Bug 1533121

Summary: libunistring is not thread safe and contains invalid memory accesses
Product: Fedora
Reporter: Florian Weimer <fweimer>
Component: libunistring
Assignee: Pádraig Brady <p>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dueno, fweimer, i18n-bugs, jim, nmavrogi, p, redhat-bugzilla
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-03-01 10:19:44 UTC
Type: Bug
Bug Blocks: 1452750

Description Florian Weimer 2018-01-10 14:05:10 UTC
It uses malloca, which uses global data without synchronization.  This can result in crashes or information leaks in multi-threaded programs:

  http://lists.gnu.org/archive/html/bug-gnulib/2018-01/msg00046.html

Furthermore, the following example program results in a valgrind warning:

#include <err.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <uniconv.h>

int
main (void)
{
  if (setlocale (LC_ALL, "en_US.ISO-8859-1") == NULL)
    err (1, "setlocale");
  /* Try to provide better valgrind results.  */
  char *str = strdup ("non-idn.example");
  if (str == NULL)
    err (1, "strdup");
  unsigned char *result = u8_strconv_from_locale (str);
  if (result == NULL)
    errx (1, "u8_strconv_from_locale");
  printf ("[[%s]]\n", (char *) result);
  /* The converted string is malloc'ed by libunistring; free it too.  */
  free (result);
  free (str);
  return 0;
}

==29579== Conditional jump or move depends on uninitialised value(s)
==29579==    at 0x4E4C61C: libunistring_freea (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E4EDA4: libunistring_mem_iconveha (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E55CFC: u8_conv_from_encoding (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E55FB7: u8_strconv_from_encoding (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4006D9: main (unistring-uninit.c:17)
==29579==  Uninitialised value was created by a stack allocation
==29579==    at 0x4E4ED0C: libunistring_mem_iconveha (in /usr/lib64/libunistring.so.2.0.0)

Comment 1 Nikos Mavrogiannopoulos 2018-01-11 07:24:00 UTC
Adding these for reference:
http://lists.gnu.org/archive/html/bug-gnulib/2018-01/msg00046.html

Comment 2 Nikos Mavrogiannopoulos 2018-02-20 14:35:21 UTC
Florian, if there is an upstream release with the fix and the Fedora package includes it, would glibc still be blocked for F28?

Comment 3 Florian Weimer 2018-02-20 14:37:57 UTC
I'm not aware of any libunistring upstream fix.  The code was copied from gnulib, and it was fixed in:

commit 8a4aa2ec86c0e94c6ed548519b1660c6b1bac0c1
Author: Bruno Haible <bruno>
Date:   Fri Feb 2 19:32:02 2018 +0100

    malloca, xmalloca: Make multithread-safe.

Plus some subsequent cleanups.

I think this issue arises only on non-UTF-8 locales.  Since UTF-8 is the default in Fedora, I don't think it qualifies as a blocker.

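Added illustration, not code from this report, gnulib or libunistring: the two freea() designs the comment above contrasts, a global table consulted without any lock versus a tag stored just before each allocation (the approach the referenced gnulib fix adopted). The 64-slot table, the tag values and every function name here are simplified stand-ins, not gnulib's actual hash table or API.

```c
/* Simplified illustration, not gnulib's or libunistring's code: freea() that
   classifies pointers via a global unlocked table versus via a per-allocation tag. */
#include <stdint.h>
#include <stdlib.h>
/* Unsafe design: one global table, shared by every thread, no lock. */
#define SLOTS 64
static uintptr_t heap_marks[SLOTS];
static size_t slot_of(const void *p) { return ((uintptr_t)p >> 4) % SLOTS; }
static void unsafe_record_heap(void *p) { heap_marks[slot_of(p)] = (uintptr_t)p; }
static int unsafe_is_heap(const void *p) { return heap_marks[slot_of(p)] == (uintptr_t)p; }

/* Even single-threaded, two live heap blocks hashing to one slot make the
   earlier one look like stack memory, so freea() would leak it; 65 blocks in
   64 slots guarantee that.  Concurrent threads corrupt the table the same way. */
int unsafe_misclassified(void) {          /* returns the number of misclassified blocks */
  void *blocks[SLOTS + 1]; int bad = 0;
  for (size_t i = 0; i < SLOTS + 1; i++) {
    if ((blocks[i] = malloc(32)) == NULL) abort();
    unsafe_record_heap(blocks[i]);
  }
  for (size_t i = 0; i < SLOTS + 1; i++) {
    bad += !unsafe_is_heap(blocks[i]);
    free(blocks[i]);
  }
  return bad;
}

/* Safer design: a tag byte just before the returned pointer, so freea() reads
   only memory the calling thread owns.  HDR keeps the payload 16-byte aligned. */
#define HDR 16
enum { TAG_STACK = 0x5A, TAG_HEAP = 0xA5 };
void *safe_malloca_heap(size_t n) {       /* malloc path; alloca path tags the same way */
  unsigned char *raw = malloc(n + HDR);
  if (raw == NULL) return NULL;
  raw[HDR - 1] = TAG_HEAP;
  return raw + HDR;
}
int safe_freea(void *p) {                 /* returns 1 if heap memory was freed */
  unsigned char *u = p;
  if (u == NULL || u[-1] != TAG_HEAP) return 0;
  free(u - HDR);
  return 1;
}
int safe_roundtrip(void) {                /* heap block freed, stack block left alone */
  unsigned char stackbuf[HDR + 32];
  stackbuf[HDR - 1] = TAG_STACK;          /* what the alloca path would do */
  void *s = stackbuf + HDR, *h = safe_malloca_heap(32);
  if (h == NULL) abort();
  return safe_freea(h) == 1 && safe_freea(s) == 0;
}
```
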
Comment 4 Fedora End Of Life 2018-02-20 15:36:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 5 Florian Weimer 2018-02-28 20:35:30 UTC
libunistring 0.9.9 was released today, copying the fixes from gnulib.

Comment 6 Daiki Ueno 2018-03-01 10:19:44 UTC
Built it in all active branches and submitted the updates for F27 and F26.