Bug 1494309

Summary: Use of aligned_alloc causes invalid free in libtcmalloc
Product: [Fedora] Fedora
Reporter: Brad Hubbard <bhubbard>
Component: gperftools
Assignee: Tom "spot" Callaway <tcallawa>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 26
CC: fweimer, herrold, tcallawa
Hardware: x86_64
OS: Linux
Fixed In Version: gperftools-2.6.1-5.fc26 gperftools-2.6.1-5.fc27
Last Closed: 2017-11-01 00:02:00 UTC
Type: Bug
Attachments:
Patch against f26 fedpkg branch

Description Brad Hubbard 2017-09-22 01:41:02 UTC
Created attachment 1329295 [details]
Patch against f26 fedpkg branch

Description of problem:

The libtcmalloc shipped does not support aligned_alloc, so use of that function falls through to the libc implementation. A subsequent call to free will result in libtcmalloc reporting 'Invalid free'.


Version-Release number of selected component (if applicable):
gperftools-libs-2.5.93-1.fc26.x86_64

How reproducible:
100%

Steps to Reproduce:
$ cat<<EOF>tc_aligned_alloc.c
#include <stdlib.h>


int main (int argc, char **argv)
{
    void *p2 = aligned_alloc(1024, 1024*sizeof(p2));
    free(p2);
    return 0;

}
EOF

$ gcc -ggdb tc_aligned_alloc.c -o tc_aligned_alloc -ltcmalloc
$ ./tc_aligned_alloc
src/tcmalloc.cc:284] Attempt to free invalid pointer 0x2bfa400
Aborted
$ gdb -q -batch -ex 'run' -ex 'bt' ./tc_aligned_alloc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
src/tcmalloc.cc:284] Attempt to free invalid pointer 0xf02400

Program received signal SIGABRT, Aborted.
0x00007ffff764769b in raise () from /lib64/libc.so.6
#0  0x00007ffff764769b in raise () from /lib64/libc.so.6
#1  0x00007ffff76494a0 in abort () from /lib64/libc.so.6
#2  0x00007ffff7a03a29 in tcmalloc::Log(tcmalloc::LogMode, char const*, int, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem, tcmalloc::LogItem) () from /lib64/libtcmalloc.so.4
#3  0x00007ffff79f83d9 in (anonymous namespace)::InvalidFree(void*) () from /lib64/libtcmalloc.so.4
#4  0x0000000000400645 in main (argc=1, argv=0x7fffffffdbe8) at tc_aligned_alloc.c:7


Additional info:
When linked to libc there is no issue and valgrind and libasan report no memory issues obviously.

I have created a test package that appears to resolve the issue.

https://copr-be.cloud.fedoraproject.org/results/badone/misc/fedora-26-x86_64/00606401-gperftools/

It copies the upstream patch here.

https://github.com/gperftools/gperftools/commit/d406f228

I'll attach the patch I used in case it is helpful.
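The failure mode in the report is an allocator-family mismatch: memory obtained from one allocator (libc's aligned_alloc) is handed to another (tcmalloc's free), which refuses pointers it does not own. The toy arena below is an added example written for this page; it is not code from the bug report, from Fedora or from gperftools. It mimics the ownership check that tcmalloc's InvalidFree performs, but reports a status code instead of aborting, so the mismatch can be observed without tcmalloc installed. The names arena_aligned_alloc, arena_free, mismatch_demo and matched_demo are hypothetical; only the libc calls are real.

```c
/* Added example (not from the bug report or gperftools): a toy arena
 * allocator that, like tcmalloc, only accepts pointers it handed out. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ARENA_BYTES (64 * 1024)
#define MAX_LIVE 64

static unsigned char arena[ARENA_BYTES];
static size_t arena_used = 0;
static void *live[MAX_LIVE];   /* addresses currently owned by the arena */
static size_t live_count = 0;

/* Aligned bump allocation from the arena; NULL if exhausted or bad align. */
void *arena_aligned_alloc(size_t align, size_t size)
{
    if (align == 0 || (align & (align - 1)) != 0 || live_count == MAX_LIVE)
        return NULL;
    uintptr_t base = (uintptr_t)arena + arena_used;
    uintptr_t start = (base + align - 1) & ~(uintptr_t)(align - 1);
    size_t off = (size_t)(start - (uintptr_t)arena);
    if (off + size < off || off + size > ARENA_BYTES)
        return NULL;
    arena_used = off + size;
    live[live_count++] = (void *)start;
    return (void *)start;
}

/* Plain allocation: same family as arena_aligned_alloc, so the same free
 * accepts its result. This is what the tcmalloc fix restores for
 * aligned_alloc. */
void *arena_malloc(size_t size)
{
    return arena_aligned_alloc(16, size);
}

/* Ownership check in the spirit of tcmalloc's InvalidFree, except it
 * returns -1 for a foreign pointer instead of logging and aborting. */
int arena_free(void *p)
{
    if (p == NULL)
        return 0;
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            return 0;
        }
    }
    fprintf(stderr, "arena: attempt to free invalid pointer %p\n", p);
    return -1;
}

/* The mismatch from the report: memory from libc's aligned_alloc handed
 * to a different allocator's free. Returns arena_free's status (-1). */
int mismatch_demo(void)
{
    void *p = aligned_alloc(1024, 1024);   /* libc allocation */
    int rc = arena_free(p);                /* arena does not own p */
    free(p);                               /* return it to libc */
    return rc;
}

/* The matched case: aligned allocation and free from the same family. */
int matched_demo(void)
{
    void *p = arena_aligned_alloc(1024, 1024);
    if (p == NULL || ((uintptr_t)p % 1024) != 0)
        return -2;
    return arena_free(p);
}

int main(void)
{
    printf("mismatched free: %d\n", mismatch_demo());
    printf("matched free:    %d\n", matched_demo());
    return 0;
}
```

The point the example makes for an interposing allocator is that every allocation entry point the program can reach (malloc, aligned_alloc, posix_memalign and the rest) must be served by the same family as free, because free has no way to tell a foreign pointer from a corrupted one and, in tcmalloc's case, treats both as fatal.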

Comment 1 Florian Weimer 2017-09-24 10:03:55 UTC
The list of functions an interposing malloc should implement is documented here:

https://www.gnu.org/software/libc/manual/html_node/Replacing-malloc.html

Comment 2 Brad Hubbard 2017-10-06 01:44:43 UTC
Bumping severity since this is stopping the ceph package building on >= f26

Comment 3 Fedora Update System 2017-10-11 20:38:10 UTC
gperftools-2.6.1-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d7884ae0b9

Comment 4 Fedora Update System 2017-10-11 20:38:23 UTC
gperftools-2.6.1-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-236ad80b82

Comment 5 Fedora Update System 2017-10-13 04:23:18 UTC
gperftools-2.6.1-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-236ad80b82

Comment 6 Fedora Update System 2017-10-13 06:23:23 UTC
gperftools-2.6.1-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d7884ae0b9

Comment 7 Fedora Update System 2017-11-01 00:02:00 UTC
gperftools-2.6.1-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-11-11 02:51:34 UTC
gperftools-2.6.1-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.