb_auth_host.cpp:339
#9  0x00007fac916d8433 in adb_auth_init () at adb/adb_auth_host.cpp:449
#10 0x0000564665502c90 in adb_server_main (is_daemon=is_daemon at entry=1, server_port=server_port at entry=5037, ack_reply_fd=ack_reply_fd at entry=4) at adb/client/main.cpp:113
#11 0x000056466550730d in adb_commandline (argc=<optimized out>, argv=0x7ffd049e2e50) at adb/commandline.cpp:1595
#12 0x00007fac906802e1 in __libc_start_main (main=0x564665500ac0 <main(int, char**)>, argc=7, argv=0x7ffd049e2e18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd049e2e08) at ../csu/libc-start.c:291
#13 0x0000564665500b4a in _start ()



In an up-to-date Stretch this also shows as:

adb: malloc.c:3760: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.

Thread 1 "adb" received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff696b42a in __GI_abort () at abort.c:89
#2  0x00007ffff69ad9f8 in __malloc_assert (assertion=assertion at entry=0x7ffff6a9d298 "(unsigned long) (size) >= (unsigned long) (nb)", file=file at entry=0x7ffff6a99847 "malloc.c", line=line at entry=3760, function=function at entry=0x7ffff6a9d8a8 <__func__.11501> "_int_malloc") at malloc.c:301
#3  0x00007ffff69b0729 in _int_malloc (av=av at entry=0x7ffff6cd0b00 <main_arena>, bytes=bytes at entry=32) at malloc.c:3760
#4  0x00007ffff69b1f64 in __GI___libc_malloc (bytes=32) at malloc.c:2928
#5  0x00007ffff660fa5e in CRYPTO_zalloc (num=num at entry=32, file=file at entry=0x7ffff66977ac "../crypto/buffer/buffer.c", line=line at entry=35) at ../crypto/mem.c:100
#6  0x00007ffff6576c0a in BUF_MEM_new () at ../crypto/buffer/buffer.c:35
#7  0x00007ffff6621ddb in PEM_read_bio (bp=bp at entry=0x5555557881a0, name=name at entry=0x7fffffffae58, header=header at entry=0x7fffffffae60, data=data at entry=0x7fffffffae68, len=len at entry=0x7fffffffae70) at ../crypto/pem/pem_lib.c:681
#8  0x00007ffff6622686 in PEM_bytes_read_bio (pdata=pdata at entry=0x7fffffffaf00, plen=plen at entry=0x7fffffffaf08, pnm=pnm at entry=0x7fffffffaef0, name=<optimized out>, name at entry=0x7ffff66bc9c1 "ANY PRIVATE KEY", bp=bp at entry=0x5555557881a0, cb=cb at entry=0x0, u=0x0) at ../crypto/pem/pem_lib.c:242
#9  0x00007ffff6623339 in PEM_read_bio_PrivateKey (bp=bp at entry=0x5555557881a0, x=x at entry=0x0, cb=cb at entry=0x0, u=u at entry=0x0) at ../crypto/pem/pem_pkey.c:35
#10 0x00007ffff662388c in PEM_read_PrivateKey (fp=fp at entry=0x5555557893c0, x=x at entry=0x0, cb=cb at entry=0x0, u=u at entry=0x0) at ../crypto/pem/pem_pkey.c:175
#11 0x00007ffff661fa9b in PEM_read_RSAPrivateKey (fp=fp at entry=0x5555557893c0, rsa=rsa at entry=0x555555787e80, cb=cb at entry=0x0, u=u at entry=0x0) at ../crypto/pem/pem_all.c:76
#12 0x00007ffff79ad477 in read_key (file=file at entry=0x7fffffffb4d0 "/root/.android/adbkey", list=0x7ffff7bbbd30 <key_list>) at adb/adb_auth_host.cpp:290
#13 0x00007ffff79aeb4b in get_user_key (list=0x7ffff7bbbd30 <key_list>) at adb/adb_auth_host.cpp:345
#14 0x00007ffff79af413 in adb_auth_init () at adb/adb_auth_host.cpp:449
#15 0x000055555555bc60 in adb_server_main (is_daemon=is_daemon at entry=1, server_port=server_port at entry=5037, ack_reply_fd=ack_reply_fd at entry=4) at adb/client/main.cpp:118
#16 0x00005555555603dd in adb_commandline (argc=<optimized out>, argv=0x7fffffffecd0) at adb/commandline.cpp:1595
#17 0x00007ffff69572e1 in __libc_start_main (main=0x555555559ac0 <main(int, char**)>, argc=7, argv=0x7fffffffec98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffec88) at ../csu/libc-start.c:291
#18 0x0000555555559b4a in _start ()



This is also clearly visible in a valgrind run.



It also seems related to these Debian patches:
adb_libssl_11.diff
adb_libssl_bc.diff

Patch adb_libssl_11.diff replaces the BN_copy by RSA_get0_key.
Therefore we get in variable n the memory that belongs to the rsa struct.
As RSA_to_RSAPublicKey still expects n to be a copy, it frees
the memory pointed to by n.
Unfortunately this member of the rsa struct is then freed again in OpenSSL's RSA_free.

This can be observed in current unstable too.
But there I could not build src:android-platform-system-core anymore.

Bugs 858764, 859195, 903939 look like exact duplicates.

Attached are some debugging attempts and a patch removing the free in RSA_to_RSAPublicKey.

Kind regards,
Bernhard
-------------- next part --------------
Description: Avoid double free on first-time key generation.

Author: Bernhard Übelacker <bernhardu at mailbox.org>
Bug-Debian: https://bugs.debian.org/857580
Last-Update: 2018-09-17
---
--- android-platform-system-core-7.0.0+r33.orig/adb/adb_auth_host.cpp
+++ android-platform-system-core-7.0.0+r33/adb/adb_auth_host.cpp
@@ -110,7 +110,7 @@ static int RSA_to_RSAPublicKey(RSA *rsa,
 
 out:
     BN_free(n0inv);
-    BN_free(n);
+    //BN_free(n);
     BN_free(rem);
     BN_free(r);
     BN_free(rr);
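Review bot: the hunk removes the free by commenting it out (`//BN_free(n);`), which leaves dead code and no hint of why it went; delete the line and put a comment in its place saying that after adb_libssl_11.diff n is the pointer obtained from RSA_get0_key, owned by the RSA object and released by RSA_free, so it must not be freed here. Two things to confirm before merging: that no build configuration (adb_libssl_bc.diff is also applied) still fills n through BN_copy, since there the dropped free turns into a leak of a copied BIGNUM, and that nothing else in RSA_to_RSAPublicKey modifies n in place, because with a borrowed pointer such writes would now alter the modulus inside the RSA object rather than a private copy.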
-------------- next part --------------

======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f59665b3bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f59665b9f96]
/lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7f59665ba78e]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(BN_clear_free+0x88)[0x7f5966171558]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(RSA_free+0xa1)[0x7f59662443d1]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(+0x24273)[0x7f59675b8273]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(+0x24ca0)[0x7f59675b8ca0]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(_Z13adb_auth_initv+0x53)[0x7f59675b9433]
adb(+0x7c90)[0x55867b843c90]
adb(+0xc30d)[0x55867b84830d]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f59665632b1]
adb(+0x5b4a)[0x55867b841b4a]


============================

apt update
apt install mc dpkg-dev devscripts strace gdb valgrind systemd-coredump


wget http://snapshot.debian.org/archive/debian/20170301T033045Z/pool/main/a/android-platform-system-core/adb_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/adb-dbgsym_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170301T033045Z/pool/main/a/android-platform-system-core/android-libadb_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/android-libadb-dbgsym_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170301T033045Z/pool/main/a/android-platform-system-core/android-libbase_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/android-libbase-dbgsym_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170301T033045Z/pool/main/a/android-platform-system-core/android-libcutils_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/android-libcutils-dbgsym_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian/20170301T033045Z/pool/main/a/android-platform-system-core/android-liblog_7.0.0%2Br1-3_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/android-liblog-dbgsym_7.0.0%2Br1-3_amd64.deb

mkdir -p libssl
cd libssl
wget http://snapshot.debian.org/archive/debian/20170216T211316Z/pool/main/o/openssl/libssl1.1_1.1.0e-1_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20170216T205145Z/pool/main/o/openssl/libssl1.1-dbgsym_1.1.0e-1_amd64.deb

wget http://snapshot.debian.org/archive/debian/20170526T032740Z/pool/main/o/openssl/libssl1.1_1.1.0f-1_amd64.deb
wget http://snapshot.debian.org/archive/debian/20180331T052301Z/pool/main/o/openssl/libssl1.1_1.1.0f-3%2Bdeb9u2_amd64.deb
wget http://snapshot.debian.org/archive/debian/20171103T035537Z/pool/main/o/openssl/libssl1.1_1.1.0g-1_amd64.deb
wget http://snapshot.debian.org/archive/debian/20180523T153942Z/pool/main/o/openssl/libssl1.1_1.1.0h-4_amd64.deb
wget http://snapshot.debian.org/archive/debian-debug/20180523T151339Z/pool/main/o/openssl/libssl1.1-dbgsym_1.1.0h-4_amd64.deb
wget http://snapshot.debian.org/archive/debian/20180913T030433Z/pool/main/o/openssl/libssl1.1_1.1.1-1_amd64.deb
cd ..

mkdir android-platform-system-core/orig -p
cd    android-platform-system-core/orig/
dget http://snapshot.debian.org/archive/debian-debug/20170301T030416Z/pool/main/a/android-platform-system-core/android-platform-system-core_7.0.0%2Br1-3.dsc
cd ../..


dpkg -i *.deb

adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)

gdb -q --args adb shell

set pagination off
set width 0
set height 0
set follow-fork-mode child
run

b _start
display/i $pc
run


(gdb) disassemble RSA_free,RSA_free+298
(gdb) disassemble generate_key,generate_key+1484
(gdb) disassemble get_user_key,get_user_key+833
(gdb) disassemble _Z13adb_auth_initv,_Z13adb_auth_initv+1242    
(gdb) disassemble adb_server_main,adb_server_main+1346
(gdb) disassemble adb_commandline,adb_commandline+19380
(gdb) disassemble __libc_start_main,__libc_start_main+0x400
(gdb) disassemble _start




   0x00007ffff79ad26e <generate_key(char const*)+510>:  callq  0x7ffff7992bc0 <RSA_free at plt>
   0x00007ffff79ad273 <generate_key(char const*)+515>:  mov    %rbx,%rdi

   0x00007ffff79adc9b <get_user_key(listnode*)+491>:    callq  0x7ffff79ad070 <generate_key(char const*)>
   0x00007ffff79adca0 <get_user_key(listnode*)+496>:    test   %eax,%eax

   0x00007ffff79ae42e <adb_auth_init()+78>:     callq  0x7ffff79adab0 <get_user_key(listnode*)>
   0x00007ffff79ae433 <adb_auth_init()+83>:     test   %eax,%eax

   0x000055555555bc8b <adb_server_main(int, int, int)+75>:      callq  0x5555555583f0 <_Z13adb_auth_initv at plt>
   0x000055555555bc90 <adb_server_main(int, int, int)+80>:      lea    0x10(%rbp),%rax

   0x0000555555560308 <adb_commandline(int, char const**)+2552>:        callq  0x55555555bc40 <adb_server_main(int, int, int)>
   0x000055555556030d <adb_commandline(int, char const**)+2557>:        mov    %eax,%ebx

   0x00007ffff69562df <__libc_start_main+239>:  callq  *%rax
   0x00007ffff69562e1 <__libc_start_main+241>:  mov    %eax,%edi

   0x0000555555559b44 <_start+36>:      callq  *0x21b48e(%rip)        # 0x555555774fd8
   0x0000555555559b4a <_start+42>:      hlt    




adb            + 0x5b4a             = 0x55867b841b4a
adb                                 = 0x55867b841b4a - 0x5b4a = 0x55867B83C000

adb                                 = 0x0000555555559b4a - 0x5b4a = 0x555555554000
adb + 0xc30d                        = 0x555555554000 + 0xc30d     = 0x55555556030D



-------------


adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
script -c "strace -f adb start-server"

[pid  2672] execve("/usr/lib/android-sdk/platform-tools/adb", ["adb", "-P", "5037", "fork-server", "server", "--reply-fd", "4"], [/* 11 vars */]) = 0


-------------


adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
adb -P 5037 fork-server server --reply-fd 4

root at debian:~# adb -P 5037 fork-server server --reply-fd 4
*** Error in `adb': free(): invalid pointer: 0x0000564666e92b90 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fac906d0bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7fac906d6fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7fac906d780e]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(BN_clear_free+0x88)[0x7fac9028e558]
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1(RSA_free+0xa1)[0x7fac903613d1]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(+0x24273)[0x7fac916d7273]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(+0x24ca0)[0x7fac916d7ca0]
/usr/lib/x86_64-linux-gnu/android/libadb.so.0(_Z13adb_auth_initv+0x53)[0x7fac916d8433]
adb(+0x7c90)[0x564665502c90]
adb(+0xc30d)[0x56466550730d]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fac906802e1]
adb(+0x5b4a)[0x564665500b4a]
======= Memory map: ========
...
Abgebrochen (Speicherabzug geschrieben)



coredumpctl gdb

set pagination off
set width 0
set height 0
bt

#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fac9069442a in __GI_abort () at abort.c:89
#2  0x00007fac906d0c00 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7fac907c5d98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fac906d6fc6 in malloc_printerr (action=3, str=0x7fac907c294a "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
#4  0x00007fac906d780e in _int_free (av=0x7fac909f9b00 <main_arena>, p=0x564666e92b80, have_lock=0) at malloc.c:3905
#5  0x00007fac9028e558 in BN_clear_free (a=0x564666e91610) at ../crypto/bn/bn_lib.c:190
#6  0x00007fac903613d1 in RSA_free (r=r at entry=0x564666e911a0) at ../crypto/rsa/rsa_lib.c:147
#7  0x00007fac916d7273 in generate_key (file=file at entry=0x7ffd049df700 "/root/.android/adbkey") at adb/adb_auth_host.cpp:272
#8  0x00007fac916d7ca0 in get_user_key (list=0x7fac918e5d30 <key_list>) at adb/adb_auth_host.cpp:339
#9  0x00007fac916d8433 in adb_auth_init () at adb/adb_auth_host.cpp:449
#10 0x0000564665502c90 in adb_server_main (is_daemon=is_daemon at entry=1, server_port=server_port at entry=5037, ack_reply_fd=ack_reply_fd at entry=4) at adb/client/main.cpp:113
#11 0x000056466550730d in adb_commandline (argc=<optimized out>, argv=0x7ffd049e2e50) at adb/commandline.cpp:1595
#12 0x00007fac906802e1 in __libc_start_main (main=0x564665500ac0 <main(int, char**)>, argc=7, argv=0x7ffd049e2e18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffd049e2e08) at ../csu/libc-start.c:291
#13 0x0000564665500b4a in _start ()



-------------



libssl1.1_1.1.0e-1_amd64.deb
libssl1.1_1.1.0h-4_amd64.deb
                (gdb) bt
                #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
                #1  0x00007fd7c745342a in __GI_abort () at abort.c:89
                #2  0x00007fd7c748fc00 in __libc_message (do_abort=do_abort at entry=2, fmt=fmt at entry=0x7fd7c7584d98 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
                #3  0x00007fd7c7495fc6 in malloc_printerr (action=3, str=0x7fd7c758194a "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5049
                #4  0x00007fd7c749680e in _int_free (av=0x7fd7c77b8b00 <main_arena>, p=0x56360f570b90, have_lock=0) at malloc.c:3905
                #5  0x00007fd7c704fd48 in BN_clear_free () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #6  0x00007fd7c7122fe1 in RSA_free () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #7  0x00007fd7c8496273 in generate_key (file=file at entry=0x7ffc99da3c70 "/root/.android/adbkey") at adb/adb_auth_host.cpp:272
                #8  0x00007fd7c8496ca0 in get_user_key (list=0x7fd7c86a4d30 <key_list>) at adb/adb_auth_host.cpp:339
                #9  0x00007fd7c8497433 in adb_auth_init () at adb/adb_auth_host.cpp:449
                #10 0x000056360d69dc90 in adb_server_main (is_daemon=is_daemon at entry=1, server_port=server_port at entry=5037, ack_reply_fd=ack_reply_fd at entry=4) at adb/client/main.cpp:113
                #11 0x000056360d6a230d in adb_commandline (argc=<optimized out>, argv=0x7ffc99da73c0) at adb/commandline.cpp:1595
                #12 0x00007fd7c743f2e1 in __libc_start_main (main=0x56360d69bac0 <main(int, char**)>, argc=7, argv=0x7ffc99da7388, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc99da7378) at ../csu/libc-start.c:291
                #13 0x000056360d69bb4a in _start ()

libssl1.1_1.1.0f-1_amd64.deb
libssl1.1_1.1.0f-3+deb9u2_amd64.deb
libssl1.1_1.1.0g-1_amd64.deb

                (gdb) bt
                #0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
                #1  0x00007f560570c42a in __GI_abort () at abort.c:89
                #2  0x00007f560574e9f8 in __malloc_assert (assertion=assertion at entry=0x7f560583e298 "(unsigned long) (size) >= (unsigned long) (nb)", file=file at entry=0x7f560583a847 "malloc.c", line=line at entry=3760, function=function at entry=0x7f560583e8a8 <__func__.11501> "_int_malloc") at malloc.c:301
                #3  0x00007f5605751729 in _int_malloc (av=av at entry=0x7f5605a71b00 <main_arena>, bytes=bytes at entry=32) at malloc.c:3760
                #4  0x00007f5605752f64 in __GI___libc_malloc (bytes=32) at malloc.c:2928
                #5  0x00007f56053b0a3e in CRYPTO_zalloc () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #6  0x00007f5605317b0a in BUF_MEM_new () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #7  0x00007f56053c2d9b in PEM_read_bio () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #8  0x00007f56053c3646 in PEM_bytes_read_bio () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #9  0x00007f56053c42f9 in PEM_read_bio_PrivateKey () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #10 0x00007f56053c484c in PEM_read_PrivateKey () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #11 0x00007f56053c0a5b in PEM_read_RSAPrivateKey () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
                #12 0x00007f560674e4b7 in read_key (file=file at entry=0x7ffe14843580 "/root/.android/adbkey", list=0x7f560695dd30 <key_list>) at adb/adb_auth_host.cpp:290
                #13 0x00007f560674fb6b in get_user_key (list=0x7f560695dd30 <key_list>) at adb/adb_auth_host.cpp:345
                #14 0x00007f5606750433 in adb_auth_init () at adb/adb_auth_host.cpp:449
                #15 0x0000564253db7c90 in adb_server_main (is_daemon=is_daemon at entry=1, server_port=server_port at entry=5037, ack_reply_fd=ack_reply_fd at entry=4) at adb/client/main.cpp:113
                #16 0x0000564253dbc30d in adb_commandline (argc=<optimized out>, argv=0x7ffe14846cd0) at adb/commandline.cpp:1595
                #17 0x00007f56056f82e1 in __libc_start_main (main=0x564253db5ac0 <main(int, char**)>, argc=7, argv=0x7ffe14846c98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe14846c88) at ../csu/libc-start.c:291
                #18 0x0000564253db5b4a in _start ()

libssl1.1_1.1.1-1_amd64.deb     # not installable in stretch



---------------


dpkg -i libssl1.1*_1.1.0h-4_amd64.deb
adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
valgrind adb -P 5037 fork-server server --reply-fd 4

root at debian:~# valgrind adb -P 5037 fork-server server --reply-fd 4
==3387== Memcheck, a memory error detector
==3387== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3387== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==3387== Command: adb -P 5037 fork-server server --reply-fd 4
==3387== 
==3387== Invalid read of size 8
==3387==    at 0x639CCD2: BN_clear_free (bn_lib.c:160)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89dd0 is 0 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid read of size 4
==3387==    at 0x639CCDA: BN_clear_free (bn_lib.c:161)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89ddc is 12 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid write of size 8
==3387==    at 0x64C6295: OPENSSL_cleanse (x86_64cpuid.s:207)
==3387==    by 0x639CCE6: BN_clear_free (bn_lib.c:161)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6d59a90 is 0 bytes inside a block of size 512 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x639CD9F: BN_free (bn_lib.c:177)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639CE2C: bn_expand_internal (bn_lib.c:238)
==3387==    by 0x639CE2C: bn_expand2 (bn_lib.c:304)
==3387==    by 0x639FB2F: BN_mul (bn_mul.c:920)
==3387==    by 0x646FD80: rsa_builtin_keygen (rsa_gen.c:151)
==3387==    by 0x646FD80: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid write of size 8
==3387==    at 0x64C62A7: OPENSSL_cleanse (x86_64cpuid.s:211)
==3387==    by 0x639CCE6: BN_clear_free (bn_lib.c:161)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6d59a98 is 8 bytes inside a block of size 512 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x639CD9F: BN_free (bn_lib.c:177)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639CE2C: bn_expand_internal (bn_lib.c:238)
==3387==    by 0x639CE2C: bn_expand2 (bn_lib.c:304)
==3387==    by 0x639FB2F: BN_mul (bn_mul.c:920)
==3387==    by 0x646FD80: rsa_builtin_keygen (rsa_gen.c:151)
==3387==    by 0x646FD80: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid read of size 4
==3387==    at 0x639CC60: BN_get_flags (bn_lib.c:967)
==3387==    by 0x639CCF3: BN_clear_free (bn_lib.c:162)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89de4 is 20 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid read of size 4
==3387==    at 0x639CC60: BN_get_flags (bn_lib.c:967)
==3387==    by 0x639CC7D: bn_free_d (bn_lib.c:146)
==3387==    by 0x639CD47: BN_clear_free (bn_lib.c:163)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89de4 is 20 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid read of size 8
==3387==    at 0x639CC82: bn_free_d (bn_lib.c:149)
==3387==    by 0x639CD47: BN_clear_free (bn_lib.c:163)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89dd0 is 0 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid free() / delete / delete[] / realloc()
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x639CD47: BN_clear_free (bn_lib.c:163)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6d59a90 is 0 bytes inside a block of size 512 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x639CD9F: BN_free (bn_lib.c:177)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639CE2C: bn_expand_internal (bn_lib.c:238)
==3387==    by 0x639CE2C: bn_expand2 (bn_lib.c:304)
==3387==    by 0x639FB2F: BN_mul (bn_mul.c:920)
==3387==    by 0x646FD80: rsa_builtin_keygen (rsa_gen.c:151)
==3387==    by 0x646FD80: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid read of size 4
==3387==    at 0x639CC60: BN_get_flags (bn_lib.c:967)
==3387==    by 0x639CD04: BN_clear_free (bn_lib.c:165)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89de4 is 20 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid write of size 8
==3387==    at 0x64C6295: OPENSSL_cleanse (x86_64cpuid.s:207)
==3387==    by 0x639CD13: BN_clear_free (bn_lib.c:166)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89dd0 is 0 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid write of size 8
==3387==    at 0x64C62A7: OPENSSL_cleanse (x86_64cpuid.s:211)
==3387==    by 0x639CD13: BN_clear_free (bn_lib.c:166)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89dd8 is 8 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Invalid free() / delete / delete[] / realloc()
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x646FFE0: RSA_free (rsa_lib.c:125)
==3387==    by 0x5079272: generate_key(char const*) (adb_auth_host.cpp:272)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Address 0x6b89dd0 is 0 bytes inside a block of size 24 free'd
==3387==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==3387==    by 0x5078B52: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==3387==    by 0x5078B52: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==3387==    by 0x50792D4: generate_key(char const*) (adb_auth_host.cpp:261)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387==  Block was alloc'd at
==3387==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==3387==    by 0x6447468: CRYPTO_zalloc (mem.c:107)
==3387==    by 0x639C2D9: BN_new (bn_lib.c:200)
==3387==    by 0x646FBC0: rsa_builtin_keygen (rsa_gen.c:72)
==3387==    by 0x646FBC0: RSA_generate_key_ex (rsa_gen.c:36)
==3387==    by 0x50790FB: generate_key(char const*) (adb_auth_host.cpp:242)
==3387==    by 0x5079C9F: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==3387==    by 0x507A432: adb_auth_init() (adb_auth_host.cpp:449)
==3387==    by 0x10FC8F: adb_server_main(int, int, int) (main.cpp:113)
==3387==    by 0x11430C: adb_commandline(int, char const**) (commandline.cpp:1595)
==3387==    by 0x5F5C2E0: (below main) (libc-start.c:291)
==3387== 
==3387== Thread 3:
==3387== Conditional jump or move depends on uninitialised value(s)
==3387==    at 0x4C2EDB8: strlen (vg_replace_strmem.c:454)
==3387==    by 0x4E4A0C5: pthread_setname_np (pthread_setname.c:38)
==3387==    by 0x5073E82: adb_thread_setname (sysdeps.h:771)
==3387==    by 0x5073E82: client_socket_thread(void*) (transport_local.cpp:130)
==3387==    by 0x507315B: adb_pthread_wrapper(void*) (sysdeps.h:721)
==3387==    by 0x4E3F493: start_thread (pthread_create.c:333)
==3387==    by 0x6024ACE: clone (clone.S:97)
==3387== 
==3387== Syscall param prctl(set-name) points to uninitialised byte(s)
==3387==    at 0x602530A: prctl (syscall-template.S:84)
==3387==    by 0x4E4A1A6: pthread_setname_np (pthread_setname.c:43)
==3387==    by 0x5073E82: adb_thread_setname (sysdeps.h:771)
==3387==    by 0x5073E82: client_socket_thread(void*) (transport_local.cpp:130)
==3387==    by 0x507315B: adb_pthread_wrapper(void*) (sysdeps.h:721)
==3387==    by 0x4E3F493: start_thread (pthread_create.c:333)
==3387==    by 0x6024ACE: clone (clone.S:97)
==3387==  Address 0x7f77ebf is on thread 3's stack
==3387==  in frame #2, created by client_socket_thread(void*) (sysdeps.h:129)
==3387== 
==3387== 
==3387== HEAP SUMMARY:
==3387==     in use at exit: 2,839 bytes in 41 blocks
==3387==   total heap usage: 6,296 allocs, 6,257 frees, 1,664,925 bytes allocated
==3387== 
==3387== LEAK SUMMARY:
==3387==    definitely lost: 48 bytes in 2 blocks
==3387==    indirectly lost: 0 bytes in 0 blocks
==3387==      possibly lost: 576 bytes in 2 blocks
==3387==    still reachable: 2,215 bytes in 37 blocks
==3387==         suppressed: 0 bytes in 0 blocks
==3387== Rerun with --leak-check=full to see details of leaked memory
==3387== 
==3387== For counts of detected and suppressed errors, rerun with: -v
==3387== Use --track-origins=yes to see where uninitialised values come from
==3387== ERROR SUMMARY: 77 errors from 14 contexts (suppressed: 0 from 0)



-------------


dpkg -i libssl1.1*_1.1.0h-4_amd64.deb
adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
gdb -q --args adb -P 5037 fork-server server --reply-fd 4

directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r1
set pagination off
set width 0
set height 0
b generate_key

run



-------------

Buster/Unstable:

apt install mc dpkg-dev devscripts strace gdb valgrind systemd-coredump libssl1.1-dbgsym

mkdir openssl/orig -p
cd openssl/orig
apt source openssl
cd ../..

# add unstable sources
apt update
apt install adb adb-dbgsym

mkdir android-platform-system-core/orig -p
cd    android-platform-system-core/orig/
apt source android-platform-system-core
cd ../..





adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)

valgrind adb -P 5037 fork-server server --reply-fd 4

==15414== Memcheck, a memory error detector
==15414== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==15414== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==15414== Command: adb -P 5037 fork-server server --reply-fd 4
==15414== 
==15414== Thread 3:
==15414== Conditional jump or move depends on uninitialised value(s)
==15414==    at 0x48389F8: __strlen_sse2 (vg_replace_strmem.c:460)
==15414==    by 0x485D92C: pthread_setname_np (pthread_setname.c:38)
==15414==    by 0x4889E52: adb_thread_setname (sysdeps.h:771)
==15414==    by 0x4889E52: client_socket_thread(void*) (transport_local.cpp:130)
==15414==    by 0x488912B: adb_pthread_wrapper(void*) (sysdeps.h:721)
==15414==    by 0x4851F29: start_thread (pthread_create.c:463)
==15414==    by 0x52DEEDE: clone (clone.S:95)
==15414== 
==15414== Syscall param prctl(set-name) points to uninitialised byte(s)
==15414==    at 0x52DFADA: prctl (syscall-template.S:78)
==15414==    by 0x485D9EE: pthread_setname_np (pthread_setname.c:43)
==15414==    by 0x4889E52: adb_thread_setname (sysdeps.h:771)
==15414==    by 0x4889E52: client_socket_thread(void*) (transport_local.cpp:130)
==15414==    by 0x488912B: adb_pthread_wrapper(void*) (sysdeps.h:721)
==15414==    by 0x4851F29: start_thread (pthread_create.c:463)
==15414==    by 0x52DEEDE: clone (clone.S:95)
==15414==  Address 0x6e48e9f is on thread 3's stack
==15414==  in frame #2, created by client_socket_thread(void*) (sysdeps.h:129)
==15414== 
==15414== Thread 1:
==15414== Invalid read of size 8
==15414==    at 0x5465CD2: BN_clear_free (bn_lib.c:160)
==15414==    by 0x5538FE0: RSA_free (rsa_lib.c:125)
==15414==    by 0x488F242: generate_key(char const*) (adb_auth_host.cpp:272)
==15414==    by 0x488FC87: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==15414==    by 0x4890412: adb_auth_init() (adb_auth_host.cpp:449)
==15414==    by 0x10FC5F: adb_server_main(int, int, int) (main.cpp:118)
==15414==    by 0x1143DC: adb_commandline(int, char const**) (commandline.cpp:1595)
==15414==    by 0x5209B16: (below main) (libc-start.c:310)
==15414==  Address 0x5a5ae40 is 0 bytes inside a block of size 24 free'd
==15414==    at 0x48369EB: free (vg_replace_malloc.c:530)
==15414==    by 0x488EB22: RSA_to_RSAPublicKey (adb_auth_host.cpp:113)
==15414==    by 0x488EB22: write_public_keyfile(rsa_st*, char const*) (adb_auth_host.cpp:176)
==15414==    by 0x488F2A4: generate_key(char const*) (adb_auth_host.cpp:261)
==15414==    by 0x488FC87: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==15414==    by 0x4890412: adb_auth_init() (adb_auth_host.cpp:449)
==15414==    by 0x10FC5F: adb_server_main(int, int, int) (main.cpp:118)
==15414==    by 0x1143DC: adb_commandline(int, char const**) (commandline.cpp:1595)
==15414==    by 0x5209B16: (below main) (libc-start.c:310)
==15414==  Block was alloc'd at
==15414==    at 0x48357BF: malloc (vg_replace_malloc.c:299)
==15414==    by 0x5510468: CRYPTO_zalloc (mem.c:107)
==15414==    by 0x54652D9: BN_new (bn_lib.c:200)
==15414==    by 0x5538BC0: rsa_builtin_keygen (rsa_gen.c:72)
==15414==    by 0x5538BC0: RSA_generate_key_ex (rsa_gen.c:36)
==15414==    by 0x488F0CB: generate_key(char const*) (adb_auth_host.cpp:242)
==15414==    by 0x488FC87: get_user_key(listnode*) [clone .constprop.25] (adb_auth_host.cpp:339)
==15414==    by 0x4890412: adb_auth_init() (adb_auth_host.cpp:449)
==15414==    by 0x10FC5F: adb_server_main(int, int, int) (main.cpp:118)
==15414==    by 0x1143DC: adb_commandline(int, char const**) (commandline.cpp:1595)
==15414==    by 0x5209B16: (below main) (libc-start.c:310)
==15414== 
==15414== Invalid read of size 4
...


adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
gdb -q --args adb -P 5037 fork-server server --reply-fd 4

set pagination off
set width 0
set height 0
directory /root/openssl/orig/openssl-1.1.0h/crypto
directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33
run

root@debian:~# gdb -q --args adb -P 5037 fork-server server --reply-fd 4
Reading symbols from adb...Reading symbols from /usr/lib/debug/.build-id/86/41853079092aedfdf921fa89d7984193a8b45e.debug...done.
done.
(gdb) set pagination off
(gdb) set width 0
(gdb) set height 0
(gdb) run
Starting program: /usr/bin/adb -P 5037 fork-server server --reply-fd 4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6dc9700 (LWP 15426)]
[New Thread 0x7ffff65c8700 (LWP 15427)]
free(): invalid next size (fast)

Thread 1 "adb" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff74a42f1 in __GI_abort () at abort.c:79
#2  0x00007ffff74e5867 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff75ef273 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff74ebe0a in malloc_printerr (str=str@entry=0x7ffff75f0ef0 "free(): invalid next size (fast)") at malloc.c:5350
#4  0x00007ffff74ed6b8 in _int_free (av=0x7ffff7624c40 <main_arena>, p=0x555555794730, have_lock=<optimized out>) at malloc.c:4213
#5  0x00007ffff709dd48 in BN_clear_free (a=0x5555557888a0) at ../crypto/bn/bn_lib.c:163
#6  0x00007ffff7170fe1 in RSA_free (r=r@entry=0x555555788410) at ../crypto/rsa/rsa_lib.c:125
#7  0x00007ffff7d98243 in generate_key (file=file@entry=0x7fffffffb500 "/root/.android/adbkey") at adb/adb_auth_host.cpp:272
#8  0x00007ffff7d98c88 in get_user_key (list=0x7ffff7fa5d30 <key_list>) at adb/adb_auth_host.cpp:339
#9  0x00007ffff7d99413 in adb_auth_init () at adb/adb_auth_host.cpp:449
#10 0x000055555555bc60 in adb_server_main (is_daemon=is_daemon@entry=1, server_port=server_port@entry=5037, ack_reply_fd=ack_reply_fd@entry=4) at adb/client/main.cpp:118
#11 0x00005555555603dd in adb_commandline (argc=<optimized out>, argv=0x7fffffffed00) at adb/commandline.cpp:1595
#12 0x00007ffff748fb17 in __libc_start_main (main=0x555555559ac0 <main(int, char**)>, argc=7, argv=0x7fffffffecc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffecb8) at ../csu/libc-start.c:310
#13 0x0000555555559b4a in _start ()


(gdb) list BN_clear_free
152
153     void BN_clear_free(BIGNUM *a)
154     {
155         int i;
156
157         if (a == NULL)
158             return;
159         bn_check_top(a);
160         if (a->d != NULL) {
161             OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
162             if (!BN_get_flags(a, BN_FLG_STATIC_DATA))
163                 bn_free_d(a);
164         }
165         i = BN_get_flags(a, BN_FLG_MALLOCED);
166         OPENSSL_cleanse(a, sizeof(*a));
167         if (i)
168             OPENSSL_free(a);
169     }

(gdb) list RSA_free
101
102     void RSA_free(RSA *r)
103     {
104         int i;
105
106         if (r == NULL)
107             return;
108
109         CRYPTO_atomic_add(&r->references, -1, &i, r->lock);
110         REF_PRINT_COUNT("RSA", r);
111         if (i > 0)
112             return;
113         REF_ASSERT_ISNT(i < 0);
114
115         if (r->meth->finish)
116             r->meth->finish(r);
117     #ifndef OPENSSL_NO_ENGINE
118         ENGINE_finish(r->engine);
119     #endif
120
121         CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
122
123         CRYPTO_THREAD_lock_free(r->lock);
124
125         BN_clear_free(r->n);
126         BN_clear_free(r->e);
127         BN_clear_free(r->d);
128         BN_clear_free(r->p);
129         BN_clear_free(r->q);
130         BN_clear_free(r->dmp1);
131         BN_clear_free(r->dmq1);
132         BN_clear_free(r->iqmp);
133         BN_BLINDING_free(r->blinding);
134         BN_BLINDING_free(r->mt_blinding);
135         OPENSSL_free(r->bignum_data);
136         OPENSSL_free(r);
137     }

(gdb) list generate_key
224
225     static int generate_key(const char *file)
226     {
227         EVP_PKEY* pkey = EVP_PKEY_new();
228         BIGNUM* exponent = BN_new();
229         RSA* rsa = RSA_new();
230         mode_t old_mask;
231         FILE *f = NULL;
232         int ret = 0;
233
234         D("generate_key '%s'", file);
235
236         if (!pkey || !exponent || !rsa) {
237             D("Failed to allocate key");
238             goto out;
239         }
240
241         BN_set_word(exponent, RSA_F4);
242         RSA_generate_key_ex(rsa, 2048, exponent, NULL);
243         EVP_PKEY_set1_RSA(pkey, rsa);
244
245         old_mask = umask(077);
246
247         f = fopen(file, "w");
248         if (!f) {
249             D("Failed to open '%s'", file);
250             umask(old_mask);
251             goto out;
252         }
253
254         umask(old_mask);
255
256         if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) {
257             D("Failed to write key");
258             goto out;
259         }
260
261         if (!write_public_keyfile(rsa, file)) {
262             D("Failed to write public key");
263             goto out;
264         }
265
266         ret = 1;
267
268     out:
269         if (f)
270             fclose(f);
271         EVP_PKEY_free(pkey);
272         RSA_free(rsa);
273         BN_free(exponent);
274         return ret;
275     }
276


(gdb) list write_public_keyfile
160
161     static int write_public_keyfile(RSA *private_key, const char *private_key_path)
162     {
163         RSAPublicKey pkey;
164         FILE *outfile = NULL;
165         char path[PATH_MAX], info[MAX_PAYLOAD_V1];
166         uint8_t* encoded = nullptr;
167         size_t encoded_length;
168         int ret = 0;
169
170         if (snprintf(path, sizeof(path), "%s.pub", private_key_path) >=
171             (int)sizeof(path)) {
172             D("Path too long while writing public key");
173             return 0;
174         }
175
176         if (!RSA_to_RSAPublicKey(private_key, &pkey)) {
177             D("Failed to convert to publickey");
178             return 0;
179         }
180
181         outfile = fopen(path, "w");
182         if (!outfile) {
183             D("Failed to open '%s'", path);
184             return 0;
185         }
186
187         D("Writing public key to '%s'", path);
188
189     #if defined(OPENSSL_IS_BORINGSSL)
190         if (!EVP_EncodedLength(&encoded_length, sizeof(pkey))) {
191             D("Public key too large to base64 encode");
192             goto out;
193         }
194     #else
195         /* While we switch from OpenSSL to BoringSSL we have to implement
196          * |EVP_EncodedLength| here. */
197         encoded_length = 1 + ((sizeof(pkey) + 2) / 3 * 4);
198     #endif
199
200         encoded = new uint8_t[encoded_length];
201         if (encoded == nullptr) {
202             D("Allocation failure");
203             goto out;
204         }
205
206         encoded_length = EVP_EncodeBlock(encoded, (uint8_t*) &pkey, sizeof(pkey));
207         get_user_info(info, sizeof(info));
208
209         if (fwrite(encoded, encoded_length, 1, outfile) != 1 ||
210             fwrite(info, strlen(info), 1, outfile) != 1) {
211             D("Write error while writing public key");
212             goto out;
213         }
214
215         ret = 1;
216
217      out:
218         if (outfile != NULL) {
219             fclose(outfile);
220         }
221         delete[] encoded;
222         return ret;
223     }


(gdb) list RSA_to_RSAPublicKey
75      static int RSA_to_RSAPublicKey(RSA *rsa, RSAPublicKey *pkey)
76      {
77          int ret = 1;
78          unsigned int i;
79
80          BN_CTX* ctx = BN_CTX_new();
81          BIGNUM* r32 = BN_new();
82          BIGNUM* rr = BN_new();
83          BIGNUM* r = BN_new();
84          BIGNUM* rem = BN_new();
85          BIGNUM* n = BN_new();
86          BIGNUM* n0inv = BN_new();
87          BIGNUM* e = BN_new();
88
89          if (RSA_size(rsa) != RSANUMBYTES) {
90              ret = 0;
91              goto out;
92          }
93
94          BN_set_bit(r32, 32);
95          RSA_get0_key(rsa, &n, &e, NULL);
96          BN_set_bit(r, RSANUMWORDS * 32);
97          BN_mod_sqr(rr, r, n, ctx);
98          BN_div(NULL, rem, n, r32, ctx);
99          BN_mod_inverse(n0inv, rem, r32, ctx);
100
101         pkey->len = RSANUMWORDS;
102         pkey->n0inv = 0 - BN_get_word(n0inv);
103         for (i = 0; i < RSANUMWORDS; i++) {
104             BN_div(rr, rem, rr, r32, ctx);
105             pkey->rr[i] = BN_get_word(rem);
106             BN_div(n, rem, n, r32, ctx);
107             pkey->n[i] = BN_get_word(rem);
108         }
109         pkey->exponent = BN_get_word(e);
110
111     out:
112         BN_free(n0inv);
113         BN_free(n);
114         BN_free(rem);
115         BN_free(r);
116         BN_free(rr);
117         BN_free(r32);
118         BN_CTX_free(ctx);
119
120         return ret;
121     }


(gdb) list RSA_get0_key
238
239     void RSA_get0_key(const RSA *r,
240                       const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
241     {
242         if (n != NULL)
243             *n = r->n;
244         if (e != NULL)
245             *e = r->e;
246         if (d != NULL)
247             *d = r->d;
248     }
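The listings above show the defect behind every Valgrind report: RSA_to_RSAPublicKey allocates fresh BIGNUMs for n and e (lines 85 and 87), RSA_get0_key then overwrites those pointers with the RSA's own internal n and e (line 95, a borrowed reference, which is what the "0" in get0 means), and the cleanup at lines 112-113 frees what now belongs to the RSA. RSA_free later frees the same BIGNUMs again at rsa_lib.c:125-126, which is the "Invalid free()" on a block freed at adb_auth_host.cpp:113. The two BN_new() results are leaked as a side effect. The following is an added example, not code from this bug report, from adb or from OpenSSL: it models the ownership rule with small stand-in types (BN_MODEL, RSA_MODEL, rsa_get0_key and the other names are hypothetical) and an instrumented free that counts instead of corrupting the heap, so the buggy pattern and the corrected one can be compared side by side.

```c
/* Added example: models the get0 ownership bug diagnosed above with
 * simplified stand-in types. Not OpenSSL code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned long word;   /* stands in for the BIGNUM's limbs */
    int freed;            /* instrumentation: how many times freed */
} BN_MODEL;

typedef struct {
    BN_MODEL *n;
    BN_MODEL *e;
} RSA_MODEL;

/* Every BN ever created is recorded so leaks and double frees can be
 * counted afterwards, the way Valgrind reports them, without crashing. */
#define MAX_TRACKED 16
static BN_MODEL *tracked[MAX_TRACKED];
static int ntracked;

static void model_reset(void) {
    for (int i = 0; i < ntracked; i++) free(tracked[i]);
    ntracked = 0;
}

static BN_MODEL *bn_new(unsigned long word) {
    BN_MODEL *b = calloc(1, sizeof *b);
    if (!b || ntracked == MAX_TRACKED) abort();
    b->word = word;
    tracked[ntracked++] = b;
    return b;
}

/* Like BN_free(), except a second free is recorded rather than performed. */
static void bn_free(BN_MODEL *b) {
    if (b) b->freed++;
}

static RSA_MODEL *rsa_new_with_key(unsigned long n, unsigned long e) {
    RSA_MODEL *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->n = bn_new(n);
    r->e = bn_new(e);
    return r;
}

/* Mirrors RSA_get0_key(): the caller receives the RSA's internal pointers
 * and does not own them. */
static void rsa_get0_key(const RSA_MODEL *r, const BN_MODEL **n, const BN_MODEL **e) {
    if (n) *n = r->n;
    if (e) *e = r->e;
}

/* Mirrors RSA_free(): the RSA frees its own n and e (rsa_lib.c:125-126). */
static void rsa_free(RSA_MODEL *r) {
    if (!r) return;
    bn_free(r->n);
    bn_free(r->e);
    free(r);
}

/* The pattern from adb_auth_host.cpp lines 85, 87, 95 and 112-113. The cast
 * needed to hand a non-const BN_MODEL** to get0 is itself the warning sign. */
static void to_public_key_buggy(RSA_MODEL *rsa, unsigned long *out_n, unsigned long *out_e) {
    BN_MODEL *n = bn_new(0);          /* leaked once get0 overwrites n */
    BN_MODEL *e = bn_new(0);          /* leaked once get0 overwrites e */
    rsa_get0_key(rsa, (const BN_MODEL **)&n, (const BN_MODEL **)&e);
    *out_n = n->word;
    *out_e = e->word;
    bn_free(n);                       /* frees rsa->n; rsa_free() frees it again */
    bn_free(e);
}

/* Corrected pattern: borrow const pointers, allocate nothing, free nothing. */
static void to_public_key_fixed(RSA_MODEL *rsa, unsigned long *out_n, unsigned long *out_e) {
    const BN_MODEL *n = NULL;
    const BN_MODEL *e = NULL;
    rsa_get0_key(rsa, &n, &e);
    *out_n = n->word;
    *out_e = e->word;
}

typedef struct { int double_frees; int leaks; } audit_t;

/* Run one conversion followed by rsa_free(), then audit every tracked BN. */
static audit_t audit(void (*convert)(RSA_MODEL *, unsigned long *, unsigned long *)) {
    audit_t a = {0, 0};
    unsigned long n, e;
    model_reset();
    RSA_MODEL *rsa = rsa_new_with_key(0xC0FFEEUL, 65537UL);  /* constructed sample values */
    convert(rsa, &n, &e);
    rsa_free(rsa);
    for (int i = 0; i < ntracked; i++) {
        if (tracked[i]->freed > 1) a.double_frees++;
        if (tracked[i]->freed == 0) a.leaks++;
    }
    return a;
}

int main(void) {
    audit_t b = audit(to_public_key_buggy);
    audit_t f = audit(to_public_key_fixed);
    printf("buggy: %d double frees, %d leaks\n", b.double_frees, b.leaks);
    printf("fixed: %d double frees, %d leaks\n", f.double_frees, f.leaks);
    model_reset();
    return 0;
}
```

The buggy path reports two double frees (the RSA's n and e) and two leaks (the throwaway BN_new() results), matching the shape of the Valgrind output above; the fixed path reports none. The same rule applies to the real API: pointers obtained through any OpenSSL get0 accessor are owned by the parent object and must not be passed to a free function.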




---------------

apt install android-libunwind-dev dh-exec libsafe-iop-dev libssl-dev pandoc zlib1g-dev googletest
apt install android-libext4-utils-dev android-libf2fs-utils-dev

cp orig/ try1 -a
dpkg-buildpackage -b

include/backtrace/Backtrace.h:70:18: error: conflicting declaration ‘typedef struct ucontext ucontext_t’
 typedef ucontext ucontext_t;
                  ^~~~~~~~~~

--> maybe with full Debian unstable

#############
#############
#############

# unstable

apt update
apt dist-upgrade
apt install mc dpkg-dev devscripts quilt strace gdb valgrind systemd-coredump adb adb-dbgsym android-libadb-dbgsym libssl1.1-dbgsym
apt build-dep android-platform-system-core

mkdir openssl/orig -p
cd openssl/orig
apt source openssl
cd ../..

mkdir android-platform-system-core/orig -p
cd    android-platform-system-core/orig/
apt source android-platform-system-core
cd ../..



adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
gdb -q --args adb -P 5037 fork-server server --reply-fd 4

set pagination off
set width 0
set height 0
directory /root/openssl/orig/openssl-1.1.1/crypto
directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33
run

root@debian:~# gdb -q --args adb -P 5037 fork-server server --reply-fd 4
Reading symbols from adb...Reading symbols from /usr/lib/debug/.build-id/86/41853079092aedfdf921fa89d7984193a8b45e.debug...done.
done.
(gdb) set pagination off
(gdb) set width 0
(gdb) set height 0
(gdb) directory /root/openssl/orig/openssl-1.1.1/crypto
Source directories searched: /root/openssl/orig/openssl-1.1.1/crypto:$cdir:$cwd
(gdb) directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33
Source directories searched: /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33:/root/openssl/orig/openssl-1.1.1/crypto:$cdir:$cwd
(gdb) run
Starting program: /usr/bin/adb -P 5037 fork-server server --reply-fd 4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6f73700 (LWP 24142)]
[New Thread 0x7ffff6772700 (LWP 24143)]
free(): invalid next size (fast)

Thread 1 "adb" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff74a42f1 in __GI_abort () at abort.c:79
#2  0x00007ffff74e5867 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff75ef273 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff74ebe0a in malloc_printerr (str=str@entry=0x7ffff75f0ef0 "free(): invalid next size (fast)") at malloc.c:5350
#4  0x00007ffff74ed6b8 in _int_free (av=0x7ffff7624c40 <main_arena>, p=0x5555557a2fe0, have_lock=<optimized out>) at malloc.c:4213
#5  0x00007ffff725ad10 in BN_clear_free (a=0x555555788890) at ../crypto/bn/bn_lib.c:160
#6  0x00007ffff7345307 in RSA_free (r=0x555555788410) at ../crypto/rsa/rsa_lib.c:128
#7  0x00007ffff7d98243 in generate_key (file=file@entry=0x7fffffffb500 "/root/.android/adbkey") at adb/adb_auth_host.cpp:272
#8  0x00007ffff7d98c88 in get_user_key (list=0x7ffff7fa5d30 <key_list>) at adb/adb_auth_host.cpp:339
#9  0x00007ffff7d99413 in adb_auth_init () at adb/adb_auth_host.cpp:449
#10 0x000055555555bc60 in adb_server_main (is_daemon=is_daemon@entry=1, server_port=server_port@entry=5037, ack_reply_fd=ack_reply_fd@entry=4) at adb/client/main.cpp:118
#11 0x00005555555603dd in adb_commandline (argc=<optimized out>, argv=0x7fffffffed00) at adb/commandline.cpp:1595
#12 0x00007ffff748fb17 in __libc_start_main (main=0x555555559ac0 <main(int, char**)>, argc=7, argv=0x7fffffffecc8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffecb8) at ../csu/libc-start.c:310
#13 0x0000555555559b4a in _start ()



cd /root/android-platform-system-core
cp orig/ try1 -a
cd try1/android-platform-system-core-7.0.0+r33/
mc -e ./adb/adb_auth_host.cpp
dpkg-source --commit
dpkg-buildpackage -b

In file included from libbacktrace/Backtrace.cpp:27:
include/backtrace/Backtrace.h:70:18: error: conflicting declaration ‘typedef struct ucontext ucontext_t’
 typedef ucontext ucontext_t;
                  ^~~~~~~~~~
In file included from /usr/include/ucontext.h:26,
                 from libbacktrace/Backtrace.cpp:21:
/usr/include/x86_64-linux-gnu/sys/ucontext.h:150:5: note: previous declaration as ‘typedef struct ucontext_t ucontext_t’
   } ucontext_t;
     ^~~~~~~~~~
libbacktrace/Backtrace.cpp: In member function ‘std::__cxx11::string Backtrace::GetErrorString(BacktraceUnwindError)’:
libbacktrace/Backtrace.cpp:155:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^

 
 
#############
#############
#############

# Stretch

apt update
apt dist-upgrade
apt install mc dpkg-dev devscripts quilt strace gdb valgrind systemd-coredump adb adb-dbgsym android-libadb-dbgsym libssl1.1-dbgsym
apt build-dep android-platform-system-core

mkdir openssl/orig -p
cd openssl/orig
apt source openssl
cd ../..

mkdir android-platform-system-core/orig -p
cd    android-platform-system-core/orig/
apt source android-platform-system-core
cd ../..



adb kill-server
mv .android old.android_$(date +%Y-%m-%d_%H-%M-%S)
gdb -q --args adb -P 5037 fork-server server --reply-fd 4

set pagination off
set width 0
set height 0
directory /root/openssl/orig/openssl-1.1.0f/crypto
directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33
run



root@debian:~# gdb -q --args adb -P 5037 fork-server server --reply-fd 4
Reading symbols from adb...Reading symbols from /usr/lib/debug/.build-id/39/4b35d811e3d13584aa0540425cfc896c597a36.debug...done.
done.
(gdb) set pagination off
(gdb) set width 0
(gdb) set height 0
(gdb) directory /root/openssl/orig/openssl-1.1.0f/crypto
Source directories searched: /root/openssl/orig/openssl-1.1.0f/crypto:$cdir:$cwd
(gdb) directory /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33
Source directories searched: /root/android-platform-system-core/orig/android-platform-system-core-7.0.0+r33:/root/openssl/orig/openssl-1.1.0f/crypto:$cdir:$cwd
(gdb) run
Starting program: /usr/bin/adb -P 5037 fork-server server --reply-fd 4
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6097700 (LWP 14666)]
[New Thread 0x7ffff5896700 (LWP 14667)]
adb: malloc.c:3760: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.

Thread 1 "adb" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff696b42a in __GI_abort () at abort.c:89
#2  0x00007ffff69ad9f8 in __malloc_assert (assertion=assertion@entry=0x7ffff6a9d298 "(unsigned long) (size) >= (unsigned long) (nb)", file=file@entry=0x7ffff6a99847 "malloc.c", line=line@entry=3760, function=function@entry=0x7ffff6a9d8a8 <__func__.11501> "_int_malloc") at malloc.c:301
#3  0x00007ffff69b0729 in _int_malloc (av=av@entry=0x7ffff6cd0b00 <main_arena>, bytes=bytes@entry=32) at malloc.c:3760
#4  0x00007ffff69b1f64 in __GI___libc_malloc (bytes=32) at malloc.c:2928
#5  0x00007ffff660fa5e in CRYPTO_zalloc (num=num@entry=32, file=file@entry=0x7ffff66977ac "../crypto/buffer/buffer.c", line=line@entry=35) at ../crypto/mem.c:100
#6  0x00007ffff6576c0a in BUF_MEM_new () at ../crypto/buffer/buffer.c:35
#7  0x00007ffff6621ddb in PEM_read_bio (bp=bp@entry=0x5555557881a0, name=name@entry=0x7fffffffae58, header=header@entry=0x7fffffffae60, data=data@entry=0x7fffffffae68, len=len@entry=0x7fffffffae70) at ../crypto/pem/pem_lib.c:681
#8  0x00007ffff6622686 in PEM_bytes_read_bio (pdata=pdata@entry=0x7fffffffaf00, plen=plen@entry=0x7fffffffaf08, pnm=pnm@entry=0x7fffffffaef0, name=<optimized out>, name@entry=0x7ffff66bc9c1 "ANY PRIVATE KEY", bp=bp@entry=0x5555557881a0, cb=cb@entry=0x0, u=0x0) at ../crypto/pem/pem_lib.c:242
#9  0x00007ffff6623339 in PEM_read_bio_PrivateKey (bp=bp@entry=0x5555557881a0, x=x@entry=0x0, cb=cb@entry=0x0, u=u@entry=0x0) at ../crypto/pem/pem_pkey.c:35
#10 0x00007ffff662388c in PEM_read_PrivateKey (fp=fp@entry=0x5555557893c0, x=x@entry=0x0, cb=cb@entry=0x0, u=u@entry=0x0) at ../crypto/pem/pem_pkey.c:175
#11 0x00007ffff661fa9b in PEM_read_RSAPrivateKey (fp=fp@entry=0x5555557893c0, rsa=rsa@entry=0x555555787e80, cb=cb@entry=0x0, u=u@entry=0x0) at ../crypto/pem/pem_all.c:76
#12 0x00007ffff79ad477 in read_key (file=file@entry=0x7fffffffb4d0 "/root/.android/adbkey", list=0x7ffff7bbbd30 <key_list>) at adb/adb_auth_host.cpp:290
#13 0x00007ffff79aeb4b in get_user_key (list=0x7ffff7bbbd30 <key_list>) at adb/adb_auth_host.cpp:345
#14 0x00007ffff79af413 in adb_auth_init () at adb/adb_auth_host.cpp:449
#15 0x000055555555bc60 in adb_server_main (is_daemon=is_daemon@entry=1, server_port=server_port@entry=5037, ack_reply_fd=ack_reply_fd@entry=4) at adb/client/main.cpp:118
#16 0x00005555555603dd in adb_commandline (argc=<optimized out>, argv=0x7fffffffecd0) at adb/commandline.cpp:1595
#17 0x00007ffff69572e1 in __libc_start_main (main=0x555555559ac0 <main(int, char**)>, argc=7, argv=0x7fffffffec98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffec88) at ../csu/libc-start.c:291
#18 0x0000555555559b4a in _start ()



cd /root/android-platform-system-core
cp orig/ try1 -a
cd try1/android-platform-system-core-7.0.0+r33/
mc -e ./adb/adb_auth_host.cpp
dpkg-source --commit
dpkg-buildpackage -b



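The RSA_to_RSAPublicKey() listing above (lines 96-109 in the gdb output) turns an OpenSSL modulus into what the device-side verifier expects: n and rr = R^2 mod n stored as little-endian 32-bit words, and n0inv = -n^-1 mod 2^32, with R = 2^(32*RSANUMWORDS). The block below is an added example, not code from adb, OpenSSL or this post: it redoes that arithmetic with Python integers so it runs without libcrypto, and then spends the three fields the way the verifier does, in a word-serial Montgomery multiplication modelled on libmincrypt's montMulAdd(), to confirm they are consistent. The 64-bit toy modulus, the two-word size and the function names are constructed for the illustration; adb itself uses 2048-bit keys (RSANUMWORDS = 64), and the arithmetic is the same.

```python
# Added example, not code from adb, OpenSSL or the mailing-list post: redo the
# arithmetic of adb's RSA_to_RSAPublicKey() with plain Python integers and then
# consume the result the way the device side does.  The modulus, the two-word
# key size and all function names are constructed for the illustration.

WORD_BITS = 32
WORD_MASK = (1 << WORD_BITS) - 1


def to_words(x: int, num_words: int) -> list:
    """Repeated BN_div(x, rem, x, r32): x as little-endian 32-bit words."""
    words = []
    for _ in range(num_words):
        x, rem = divmod(x, 1 << WORD_BITS)
        words.append(rem)
    return words


def from_words(words: list) -> int:
    return sum(w << (WORD_BITS * i) for i, w in enumerate(words))


def rsa_to_android_pubkey(n: int, e: int, num_words: int) -> dict:
    """The fields RSA_to_RSAPublicKey() fills, from a modulus n and exponent e.

    r32   = 2^32
    r     = 2^(32 * num_words)        Montgomery radix R
    rr    = R^2 mod n                 used to enter Montgomery form
    n0inv = -(n^-1) mod 2^32          stored as an unsigned 32-bit word
    """
    if n.bit_length() > num_words * WORD_BITS or n % 2 == 0:
        raise ValueError("modulus must be odd and fit in num_words words")
    r32 = 1 << WORD_BITS
    r = 1 << (WORD_BITS * num_words)
    rr = (r * r) % n                                  # BN_mod_sqr(rr, r, n, ctx)
    n0inv_pos = pow(n % r32, -1, r32)                 # BN_mod_inverse(n0inv, n mod r32, r32)
    return {
        "len": num_words,
        "n0inv": (0 - n0inv_pos) & WORD_MASK,         # pkey->n0inv = 0 - BN_get_word(n0inv)
        "n": to_words(n, num_words),                  # the C loop divides n in place to get these
        "rr": to_words(rr, num_words),
        "exponent": e,
    }


def check_pubkey(pk: dict, n: int) -> bool:
    """The invariants the derived fields must satisfy for modulus n."""
    r32 = 1 << WORD_BITS
    r = 1 << (WORD_BITS * pk["len"])
    return (from_words(pk["n"]) == n
            and (n * pk["n0inv"] + 1) % r32 == 0       # n * n0inv == -1 (mod 2^32)
            and from_words(pk["rr"]) == (r * r) % n)


def mont_mul(pk: dict, a: list, b: list) -> list:
    """a * b * R^-1 mod n, word-serially, using only n, n0inv and 32-bit words.

    Same structure as libmincrypt's montMulAdd(); written from scratch here.
    Requires from_words(b) < n; returns a canonical result in [0, n).
    """
    n_words, n0inv, num = pk["n"], pk["n0inv"], pk["len"]
    n_int, r = from_words(n_words), 1 << (WORD_BITS * num)
    c = [0] * num
    for ai in a:
        A = ai * b[0] + c[0]
        d0 = (A * n0inv) & WORD_MASK                  # makes the low word of c + ai*b + d0*n zero
        B = d0 * n_words[0] + (A & WORD_MASK)
        for i in range(1, num):
            A = (A >> WORD_BITS) + ai * b[i] + c[i]
            B = (B >> WORD_BITS) + d0 * n_words[i] + (A & WORD_MASK)
            c[i - 1] = B & WORD_MASK
        A = (A >> WORD_BITS) + (B >> WORD_BITS)
        c[num - 1] = A & WORD_MASK
        if A >> WORD_BITS:                            # carry out of the top word: value >= R
            c = to_words((from_words(c) - n_int) % r, num)
    if from_words(c) >= n_int:                        # result is < 2n, one subtraction suffices
        c = to_words(from_words(c) - n_int, num)
    return c


def mont_modexp(pk: dict, base: int, exp: int) -> int:
    """base^exp mod n by Montgomery square-and-multiply, which is what the fields exist for."""
    num = pk["len"]
    one = to_words(1, num)
    acc = mont_mul(pk, one, pk["rr"])                 # 1 * R^2 * R^-1 = R mod n
    bm = mont_mul(pk, to_words(base, num), pk["rr"])  # base * R mod n
    for bit in bin(exp)[2:]:
        acc = mont_mul(pk, acc, acc)
        if bit == "1":
            acc = mont_mul(pk, acc, bm)
    return from_words(mont_mul(pk, acc, one))         # leave Montgomery form


# Constructed toy key: product of two 32-bit primes, 2 words.  adb uses 2048-bit
# keys (RSANUMWORDS = 64); the arithmetic is identical.
TOY_N = 4294967291 * 4294967279
TOY_E = 65537
TOY_PK = rsa_to_android_pubkey(TOY_N, TOY_E, 2)

if __name__ == "__main__":
    print("invariants hold:", check_pubkey(TOY_PK, TOY_N))
    m = 0x1234567890ABCDEF
    print("montgomery == pow():", mont_modexp(TOY_PK, m, TOY_E) == pow(m, TOY_E, TOY_N))
```

Two points the arithmetic makes about the crash. The loop BN_div(n, rem, n, r32, ctx) divides n in place until nothing is left, so the function has to work on its own copy of the modulus. With OpenSSL 1.1 the RSA struct is opaque and RSA_get0_key(), listed above, hands back pointers to the object's own n, e and d rather than copies; a caller that stores such a pointer in the local n and then reaches the BN_free(n) at the out: label frees memory that RSA_free() will free again, which fits the BN_clear_free() frame under RSA_free() in the backtraces. The copy should be made with BN_dup() (or BN_copy() into a BN_new()'d BIGNUM) and only that copy freed.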