Bug#1050208: libc6: double free detected in tcache 2, then abort

2023-08-23 Thread Marco d'Itri 
In one or two weeks I will also do a stable upload.

-- 
ciao,
Marco


signature.asc
Description: PGP signature

Bug#1050208: libc6: double free detected in tcache 2, then abort

2023-08-22 Thread Aurelien Jarno 
control: reassign -1 openbsd-inetd
control: retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
control: found -1 openbsd-inetd/0.20221205-1

Hi,

On 2023-08-22 14:32, Paul Szabo wrote:
> Package: libc6
> Version: 2.36-9+deb12u1
> Severity: important
> 
> Dear Maintainer,
> 
> I noticed an issue with malloc() or free(). I only noticed this
> recently, with libc6 version 2.36-9+deb12u1; reverting to previous
> 2.36-9 did not seem to help.
> 
> The issue: sending SIGHUP to the inetd process (from package
> openbsd-inetd version 0.20221205-1) should cause it to re-load its
> configuration, but instead it elicits
> 
>   free(): double free detected in tcache 2
> 
> and an abort. This is easiest seen (after "systemctl stop inetd") with
> 
>   root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
>   [1] 2431
>   ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 
> server=/usr/sbin/identd
>   free(): double free detected in tcache 2
>   [1]+  Aborted inetd -d -i
>   root# 
> 
> I believe that this "double free" is spurious, as there are no errors
> (but inetd reloads as expected) when using e.g.

It is not, it is also reported by valgrind:

==9356== Invalid free() / delete / delete[] / realloc()
==9356==at 0x484317B: free (in 
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x10DB69: getconfigent (inetd.c:1176)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x48A0401: event_signal_closure (event.c:1369)
==9356==by 0x48A0401: event_process_active_single_queue (event.c:1678)
==9356==by 0x48A0C1E: event_process_active (event.c:1783)
==9356==by 0x48A0C1E: event_base_loop (event.c:2006)
==9356==by 0x10B9E2: main (inetd.c:475)
==9356==  Address 0x50747e0 is 0 bytes inside a block of size 1 free'd
==9356==at 0x484317B: free (in 
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x10DB69: getconfigent (inetd.c:1176)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x10B8C3: main (inetd.c:438)
==9356==  Block was alloc'd at
==9356==at 0x48407B4: malloc (in 
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x4A82539: strdup (strdup.c:42)
==9356==by 0x10DBE7: newstr (inetd.c:1597)
==9356==by 0x10DBE7: getconfigent (inetd.c:1186)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x10B8C3: main (inetd.c:438)

It appears that is has been introduced in the latest upload of
openbsd-inetd in the default_v4v6 patch. The following patch seems to
fix the issue, but I haven't spent time to verify it is correct:

--- openbsd-inetd-0.20221205.orig/inetd.c
+++ openbsd-inetd-0.20221205/inetd.c
@@ -1172,8 +1172,10 @@ more:
cp = saved_cp;
saved_cp = NULL;
} else {
-   if (saved_cp)
+   if (saved_cp) {
free(saved_cp);
+   saved_cp = NULL;
+   }
 
while ((cp = nextline(fconfig)) && *cp == '#')
;

I am therefore reassigning the bug to openbsd-inetd.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net

Bug#1050208: libc6: double free detected in tcache 2, then abort

2023-08-21 Thread Paul Szabo 
Package: libc6
Version: 2.36-9+deb12u1
Severity: important

Dear Maintainer,

I noticed an issue with malloc() or free(). I only noticed this
recently, with libc6 version 2.36-9+deb12u1; reverting to previous
2.36-9 did not seem to help.

The issue: sending SIGHUP to the inetd process (from package
openbsd-inetd version 0.20221205-1) should cause it to re-load its
configuration, but instead it elicits

  free(): double free detected in tcache 2

and an abort. This is easiest seen (after "systemctl stop inetd") with

  root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
  [1] 2431
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 
server=/usr/sbin/identd
  free(): double free detected in tcache 2
  [1]+  Aborted inetd -d -i
  root# 

I believe that this "double free" is spurious, as there are no errors
(but inetd reloads as expected) when using e.g.

  root# LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=1 inetd -d -i & sleep 1; 
kill -HUP $!; sleep 1; jobs; kill $!; sleep 1; jobs
  [1] 2437
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 
server=/usr/sbin/identd
  REDO: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 
server=/usr/sbin/identd
  [1]+  Running LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 
inetd -d -i &
  [1]+  DoneLD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 
inetd -d -i
  root# 

No errors are shown with any value of MALLOC_CHECK_ from 0 to 20, or
even without any MALLOC_CHECK_ but with just LD_PRELOAD so with

  root# LD_PRELOAD=libc_malloc_debug.so inetd -d -i & sleep 1; kill -HUP $!; 
sleep 1; jobs; kill $!; sleep 1; jobs

Instead of LD_PRELOAD, some glibc tunables can also help to avoid the
"double free" error. The settings that I found to help were:

  GLIBC_TUNABLES=glibc.malloc.tcache_count=0
  GLIBC_TUNABLES=glibc.malloc.tcache_count=1

whereas none of the following helped:

  GLIBC_TUNABLES=glibc.malloc.tcache_count=2# or 3, 4, ...
  GLIBC_TUNABLES=glibc.cpu.hwcaps=-avx
  GLIBC_TUNABLES=glibc.cpu.hwcaps=-sse
  GLIBC_TUNABLES=glibc.cpu.hwcap_mask=1099511627775

The issue is present on all of my machines that boot from "disk", with
amd64 or i386 architectures (both using an amd64 kernel, custom-built
from linux-source version 6.1.38-4); some of these are VMs inside
VirtualBox. I hope that the issue can be reproduced elsewhere.
Curiously, the issue does not seem present on same machines when booting
PXE and then NFS-mounted root (similar to LTSP), though the contents of
/usr/lib seem identical whether booting from disk or PXE; the PXE boot
sequence uses sysvinit, not systemd.

Thanks Aurelien for suggesting the glibc tunables (in bug #1041836).
Did not try gdb since I am not proficient with it, would not know what
to look for. Please suggest anything else I should try.

Thanks, Paul
-- 
Paul Szabo   p...@maths.usyd.edu.au   www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of SydneyAustralia



-- System Information:
Debian Release: 12.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1+pk12.06 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libc6 depends on:
ii  libgcc-s1  12.2.0-14

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.3-1+b1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.82
ii  glibc-doc  2.36-9+deb12u1
ii  libc-l10n  2.36-9+deb12u1
ii  libnss-nis 3.1-4
ii  libnss-nisplus 1.3-4
ii  locales2.36-9+deb12u1

-- debconf information:
  glibc/restart-failed:
* glibc/upgrade: true
  glibc/kernel-not-supported:
  glibc/disable-screensaver:
* libraries/restart-without-asking: true
  glibc/kernel-too-old:
  glibc/restart-services: