Bug#728144: squid3: Pinger Segmentation fault in Debug::finishDebug on delete CurrentDebug;

2018-07-19 Thread Amos Jeffries
Source: squid3
thanks

Trying to reassign to 3.x source packages, so the BTS does not block v4
squid package uploads on this old RC issue.

Amos



Bug#728144: squid3: Pinger Segmentation fault in Debug::finishDebug on delete CurrentDebug;

2016-05-27 Thread Fernando Toledo
Bug still exists in 3.4.8-6+deb8u2, please apply the patch that solved it!
Thanks!

-- 
Fernando Toledo
Dock Sud BBS
http://bbs.docksud.com.ar
telnet://bbs.docksud.com.ar



Bug#728144: squid3: Pinger Segmentation fault in Debug::finishDebug on delete CurrentDebug;

2015-11-24 Thread Amos Jeffries
tags 728144 +jesse
fixed 728144 3.5.10-1
thanks

The patch confirmed by Geralt as fixing this was finalized as upstream
patch

which still needs to be applied to the 3.4 Jessie packages.

I am marking this as fixed in the current 3.5 packages since the
upstream patch for this particular crash was applied to 3.5, but not 3.4
like the TZ and CVE patches.

Amos



Bug#728144: squid3: Pinger Segmentation fault in Debug::finishDebug on delete CurrentDebug;

2015-08-13 Thread Bjørn Mork
Package: squid3
Version: 3.4.8-6+deb8u1
Followup-For: Bug #728144


I see that there is some confusion about whether or not this bug is fixed,
and which of many pinger sigsegv bugs this is all about.  So to be clear:

- the additional info I provide here concerns the version currently in
  Debian jessie (stable), which is 3.4.8-6+deb8u1
- the crash I see is the IcmpPinger.cc:190 (debugFinish) one, but the
  same bug is likely to trigger a similar crash anywhere debugs is used
- this bug is fixed upstream, but it is *not* fixed in the Debian jessie
  squid version, which is what this report is about.

The bug is trivial to reproduce:
1) run the Debian jessie squid3 (version 3.4.8-6+deb8u1) on a dual stack
   system with default pinger config
2) stop squid.

That's all. The debugs statement attempting to log "Pinger exiting." at
IcmpPinger.cc:190 will crash.

Sample backtrace:

(gdb) bt full
#0  0x7f46f854bb05 in malloc_consolidate (av=av@entry=0x7f46f8876620 <main_arena>) at malloc.c:4165
        fb = <optimized out>
        maxfb = 0x7f46f8876670 <main_arena+80>
        p = 0x7f46fb825110
        nextp = 0x0
        unsorted_bin = 0x7f46f8876678 <main_arena+88>
        first_unsorted = <optimized out>
        nextchunk = 0x7f46fb825130
        size = 336
        nextsize = 304
        prevsize = <optimized out>
        nextinuse = 0
        bck = 0x23e7f57b0081
        fwd = 0x23e7f57c0080
        __func__ = "malloc_consolidate"
#1  0x7f46f854c691 in _int_free (av=0x7f46f8876620 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4057
        size = 132400
        fb = <optimized out>
        nextchunk = 0x7f46fb825d00
        nextsize = 131840
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        errstr = 0x0
        locked = 1
        __func__ = "_int_free"
#2  0x7f46f8e2e604 in std::basic_ostringstream<char, std::char_traits<char>, std::allocator<char> >::~basic_ostringstream() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
No symbol table info available.
#3  0x7f46fa135f27 in Debug::finishDebug () at ../../src/debug.cc:762
No locals.
#4  0x7f46fa132ea4 in IcmpPinger::Recv (this=0x7f46fa344660 <control>) at IcmpPinger.cc:190
        _dbo = @0x7f46fb825970: <incomplete type>
        pecho = {to = {mSocketAddr_ = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0,
              sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>,
                __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}},
              sin6_scope_id = 0},
            static STRLEN_IP4A = 16, static STRLEN_IP4R = 28, static STRLEN_IP4S = 21, static MAX_IP4_STRLEN = 28,
            static STRLEN_IP6A = 42, static STRLEN_IP6R = 75, static STRLEN_IP6S = 48, static MAX_IP6_STRLEN = 75,
            static v4_localhost = {__in6_u = {__u6_addr8 = "\000\000\000\000\000\000\000\000\000\000\377\377\177\000\000\001",
                __u6_addr16 = {0, 0, 0, 0, 0, 65535, 127, 256}, __u6_addr32 = {0, 0, 4294901760, 16777343}}},
            static v4_anyaddr = {__in6_u = {__u6_addr8 = "\000\000\000\000\000\000\000\000\000\000\377\377\000\000\000",
                __u6_addr16 = {0, 0, 0, 0, 0, 65535, 0, 0}, __u6_addr32 = {0, 0, 4294901760, 0}}},
            static v4_noaddr = {__in6_u = {__u6_addr8 = "\000\000\000\000\000\000\000\000\000\000\377\377\377\377\377\377",
                __u6_addr16 = {0, 0, 0, 0, 0, 65535, 65535, 65535}, __u6_addr32 = {0, 0, 4294901760, 4294967295}}},
            static v6_noaddr = {__in6_u = {__u6_addr8 = '\377' <repeats 16 times>,
                __u6_addr16 = {65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535},
                __u6_addr32 = {4294967295, 4294967295, 4294967295, 4294967295}}}},
          opcode = 0 '\000', psize = 0, payload = '\000' <repeats 8191 times>}
        n = <optimized out>
        guess_size = <optimized out>
        __FUNCTION__ = "Recv"
#5  0x7f46fa1318c3 in main (argc=<optimized out>, argv=<optimized out>) at pinger.cc:223
        t = <optimized out>


I took a quick look at upstream and noticed this commit, which appears to have
resolved the issue once and for all:

From 41b2578a9ee6b692869b9d962197cf6e3773898e Mon Sep 17 00:00:00 2001
From: Amos Jeffries squ...@treenet.co.nz
Date: Fri, 19 Dec 2014 08:26:44 -0800
Subject: [PATCH] MemPool the debug output stream buffers

The CurrentDebug output stream controller for cache.log was
defined as a std::ostringstream object and allocated with
new/delete on each call to debugs().

The std::ostringstream is defined as a templated output stream
which uses the std::allocator<char> built into libc when it's
new()'d. Since this is all internal to the STL library
definitions it links against the libc global-scope allocator.

However, there is no matching deallocator definition and when
the object is delete()'d the standard C++ 
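
As an added illustration (not Squid's code and not the upstream patch above), the following toy shows the pairing the commit message describes: a per-message debug stream whose operator new and operator delete both go through one pool, plus a release check that refuses a pointer the pool never handed out instead of passing it on to the libc heap. StreamPool, DebugStream and the function names are assumptions made here, not Squid's MemPool API.

```cpp
#include <cstddef>
#include <new>
#include <sstream>
#include <string>

// Toy fixed-slot pool standing in for a MemPool (an assumption, not the real
// Squid API). It records which slots it handed out, so a release of a pointer
// it never allocated is refused rather than passed on to free().
class StreamPool {
public:
    static constexpr std::size_t kSlots = 4;
    static constexpr std::size_t kSlotBytes = 4096;
    void* acquire() {
        for (std::size_t i = 0; i < kSlots; ++i)
            if (!used_[i]) { used_[i] = true; return slots_[i]; }
        throw std::bad_alloc();  // pool exhausted
    }
    bool release(void* p) {
        for (std::size_t i = 0; i < kSlots; ++i)
            if (p == static_cast<void*>(slots_[i]) && used_[i]) { used_[i] = false; return true; }
        return false;  // foreign pointer: the new/delete mismatch case
    }
    std::size_t outstanding() const { std::size_t n = 0; for (bool u : used_) n += u; return n; }
private:
    alignas(std::max_align_t) unsigned char slots_[kSlots][kSlotBytes];
    bool used_[kSlots] = {};
};
// Per-message debug stream: operator new and operator delete use the same pool.
class DebugStream : public std::ostringstream {
public:
    static void* operator new(std::size_t) {
        static_assert(sizeof(DebugStream) <= StreamPool::kSlotBytes, "slot too small");
        return pool().acquire();
    }
    static void operator delete(void* p) { pool().release(p); }
    static StreamPool& pool() { static StreamPool instance; return instance; }
};
// Mirrors one debugs() call: build the message, take its text, free the stream.
std::string debugs_roundtrip(const std::string& msg) {
    DebugStream* current = new DebugStream;   // DebugStream::operator new
    *current << "pinger: " << msg;
    std::string text = current->str();
    delete current;                            // DebugStream::operator delete
    return text;
}
// A stream that did not come from the pool must not be released into it.
bool pool_refuses_foreign_pointer() {
    std::ostringstream local;                  // ordinary stack object
    return !DebugStream::pool().release(&local);
}
```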

Bug#728144: squid3: Pinger Segmentation fault in Debug::finishDebug on delete CurrentDebug;

2014-12-07 Thread Amos Jeffries
forwarded 728144 http://bugs.squid-cache.org/show_bug.cgi?id=2656

Amos

