Bug#926658: gnuplot: free(): double free detected in tcache 2

2019-04-09 Thread Anton Gladky
Hello,

thank you all for participating. I will upload a package
with the fix into experimental soon.

Regards

Anton


On Tue, 9 Apr 2019 at 20:27, Bernhard Übelacker <bernha...@mailbox.org> wrote:

> Control: tags 926658 + patch upstream fixed-upstream
>
>
> Dear Maintainer,
> I just tried to help triage this issue.
>
> I think this is related to upstream bug [1] and
> was already fixed in the 5.2 branch by commit [2].
>
> A package built with this patch does just show the
> 'undefined variable' error, but not the double free fault.
>
> Kind regards,
> Bernhard
>
> [1] https://sourceforge.net/p/gnuplot/bugs/2115/
> [2] https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/
> --
> debian-science-maintainers mailing list
> debian-science-maintain...@alioth-lists.debian.net
>
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers


Bug#926658: gnuplot: free(): double free detected in tcache 2

2019-04-09 Thread Bernhard Übelacker
Control: tags 926658 + patch upstream fixed-upstream


Dear Maintainer,
I just tried to help triage this issue.

I think this is related to upstream bug [1] and
was already fixed in the 5.2 branch by commit [2].

A package built with this patch does just show the
'undefined variable' error, but not the double free fault.

Kind regards,
Bernhard

[1] https://sourceforge.net/p/gnuplot/bugs/2115/
[2] https://sourceforge.net/p/gnuplot/gnuplot-main/ci/732014eefd41235a143626d2bc02d3d34934e1b3/

# Buster amd64 real hardware 2019-04-09


apt update
apt dist-upgrade


#


mkdir /home/benutzer/926658_gnuplot-crash -p
cd /home/benutzer/926658_gnuplot-crash

debootstrap --arch=amd64 buster chroot http://192.168.178.25:/debian-10-buster-deb.debian.org/
mount --rbind /proc chroot/proc

cp -a ../rr*.deb chroot/
# workaround https://github.com/mozilla/rr/issues/2342

env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l root
apt install locales
dpkg-reconfigure locales
nano /etc/inputrc
adduser benutzer
mv /etc/apt/sources.list /etc/apt/sources.list.d/buster-approx.list
echo "deb-src http://192.168.178.25:/debian-10-buster-deb.debian.org buster main" >> /etc/apt/sources.list.d/buster-approx.list
echo "deb http://192.168.178.25:/debian-10-buster-debug.mirrors.debian.org buster-debug main" >> /etc/apt/sources.list.d/buster-approx.list


apt update
apt install dpkg-dev devscripts mc wget unzip rr gdb gnuplot gnuplot-qt-dbgsym

dpkg -i /*.deb
# workaround https://github.com/mozilla/rr/issues/2342

echo 1 > /proc/sys/kernel/perf_event_paranoid


env -i TERM=xterm LANG=de_DE.UTF-8 /usr/sbin/chroot chroot /bin/su -l benutzer

mkdir /home/benutzer/source/gnuplot/orig -p
cd /home/benutzer/source/gnuplot/orig
apt source gnuplot
cd

mkdir /home/benutzer/source/libc6/orig -p
cd /home/benutzer/source/libc6/orig
apt source libc6
cd

wget "https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=926658;filename=test-files.zip;msg=10" -O test-files.zip
unzip test-files.zip
cd test-files
rr record gnuplot call.gpi
rr replay



set width 0
set pagination off
directory /home/benutzer/source/gnuplot/orig/gnuplot-5.2.6+dfsg1/src/wxterminal/bitmaps
directory /home/benutzer/source/libc6/orig/glibc-2.28/malloc
cont
bt
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
reverse-finish
print a->v.string_val
print &(a->v.string_val)
b __GI___libc_free if mem==0x564e97351a60
watch *0x564e9734ed90
reverse-cont
bt
reverse-finish
print a->v.string_val
print &(a->v.string_val)
reverse-cont
bt


#


benutzer@willi-laptop:~$ gnuplot --version
gnuplot 5.2 patchlevel 6


benutzer@willi-laptop:~/test-files$ rr record gnuplot call.gpi
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/gnuplot-0'.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2
Abgebrochen




benutzer@willi-laptop:~/test-files$ rr replay
...
Reading symbols from /usr/bin/gnuplot-qt...(no debugging symbols found)...done.
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:16489
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/.build-id/75/5312dcb2382eb2fde78494879bb2104028ae80.debug...done.
done.
0x7f088a6fd090 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) set width 0
(rr) set pagination off
(rr) cont
Continuing.
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(rr) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x7f0d2535 in __GI_abort () at abort.c:79
#2  0x7f0888929778 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7f0888a3428d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x7f088892fe6a in malloc_printerr (str=str@entry=0x7f0888a35f58 
"free(): double free detected in tcache 2") at malloc.c:5341
#4  0x7f088893194d in _int_free (av=0x7f0888a6bc40 , 
p=0x564e97351a50, have_lock=) at malloc.c:4193
#5  0x564e95fbb8bd in ?? ()
#6  0x564e95fbbd6b in ?? ()
#7  0x564e95fec887 in ?? ()
#8  0x564e95fece8d in ?? ()
#9  0x564e95f9b3bd in ?? ()
#10 0x7f0d409b in __libc_start_main (main=0x564e95f9b000, argc=2, 
argv=0x7ffe67c3fb68, init=, fini=, 
rtld_fini=, stack_end=0x7ffe67c3fb58) at ../csu/libc-start.c:308
#11 0x564e95f9c76a in ?? ()







# With debug symbols

benutzer@willi-laptop:~$ rr replay
GNU gdb (Debian 8.2.1-2) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GP

Bug#926658: gnuplot: free(): double free detected in tcache 2

2019-04-08 Thread Niels Thykier
Source: gnuplot
Version: 5.2.6+dfsg1-1
Severity: important

Hi,

After upgrading lindsay.d.o to buster, we see errors when trying to
generate graphs of the tags.  While trying to create a minimal
reproducer I tripped a double free bug in gnuplot.

The following steps were done to reproduce the issue:

"""
$ unzip test-files.zip
$ cd test-files
test-files$ gdb -args gnuplot call.gp
[...]
(gdb) run
Starting program: /usr/bin/gnuplot call.gpi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Plotting $tag statistics...
"./tags.gpi" line 27: undefined variable: date_min

free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x778c6535 in __GI_abort () at abort.c:79
#2  0x7791d778 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x77a2828d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x77923e6a in malloc_printerr (str=str@entry=0x77a29f58 
"free(): double free detected in tcache 2") at malloc.c:5341
#4  0x7792594d in _int_free (av=0x77a5fc40 , 
p=0x556eb250, have_lock=) at malloc.c:4193
#5  0x5558d71d in gpfree_string (a=0x556e9828) at 
.././../../src/eval.c:423
#6  0x5558dbcb in gpfree_string (a=) at 
.././../../src/eval.c:422
#7  gpfree_array (a=a@entry=0x556e9860) at .././../../src/eval.c:446
#8  0x555be5a7 in lf_pop () at .././../../src/misc.c:515
#9  0x555bebad in load_file_error () at .././../../src/misc.c:626
#10 0x5556e8e5 in main (argc=2, argv=0x7fffe178) at 
.././../../src/plot.c:555
(gdb) quit
"""

Note: The test files *are* invalid - the common.gpi file should define
some variables but it does not (e.g. date_min).  Nonetheless, gnuplot
should not trip a double-free regardless of whether the input is valid
or not.

Relevant versions of gnuplot used for reproducing this:

"""
$ dpkg -l | grep gnuplot
ii  gnuplot-data        5.2.6+dfsg1-1  all    Command-line driven interactive plotting program. Data-files
ii  gnuplot-nox         5.2.6+dfsg1-1  amd64  Command-line driven interactive plotting program. No-X package
ii  gnuplot-nox-dbgsym  5.2.6+dfsg1-1  amd64  debug symbols for gnuplot-nox
"""

Thanks,
~Niels
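The backtrace in this report (frames #5 to #9: gpfree_string reached from gpfree_array, lf_pop and load_file_error) and Bernhard's rr session (a conditional breakpoint on __GI___libc_free for one address, then a watchpoint on the string_val slot) both point at the same bug class: a string payload inside an array of values is released once on an error path and a second time when the array itself is torn down, and glibc's tcache check aborts on the second free(). The following is an added example, not gnuplot's code and not the upstream fix; the types and function names (value_t, free_string, free_array, error_path_then_teardown) are hypothetical and the sample strings are constructed. It contrasts the fragile release shape with one that clears the slot, so that a repeated release of the same value is a no-op instead of a double free.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical value type: a tagged union whose STRING variant owns a
 * heap buffer. Modelled loosely on the a->v.string_val slot inspected in
 * the rr session above; these are not gnuplot's definitions. */
typedef enum { T_NOTDEFINED = 0, T_INTEGER, T_STRING } vtype_t;

typedef struct {
    vtype_t type;
    union {
        long  int_val;
        char *string_val;   /* owned only while type == T_STRING */
    } v;
} value_t;

/* Local strdup (avoids feature-test macros for the POSIX one). */
static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static value_t make_string(const char *s) {
    value_t a;
    a.type = T_STRING;
    a.v.string_val = dup_string(s);
    return a;
}

/* FRAGILE shape: the buffer is returned to the allocator, but the slot
 * still claims to own it. Any later release of the same slot hands the
 * same pointer to free() again, which is what glibc's
 * "double free detected in tcache 2" message reports. Shown for
 * comparison only; nothing in this file calls it. */
void free_string_unsafe(value_t *a) {
    if (a->type == T_STRING)
        free(a->v.string_val);
}

/* HARDENED shape: releasing drops both the dangling pointer and the
 * ownership claim, so every further release of this slot is a no-op. */
static void free_string(value_t *a) {
    if (a->type == T_STRING) {
        free(a->v.string_val);
        a->v.string_val = NULL;
        a->type = T_NOTDEFINED;
    }
}

/* Array teardown releases every element, mirroring the loop that
 * gpfree_array performs in the backtrace. */
static void free_array(value_t *arr, size_t n) {
    for (size_t i = 0; i < n; i++)
        free_string(&arr[i]);
}

/* Number of slots that still claim to own a string. */
static size_t owned_strings(const value_t *arr, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (arr[i].type == T_STRING) k++;
    return k;
}

/* Model of the failing sequence: an error path releases one element
 * directly, then the array teardown releases every element again. With
 * the hardened free_string this completes and returns 0 owned slots;
 * with free_string_unsafe the second release of arr[1] would abort. */
size_t error_path_then_teardown(void) {
    value_t arr[3];
    arr[0] = make_string("date_min");   /* constructed sample values */
    arr[1] = make_string("date_max");
    arr[2].type = T_INTEGER;
    arr[2].v.int_val = 27;

    free_string(&arr[1]);   /* first release, e.g. from an error handler */
    free_array(arr, 3);     /* second release of arr[1] is now harmless */
    return owned_strings(arr, 3);
}

/* Releasing the same slot twice must never pass one pointer to free() twice. */
int double_release_is_safe(void) {
    value_t a = make_string("x");
    free_string(&a);
    free_string(&a);
    return a.type == T_NOTDEFINED && a.v.string_val == NULL;
}

int main(void) {
    return (error_path_then_teardown() == 0 && double_release_is_safe()) ? 0 : 1;
}
```

When a report like this one only carries the tcache message and an abort, building the program with `-fsanitize=address` makes the allocator print the stack of the first free() alongside the second, which gets to the two release sites faster than stepping backwards with reverse-finish does; rr remains the better tool when the first free happened long before the crash and the allocation address is all you have.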