Bug 487700
| Field | Value |
|---|---|
| Summary | double free or corruption detected in ps |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Olivier Fourdan <ofourdan> |
| Component | procps |
| Assignee | Daniel Novotny <dnovotny> |
| Status | CLOSED ERRATA |
| QA Contact | BaseOS QE <qe-baseos-auto> |
| Severity | medium |
| Priority | high |
| Version | 5.3 |
| CC | albert, bhubbard, cward, kem, mosvald, psplicha, rvokal, tao |
| Target Milestone | rc |
| Keywords | Patch |
| Target Release | 5.5 |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2010-03-30 08:06:15 UTC |
| Bug Blocks | 499522 |
Description
Olivier Fourdan
2009-02-27 15:00:01 UTC
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".

hello, since the problem occurred only *once* and the issue tracker is closed, can I close this as WORKSFORME?

Created attachment 359482 [details]
reproducer program

Attaching reproducer and procedure.

To reproduce:
1) Build the two executables create_zombie and dummy_sleep:
$ make
2) Run "dummy_sleep" in a loop:
$ for i in `seq 1 1 10000`; do ./create_zombie 2 & done
3) In a separate terminal/console, run ps -eo pid,args in a loop
$ while $(ps -eo pid,args > log.txt); do /bin/true; done

Actual results:
ps will abort after a few seconds with a:
*** glibc detected *** ps: double free or corruption (out) ***

Expected results:
ps does not abort

Additional info:
The problem is related to the patch from bug#134516 ("ps truncates line to 2048 characters") and more precisely to that change:
https://bugzilla.redhat.com/show_bug.cgi?id=134516#c24

Using:
while ((n = read(fd, buf, sizeof buf - 1)) > 0)
Instead of:
while ((n = read(fd, buf, sizeof buf - 1)) >= 0)
does not trigger the corruption but I am not entirely sure why...

Created attachment 359498 [details]
Proposed patch
I think what happens is the following:
With "while ((n = read(fd, buf, sizeof buf - 1)) >= 0)", "end_of_file" is set to 1 by:
if (n < (int)(sizeof buf - 1))
end_of_file = 1;
At the same time, with n = 0, buf[n-1] points to uninitialized data, so the value of buf[n-1] is likely to be not null, therefore the test is false:
if (end_of_file && buf[n-1]) /* last read char not null */
buf[n++] = '\0'; /* so append null-terminator */
So no null-terminator is inserted. And that breaks the computation of the string array entries later in the code.
Adding a test for n == 0 avoids the problem:
if (end_of_file && (n == 0 || buf[n-1]))/* last read char not null */
buf[n++] = '\0'; /* so append null-terminator */
The reproducer works fine with that patch.
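To see why the n == 0 case matters, here is an added example (not procps's code and not the attached patch) that models the read loop above on an in-memory stand-in for /proc/<pid>/cmdline. A constructed 'garbage' byte is placed just before the buffer to stand in for the uninitialized byte that buf[-1] reads when n == 0; strings_for() returns how many strings the argv builder would see, or -1 when no terminator was appended, so the original predicate's dependence on stack contents and the patched predicate's determinism can both be checked.

```c
#include <string.h>
#define BUFSZ 16  /* small stand-in for the 2048-byte read buffer in procps */

/* Constructed in-memory stand-in for /proc/<pid>/cmdline. */
struct src { const char *data; size_t len, off; };

static int fake_read(struct src *s, char *buf, size_t cap) {
    size_t left = s->len - s->off, n = left < cap ? left : cap;
    memcpy(buf, s->data + s->off, n);
    s->off += n;
    return (int)n;  /* 0 at end of file, like read(2) */
}

/* Copies the whole source into out; returns its length, or -1 on overflow.
 * fixed == 0 keeps the original predicate buf[n-1]; fixed == 1 adds the
 * n == 0 test from the patch. 'garbage' is stored just before buf so that
 * buf[-1], which the original predicate reads when n == 0, is a
 * well-defined stand-in for whatever the real stack held there. */
static int slurp(struct src *s, char *out, size_t outcap, int fixed, char garbage) {
    char storage[1 + BUFSZ], *buf = storage + 1;
    int n, tot = 0, end_of_file = 0;
    storage[0] = garbage;
    while ((n = fake_read(s, buf, BUFSZ - 1)) >= 0) {
        if (n < (int)(BUFSZ - 1))
            end_of_file = 1;
        if (end_of_file && (fixed ? (n == 0 || buf[n-1]) : buf[n-1]))
            buf[n++] = '\0';  /* append null-terminator */
        if ((size_t)tot + (size_t)n > outcap)
            return -1;
        memcpy(out + tot, buf, (size_t)n);
        tot += n;
        if (end_of_file)
            break;
    }
    return tot;
}

/* Number of nul-terminated strings an argv builder would find for one input,
 * or -1 when the buffer came back without a trailing nul (the corrupting case). */
static int strings_for(const char *data, size_t len, int fixed, char garbage) {
    struct src s = { data, len, 0 };
    char out[64];
    int c, tot = slurp(&s, out, sizeof out, fixed, garbage), nstrings = 0;
    if (tot <= 0 || out[tot - 1] != '\0')
        return -1;
    for (c = 0; c < tot; c++)
        if (out[c] == '\0')
            nstrings++;
    return nstrings;
}
```

With an empty cmdline (what a zombie's /proc entry yields), the original predicate returns -1 or 1 depending only on the garbage byte, while the patched predicate always returns 1.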
Same problem present in RHEL-4 (bug #521200). Same patch fixes the problem.

fixed in procps-3.2.7-12.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0200.html