Bug 1258846
Summary: | local_sock() double free error
---|---
Product: | Red Hat Enterprise Linux 6
Reporter: | Filip Krska <fkrska>
Component: | pcp
Assignee: | Nathan Scott <nathans>
Status: | CLOSED ERRATA
QA Contact: | Miloš Prchlík <mprchlik>
Severity: | medium
Priority: | medium
Version: | 6.7
CC: | brolley, fche, lberk, mbenitez, mcermak, mgoodwin, qe-baseos-tools-bugs
Target Milestone: | rc
Keywords: | EasyFix, Patch, Reproducer
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
: | 1258860 1258862
Last Closed: | 2016-05-10 21:13:10 UTC
Type: | Bug
Thanks for the detailed problem report and diagnosis Filip, this is now fixed upstream and will make its way into RHEL6 at the first available opportunity.

Verified for build pcp-3.10.9-5.el6.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0825.html
Created attachment 1068978: Fix double free in local_sock()

Description of problem:

pmdamemcache crashes with the following backtrace:

```
Core was generated by `perl /var/lib/pcp/pmdas/memcache/pmdamemcache.pl'.
Program terminated with signal 6, Aborted.
#0  0x00007f9464552625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f9464553e05 in abort () at abort.c:92
#2  0x00007f9464590537 in __libc_message (do_abort=2, fmt=0x7f9464678940 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007f9464595e66 in malloc_printerr (action=3, str=0x7f9464676a2e "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:6336
#4  0x00007f946459897a in _int_free (av=0x7f94648afe80, p=0x7f94648afef8, have_lock=0) at malloc.c:4832
#5  0x00007f945de06d25 in __pmHostEntFree (hostent=0x15cb740) at auxconnect.c:39
#6  0x00007f945e265517 in local_sock (host=0x15cb780 "127.0.0.1", port=11211, callback=0x16ba050, cookie=0) at local.c:209
#7  0x00007f945e273eaa in XS_PCP__PMDA_add_sock (my_perl=0x7633, cv=0x1693560) at PMDA.xs:1099
#8  0x00007f946588e815 in Perl_pp_entersub (my_perl=0x159f010) at pp_hot.c:2888
#9  0x00007f946588cb06 in Perl_runops_standard (my_perl=0x159f010) at run.c:40
#10 0x00007f94658350d8 in S_run_body (my_perl=0x159f010) at perl.c:2435
#11 perl_run (my_perl=0x159f010) at perl.c:2353
#12 0x0000000000400e74 in main (argc=2, argv=0x7ffcf217ad98, env=0x7ffcf217adb0) at perlmain.c:117
```

Version-Release number of selected component (if applicable):

pcp-3.10.3-3.el6.x86_64
perl-PCP-PMDA-3.10.3-3.el6.x86_64

How reproducible:

No reproducer known so far, abrt reports generated often in customer's environment

Steps to Reproduce:
1.
2.
3.

Actual results:

Program terminated with signal 6, Aborted.

Expected results:

No abort

Additional info:

The same double free bug seems to be present in RHEL 7's and Fedora master's pcp as well; upstream propagation needed.
Hypothesis:

pcp-3.10.3/src/perl/PMDA/local.c:

```c
int local_sock(char *host, int port, scalar_t *callback, int cookie)
{
    __pmSockAddr *myaddr;
    __pmHostEnt *servinfo = NULL;
    ...
    if ((servinfo = __pmGetAddrInfo(host)) == NULL) {
        __pmNotifyErr(LOG_ERR, "__pmGetAddrInfo (%s): %s", host, netstrerror());
        goto error;                      /* <------------ local.c:158 */
    ...
    __pmHostEntFree(servinfo);           /* < first free() */
    ...
    if (sts < 0) {
        __pmNotifyErr(LOG_ERR, "__pmConnect (%s): %s", host, netstrerror());
        goto error;                      /* <------------ local.c:196 */
    }
    ...
error:
    if (fd >= 0)
        __pmCloseSocket(fd);
    if (servinfo)
        __pmHostEntFree(servinfo);       /* <------------ local.c:209 second free() */
```

We can get to line 209 only from line 196 (just after __pmHostEntFree(), so servinfo is already freed). We cannot get there from line 158 because servinfo would be NULL.
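The control flow from the hypothesis above, reduced to a self-contained C model; this is an added example, not pcp source and not the attached patch. `hostent_t`, `ent_get`, `ent_free`, `sock_buggy`, `sock_fixed` and `count_double_frees` are hypothetical names, and clearing the pointer after the first release is one common repair assumed here rather than taken from the upstream fix.

```c
#include <stdio.h>
/* Hypothetical stand-in for __pmHostEnt: a repeated release is counted. */
typedef struct { int live; } hostent_t;
static hostent_t slot;
static int double_frees;
static hostent_t *ent_get(const char *host) {
    slot.live = (host != NULL);         /* NULL host models a failed lookup */
    return slot.live ? &slot : NULL;
}
static void ent_free(hostent_t *e) {
    if (!e->live) double_frees++;       /* glibc aborts at this point */
    e->live = 0;
}

/* Control flow of the reported path; connect_sts models the connect result. */
int sock_buggy(const char *host, int connect_sts) {
    hostent_t *servinfo = ent_get(host);
    if (servinfo == NULL) goto error;
    ent_free(servinfo);                 /* first free */
    if (connect_sts < 0) goto error;
    return 0;
error:
    if (servinfo) ent_free(servinfo);   /* stale pointer: second free */
    return -1;
}

/* Same flow with the pointer cleared once it has been released. */
int sock_fixed(const char *host, int connect_sts) {
    hostent_t *servinfo = ent_get(host);
    if (servinfo == NULL) goto error;
    ent_free(servinfo);
    servinfo = NULL;                    /* error label now skips the release */
    if (connect_sts < 0) goto error;
    return 0;
error:
    if (servinfo) ent_free(servinfo);
    return -1;
}

/* Run one variant and return how many repeated releases it performed. */
int count_double_frees(int (*fn)(const char *, int), const char *host, int sts) {
    double_frees = 0;
    fn(host, sts);
    return double_frees;
}
int main(void) {
    printf("buggy=%d fixed=%d\n", count_double_frees(sock_buggy, "127.0.0.1", -1),
           count_double_frees(sock_fixed, "127.0.0.1", -1));
    return 0;
}
```

Only the connect-failure path triggers the repeated release; the lookup-failure path reaches the error label with a NULL pointer, matching the reasoning about lines 158 and 196.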