Bug 1120925
| Field | Value |
|---|---|
| Summary | lynx crashes due to use after free in scan_cookie_sublist() |
| Product | Fedora |
| Reporter | Hin-Tak Leung <htl10> |
| Component | lynx |
| Assignee | Kamil Dudka <kdudka> |
| Status | CLOSED INSUFFICIENT_DATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | unspecified |
| Version | 20 |
| CC | dickey, htl10, kdudka, tg |
| Hardware | x86_64 |
| OS | Unspecified |
| URL | https://retrace.fedoraproject.org/faf/reports/bthash/b561783a93d936ee201a0b9c2d2d05c1ad2c813a |
| Whiteboard | abrt_hash:9e43e8d5067b4377e994e4a40444e837494741fc |
| Doc Type | Bug Fix |
| Last Closed | 2015-01-20 13:25:57 UTC |
Description (Hin-Tak Leung, 2014-07-18 02:08:38 UTC)
Attachments:
- attachment 918910: backtrace
- attachment 918911: cgroup
- attachment 918912: core_backtrace
- attachment 918914: dso_list
- attachment 918916: environ
- attachment 918919: limits
- attachment 918921: maps
- attachment 918923: open_fds
- attachment 918925: proc_pid_status
- attachment 918927: var_log_messages
hl = 0x9d9d9d9d9d9d9d9d looks like an apparent use after free bug due to the setting MALLOC_PERTURB_=157 in your environment. Is this something I can reproduce locally?

I suspect this is caused by a call to HTList_removeObject(de->cookie_list, ...), which can invalidate de->cookie_list without updating the reference in case the object to remove is found at position zero. I will tell the maintainer...

Actually, my analysis appears to be wrong. The first item of the list should be a header that contains no object (and is never freed by HTList_removeObject()). So the memory pointed to by de->cookie_list must be freed somewhere else...

I don't see a crash in visiting that site. However, using valgrind, I see this (which is fixed in 2.8.8pre.5):

```
==15557==    at 0x525C709: idna_to_ascii_4z (in /usr/lib64/libidn.so.11.6.11)
==15557==    by 0x525C9A7: idna_to_ascii_8z (in /usr/lib64/libidn.so.11.6.11)
==15557==    by 0x497267: HTParse (in /usr/local/bin/lynx)
==15557==    by 0x448033: LYEnsureAbsoluteURL (in /usr/local/bin/lynx)
==15557==    by 0x42C10D: main (in /usr/local/bin/lynx)
==15557==  Address 0x7e57aa4 is 4 bytes inside a block of size 5 alloc'd
==15557==    at 0x4C2745D: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-am>
==15557==    by 0x525C863: idna_to_ascii_4z (in /usr/lib64/libidn.so.11.6.11)
==15557==    by 0x525C9A7: idna_to_ascii_8z (in /usr/lib64/libidn.so.11.6.11)
==15557==    by 0x497267: HTParse (in /usr/local/bin/lynx)
==15557==    by 0x448033: LYEnsureAbsoluteURL (in /usr/local/bin/lynx)
==15557==    by 0x42C10D: main (in /usr/local/bin/lynx)
```

2014-02-14 (2.8.8pre.5)
* use idn_free() rather than ordinary free (patch by GV)

hmm - sorry (was running a test-version of lynx, not your package). With your package, valgrind has nothing to report.

(In reply to Thomas E. Dickey from comment #14)
> I don't see a crash in visiting that site.

I was not able to reproduce the crash either.

> However, using valgrind,
> I see this (which is fixed in 2.8.8pre.5):

It looks like the first line of valgrind's output is missing. What was the actual error reported by valgrind? Was it an invalid read? If so, it looks very similar to bug #678518 comment #2 -- in that case, it was a false positive of valgrind caused by the string routines optimization that GCC uses with -O2.

yes, it looks like that case (thanks)

(In reply to Kamil Dudka from comment #11)
> hl = 0x9d9d9d9d9d9d9d9d looks like an apparent use after free bug due to the
> setting MALLOC_PERTURB_=157 in your environment. Is this something I can
> reproduce locally?

That's likely correct. While the initial command line was correct, if I remember correctly, it crashed after a bit of navigating on and off, so the command line argument might not be relevant.

Argh, greetings, Thomas E. Dickey. We have corresponded some years ago about cxterm (the xterm with an extra cjk-input panel that does anticipative/phrasal inputs...).

I didn't notice MALLOC_PERTURB as a factor before. But setting that doesn't seem to change anything (I have not been able to find a case which shows any breakage). By the way, the original test-URL is defunct...

I am closing the bug due to lack of information. Feel free to reopen it once you find reliable steps to reproduce.

I think this could be the same bug I fixed yesterday which has annoyed me quite a bit for a while, since we on MirBSD have a malloc that overwrites free(3)d space. http://thread.gmane.org/gmane.comp.web.lynx.devel/8441/focus=8442 Please try whether the patch from there helps for you.

Hm, actually, looking at it, LYHandleCookies() seems to have the same bug. I think all 23 calls to HTList_removeObject need to be audited.

Sorry, that was a one-off event and I had not been able to reliably reproduce this anyway.
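The hazard discussed in the thread above (HTList_removeObject() freeing a node while a caller is still walking the list, and a malloc that scribbles over freed memory turning the stale pointer into 0x9d9d9d9d9d9d9d9d) as an added illustration that is not lynx's code: a simplified sentinel-headed list modelled on lynx's HTList API, with an expiry sweep that reads the next pointer before the current node is freed. The Cookie struct, add_cookie() and demo_remaining() are constructed for this example and do not exist in lynx.

```c
#include <stdlib.h>
/* HTList-style list with a sentinel head node (object == NULL) that is
 * never freed, so a stored list pointer stays valid across removals. */
typedef struct HTList_ { void *object; struct HTList_ *next; } HTList;
typedef struct { long expires; } Cookie;        /* 0 means session cookie */

/* Constructed helper: allocates a cookie and links it in after the sentinel. */
void add_cookie(HTList *me, long expires) {
    Cookie *co = malloc(sizeof *co);
    HTList *node = malloc(sizeof *node);
    co->expires = expires;
    node->object = co;
    node->next = me->next;
    me->next = node;
}
/* Unlinks and frees the node holding obj (returns 1 if found); a traversal
 * pointer into that node is dangling from here on. */
int HTList_removeObject(HTList *me, void *obj) {
    HTList *prev = me, *cur;
    for (cur = me->next; cur; prev = cur, cur = cur->next) {
        if (cur->object != obj) continue;
        prev->next = cur->next;
        free(cur);
        return 1;
    }
    return 0;
}
/* Drops cookies whose expiry is in the past. next is read BEFORE
 * HTList_removeObject() frees hl; reading hl->next after the removal is the
 * use-after-free pattern. MALLOC_PERTURB_=157 fills freed memory with 0x9d,
 * which is how a stale hl shows up as 0x9d9d9d9d9d9d9d9d in a backtrace. */
int expire_cookies(HTList *list, long now) {
    int removed = 0;
    for (HTList *hl = list->next, *next; hl; hl = next) {
        Cookie *co = hl->object;
        next = hl->next;
        if (co->expires && co->expires < now) {
            HTList_removeObject(list, co);  /* frees hl */
            free(co);
            removed++;
        }
    }
    return removed;
}
/* Constructed sample jar: expiries 100 (stale), 0 (session), 300 (valid),
 * swept at now == 200. Returns the cookies left afterwards (expected: 2). */
int demo_remaining(void) {
    HTList jar = { NULL, NULL };            /* sentinel lives on the stack */
    int n = 0;
    add_cookie(&jar, 100); add_cookie(&jar, 0); add_cookie(&jar, 300);
    expire_cookies(&jar, 200);
    for (HTList *hl = jar.next; hl; hl = hl->next) n++;
    return n;
}
```

Running the sweep under valgrind or with MALLOC_PERTURB_ set is the practical check: the version that reads hl->next after the removal is flagged immediately, the version above is silent.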