Bug 431836

Summary: glibc detected double free or corruption
Product: Red Hat Enterprise Linux 5 Reporter: Berthold Cogel <cogel>
Component: logrotateAssignee: Tomas Smetana <tsmetana>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.1CC: eric.williams, mkoci, mmalik, mmayer, nobody+bjmason, rvokal, syeghiay, tao
Target Milestone: rc   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-17 17:27:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch
none
Hopefully a better patch. none

Description Berthold Cogel 2008-02-07 09:05:09 UTC
Description of problem:
When /var/lib/logrotate.status is corrupted, logrotate crashes with a glibc
backtrace:
[root@logger ~]# logrotate -f /etc/syslog-ng/syslog-ng.logrotate 
error: bad line 340 in state file /var/lib/logrotate.status
*** glibc detected *** logrotate: double free or corruption (!prev): 0x080ff0d0 ***
======= Backtrace: =========
/lib/libc.so.6[0xbbcaa6]
/lib/libc.so.6(cfree+0x90)[0xbbffc0]
logrotate[0x804d23d]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb6bdec]
logrotate[0x80495c1]
======= Memory map: ========
00656000-0065d000 r-xp 00000000 08:01 522847     /usr/lib/libpopt.so.0.0.0
0065d000-0065e000 rwxp 00006000 08:01 522847     /usr/lib/libpopt.so.0.0.0
00a35000-00a36000 r-xp 00a35000 00:00 0          [vdso]
00b39000-00b52000 r-xp 00000000 08:01 776925     /lib/ld-2.5.so
00b52000-00b53000 r-xp 00019000 08:01 776925     /lib/ld-2.5.so
00b53000-00b54000 rwxp 0001a000 08:01 776925     /lib/ld-2.5.so
00b56000-00c90000 r-xp 00000000 08:01 776926     /lib/libc-2.5.so
00c90000-00c92000 r-xp 0013a000 08:01 776926     /lib/libc-2.5.so
00c92000-00c93000 rwxp 0013c000 08:01 776926     /lib/libc-2.5.so
00c93000-00c96000 rwxp 00c93000 00:00 0 
00cc1000-00cc3000 r-xp 00000000 08:01 776928     /lib/libdl-2.5.so
00cc3000-00cc4000 r-xp 00001000 08:01 776928     /lib/libdl-2.5.so
00cc4000-00cc5000 rwxp 00002000 08:01 776928     /lib/libdl-2.5.so
00cf5000-00d0a000 r-xp 00000000 08:01 776943     /lib/libselinux.so.1
00d0a000-00d0c000 rwxp 00015000 08:01 776943     /lib/libselinux.so.1
00d0e000-00d49000 r-xp 00000000 08:01 776942     /lib/libsepol.so.1
00d49000-00d4a000 rwxp 0003a000 08:01 776942     /lib/libsepol.so.1
00d4a000-00d54000 rwxp 00d4a000 00:00 0 
046a5000-046b0000 r-xp 00000000 08:01 776949     /lib/libgcc_s-4.1.2-20070626.so.1
046b0000-046b1000 rwxp 0000a000 08:01 776949     /lib/libgcc_s-4.1.2-20070626.so.1
08048000-08052000 r-xp 00000000 08:01 530746     /usr/sbin/logrotate
08052000-08053000 rw-p 0000a000 08:01 530746     /usr/sbin/logrotate
080f8000-08119000 rw-p 080f8000 00:00 0 
b7e00000-b7e21000 rw-p b7e00000 00:00 0 
b7e21000-b7f00000 ---p b7e21000 00:00 0 
b7f28000-b7f2b000 rw-p b7f28000 00:00 0 
b7f35000-b7f36000 rw-p b7f35000 00:00 0 
bfcc2000-bfcd7000 rw-p bfcc2000 00:00 0          [stack]
Abgebrochen

Version-Release number of selected component (if applicable):
logrotate-3.7.4-8

How reproducible:
Each time.

Steps to Reproduce:
1. Copy lines somewhere in /var/lib/logrotate.status and corrupt it: Replace
path of logfile with linefeed. Like this:

"
" 2008-1-21

2. Call 'logrotate -f <name of logrotate script>'
  
Actual results:
logrotate gives error message and glibc throws backtrace

Expected results:
logrotate gives error message and terminates


Additional info:

Comment 1 Tomas Smetana 2008-02-11 10:25:06 UTC
Created attachment 294546 [details]
Proposed patch

This is clearly a bug -- the uninitalised variable may happen to be freed.

Comment 3 Tomas Smetana 2008-04-23 12:00:02 UTC
The initialization itself should help.  The if() tests are useles.  After
applying the patch I'm not able to reproduce the bug.

Comment 4 Tomas Smetana 2008-04-23 12:14:12 UTC
The patch doesn't help if there are some lines correct and some corrupted.

Comment 5 Tomas Smetana 2008-04-23 12:28:10 UTC
Created attachment 303486 [details]
Hopefully a better patch.

Comment 6 Tomas Smetana 2008-06-16 11:21:47 UTC
*** Bug 451632 has been marked as a duplicate of this bug. ***

Comment 8 RHEL Program Management 2008-07-21 23:06:53 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 9 Bryan Mason 2008-08-19 18:43:11 UTC
Resetting flags to target RHEL 5.4...

Comment 10 Bryan Mason 2008-08-19 18:44:43 UTC
Customer has verified that the patch in Comment #5 resolves the issue in their environment.

Comment 17 errata-xmlrpc 2008-09-17 17:27:32 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0881.html