Bug 2087520

Summary: anaconda (Python) crashes with gnutls 3.7.5: free(): invalid next size (fast)
Product: [Fedora] Fedora
Reporter: Adam Williamson <awilliam>
Component: gnutls
Assignee: Zoltan Fridrich <zfridric>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: high
Version: rawhide
CC: ansasaki, crypto-team, dueno, kevin, tm, zfridric
Keywords: Triaged
Hardware: All
OS: Linux
Whiteboard: openqa
Fixed In Version: gnutls-3.7.6-1.fc36 gnutls-3.7.6-1.fc35
Doc Type: Bug Fix
Doc Text:
Cause: gnutls_realloc_zero is set as gmp reallocfunc
Consequence: programs using gmp might break due to heap corruption
Fix: fix invalid write in gnutls_realloc_zero when new_size < old_size
Result: no heap corruption when gnutls_realloc_zero is used in gmp
Last Closed: 2022-06-01 01:24:19 UTC
Type: Bug

Description Adam Williamson 2022-05-17 22:09:30 UTC
openQA testing shows that anaconda consistently crashes when running against gnutls 3.7.5. The crash seems to be actually in Python itself, and an error message `free(): invalid next size (fast)` is shown. I don't have a full backtrace yet (this is slightly inconvenient to get for anaconda Python crashes).

I suspect this is the same as upstream https://gitlab.com/gnutls/gnutls/-/issues/1367 - I'll try any fix Jeremy comes up with there.

We have untagged gnutls-3.7.5-1.fc37 from Rawhide for now to avoid this breaking composes.

Comment 1 Zoltan Fridrich 2022-05-18 12:21:02 UTC
(In reply to Adam Williamson from comment #0)
> openQA testing shows that anaconda consistently crashes when running against
> gnutls 3.7.5. The crash seems to be actually in Python itself, and an error
> message `free(): invalid next size (fast)` is shown. I don't have a full
> backtrace yet (this is slightly inconvenient to get for anaconda Python
> crashes).
> 
> I suspect this is the same as upstream
> https://gitlab.com/gnutls/gnutls/-/issues/1367 - I'll try any fix Jeremy
> comes up with there.
> 
> We have untagged gnutls-3.7.5-1.fc37 from Rawhide for now to avoid this
> breaking composes.

Within the release 3.7.5 we started using custom gmp memory allocator functions in order to increase the security level by nullifying memory. However, we did not realize that our gnutls_realloc_zero function was already broken (could cause heap corruption) and setting it as reallocfunc for gmp might have broken stuff. This upstream MR should fix this issue https://gitlab.com/gnutls/gnutls/-/merge_requests/1592
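
Added example, not part of the original report and not the GnuTLS code: a sketch of a zeroizing realloc with the `(ptr, old_size, new_size)` signature that GMP's `mp_set_memory_functions` expects, showing the clamp that keeps the shrinking case (`new_size < old_size`) inside the new block. The names `zeroizing_realloc`, `wipe` and `shrink_then_grow_ok` are hypothetical, and the buffer contents are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Wipe via a volatile pointer so the stores are not dropped as dead writes. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical zeroizing realloc (not GnuTLS code), GMP-style signature. */
void *zeroizing_realloc(void *ptr, size_t old_size, size_t new_size)
{
    /* calloc zero-fills, so a grown tail never exposes stale heap data. */
    unsigned char *fresh = calloc(1, new_size ? new_size : 1);
    if (fresh == NULL)
        return NULL; /* old block is left untouched and still valid */
    if (ptr != NULL) {
        /* Clamp the copy: when shrinking, only new_size bytes fit. Using
         * old_size here would write past the end of the new block. */
        size_t keep = old_size < new_size ? old_size : new_size;
        memcpy(fresh, ptr, keep);
        wipe(ptr, old_size); /* clear the entire old block before release */
        free(ptr);
    }
    return fresh;
}

/* Constructed check: shrink 64 -> 16, then grow 16 -> 48; 1 means success. */
int shrink_then_grow_ok(void)
{
    unsigned char *b = zeroizing_realloc(NULL, 0, 64);
    if (b == NULL) return 0;
    memset(b, 0xA5, 64);
    b = zeroizing_realloc(b, 64, 16);
    if (b == NULL) return 0;
    for (size_t i = 0; i < 16; i++)
        if (b[i] != 0xA5) { free(b); return 0; }
    b = zeroizing_realloc(b, 16, 48);
    if (b == NULL) return 0;
    int ok = 1;
    for (size_t i = 0; i < 48; i++)
        if (b[i] != (i < 16 ? 0xA5 : 0x00)) ok = 0;
    free(b);
    return ok;
}

int main(void) { return shrink_then_grow_ok() ? 0 : 1; }
```

A variant that copies `old_size` bytes unconditionally is reported as a heap-buffer-overflow on the shrink call when built with `-fsanitize=address`, which makes this class of bug easy to catch in CI before glibc's `free()` consistency check trips in an unrelated caller.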

Comment 2 Zoltan Fridrich 2022-05-18 12:29:49 UTC
Created attachment 1880807 [details]
Patch fixing the gnutls_realloc_zero function

Comment 3 Fedora Update System 2022-05-27 13:21:30 UTC
FEDORA-2022-d46bf7581b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-d46bf7581b

Comment 4 Fedora Update System 2022-05-27 13:21:31 UTC
FEDORA-2022-93d7c9e45d has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-93d7c9e45d

Comment 5 Fedora Update System 2022-05-27 13:21:34 UTC
FEDORA-2022-8568c6f3ac has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8568c6f3ac

Comment 6 Fedora Update System 2022-05-28 02:06:29 UTC
FEDORA-2022-93d7c9e45d has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-93d7c9e45d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-93d7c9e45d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-05-28 02:23:27 UTC
FEDORA-2022-8568c6f3ac has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8568c6f3ac`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8568c6f3ac

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-05-28 02:39:27 UTC
FEDORA-2022-d46bf7581b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-d46bf7581b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-d46bf7581b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-06-01 01:24:19 UTC
FEDORA-2022-93d7c9e45d has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2022-06-12 01:16:15 UTC
FEDORA-2022-8568c6f3ac has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.