Bug 730952
| Summary: | sed: double free or corruption when building sssd | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Pavel Březina <pbrezina> | ||||||||||||
| Component: | glibc | Assignee: | Jeff Law <law> | ||||||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||
| Severity: | unspecified | Docs Contact: | |||||||||||||
| Priority: | unspecified | ||||||||||||||
| Version: | 15 | CC: | fweimer, jakub, law, pbonzini, schwab, vvitek | ||||||||||||
| Target Milestone: | --- | ||||||||||||||
| Target Release: | --- | ||||||||||||||
| Hardware: | x86_64 | ||||||||||||||
| OS: | Linux | ||||||||||||||
| Whiteboard: | |||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||
| Clone Of: | |||||||||||||||
| : | 757700 757881 757887 757888 (view as bug list) | Environment: | |||||||||||||
| Last Closed: | 2012-01-25 18:29:00 UTC | Type: | --- | ||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||
| Documentation: | --- | CRM: | |||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||
| Embargoed: | |||||||||||||||
| Bug Depends On: | |||||||||||||||
| Bug Blocks: | 757881, 757887, 757888 | ||||||||||||||
| Attachments: |
|
||||||||||||||
Can you get the input? It might as well be a glibc bug. Created attachment 518816 [details]
Possible input for sed
It looks like the sed is called from Makefile, line 6171. If I'm correct, the input in the attachment is the one that is passed to sed. But LANG="cs_CZ.UTF8" sed '/\//!d;s|^|sssd-1.7.0/|;s,/[^/]*$$,,' < input does not reproduce the error :-(. Created attachment 537445 [details]
zip file with reproducers
valgrind reports a problem with this in all UTF-8 locales:
echo 'abcdefghijklmnopqrstuvwxy' | valgrind sed -e 's/\(.*z[^z]*z.*\)//p'
This was dumbed down from a reproducer from Terje Braten. There may be other problems, so I attach less reduced versions of the input.
"sh updmap_edit tmp2.small" hangs after printing a malloc error.
"SED='valgrind sed' sh updmap_edit tmp1.small" prints:
==21135== Invalid write of size 8
==21135== at 0x338F28936A: __GI_memset (memset.S:339)
==21135== by 0x338F2C9DDB: clean_state_log_if_needed (regexec.c:1749)
==21135== by 0x338F2D091F: re_search_internal (regexec.c:2554)
==21135== by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21135== by 0x338F2D5B67: re_search (regexec.c:326)
==21135== by 0x4078C1: match_regex (regexp.c:252)
==21135== by 0x4058FE: match_an_address_p (execute.c:959)
==21135== by 0x406F14: execute_program (execute.c:1011)
==21135== by 0x40758F: process_files (execute.c:1857)
==21135== by 0x4023AB: main (sed.c:366)
==21135== Address 0x4db0ee8 is 0 bytes after a block of size 136 alloc'd
==21135== at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==21135== by 0x338F2C9CAE: extend_buffers (regexec.c:4126)
==21135== by 0x338F2D0AFE: re_search_internal (regexec.c:1164)
==21135== by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21135== by 0x338F2D5B67: re_search (regexec.c:326)
==21135== by 0x4078C1: match_regex (regexp.c:252)
==21135== by 0x4058FE: match_an_address_p (execute.c:959)
==21135== by 0x406F14: execute_program (execute.c:1011)
==21135== by 0x40758F: process_files (execute.c:1857)
==21135== by 0x4023AB: main (sed.c:366)
==21135==
"sh updmap_edit tmp1.med" crashes.
"SED='valgrind sed' sh updmap_edit tmp1.med" prints:
==21112== Invalid read of size 8
==21112== at 0x338F28F49D: _wordcopy_fwd_dest_aligned (wordcopy.c:205)
==21112== by 0x338F2890DB: __GI_memmove (memmove.c:76)
==21112== by 0x338F2C6001: re_string_reconstruct (regex_internal.c:675)
==21112== by 0x338F2CFC6F: re_search_internal (regexec.c:829)
==21112== by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21112== by 0x338F2D5B67: re_search (regexec.c:326)
==21112== by 0x4078C1: match_regex (regexp.c:252)
==21112== by 0x406D9B: execute_program (execute.c:1189)
==21112== by 0x40758F: process_files (execute.c:1857)
==21112== by 0x4023AB: main (sed.c:366)
==21112== Address 0x4c951f8 is 216 bytes inside a block of size 220 alloc'd
==21112== at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==21112== by 0x338F2C4DCF: re_string_realloc_buffers (regex_internal.c:143)
==21112== by 0x338F2C9C86: extend_buffers (regexec.c:4116)
==21112== by 0x338F2D0AFE: re_search_internal (regexec.c:1164)
==21112== by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21112== by 0x338F2D5B67: re_search (regexec.c:326)
==21112== by 0x4078C1: match_regex (regexp.c:252)
==21112== by 0x406D9B: execute_program (execute.c:1189)
==21112== by 0x40758F: process_files (execute.c:1857)
==21112== by 0x4023AB: main (sed.c:366)
==21112==
Created attachment 537469 [details]
untested patch
The bug is that mctx->input.mbs is
%fourier-alt-itaalic -s -0.168exnansi
0 1
012345678901234^
with cur_idx pointing to the "a" at &mctx->input.mbs[15], which is also the last character (valid_len = 16). "aa" is a multicharacter collation element in the bokmal locale, so re_string_elem_size_at returns 2 and clean_state_log_if_needed accesses one item past the allocated memory.
Testing the attached glibc patch.
Created attachment 537575 [details]
better patch
The memmoves are a slow path, so it does not work to add zeros there. We need to hack into findidx.
Paulo, In comment #4 you mention that one of the tests hangs after printing a malloc error. It just so happens that I'm trying to pull together some of Andreas's work which is supposed to fix the deadlocks in malloc's error case handling. Can you file a new BZ with the tester for that problem so that it can be tracked independently? Thanks, Jeff Done, bug 757881. |
Created attachment 518464 [details] core dump Description of problem: sed: double free or corruption when building sssd Version-Release number of selected component (if applicable): GNU sed version 4.2. How reproducible: always Steps to Reproduce: (I don't know how to reproduce it using sed only) 1. git clone git://git.fedorahosted.org/git/sssd.git . 2. git checkout 5bf2314b9f64099cd4e88b8f3498d986d97e1ac6 3. autoreconf -if 4. ./configure 5. LANG="cs_CZ.UTF8" make prerelease-rpms Actual results: *** glibc detected *** sed: double free or corruption (!prev): 0x0000000002158080 *** ======= Backtrace: ========= /lib64/libc.so.6[0x3be427703a] /lib64/libc.so.6[0x3be42c0349] /lib64/libc.so.6[0x3be42c50bc] /lib64/libc.so.6(re_search+0x18)[0x3be42c5ac8] sed[0x4078a2] sed[0x406d6c] sed[0x407570] sed[0x40237c] /lib64/libc.so.6(__libc_start_main+0xed)[0x3be422139d] sed[0x402469] ======= Memory map: ======== 00400000-00410000 r-xp 00000000 08:03 20447269 /bin/sed 0060f000-00610000 rw-p 0000f000 08:03 20447269 /bin/sed 00610000-00619000 rw-p 00000000 00:00 0 0080f000-00811000 rw-p 0000f000 08:03 20447269 /bin/sed 02150000-02171000 rw-p 00000000 00:00 0 [heap] 3be3e00000-3be3e1f000 r-xp 00000000 08:03 11538960 /lib64/ld-2.14.so 3be401e000-3be401f000 r--p 0001e000 08:03 11538960 /lib64/ld-2.14.so 3be401f000-3be4020000 rw-p 0001f000 08:03 11538960 /lib64/ld-2.14.so 3be4020000-3be4021000 rw-p 00000000 00:00 0 3be4200000-3be438f000 r-xp 00000000 08:03 11538961 /lib64/libc-2.14.so 3be438f000-3be458e000 ---p 0018f000 08:03 11538961 /lib64/libc-2.14.so 3be458e000-3be4592000 r--p 0018e000 08:03 11538961 /lib64/libc-2.14.so 3be4592000-3be4593000 rw-p 00192000 08:03 11538961 /lib64/libc-2.14.so 3be4593000-3be4599000 rw-p 00000000 00:00 0 3be4a00000-3be4a02000 r-xp 00000000 08:03 11538964 /lib64/libdl-2.14.so 3be4a02000-3be4c02000 ---p 00002000 08:03 11538964 /lib64/libdl-2.14.so 3be4c02000-3be4c03000 r--p 00002000 08:03 11538964 /lib64/libdl-2.14.so 3be4c03000-3be4c04000 rw-p 00003000 08:03 11538964 /lib64/libdl-2.14.so 3be6200000-3be621d000 r-xp 00000000 08:03 11538970 /lib64/libselinux.so.1 3be621d000-3be641c000 ---p 0001d000 08:03 11538970 /lib64/libselinux.so.1 3be641c000-3be641d000 r--p 0001c000 08:03 11538970 /lib64/libselinux.so.1 3be641d000-3be641e000 rw-p 0001d000 08:03 11538970 /lib64/libselinux.so.1 3be641e000-3be641f000 rw-p 00000000 00:00 0 3fb4e00000-3fb4e15000 r-xp 00000000 08:03 11538984 /lib64/libgcc_s-4.6.0-20110603.so.1 3fb4e15000-3fb5014000 ---p 00015000 08:03 11538984 /lib64/libgcc_s-4.6.0-20110603.so.1 3fb5014000-3fb5015000 rw-p 00014000 08:03 11538984 /lib64/libgcc_s-4.6.0-20110603.so.1 2ab18dabf000-2ab18dac0000 rw-p 00000000 00:00 0 2ab18dada000-2ab18dadd000 rw-p 00000000 00:00 0 2ab18dadd000-2ab193eff000 r--p 00000000 08:03 10355505 /usr/lib/locale/locale-archive 2ab193eff000-2ab193f06000 r--s 00000000 08:03 10486788 /usr/lib64/gconv/gconv-modules.cache 2ab193f06000-2ab193f09000 rw-p 00000000 00:00 0 7fff2738a000-7fff273ab000 rw-p 00000000 00:00 0 [stack] 7fff273ff000-7fff27400000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Expected results: RPMs created. Additional info: core file in attachment file core: core.18362: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sed /\//!d;s|^|sssd-1.7.0/|;s,/[^/]*$,,' backtrace: #0 0x00002b628b6d32d5 in raise () from /lib64/libc.so.6 #1 0x00002b628b6d4beb in abort () from /lib64/libc.so.6 #2 0x00002b628b70ebce in __libc_message () from /lib64/libc.so.6 #3 0x00002b628b71503a in malloc_printerr () from /lib64/libc.so.6 #4 0x00002b628b75e459 in re_search_internal () from /lib64/libc.so.6 #5 0x00002b628b7631cc in re_search_stub () from /lib64/libc.so.6 #6 0x00002b628b763bd8 in re_search () from /lib64/libc.so.6 #7 0x00000000004078a2 in ?? () #8 0x0000000000406d6c in ?? () #9 0x0000000000407570 in ?? () #10 0x000000000040237c in ?? () #11 0x00002b628b6bf39d in __libc_start_main () from /lib64/libc.so.6 #12 0x0000000000402469 in ?? () #13 0x00007fffa416cdc8 in ?? () #14 0x000000000000001c in ?? () #15 0x0000000000000002 in ?? () #16 0x00007fffa416e452 in ?? () #17 0x00007fffa416e456 in ?? () #18 0x0000000000000000 in ?? ()