Your message dated Fri, 25 Apr 2025 22:29:26 +1000
with message-id 
<CAOA=VS+B7D33POYfJ1K6fVvHQ-MEYb=-p8ns5xvt5serw1c...@mail.gmail.com>
and subject line Re: Bug#1103909: libnuma1: free(): invalid pointer in 
set_nodemask_size
has caused the Debian Bug report #1103909,
regarding libnuma1: free(): invalid pointer in set_nodemask_size
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1103909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103909
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnuma1
Version: 2.0.16-1
Severity: important
Tags: upstream

Dear Maintainer,

The version of libnuma1 in Debian stable has a memory corruption bug
that triggers simply from the library being loaded via dlopen(), which
happens frequently as libnuma1 is a depdendency of many other libraries.

This is fixed upstream in v2.0.19 via the following patch:
https://github.com/numactl/numactl/commit/f9deba0c8404529772468d6dd01389f7dbfa5ba9

Would it be possible to backport this patch to stable?

Thank you.

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.12+bpo-amd64 (SMP w/80 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libnuma1 depends on:
ii  libc6  2.36-9+deb12u10

libnuma1 recommends no packages.

libnuma1 suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Package: numactl
Version: 2.0.19-1

OK, well thanks for prompting me to update, anyway.  I think let's
mark this as done for now.

-i

On Thu, 24 Apr 2025 at 06:15, Richard Stanway
<[email protected]> wrote:
>
> Hi Ian,
> Thanks for the quick response! Unfortunately it seems I may have
> jumped the gun here - I saw the bugfix commit specifically mentioned
> mimalloc which I am also trying to use and running into segfaults,
> however after further debugging and testing I have been able to
> reproduce my mimalloc-related segfaults in a program without libnuma
> loaded, so my issue is unrelated to libnuma and more likely caused by
> the mimalloc library override functions not covering enough of glibc.
>
> While the libnuma commit does fix a legitimate memory corruption
> issue, the realloc code path that the bug is in seems to only be used
> as a fallback, so I suspect this is only affecting programs like
> Firefox that have sandboxing or similar security mechanisms in place
> to prevent libnuma from reading /proc/self/status. Due to this limited
> impact, backporting it to stable is not as important as I thought it
> was as most programs will never hit the bug.
>
> Regards,
> Richard
>
> On Wed, 23 Apr 2025 at 07:26, Ian Wienand <[email protected]> wrote:
> >
> > On Wed, 23 Apr 2025 at 04:12, Richard Stanway
> > <[email protected]> wrote:
> > > Would it be possible to backport this patch to stable?
> >
> > It may be possible :)  I've at least updated unstable to 2.0.19 now to
> > include this.
> >
> > For us to file a bug at release.debian.org for a stable update we'll
> > have to be quite clear about the issue and it's effect.    I will
> > admit from inspection it seems small and quite clear, but still good
> > to have all the information here.
> >
> > The original code [1] is not new, and I guess it took some time to be
> > noticed.  So on one side of the argument, it's been like this for a
> > long time.
> >
> > On the other side, the fix [2] references playing videos on Firefox.
> > Has this caused other known issues; can we add any links to related
> > bugs?
> >
> > -i
> >
> > [1] 
> > https://github.com/numactl/numactl/commit/ef967ac82a7314adae0822353ba8bc904929628e
> > [2] 
> > https://github.com/numactl/numactl/commit/f9deba0c8404529772468d6dd01389f7dbfa5ba9

--- End Message ---

Reply via email to