Source: kalign
Version: 1:3.4.0-1
Severity: important
Tags: upstream
User: [email protected]
Usertags: glibc-2.43
Dear maintainer,
kalign autopkgtest fails when run against libc 2.43, currently in
experimental. From the autopkgtest log:
| 16s autopkgtest [07:28:25]: test run-unit-test: [-----------------------
| 16s TEST 1: Passing sequences via stdin
| 16s TEST 3: Combining multiple input files
| 16s /usr/bin/kalign: line 7: 2006 Segmentation fault "${cmd}" "$@"
| 16s autopkgtest [07:28:25]: test run-unit-test: -----------------------]
...
| 16s autopkgtest [07:28:25]: @@@@@@@@@@@@@@@@@@@@ summary
| 16s run-unit-test FAIL non-zero exit status 139
The problem happens in the bpm_block function:
| #0 bpm_block (t=0x560378764ba0 "\002\003\t\004\001\002\t\002\a\004\006\b\005\a\b\003\003\b\t\004\006\002\001\003", p=<optimized out>, n=<optimized out>, m=<optimized out>) at ./lib/src/bpm.c:490
| #1 0x00005603684f6d7a in calc_distance (seq_a=<optimized out>, seq_b=<optimized out>, len_a=<optimized out>, len_b=len_b@entry=1034) at ./lib/src/sequence_distance.c:182
| #2 0x00005603684f6ec6 in d_estimation._omp_fn.0 () at ./lib/src/sequence_distance.c:143
| #3 0x00007f203b48b226 in GOMP_parallel (fn=0x5603684f6d90 <d_estimation._omp_fn.0>, data=0x7ffdb080daf0, num_threads=4, flags=0) at ../../../src/libgomp/parallel.c:178
| #4 0x00005603684f70cd in d_estimation (msa=msa@entry=0x560378760930, samples=samples@entry=0x5603787585f0, num_samples=4, pair=pair@entry=0) at ./lib/src/sequence_distance.c:131
| #5 0x00005603684f5dcc in build_tree_kmeans (msa=msa@entry=0x560378760930, tasks=tasks@entry=0x7ffdb080dc08) at ./lib/src/bisectingKmeans.c:106
| #6 0x00005603684e917e in kalign_run (msa=0x560378760930, n_threads=4, type=5, gpo=-1, gpe=-1, tgpe=-1) at ./lib/src/aln_wrap.c:88
| #7 0x00005603684dfc1f in run_kalign (param=<optimized out>) at ./src/run_kalign.c:355
| #8 main (argc=<optimized out>, argv=0x7ffdb080dde8) at ./src/run_kalign.c:326
The full autopkgtest log is available here:
https://ci.debian.net/data/autopkgtest/unstable/amd64/k/kalign/68413772/log.gz
After investigation, it happens that glibc 2.43 had some changes in the
malloc code, which trigger this bug. But the problem is also
reproducible even with glibc 2.42 using the address sanitizer, i.e. by
rebuilding kalign with the following patch and using nocheck (as the
test suite fails with that patch):
--- kalign-3.4.0/debian/rules
+++ kalign-3.4.0/debian/rules
@@ -4,8 +4,8 @@
include /usr/share/dpkg/default.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
-export DEB_CFLAGS_MAINT_APPEND+=-DSIMDE_ENABLE_OPENMP -fopenmp-simd -O3
-export DEB_CXXFLAGS_MAINT_APPEND+=-DSIMDE_ENABLE_OPENMP -fopenmp-simd -O3
+export DEB_CFLAGS_MAINT_APPEND+=-DSIMDE_ENABLE_OPENMP -fopenmp-simd -O3
-fsanitize=address,undefined
+export DEB_CXXFLAGS_MAINT_APPEND+=-DSIMDE_ENABLE_OPENMP -fopenmp-simd -O3
-fsanitize=address,undefined
OBJ_DIR=obj-$(DEB_HOST_GNU_TYPE)
prefix=$(CURDIR)/debian/$(DEB_SOURCE)/usr
libexecdir=$(prefix)/lib/$(DEB_SOURCE)
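Review bot: the `-fsanitize=address,undefined` part of the two added `export` lines has been wrapped onto separate lines without a leading `+` (the lines following `-O3`), so the hunk as pasted will not apply with `patch`; each added line should read, on a single line, `+export DEB_CFLAGS_MAINT_APPEND+=-DSIMDE_ENABLE_OPENMP -fopenmp-simd -O3 -fsanitize=address,undefined` (and likewise for `DEB_CXXFLAGS_MAINT_APPEND`). Since this links the sanitizer runtime into the built binary, it would help to state explicitly that the patch is for reproduction only and not proposed for upload.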
This detects the following issues:
| /home/aurel32/kalign/kalign-3.4.0$ cat debian/tests/data/seqs* | ./obj-x86_64-linux-gnu/src/kalign > /dev/null
| /home/aurel32/kalign/kalign-3.4.0/lib/src/bpm.c:490:42: runtime error: index 190 out of bounds for type 'uint64_t [13][16]'
| /home/aurel32/kalign/kalign-3.4.0/lib/src/bpm.c:490:34: runtime error: load of address 0x7b44d0ffa0c0 with insufficient space for an object of type 'uint64_t'
| 0x7b44d0ffa0c0: note: pointer points here
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| ^
| =================================================================
| ==1359334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c44d5be0730 at pc 0x561002d5311f bp 0x7ffd9e0209b0 sp 0x7ffd9e0209a8
| READ of size 8 at 0x7c44d5be0730 thread T0
| #0 0x561002d5311e in make_profile_n lib/src/aln_setup.c:79
| #1 0x561002d48e3e in do_align lib/src/aln_run.c:133
| #2 0x561002d48e3e in recursive_aln lib/src/aln_run.c:110
| #3 0x7f44d73e590a (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0x1b90a) (BuildId: dbeba738dce8fc1f671f7d46defae08f2c29dccd)
| #4 0x7f44d73eed8b (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0x24d8b) (BuildId: dbeba738dce8fc1f671f7d46defae08f2c29dccd)
| #5 0x7f44d73ed697 (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0x23697) (BuildId: dbeba738dce8fc1f671f7d46defae08f2c29dccd)
| #6 0x561002d4f872 in create_msa_tree lib/src/aln_run.c:59
| #7 0x561002d3fb01 in kalign_run lib/src/aln_wrap.c:116
| #8 0x561002d0fe14 in run_kalign src/run_kalign.c:355
| #9 0x561002d0fe14 in main src/run_kalign.c:326
| #10 0x7f44d6be7f74 (/usr/lib/x86_64-linux-gnu/libc.so.6+0x29f74) (BuildId: c9a199fd28ea54b305ea35a8b25500a79bfe684a)
| #11 0x7f44d6be8026 in __libc_start_main (/usr/lib/x86_64-linux-gnu/libc.so.6+0x2a026) (BuildId: c9a199fd28ea54b305ea35a8b25500a79bfe684a)
| #12 0x561002d10fb0 in _start (/home/aurel32/kalign/kalign-3.4.0/obj-x86_64-linux-gnu/src/kalign+0x10cfb0) (BuildId: 15ac21c781ce24c12cfc2adf1b8f9b519d7d5866)
|
| 0x7c44d5be0730 is located 1336 bytes after 184-byte region [0x7c44d5be0140,0x7c44d5be01f8)
| allocated by thread T0 here:
| #0 0x7f44d76310ab in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
| #1 0x561002d43ee8 in aln_param_init lib/src/aln_param.c:24
|
| SUMMARY: AddressSanitizer: heap-buffer-overflow lib/src/aln_setup.c:79 in make_profile_n
| Shadow bytes around the buggy address:
| 0x7c44d5be0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| =>0x7c44d5be0700: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| 0x7c44d5be0980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
| Shadow byte legend (one shadow byte represents 8 application bytes):
| Addressable: 00
| Partially addressable: 01 02 03 04 05 06 07
| Heap left redzone: fa
| Freed heap region: fd
| Stack left redzone: f1
| Stack mid redzone: f2
| Stack right redzone: f3
| Stack after return: f5
| Stack use after scope: f8
| Global redzone: f9
| Global init order: f6
| Poisoned by user: f7
| Container overflow: fc
| Array cookie: ac
| Intra object redzone: bb
| ASan internal: fe
| Left alloca redzone: ca
| Right alloca redzone: cb
| ==1359334==ABORTING
Note how the out-of-bounds issue happens at the same code location as
the crash found by GDB with glibc 2.43. I therefore believe that the
problem is in kalign and not in glibc 2.43. If the crash persists after
fixing the bug, please feel free to report a bug against glibc.
Regards
Aurelien