Public bug reported:
[ Impact ]
* LXC incorrectly frees memory returned by libcap's cap_to_text()
using free() instead of cap_free(). This results in intermittent
container startup failures due to an invalid memory deallocation
in the LXC child process.
* Users may observe the following errors on container startup:
    free(): invalid pointer
    lxc-start: [...] Failed to spawn container "bug-repro-10046-17"
* This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.
* This update replaces the incorrect free() call with cap_free(),
matching the requirements of cap_to_text() and eliminating the
undefined behavior.
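As an added illustration of why free() on the result of cap_to_text() aborts (constructed here, not LXC's or libcap's code): libcap stores a small private header in front of the text it returns, so the caller holds an interior pointer, and only the library's own deallocator knows how to step back to the real block start. demo_cap_to_text, demo_cap_free and demo_log_caps are hypothetical stand-ins for cap_to_text(), cap_free() and LXC's ambient-capability logging; the header layout is an assumption, since libcap's real one varies by version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the allocator contract behind this bug (not libcap or
 * LXC code): libcap returns text that sits just past a small private header, so
 * the pointer from cap_to_text() is an interior pointer of a larger block and
 * glibc's free() rejects it, which is the "free(): invalid pointer" abort. */
#define DEMO_MAGIC 0xCA9F0F5Du

struct demo_hdr {
    uint32_t magic;               /* marks a block owned by this allocator */
    uint32_t size;                /* length of the text that follows */
};

/* Stand-in for cap_to_text(): result must go back through demo_cap_free(). */
char *demo_cap_to_text(const char *caps)
{
    size_t len = strlen(caps);
    struct demo_hdr *hdr = malloc(sizeof(*hdr) + len + 1);
    if (hdr == NULL)
        return NULL;
    hdr->magic = DEMO_MAGIC;
    hdr->size = (uint32_t)len;
    memcpy(hdr + 1, caps, len + 1);
    return (char *)(hdr + 1);     /* sizeof(*hdr) bytes past the malloc() result */
}

/* Stand-in for cap_free(): step back to the header, validate it and free the
 * whole block. Returns 0 on success, -1 for a pointer it does not own. */
int demo_cap_free(void *p)
{
    struct demo_hdr *hdr = p ? (struct demo_hdr *)p - 1 : NULL;
    if (hdr == NULL || hdr->magic != DEMO_MAGIC)
        return -1;
    free(hdr);
    return 0;
}

/* The sequence LXC's ambient-capability setup needs: get the text, use it
 * (copied into `out` here in place of logging), release it with the matching
 * deallocator. The buggy code called free(str) at the marked line. */
int demo_log_caps(const char *caps, char *out, size_t outlen)
{
    char *str = demo_cap_to_text(caps);
    if (str == NULL)
        return -1;
    snprintf(out, outlen, "%s", str);
    return demo_cap_free(str);    /* was free(str): interior pointer, aborts */
}
```

Under AddressSanitizer (-fsanitize=address) or valgrind a free() of such an interior pointer is reported on every run, rather than on the roughly 2 to 3% of runs the reproducer above sees, which is the quickest way to confirm the fix is in place.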
[ Test Plan ]
* [0] LXC will be tested in the following environments:
    - Resolute (26.04 LTS)
    - Noble (24.04 LTS)
    - Jammy (22.04 LTS)
* [1] Download the reproduction script (repro.sh) from the GitHub bug
  report or this Launchpad bug. The script repeatedly starts a minimal
  LXC container using user namespace ID mappings that expose the bug.
* [2] Install LXC and dependencies for repro.sh:
    sudo apt update
    sudo apt install -y lxc uidmap debootstrap
* [3] Configure subuid/subgid that repro.sh expects for reproduction:
    echo "root:0:1000" | sudo tee -a /etc/subuid
    echo "root:0:1000" | sudo tee -a /etc/subgid
  Verify these values are set with:
    grep '^root:' /etc/subuid
    grep '^root:' /etc/subgid
* [4] Make sure repro.sh is executable:
    chmod +x repro.sh
* [5] Run the script as root to set up the reproducer:
    sudo ./repro.sh
  This will set up the environment for the actual reproducer.
* [6] Run the actual reproducer:
    sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>
  The issue is intermittent (~2–3% failure rate), so multiple runs
  or higher iteration counts (e.g. 200–2000) may be required.
  On an affected system, failures will show something like:
    === FAILED on run 351 ===
    Exit code: 1
    Output:
    free(): invalid pointer
    lxc-start: bug-repro-18106-351: ../src/lxc/sync.c: sync_wait: 25 Connection reset by peer - Sync wait failure
    lxc-start: bug-repro-18106-351: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "bug-repro-18106-351"
    lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
    lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options
    Bug reproduced! Container 'bug-repro-18106-351' failed to start.
    Full log at: /tmp/lxc-bug-repro/runs.log
* [7] Install the updated package containing the fix.
* [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>)
  multiple times and verify that all iterations complete successfully.
[ Where problems could occur ]
* This change affects the cleanup of capability strings during ambient
capability setup. If incorrect, containers requiring ambient
capabilities could fail to start or have incorrect capability sets.
[ Other Info ]
* Upstream Bug: https://github.com/lxc/lxc/issues/4670
* Upstream PR Fix: https://github.com/lxc/lxc/pull/4685
* Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25
* This is a minimal upstream fix consisting of a single memory cleanup
change. No functional changes are made to capability handling beyond
replacing the incorrect deallocation behavior.
** Affects: lxc (Ubuntu)
Importance: High
Assignee: Leah Goldberg (goldberl)
Status: Fix Committed
** Affects: lxc (Ubuntu Jammy)
Importance: High
Assignee: Leah Goldberg (goldberl)
Status: In Progress
** Affects: lxc (Ubuntu Noble)
Importance: High
Assignee: Leah Goldberg (goldberl)
Status: In Progress
** Affects: lxc (Ubuntu Resolute)
Importance: High
Assignee: Leah Goldberg (goldberl)
Status: In Progress
** Affects: lxc (Ubuntu Stonking)
Importance: High
Assignee: Leah Goldberg (goldberl)
Status: Fix Committed
** Attachment added: "LXC reproduction script for cap_to_text() free() bug"
https://bugs.launchpad.net/bugs/2158643/+attachment/5979457/+files/repro.sh
** Also affects: lxc (Ubuntu Resolute)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Stonking)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: lxc (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: lxc (Ubuntu Jammy)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Resolute)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Noble)
Assignee: (unassigned) => Leah Goldberg (goldberl)
** Changed in: lxc (Ubuntu Stonking)
Assignee: (unassigned) => Leah Goldberg (goldberl)
** Changed in: lxc (Ubuntu Stonking)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Resolute)
Assignee: (unassigned) => Leah Goldberg (goldberl)
** Changed in: lxc (Ubuntu Noble)
Importance: Undecided => High
** Changed in: lxc (Ubuntu Jammy)
Assignee: (unassigned) => Leah Goldberg (goldberl)
** Changed in: lxc (Ubuntu Jammy)
Status: New => In Progress
** Changed in: lxc (Ubuntu Noble)
Status: New => In Progress
** Changed in: lxc (Ubuntu Resolute)
Status: New => In Progress
** Changed in: lxc (Ubuntu Stonking)
Status: New => In Progress
** Changed in: lxc (Ubuntu Stonking)
Status: In Progress => Fix Committed
** Description changed:
[ Impact ]
- * LXC incorrectly frees memory returned by libcap's cap_to_text()
- using free() instead of cap_free(). This results in intermittent
- container startup failures due to an invalid memory deallocation
- in the LXC child process.
+ * LXC incorrectly frees memory returned by libcap's cap_to_text()
+ using free() instead of cap_free(). This results in intermittent
+ container startup failures due to an invalid memory deallocation
+ in the LXC child process.
- * Users may observe the following errors on container startup:
- free(): invalid pointer
- lxc-start: [...] Failed to spawn container "bug-repro-10046-17"
+ * Users may observe the following errors on container startup:
+ free(): invalid pointer
+ lxc-start: [...] Failed to spawn container "bug-repro-10046-17"
- * This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.
+ * This bug has been reproduced on 22.04 LTS, 24.04 LTS, and 26.04 LTS.
- * This update replaces the incorrect free() call with cap_free(),
- matching the requirements of cap_to_text() and eliminating the
- undefined behavior.
-
+ * This update replaces the incorrect free() call with cap_free(),
+ matching the requirements of cap_to_text() and eliminating the
+ undefined behavior.
+
[ Test Plan ]
- * [0] LXC will be tested in the following environments:
- - Resolute (26.04 LTS)
- - Noble (24.04 LTS)
- - Jammy (22.04 LTS)
+ * [0] LXC will be tested in the following environments:
+ - Resolute (26.04 LTS)
+ - Noble (24.04 LTS)
+ - Jammy (22.04 LTS)
- * [1] Download the reproduction script (repro.sh) from the GitHub bug
- report or this Launchpad bug. The script repeatedly starts a minimal
- LXC container using user namespace ID mappings that expose the bug.
+ * [1] Download the reproduction script (repro.sh) from the GitHub bug
+ report or this Launchpad bug. The script repeatedly starts a minimal
+ LXC container using user namespace ID mappings that expose the bug.
- * [2] Install LXC and dependencies for repro.sh:
- sudo apt update
- sudo apt install -y lxc uidmap debootstrap
+ * [2] Install LXC and dependencies for repro.sh:
+ sudo apt update
+ sudo apt install -y lxc uidmap debootstrap
- * [3] Configure subuid/subgid that repro.sh expects for reproduction:
- echo "root:0:1000" | sudo tee -a /etc/subuid
- echo "root:0:1000" | sudo tee -a /etc/subgid
- Verify these values are set with:
- grep '^root:' /etc/subuid
- grep '^root:' /etc/subgid
+ * [3] Configure subuid/subgid that repro.sh expects for reproduction:
+ echo "root:0:1000" | sudo tee -a /etc/subuid
+ echo "root:0:1000" | sudo tee -a /etc/subgid
+ Verify these values are set with:
+ grep '^root:' /etc/subuid
+ grep '^root:' /etc/subgid
- * [4] Make sure repro.sh is executable:
- chmod +x repro.sh
+ * [4] Make sure repro.sh is executable:
+ chmod +x repro.sh
- * [5] Run the script as root to set up the reproducer:
- sudo ./repro.sh
- This will set up the environment for the actual reproducer.
+ * [5] Run the script as root to set up the reproducer:
+ sudo ./repro.sh
+ This will set up the environment for the actual reproducer.
- * [6] Run the actual reproducer:
- sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>
-
- The issue is intermittent (~2–3% failure rate), so multiple runs
- or higher iteration counts (e.g. 200–2000) may be required.
+ * [6] Run the actual reproducer:
+ sudo /tmp/lxc-bug-repro/run-test.sh <NUM-ITERATIONS>
- On an affected system, failures will show:
+ The issue is intermittent (~2–3% failure rate), so multiple runs
+ or higher iteration counts (e.g. 200–2000) may be required.
+
+ On an affected system, failures will show something like:
+
+ === FAILED on run 351 ===
+ Exit code: 1
+ Output:
free(): invalid pointer
- lxc-start: Failed to spawn container
+ lxc-start: bug-repro-18106-351: ../src/lxc/sync.c: sync_wait: 25
+ Connection reset by peer - Sync wait failure
+ lxc-start: bug-repro-18106-351: ../src/lxc/start.c: __lxc_start: 2107
+ Failed to spawn container "bug-repro-18106-351"
+ lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 306
+ The container failed to start
+ lxc-start: bug-repro-18106-351: ../src/lxc/tools/lxc_start.c: main: 311
+ Additional information can be obtained by setting the --logfile and --
+ logpriority options
- * [7] Install the updated package containing the fix.
+ Bug reproduced! Container 'bug-repro-18106-351' failed to start.
+ Full log at: /tmp/lxc-bug-repro/runs.log
- * [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh
<NUM-ITERATIONS>)
- multiple times and verify that all iterations complete successfully.
+ * [7] Install the updated package containing the fix.
+
+ * [8] Rerun the reproducer (sudo /tmp/lxc-bug-repro/run-test.sh
<NUM-ITERATIONS>)
+ multiple times and verify that all iterations complete successfully.
[ Where problems could occur ]
- * This change affects the cleanup of capability strings during ambient
- capability setup. If incorrect, containers requiring ambient
- capabilities could fail to start or have incorrect capability sets.
+ * This change affects the cleanup of capability strings during ambient
+ capability setup. If incorrect, containers requiring ambient
+ capabilities could fail to start or have incorrect capability sets.
[ Other Info ]
- * Upstream Bug: https://github.com/lxc/lxc/issues/4670
- * Upstream PR Fix: https://github.com/lxc/lxc/pull/4685
- * Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25
+ * Upstream Bug: https://github.com/lxc/lxc/issues/4670
+ * Upstream PR Fix: https://github.com/lxc/lxc/pull/4685
+ * Debian MR Fix: https://salsa.debian.org/lxc-team/lxc/-/merge_requests/25
- * This is a minimal upstream fix consisting of a single memory cleanup
- change. No functional changes are made to capability handling beyond
- replacing the incorrect deallocation behavior.
+ * This is a minimal upstream fix consisting of a single memory cleanup
+ change. No functional changes are made to capability handling beyond
+ replacing the incorrect deallocation behavior.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158643
Title:
[SRU] lxc: incorrect free() of cap_to_text() result in ambient caps
setup causes intermittent startup failure
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/2158643/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs