Bug#1050290: glibc: Harmless bug in tcsetattr() handling of CREAD, CSIZE, PARENB bits
Source: glibc
Severity: minor

Dear Maintainer,

I believe that the "any/local-tcsetaddr.diff" (sic) patch applied to the glibc sources contains a probably unmanifestible bug in the checking of c_cflag changes other than the PARENB, CREAD, and CSIZE bits here:

+ else if ((k_termios_old.c_cflag | (PARENB & CREAD & CSIZE)) !=
+ (k_termios.c_cflag | (PARENB & CREAD & CSIZE)))
+ {
+ /* Some other c_cflag setting was successfully changed, which
+means we should not return an error. */
+ __set_errno (save);
+ retval = 0;
+ }

I believe the (PARENB & CREAD & CSIZE) subexpressions (which evaluate to 0) should be (PARENB | CREAD | CSIZE).

This bug should be harmless as long as the TTY device either handles changes to the PARENB, CREAD, and CSIZE settings, or always sets them to consistently fixed values.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (920, 'testing'), (910, 'unstable'), (820, 'testing'), (810, 'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'unstable'), (500, 'stable'), (120, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 6.4.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
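Review bot: The mask on both sides of the `else if` comparison, `(PARENB & CREAD & CSIZE)`, evaluates to 0 (as the report notes), so the test degenerates to a plain `k_termios_old.c_cflag != k_termios.c_cflag` and fires for a change in any c_cflag bit, including PARENB, CREAD and CSIZE themselves, which are exactly the bits this branch is meant to exclude. With `(PARENB | CREAD | CSIZE)` OR-ed into both sides, those fields are forced to all-ones on both and only a change elsewhere in c_cflag makes the sides differ, which matches the comment "Some other c_cflag setting was successfully changed". Suggested change on both lines: replace `(PARENB & CREAD & CSIZE)` with `(PARENB | CREAD | CSIZE)`; it may also be worth hoisting the mask into a single named constant so the two sides cannot drift apart again.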
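To make the mask arithmetic in the report concrete, here is an added C example (not glibc's code and not part of the Debian patch) that mirrors the patch's comparison with both the AND mask as written and the intended OR mask, and shows that a change confined to CSIZE is ignored only with the OR mask. It assumes the Linux <termios.h> flag values; the sample c_cflag settings are constructed.

```c
#include <stdio.h>
#include <termios.h>

/* Mask exactly as written in the quoted patch: the AND of three flags that
   share no bits, so it evaluates to 0. */
#define MASK_AS_PATCHED (PARENB & CREAD & CSIZE)
/* Mask as the report says it should read. */
#define MASK_INTENDED   (PARENB | CREAD | CSIZE)

/* Mirrors the patch's test.  OR-ing the mask into both sides forces the
   masked bits to 1 on both, so the sides can only differ in bits OUTSIDE
   the mask.  Returns 1 when such a bit changed between old_c and new_c. */
static int cflag_changed_outside(tcflag_t old_c, tcflag_t new_c, tcflag_t mask)
{
    return (old_c | mask) != (new_c | mask);
}

/* "Some other c_cflag setting changed", decided the way the patch does now. */
int other_changed_as_patched(tcflag_t old_c, tcflag_t new_c)
{
    return cflag_changed_outside(old_c, new_c, MASK_AS_PATCHED);
}

/* The same decision with the intended mask. */
int other_changed_intended(tcflag_t old_c, tcflag_t new_c)
{
    return cflag_changed_outside(old_c, new_c, MASK_INTENDED);
}

/* Constructed sample settings (hypothetical, not read from a real device). */
tcflag_t sample_base(void)       { return CS8 | CREAD | CLOCAL; }
tcflag_t sample_csize_only(void) { return (sample_base() & ~(tcflag_t)CSIZE) | CS7; }
tcflag_t sample_stopb_too(void)  { return sample_base() | CSTOPB; }

int main(void)
{
    printf("mask as patched = %#lx, intended = %#lx\n",
           (unsigned long)MASK_AS_PATCHED, (unsigned long)MASK_INTENDED);
    /* CS8 -> CS7 only: the patched test wrongly reports "something else changed". */
    printf("CS8 -> CS7 only: as patched=%d intended=%d\n",
           other_changed_as_patched(sample_base(), sample_csize_only()),
           other_changed_intended(sample_base(), sample_csize_only()));
    /* CSTOPB added: both versions correctly report a change outside the mask. */
    printf("CSTOPB added:    as patched=%d intended=%d\n",
           other_changed_as_patched(sample_base(), sample_stopb_too()),
           other_changed_intended(sample_base(), sample_stopb_too()));
    return 0;
}
```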
Processed: Re: Bug#1050208: libc6: double free detected in tcache 2, then abort
Processing control commands:

> reassign -1 openbsd-inetd
Bug #1050208 [libc6] libc6: double free detected in tcache 2, then abort
Bug reassigned from package 'libc6' to 'openbsd-inetd'.
No longer marked as found in versions glibc/2.36-9+deb12u1.
Ignoring request to alter fixed versions of bug #1050208 to the same values previously set
> retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
Bug #1050208 [openbsd-inetd] libc6: double free detected in tcache 2, then abort
Changed Bug title to 'openbsd-inetd: double free detected in tcache 2, then abort' from 'libc6: double free detected in tcache 2, then abort'.
> found -1 openbsd-inetd/0.20221205-1
Bug #1050208 [openbsd-inetd] openbsd-inetd: double free detected in tcache 2, then abort
Marked as found in versions openbsd-inetd/0.20221205-1.

--
1050208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050208
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1050208: libc6: double free detected in tcache 2, then abort
control: reassign -1 openbsd-inetd
control: retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
control: found -1 openbsd-inetd/0.20221205-1

Hi,

On 2023-08-22 14:32, Paul Szabo wrote:
> Package: libc6
> Version: 2.36-9+deb12u1
> Severity: important
>
> Dear Maintainer,
>
> I noticed an issue with malloc() or free(). I only noticed this
> recently, with libc6 version 2.36-9+deb12u1; reverting to previous
> 2.36-9 did not seem to help.
>
> The issue: sending SIGHUP to the inetd process (from package
> openbsd-inetd version 0.20221205-1) should cause it to re-load its
> configuration, but instead it elicits
>
> free(): double free detected in tcache 2
>
> and an abort. This is easiest seen (after "systemctl stop inetd") with
>
> root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
> [1] 2431
> ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0
> server=/usr/sbin/identd
> free(): double free detected in tcache 2
> [1]+ Aborted inetd -d -i
> root#
>
> I believe that this "double free" is spurious, as there are no errors
> (but inetd reloads as expected) when using e.g.
It is not, it is also reported by valgrind:

==9356== Invalid free() / delete / delete[] / realloc()
==9356==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x10DB69: getconfigent (inetd.c:1176)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x48A0401: event_signal_closure (event.c:1369)
==9356==    by 0x48A0401: event_process_active_single_queue (event.c:1678)
==9356==    by 0x48A0C1E: event_process_active (event.c:1783)
==9356==    by 0x48A0C1E: event_base_loop (event.c:2006)
==9356==    by 0x10B9E2: main (inetd.c:475)
==9356==  Address 0x50747e0 is 0 bytes inside a block of size 1 free'd
==9356==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x10DB69: getconfigent (inetd.c:1176)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x10B8C3: main (inetd.c:438)
==9356==  Block was alloc'd at
==9356==    at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x4A82539: strdup (strdup.c:42)
==9356==    by 0x10DBE7: newstr (inetd.c:1597)
==9356==    by 0x10DBE7: getconfigent (inetd.c:1186)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x10B8C3: main (inetd.c:438)

It appears that it has been introduced in the latest upload of openbsd-inetd in the default_v4v6 patch.

The following patch seems to fix the issue, but I haven't spent time to verify it is correct:

--- openbsd-inetd-0.20221205.orig/inetd.c
+++ openbsd-inetd-0.20221205/inetd.c
@@ -1172,8 +1172,10 @@ more:
 		cp = saved_cp;
 		saved_cp = NULL;
 	} else {
-		if (saved_cp)
+		if (saved_cp) {
 			free(saved_cp);
+			saved_cp = NULL;
+		}
 		while ((cp = nextline(fconfig)) && *cp == '#')
 			;

I am therefore reassigning the bug to openbsd-inetd.

Regards
Aurelien

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://aurel32.net
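Review bot: Clearing saved_cp after the free is the right fix for what the valgrind trace shows: both the invalid free and the earlier free are the same `free(saved_cp)` at inetd.c:1176 in getconfigent, reached once from main (inetd.c:438) and again from config via the SIGHUP handler (inetd.c:651), so saved_cp survives between calls and still holds the freed pointer when the else branch runs a second time. The other branch already does `cp = saved_cp; saved_cp = NULL;`, so the change also makes the two branches consistent about ownership. Before upload it is worth checking that no other path frees saved_cp without clearing it; the `if (saved_cp)` guard itself is redundant since free(NULL) is a no-op, but harmless to keep.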