Bug 754026

Summary: getaddrinfo causes invalid free of noai6ai_cached
Product: Fedora
Component: glibc
Version: 16
Hardware: Unspecified
OS: Linux
Status: CLOSED CURRENTRELEASE
Reporter: Matt McCutchen <matt>
Assignee: Andreas Schwab <schwab>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ccecchi, emiel.kollof, erik-fedora, fweimer, jakub, kdudka, law, mishu, schwab, sorn.denis, theo148, yann, yunustj
Severity: unspecified
Priority: unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-16 17:04:37 UTC
Attachments: Test program (flags: none)

Description Matt McCutchen 2011-11-15 07:38:33 UTC
Created attachment 533697: Test program

Description of problem:
On my Dell Latitude D620, with no wired network connection and the wireless connection disabled by the hardware kill switch, calling getaddrinfo("localhost") several times in a row causes an invalid free.  This is with unmodified /etc/hosts and unmodified glibc configuration files (rpm -V glibc) except for /etc/localtime.

Version-Release number of selected component (if applicable):
glibc-2.14.90-16.x86_64

How reproducible:
Almost always on my system.

Steps to Reproduce:
1. Download attached test.c.
2. make test
3. Offline with wireless hardware-disabled: valgrind ./test

Actual results:
[valgrind header]
resolve one
==3271== Invalid free() / delete / delete[]
==3271==    at 0x4C2962E: free (vg_replace_malloc.c:366)
==3271==    by 0x4F459B7: __free_in6ai (check_pf.c:426)
==3271==    by 0x4F0D444: getaddrinfo (getaddrinfo.c:2560)
==3271==    by 0x4005F4: _resolve_addr (in /home/matt/test/gai-invalid-free/test)
==3271==    by 0x400652: main (in /home/matt/test/gai-invalid-free/test)
==3271==  Address 0x51e3390 is 0 bytes inside data symbol "noai6ai_cached"
==3271== 
resolve one
resolve one
[valgrind footer]

Expected results:
[valgrind header]
resolve one
resolve one
resolve one
[valgrind footer]

Additional info:
After I upgraded from F15 to F16, this problem caused cupsd to crash, which caused gnome-settings-daemon to hang and ultimately led to the GNOME "Oh no! Something has gone wrong" screen.  The test case is a simplified version of what cupsd was doing via libaudit.
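Added reproducer, not the reporter's attached test.c (which is not on this page): it mirrors the steps in the description (resolve "localhost" three times, printing "resolve one" per lookup) and assumes AF_UNSPEC/SOCK_STREAM hints, since the attachment's exact hints are unknown.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>

/* Resolve HOST once and release the result.  AF_UNSPEC makes getaddrinfo
   return both the IPv4 and the IPv6 localhost entries from /etc/hosts,
   which is the path that runs glibc's interface check (check_pf.c).
   Returns 0 on success, otherwise the getaddrinfo error code. */
static int resolve_once(const char *host, int flags)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* assumed: both address families */
    hints.ai_socktype = SOCK_STREAM;  /* assumed: one entry per address */
    hints.ai_flags = flags;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    /* freeaddrinfo only releases the result list; the invalid free in the
       report happens inside getaddrinfo itself, where the buggy
       __free_in6ai passes the static noai6ai_cached to free(). */
    freeaddrinfo(res);
    return 0;
}

/* Call resolve_once TIMES times, printing "resolve one" per success as the
   reporter's output shows.  Returns the number of successful lookups. */
int resolve_repeatedly(const char *host, int times, int flags)
{
    int ok = 0;
    for (int i = 0; i < times; i++) {
        if (resolve_once(host, flags) == 0) {
            ok++;
            puts("resolve one");
        }
    }
    return ok;
}

int main(void)
{
    /* On the affected glibc, run this under valgrind while offline: the
       second lookup reports the invalid free of noai6ai_cached. */
    return resolve_repeatedly("localhost", 3, 0) == 3 ? 0 : 1;
}
```

With AI_NUMERICHOST the lookup needs no name service, which is why the checks below use a literal address.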

Comment 1 Andreas Schwab 2011-11-15 09:22:22 UTC
*** Bug 754019 has been marked as a duplicate of this bug. ***

Comment 2 Andreas Schwab 2011-11-15 10:27:26 UTC
*** Bug 753470 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Law 2011-11-16 04:03:51 UTC
*** Bug 754283 has been marked as a duplicate of this bug. ***

Comment 4 Emiel Kollof 2011-11-16 15:21:52 UTC
This also crashes firefox, google chrome, yum update. Basically anything that tries to resolve stuff. I get the exact same error and trace.

Comment 5 Jeff Law 2011-11-16 16:36:36 UTC
*** Bug 754434 has been marked as a duplicate of this bug. ***

Comment 6 Jeff Law 2011-11-16 16:41:36 UTC
*** Bug 753736 has been marked as a duplicate of this bug. ***

Comment 7 Matt McCutchen 2011-11-16 17:04:37 UTC
The affected update has been unpushed.

Comment 8 Theodore Lee 2011-11-17 00:30:14 UTC
*** Bug 753733 has been marked as a duplicate of this bug. ***