Public bug reported:

[ Impact ]

 * LXC incorrectly frees memory returned by libcap's cap_to_text()
   using free() instead of cap_free(). This results in intermittent
   container startup failures due to an invalid memory deallocation
   in the LXC child process.

 * Users may observe the following errors on container startup:
   free(): invalid pointer
   lxc-start: [...] Failed to spawn container "bug-repro-10046-17"

 * This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.

 * This update replaces the incorrect free() call with cap_free(),
   matching the requirements of cap_to_text() and eliminating the
   undefined behavior.
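As an added illustration of the allocator/deallocator contract this fix restores (example code, not LXC's or libcap's own): libcap's cap_to_text() returns memory that only cap_free() knows how to release, because the library keeps its own bookkeeping in front of the pointer the caller sees, so the caller's pointer is not the start of the heap block and is never a valid argument to free(). The model_* functions below are a simplified stand-in for that contract written for this example (an 8-byte header is assumed; libcap's real layout is an implementation detail), and the comments name the real libcap calls (cap_to_text(), cap_free()) they stand in for. ambient_caps_report() shows the obtain/use/release sequence with the matching release routine in the place where the reported bug used free().

```c
/* Added example, not LXC's or libcap's code. A small model of the
 * allocator/deallocator contract behind cap_to_text()/cap_free(): the
 * library returns a pointer that is NOT the start of the heap block (a
 * bookkeeping header sits in front of it), so only the library's own
 * release routine can hand the block back to malloc. All model_* names
 * are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_MAGIC 0xCA9EF00Du

/* Bookkeeping header placed in front of every string the model hands out. */
struct model_hdr {
    uint32_t magic;   /* lets the release routine reject foreign pointers */
    uint32_t size;    /* bytes of payload, header excluded */
    char payload[];   /* the pointer the caller actually receives */
};

/* Stands in for cap_to_text(): the caller gets h->payload, not h. */
char *model_to_text(const char *caps)
{
    size_t n = strlen(caps) + 1;
    struct model_hdr *h = malloc(sizeof *h + n);
    if (h == NULL)
        return NULL;
    h->magic = MODEL_MAGIC;
    h->size = (uint32_t)n;
    memcpy(h->payload, caps, n);
    return h->payload;
}

/* Start of the real heap block behind a model_to_text() result. */
void *model_base(const char *text)
{
    return (void *)(text - offsetof(struct model_hdr, payload));
}

/* Stands in for cap_free(): validates the header, walks back to the block
 * start, then frees. Returns 0 on success, -1 if the magic does not match.
 * Like cap_free(), it must only be given pointers the library produced. */
int model_free(char *text)
{
    if (text == NULL)
        return 0;
    struct model_hdr *h = model_base(text);
    if (h->magic != MODEL_MAGIC)
        return -1;
    h->magic = 0;             /* poison so a stale pointer no longer passes */
    free(h);
    return 0;
}

/* The sequence LXC's ambient-capability setup needs: obtain the text, use
 * it (here: copy it into the caller's buffer; LXC logs it), release it with
 * the matching routine. The reported bug called free(text) at the release
 * step: free() would receive an address inside a block, which is undefined
 * behaviour and is what glibc reports as "free(): invalid pointer" when its
 * sanity checks catch it. Returns 0 on success, -1 on any failure. */
int ambient_caps_report(const char *caps, char *out, size_t outlen)
{
    char *text = model_to_text(caps);       /* libcap: cap_to_text(caps, NULL) */
    if (text == NULL)
        return -1;
    int rc = 0;
    size_t len = strlen(text) + 1;
    if (len > outlen)
        rc = -1;
    else
        memcpy(out, text, len);
    if (model_free(text) != 0)              /* libcap: cap_free(text), NOT free(text) */
        rc = -1;
    return rc;
}

/* Self-check: the caller-visible pointer is offset from the block start, so
 * it is never a valid argument for free(); the matching release succeeds and
 * accepts NULL. Returns 0 when every check passes. */
int model_selftest(void)
{
    char *t = model_to_text("cap_net_bind_service,cap_sys_admin+eip");
    if (t == NULL)
        return -1;
    if (model_base(t) == (void *)t)
        return -2;            /* would mean free(t) were legal; it is not */
    if (strcmp(t, "cap_net_bind_service,cap_sys_admin+eip") != 0)
        return -3;
    if (model_free(t) != 0 || model_free(NULL) != 0)
        return -4;
    return 0;
}

/* Scratch buffer for the demonstration below. */
char report_buf[64];

int main(void)
{
    report_buf[0] = '\0';
    int rc = ambient_caps_report("cap_chown,cap_setuid+eip", report_buf, sizeof report_buf);
    printf("report rc=%d text=\"%s\" selftest=%d\n", rc, report_buf, model_selftest());
    return rc == 0 ? 0 : 1;
}
```

The check worth carrying over to real code is the pairing rule itself: every pointer obtained from cap_to_text() (or any other cap_* allocator) is released with cap_free() and nothing else, and a review of a patch touching capability setup can be limited to confirming that pairing, which is all the upstream fix changes.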

[ Test Plan ]

 * [0] LXC will be tested in the following environments:
       - Resolute (26.04 LTS)
       - Noble (24.04 LTS)
       - Jammy (22.04 LTS)

 * [1] Download the reproduction script (repro.sh) from the GitHub bug
       report or this Launchpad bug. The script repeatedly starts a minimal
       LXC container using user namespace ID mappings that expose the bug.

 * [2] Install LXC and dependencies for repro.sh:
       sudo apt update
       sudo apt install -y lxc uidmap debootstrap

 * [3] Configure subuid/subgid that repro.sh expects for reproduction:
       echo "root:0:1000" | sudo tee -a /etc/subuid
       echo "root:0:1000" | sudo tee -a /etc/subgid
       Verify these values are set with:
       grep '^root:' /etc/subuid
       grep '^root:' /etc/subgid

 * [4] Make sure repro.sh is executable:
       chmod +x repro.sh

 * [5] Run the script as root to set up the reproducer:
       sudo ./repro.sh
       This will set up the environment for the actual reproducer.

 * [6] Run the actual reproducer:
       sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>

       The issue is intermittent (~2–3% failure rate), so multiple runs
       or higher iteration counts (e.g. 200–2000) may be required.

       On an affected system, failures will show something like:

       === FAILED on run 351 ===
       Exit code: 1
       Output:
       free(): invalid pointer
       lxc-start: bug-repro-18106-351: ../src/lxc/sync.c: sync_wait: 25
       Connection reset by peer - Sync wait failure
       lxc-start: bug-repro-18106-351: ../src/lxc/start.c: __lxc_start: 2107
       Failed to spawn container "bug-repro-18106-351"
       lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 306
       The container failed to start 
       lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 311
       Additional information can be obtained by setting the --logfile and --
       logpriority options

       Bug reproduced! Container 'bug-repro-18106-351' failed to start.
       Full log at: /tmp/lxc-bug-repro/runs.log

 * [7] Install the updated package containing the fix.

 * [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>)
       multiple times and verify that all iterations complete successfully.

[ Where problems could occur ]

 * This change affects the cleanup of capability strings during ambient
   capability setup. If incorrect, containers requiring ambient
   capabilities could fail to start or have incorrect capability sets.

[ Other Info ]

 * Upstream Bug: https://github.com/lxc/lxc/issues/4670
 * Upstream PR Fix: https://github.com/lxc/lxc/pull/4685
 * Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25

 * This is a minimal upstream fix consisting of a single memory cleanup
   change. No functional changes are made to capability handling beyond
   replacing the incorrect deallocation behavior.

** Affects: lxc (Ubuntu)
     Importance: High
     Assignee: Leah Goldberg (goldberl)
         Status: Fix Committed

** Affects: lxc (Ubuntu Jammy)
     Importance: High
     Assignee: Leah Goldberg (goldberl)
         Status: In Progress

** Affects: lxc (Ubuntu Noble)
     Importance: High
     Assignee: Leah Goldberg (goldberl)
         Status: In Progress

** Affects: lxc (Ubuntu Resolute)
     Importance: High
     Assignee: Leah Goldberg (goldberl)
         Status: In Progress

** Affects: lxc (Ubuntu Stonking)
     Importance: High
     Assignee: Leah Goldberg (goldberl)
         Status: Fix Committed

** Attachment added: "LXC reproduction script for cap_to_text() free() bug"
   https://bugs.launchpad.net/bugs/2158643/+attachment/5979457/+files/repro.sh

** Also affects: lxc (Ubuntu Resolute)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Stonking)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: lxc (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu Resolute)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu Noble)
     Assignee: (unassigned) => Leah Goldberg (goldberl)

** Changed in: lxc (Ubuntu Stonking)
     Assignee: (unassigned) => Leah Goldberg (goldberl)

** Changed in: lxc (Ubuntu Stonking)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu Resolute)
     Assignee: (unassigned) => Leah Goldberg (goldberl)

** Changed in: lxc (Ubuntu Noble)
   Importance: Undecided => High

** Changed in: lxc (Ubuntu Jammy)
     Assignee: (unassigned) => Leah Goldberg (goldberl)

** Changed in: lxc (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Noble)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Resolute)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Stonking)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Stonking)
       Status: In Progress => Fix Committed

** Description changed:

  [ Impact ]
  
-  * LXC incorrectly frees memory returned by libcap's cap_to_text()
-    using free() instead of cap_free(). This results in intermittent
-    container startup failures due to an invalid memory deallocation
-    in the LXC child process.
+  * LXC incorrectly frees memory returned by libcap's cap_to_text()
+    using free() instead of cap_free(). This results in intermittent
+    container startup failures due to an invalid memory deallocation
+    in the LXC child process.
  
-  * Users may observe the following errors on container startup:
-    free(): invalid pointer
-    lxc-start: [...] Failed to spawn container "bug-repro-10046-17"
+  * Users may observe the following errors on container startup:
+    free(): invalid pointer
+    lxc-start: [...] Failed to spawn container "bug-repro-10046-17"
  
-  * This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.
+  * This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.
  
-  * This update replaces the incorrect free() call with cap_free(),
-    matching the requirements of cap_to_text() and eliminating the
-    undefined behavior.
-    
+  * This update replaces the incorrect free() call with cap_free(),
+    matching the requirements of cap_to_text() and eliminating the
+    undefined behavior.
+ 
  [ Test Plan ]
  
-  * [0] LXC will be tested in the following environments:
-        - Resolute (26.04 LTS)
-        - Noble (24.04 LTS)
-        - Jammy (22.04 LTS)
+  * [0] LXC will be tested in the following environments:
+        - Resolute (26.04 LTS)
+        - Noble (24.04 LTS)
+        - Jammy (22.04 LTS)
  
-  * [1] Download the reproduction script (repro.sh) from the GitHub bug 
-        report or this Launchpad bug. The script repeatedly starts a minimal
-        LXC container using user namespace ID mappings that expose the bug.
+  * [1] Download the reproduction script (repro.sh) from the GitHub bug
+        report or this Launchpad bug. The script repeatedly starts a minimal
+        LXC container using user namespace ID mappings that expose the bug.
  
-  * [2] Install LXC and dependencies for repro.sh:
-        sudo apt update
-        sudo apt install -y lxc uidmap debootstrap
+  * [2] Install LXC and dependencies for repro.sh:
+        sudo apt update
+        sudo apt install -y lxc uidmap debootstrap
  
-  * [3] Configure subuid/subgid that repro.sh expects for reproduction:
-        echo "root:0:1000" | sudo tee -a /etc/subuid
-        echo "root:0:1000" | sudo tee -a /etc/subgid
-        Verify these values are set with:
-        grep '^root:' /etc/subuid
-        grep '^root:' /etc/subgid
+  * [3] Configure subuid/subgid that repro.sh expects for reproduction:
+        echo "root:0:1000" | sudo tee -a /etc/subuid
+        echo "root:0:1000" | sudo tee -a /etc/subgid
+        Verify these values are set with:
+        grep '^root:' /etc/subuid
+        grep '^root:' /etc/subgid
  
-  * [4] Make sure repro.sh is executable:
-        chmod +x repro.sh
+  * [4] Make sure repro.sh is executable:
+        chmod +x repro.sh
  
-  * [5] Run the script as root to set up the reproducer:
-        sudo ./repro.sh
-        This will set up the environment for the actual reproducer.
+  * [5] Run the script as root to set up the reproducer:
+        sudo ./repro.sh
+        This will set up the environment for the actual reproducer.
  
-  * [6] Run the actual reproducer:
-        sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>
-        
-        The issue is intermittent (~2–3% failure rate), so multiple runs
-        or higher iteration counts (e.g. 200–2000) may be required.
+  * [6] Run the actual reproducer:
+        sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>
  
-        On an affected system, failures will show:
+        The issue is intermittent (~2–3% failure rate), so multiple runs
+        or higher iteration counts (e.g. 200–2000) may be required.
+ 
+        On an affected system, failures will show something like:
+ 
+        === FAILED on run 351 ===
+        Exit code: 1
+        Output:
         free(): invalid pointer
-        lxc-start: Failed to spawn container
+        lxc-start: bug-repro-18106-351: ../src/lxc/sync.c: sync_wait: 25
+        Connection reset by peer - Sync wait failure
+        lxc-start: bug-repro-18106-351: ../src/lxc/start.c: __lxc_start: 2107
+        Failed to spawn container "bug-repro-18106-351"
+        lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 306
+        The container failed to start 
+        lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 311
+        Additional information can be obtained by setting the --logfile and --
+        logpriority options
  
-  * [7] Install the updated package containing the fix.
+        Bug reproduced! Container 'bug-repro-18106-351' failed to start.
+        Full log at: /tmp/lxc-bug-repro/runs.log
  
-  * [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh 
<NUM-ITERATIONS>)
-        multiple times and verify that all iterations complete successfully.
+  * [7] Install the updated package containing the fix.
+ 
+  * [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh 
<NUM-ITERATIONS>)
+        multiple times and verify that all iterations complete successfully.
  
  [ Where problems could occur ]
  
-  * This change affects the cleanup of capability strings during ambient
-    capability setup. If incorrect, containers requiring ambient
-    capabilities could fail to start or have incorrect capability sets.
+  * This change affects the cleanup of capability strings during ambient
+    capability setup. If incorrect, containers requiring ambient
+    capabilities could fail to start or have incorrect capability sets.
  
  [ Other Info ]
  
-  * Upstream Bug: https://github.com/lxc/lxc/issues/4670
-  * Upstream PR Fix: https://github.com/lxc/lxc/pull/4685 
-  * Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25 
+  * Upstream Bug: https://github.com/lxc/lxc/issues/4670
+  * Upstream PR Fix: https://github.com/lxc/lxc/pull/4685
+  * Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25
  
-  * This is a minimal upstream fix consisting of a single memory cleanup
-    change. No functional changes are made to capability handling beyond
-    replacing the incorrect deallocation behavior.
+  * This is a minimal upstream fix consisting of a single memory cleanup
+    change. No functional changes are made to capability handling beyond
+    replacing the incorrect deallocation behavior.
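Review bot: the expanded sample output added under step [6] hard-codes one run's identifiers (run 351, container bug-repro-18106-351), so the test plan should say testers are to match on the stable markers "free(): invalid pointer" and "Failed to spawn container" rather than on those values; the "something like" qualifier helps, but a sentence naming the markers would remove the ambiguity. Apart from that replacement of the two-line "failures will show" sample, every other -/+ pair in this description diff (steps [1] to [5], [7], [8], the Upstream PR and Debian MR links) differs only in trailing whitespace, which makes the change harder to review than it needs to be.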

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158643

Title:
  [SRU] lxc: incorrect free() of cap_to_text() result in ambient caps
  setup causes intermittent startup failure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2158643/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs