Bug#846888: depmod crashes after detecting a dependency cycle
Control: tag -1 upstream patch

The problem seems to be that depmod_report_cycles() sees not just the modules in the cycle but all their non-cyclic dependencies too. When it follows the chain from a module that isn't part of the cycle, it proceeds to print its dependency chain as if it were a cycle but miscalculates the buffer size needed for that. (I do wonder why it bothers to use its own buffer for this rather than relying on stdio buffering.)

This changes the function to:

- say nothing about modules that aren't part of a cycle
- not claim to know the number of modules in cycles (since some of them aren't)

It seems like there should be a more elegant fix, but I don't understand the control flow of this function well enough to improve on this.

diff --git a/tools/depmod.c b/tools/depmod.c
index a2e07c15ba60..fb0f23c66da7 100644
--- a/tools/depmod.c
+++ b/tools/depmod.c
@@ -1455,7 +1455,7 @@ static void depmod_report_cycles(struct depmod *depmod, uint16_t n_mods, { const char sep[] = " -> "; int ir = 0; - ERR("Found %u modules in dependency cycles!\n", n_roots); + ERR("Found a dependency cycle!\n"); while (n_roots > 0) { int is, ie;
@@ -1500,6 +1500,8 @@ static void depmod_report_cycles(struct depmod *depmod, uint16_t n_mods, break; } } + if (i < 0) + continue; buf = malloc(sz + n * strlen(sep) + 1); sz = 0;

--
Ben Hutchings
Every program is either trivial or else contains at least one bug
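Review bot: in the first hunk, "Found a dependency cycle!" is printed once before the `while (n_roots > 0)` loop, which can emit several "Cycle detected" chains (the report in this bug shows three), so the singular now understates what follows; "Found dependency cycles!" or printing the message inside the loop per chain would match the output. `n_roots` is still read by the loop condition, so dropping it from the message does not leave the parameter unused.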
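Review bot: in the second hunk, `if (i < 0) continue;` skips the `malloc(sz + n * strlen(sep) + 1)` when the preceding search loop ran off the end, which is what avoids the undersized allocation, but the hunk does not show whether `n_roots` is decremented (or the current root otherwise consumed) before this point; if that bookkeeping sits after the new `continue`, the `while (n_roots > 0)` loop from the first hunk would not advance for a root that is outside any cycle. A one-line comment stating that `i < 0` means the chain started from a module that is not part of the cycle would also help, since the meaning of `i` is only visible from the loop above the hunk.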
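As an added illustration, not kmod's code and not part of this thread, the following constructed C program shows the two properties the patch is after: the chain buffer is sized from exactly the list of names that is copied into it, and only modules a three-colour DFS actually finds on a cycle are reported. The module graph (edges chosen so that remoteproc and virtio form a cycle while qcom_mdt_loader merely depends on it), the `format_chain`, `find_cycle`, `module_in_cycle` and `report_cycle` names, and the output format are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed graph, not kmod's data: dep[i][j] != 0 means i depends on j. */
#define NMODS 4
static const char *mod_name[NMODS] = {
	"remoteproc", "virtio", "virtio_ring", "qcom_mdt_loader"
};
static const unsigned char dep[NMODS][NMODS] = {
	/* remoteproc      */ { 0, 1, 1, 0 },
	/* virtio          */ { 1, 0, 0, 0 },	/* constructed back edge */
	/* virtio_ring     */ { 0, 0, 0, 0 },
	/* qcom_mdt_loader */ { 1, 0, 0, 0 },	/* depends on the cycle, not in it */
};

/*
 * Join names with sep into a heap buffer.  The size is measured over exactly
 * the list that is then copied, so the allocation cannot be too small.
 */
char *format_chain(const char **names, size_t n, const char *sep)
{
	size_t seplen = strlen(sep), sz = 1, off = 0;	/* 1 for the NUL */
	for (size_t i = 0; i < n; i++)
		sz += strlen(names[i]) + (i + 1 < n ? seplen : 0);
	char *buf = malloc(sz);
	if (buf == NULL)
		return NULL;
	for (size_t i = 0; i < n; i++) {
		size_t len = strlen(names[i]);
		memcpy(buf + off, names[i], len);
		off += len;
		if (i + 1 < n) {
			memcpy(buf + off, sep, seplen);
			off += seplen;
		}
	}
	buf[off] = '\0';
	return buf;
}

/* Three-colour DFS: an edge to a grey (on-path) node closes a cycle. */
static int dfs(int v, unsigned char *color, int *stack, int depth,
	       int *out, int *outlen)
{
	color[v] = 1;		/* grey: on the current path */
	stack[depth] = v;
	for (int w = 0; w < NMODS; w++) {
		if (!dep[v][w])
			continue;
		if (color[w] == 1) {
			/* cycle is stack[k..depth] with stack[k] == w; close it with w */
			int k = depth, n = 0;
			while (stack[k] != w)
				k--;
			for (int j = k; j <= depth; j++)
				out[n++] = stack[j];
			out[n++] = w;
			*outlen = n;
			return 1;
		}
		if (color[w] == 0 && dfs(w, color, stack, depth + 1, out, outlen))
			return 1;
	}
	color[v] = 2;		/* black: finished, not on any cycle found here */
	return 0;
}

/* out needs NMODS + 1 slots; returns the entry count, 0 if acyclic. */
int find_cycle(int *out)
{
	unsigned char color[NMODS] = { 0 };
	int stack[NMODS], n = 0;
	for (int v = 0; v < NMODS; v++)
		if (color[v] == 0 && dfs(v, color, stack, 0, out, &n))
			return n;
	return 0;
}

/* 1 only for modules that are actually on the detected cycle. */
int module_in_cycle(const char *name)
{
	int cyc[NMODS + 1];
	int n = find_cycle(cyc);
	for (int i = 0; i < n; i++)
		if (strcmp(mod_name[cyc[i]], name) == 0)
			return 1;
	return 0;
}

/* malloc'd "a -> b -> a" string, or NULL when the graph is acyclic. */
char *report_cycle(void)
{
	int cyc[NMODS + 1];
	const char *names[NMODS + 1];
	int n = find_cycle(cyc);
	if (n == 0)
		return NULL;
	for (int i = 0; i < n; i++)
		names[i] = mod_name[cyc[i]];
	return format_chain(names, (size_t)n, " -> ");
}

int main(void)
{
	char *chain = report_cycle();
	if (chain != NULL) {
		printf("ERROR: Cycle detected: %s\n", chain);	/* only cycle members */
		free(chain);
	}
	return 0;
}
```

Run under AddressSanitizer the program stays clean for any graph, because the measuring loop and the copying loop in `format_chain` iterate over the same array; the crash in this bug comes from the two being computed over different sets of modules.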
Bug#846888: depmod crashes after detecting a dependency cycle
ASAN provides some details:

=================================================================
==3449==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f9a506cbf at pc 0x7fa424475c bp 0x7fc1b55320 sp 0x7fc1b55388
WRITE of size 7 at 0x7f9a506cbf thread T0
    #0 0x7fa424475b (/usr/lib/aarch64-linux-gnu/libasan.so.3+0x5775b)
    #1 0x5559676d7b in memcpy /usr/include/aarch64-linux-gnu/bits/string3.h:53
    #2 0x5559676d7b in depmod_report_cycles ../tools/depmod.c:1515
    #3 0x5559676d7b in depmod_calculate_dependencies ../tools/depmod.c:1596
    #4 0x5559676d7b in depmod_load ../tools/depmod.c:1623
    #5 0x5559676d7b in do_depmod ../tools/depmod.c:2605
    #6 0x7fa40c2363 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x1f363)

0x7f9a506cbf is located 0 bytes to the right of 15-byte region [0x7f9a506cb0,0x7f9a506cbf)
allocated by thread T0 here:
    #0 0x7fa429cbc3 in malloc (/usr/lib/aarch64-linux-gnu/libasan.so.3+0xafbc3)
    #1 0x5559676c87 in depmod_report_cycles ../tools/depmod.c:1504
    #2 0x5559676c87 in depmod_calculate_dependencies ../tools/depmod.c:1596
    #3 0x5559676c87 in depmod_load ../tools/depmod.c:1623
    #4 0x5559676c87 in do_depmod ../tools/depmod.c:2605
    #5 0x7fa40c2363 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x1f363)
    #6 0x555966b5ff (/home/benh/kmod-23/build-deb/tools/kmod+0x135ff)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/aarch64-linux-gnu/libasan.so.3+0x5775b)
Shadow bytes around the buggy address:
  0x1ff34a0d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1ff34a0d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1ff34a0d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1ff34a0d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1ff34a0d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1ff34a0d90: fa fa fa fa fa fa 00[07]fa fa fd fa fa fa fd fa
  0x1ff34a0da0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1ff34a0db0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x1ff34a0dc0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x1ff34a0dd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1ff34a0de0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3449==ABORTING

--
Ben Hutchings
I'm always amazed by the number of people who take up solipsism because
they heard someone else explain it. - E*Borg on alt.fan.pratchett
Bug#846888: depmod crashes after detecting a dependency cycle
Package: kmod
Version: 23-1
Severity: normal

In this build log:
https://buildd.debian.org/status/fetch.php?pkg=linux=arm64=4.9~rc7-1~exp1=1480766537
the initial error messages are:

depmod: ERROR: Found 8 modules in dependency cycles!
depmod: ERROR: Cycle detected: remoteproc -> virtio
depmod: ERROR: Cycle detected: remoteproc -> virtio_ring
depmod: ERROR: Cycle detected: qcom_mdt_loader -> remoteproc
*** Error in `depmod': free(): invalid next size (fast): 0x0055bf918060 ***

I assume that the dependency cycle is real and this needs to be fixed in the kernel, but depmod shouldn't crash while reporting this.

Ben.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kmod depends on:
ii  libc6     2.24-7
ii  libkmod2  23-1
ii  lsb-base  9.20161125

kmod recommends no packages.

kmod suggests no packages.

-- no debconf information