Bug#1050290: glibc: Harmless bug in tcsetattr() handling of CREAD, CSIZE, PARENB bits
Source: glibc
Severity: minor
Dear Maintainer,
I believe that the "any/local-tcsetaddr.diff" (sic) patch applied to the glibc
sources contains a probably unmanifestible bug in the checking of c_cflag
changes other than the PARENB, CREAD, and CSIZE bits here:
+ else if ((k_termios_old.c_cflag | (PARENB & CREAD & CSIZE)) !=
+ (k_termios.c_cflag | (PARENB & CREAD & CSIZE)))
+ {
+ /* Some other c_cflag setting was successfully changed, which
+means we should not return an error. */
+ __set_errno (save);
+ retval = 0;
+ }
I believe the (PARENB & CREAD & CSIZE) subexpressions (which evaluate to 0)
should be (PARENB | CREAD | CSIZE).
This bug should be harmless as long as the TTY device either handles changes to
the PARENB, CREAD, and CSIZE settings, or always sets them to consistently
fixed values.
-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (920, 'testing'), (910, 'unstable'), (820, 'testing'), (810,
'unstable'), (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'stable-debug'), (500, 'unstable'), (500, 'stable'), (120, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 6.4.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Processed: Re: Bug#1050208: libc6: double free detected in tcache 2, then abort
Processing control commands: > reassign -1 openbsd-inetd Bug #1050208 [libc6] libc6: double free detected in tcache 2, then abort Bug reassigned from package 'libc6' to 'openbsd-inetd'. No longer marked as found in versions glibc/2.36-9+deb12u1. Ignoring request to alter fixed versions of bug #1050208 to the same values previously set > retitle -1 openbsd-inetd: double free detected in tcache 2, then abort Bug #1050208 [openbsd-inetd] libc6: double free detected in tcache 2, then abort Changed Bug title to 'openbsd-inetd: double free detected in tcache 2, then abort' from 'libc6: double free detected in tcache 2, then abort'. > found -1 openbsd-inetd/0.20221205-1 Bug #1050208 [openbsd-inetd] openbsd-inetd: double free detected in tcache 2, then abort Marked as found in versions openbsd-inetd/0.20221205-1. -- 1050208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050208 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#1050208: libc6: double free detected in tcache 2, then abort
control: reassign -1 openbsd-inetd
control: retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
control: found -1 openbsd-inetd/0.20221205-1
Hi,
On 2023-08-22 14:32, Paul Szabo wrote:
> Package: libc6
> Version: 2.36-9+deb12u1
> Severity: important
>
> Dear Maintainer,
>
> I noticed an issue with malloc() or free(). I only noticed this
> recently, with libc6 version 2.36-9+deb12u1; reverting to previous
> 2.36-9 did not seem to help.
>
> The issue: sending SIGHUP to the inetd process (from package
> openbsd-inetd version 0.20221205-1) should cause it to re-load its
> configuration, but instead it elicits
>
> free(): double free detected in tcache 2
>
> and an abort. This is easiest seen (after "systemctl stop inetd") with
>
> root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
> [1] 2431
> ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0
> server=/usr/sbin/identd
> free(): double free detected in tcache 2
> [1]+ Aborted inetd -d -i
> root#
>
> I believe that this "double free" is spurious, as there are no errors
> (but inetd reloads as expected) when using e.g.
It is not, it is also reported by valgrind:
==9356== Invalid free() / delete / delete[] / realloc()
==9356==at 0x484317B: free (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x10DB69: getconfigent (inetd.c:1176)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x48A0401: event_signal_closure (event.c:1369)
==9356==by 0x48A0401: event_process_active_single_queue (event.c:1678)
==9356==by 0x48A0C1E: event_process_active (event.c:1783)
==9356==by 0x48A0C1E: event_base_loop (event.c:2006)
==9356==by 0x10B9E2: main (inetd.c:475)
==9356== Address 0x50747e0 is 0 bytes inside a block of size 1 free'd
==9356==at 0x484317B: free (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x10DB69: getconfigent (inetd.c:1176)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x10B8C3: main (inetd.c:438)
==9356== Block was alloc'd at
==9356==at 0x48407B4: malloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==by 0x4A82539: strdup (strdup.c:42)
==9356==by 0x10DBE7: newstr (inetd.c:1597)
==9356==by 0x10DBE7: getconfigent (inetd.c:1186)
==9356==by 0x10EFFE: config (inetd.c:651)
==9356==by 0x10B8C3: main (inetd.c:438)
It appears that is has been introduced in the latest upload of
openbsd-inetd in the default_v4v6 patch. The following patch seems to
fix the issue, but I haven't spent time to verify it is correct:
--- openbsd-inetd-0.20221205.orig/inetd.c
+++ openbsd-inetd-0.20221205/inetd.c
@@ -1172,8 +1172,10 @@ more:
cp = saved_cp;
saved_cp = NULL;
} else {
- if (saved_cp)
+ if (saved_cp) {
free(saved_cp);
+ saved_cp = NULL;
+ }
while ((cp = nextline(fconfig)) && *cp == '#')
;
I am therefore reassigning the bug to openbsd-inetd.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net
