Bug 995783

Summary: malloc memory corruption
Product: [Fedora] Fedora Reporter: David Highley <david.m.highley>
Component: python-pillowAssignee: Roman Rakus <rrakus>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 19CC: bkabrda, dmalcolm, fredex, ivazqueznet, jamatos, jcapik, johnduchek, jonathansteffan, lilyfan, manisandro, rrakus, tomspur, tsmetana
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: python-pillow-2.0.0-11.gitd1c6db8.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1001122 (view as bug list) Environment:
Last Closed: 2013-08-28 18:24:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 982412, 1001122    
Attachments:
Description Flags
python-pillow-pymem.patch none

Description David Highley 2013-08-11 04:22:29 UTC
Description of problem:
Hangs on start up, running in command window see the malloc errors below.

Version-Release number of selected component (if applicable):
PySolFC-2.0-8.fc19.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. type pysol
2.
3.

Actual results:
pysol
*** Error in `/usr/bin/python': malloc(): memory corruption: 0x0000000004a8f720 ***
*** Error in `/usr/bin/python': malloc(): memory corruption: 0x0000000004a8f720 ***


Expected results:


Additional info:

Comment 1 David Highley 2013-08-13 03:43:09 UTC
Found a posted work around; pysol --tk

- Temporary fix was to; mv /bin/pysol pysol.orig
- Create a shell wrapper scripts named pysol
#!/bin/sh

exec pysol.orig --tk


- Set execution chmod u+x,g+x,o+x

Comment 2 Jaromír Cápík 2013-08-13 12:41:42 UTC
Hello David.

I can reproduce it here. Anyway, this looks like a python bug. I'm changing the component to python2 and we'll see.

Regards,
Jaromir.

Comment 3 Jean-Charles Malahieude 2013-08-23 17:40:29 UTC
Hi,

Reproduced on a 32 bit architecture, with another memory address:

---
jcharles@localhost ~$ python --version
Python 2.7.5
jcharles@localhost ~$ uname -r
3.10.9-200.fc19.i686
jcharles@localhost ~$ pysol
*** Error in `/usr/bin/python': malloc(): memory corruption: 0x0b883af0 ***
*** Error in `/usr/bin/python': malloc(): memory corruption: 0x0b883af0 ***

jcharles@localhost ~$ ps -ef | grep pysol
jcharles  3584  3386  0 19:34 pts/0    00:00:00 /bin/sh /usr/bin/pysol
jcharles  3585  3584  1 19:34 pts/0    00:00:03 /usr/bin/python /usr/share/PySolFC/pysol.py --sound-mod=pygame
jcharles  3600  3386  0 19:38 pts/0    00:00:00 grep --color=auto pysol
jcharles@localhost ~$
---

Regards,
Jean-Charles

Comment 4 Jaromír Cápík 2013-08-26 13:31:29 UTC
It seems python-imaging combines libc malloc calls with python object manipulations and that's forbidden:

http://docs.python.org/2/c-api/memory.html

The libc calls should be replaced with the python alternatives.

Comment 5 Roman Rakus 2013-08-26 13:42:00 UTC
For reproducer;  must have set MALLOC_CHECK_ at least 1.

Comment 6 Jaromír Cápík 2013-08-26 13:43:15 UTC
According to the following stacktrace, it seems the malicious call lies in the _imaging.so / Storage.c / ImagingNewPrologueSubtype(). As the libc calloc is used for creating a structure that contains a python object, it might be the reason of the memory corruption.

Thread 1 (Thread 0x7ffff7fc6740 (LWP 6047)):
#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
#1  0x0000003aeb50909c in __GI___backtrace (array=array@entry=0x7fffffffa730, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#2  0x0000003aeb475d64 in __libc_message (do_abort=2, fmt=fmt@entry=0x3aeb57db88 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#3  0x0000003aeb47e24c in malloc_printerr (ptr=0x2e54580, str=0x3aeb57b2d7 "malloc(): memory corruption", action=<optimized out>) at malloc.c:4916
#4  _int_malloc (av=0x3aeb7b9780 <main_arena>, bytes=56) at malloc.c:3390
#5  0x0000003aeb48005c in __GI___libc_malloc (bytes=56) at malloc.c:2863
#6  0x0000003aeac0d379 in _dl_map_object_deps (map=map@entry=0x1b96b00, preloads=preloads@entry=0x0, npreloads=npreloads@entry=0, trace_mode=trace_mode@entry=0, open_mode=open_mode@entry=-2147483648) at dl-deps.c:515
#7  0x0000003aeac138ec in dl_open_worker (a=a@entry=0x7fffffffb2c8) at dl-open.c:265
#8  0x0000003aeac0f304 in _dl_catch_error (objname=objname@entry=0x7fffffffb2b8, errstring=errstring@entry=0x7fffffffb2c0, mallocedp=mallocedp@entry=0x7fffffffb2b0, operate=operate@entry=0x3aeac13770 <dl_open_worker>, args=args@entry=0x7fffffffb2c8) at dl-error.c:177
#9  0x0000003aeac1321b in _dl_open (file=0x3aeb57a0be "libgcc_s.so.1", mode=-2147483647, caller_dlopen=0x3aeb508f85 <init+21>, nsid=-2, argc=2, argv=<optimized out>, env=0x8ef770) at dl-open.c:656
#10 0x0000003aeb52fbc2 in do_dlopen (ptr=ptr@entry=0x7fffffffb4d0) at dl-libc.c:87
#11 0x0000003aeac0f304 in _dl_catch_error (objname=0x7fffffffb4b0, errstring=0x7fffffffb4c0, mallocedp=0x7fffffffb4a0, operate=0x3aeb52fb80 <do_dlopen>, args=0x7fffffffb4d0) at dl-error.c:177
#12 0x0000003aeb52fc82 in dlerror_run (args=0x7fffffffb4d0, operate=0x3aeb52fb80 <do_dlopen>) at dl-libc.c:46
#13 __GI___libc_dlopen_mode (name=name@entry=0x3aeb57a0be "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#14 0x0000003aeb508f85 in init () at ../sysdeps/x86_64/backtrace.c:52
#15 0x0000003aebc0ca50 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:103
#16 0x0000003aeb50909c in __GI___backtrace (array=array@entry=0x7fffffffb790, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#17 0x0000003aeb475d64 in __libc_message (do_abort=2, fmt=fmt@entry=0x3aeb57db88 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#18 0x0000003aeb47e24c in malloc_printerr (ptr=0x2e54580, str=0x3aeb57b2d7 "malloc(): memory corruption", action=<optimized out>) at malloc.c:4916
#19 _int_malloc (av=av@entry=0x3aeb7b9780 <main_arena>, bytes=bytes@entry=88) at malloc.c:3390
#20 0x0000003aeb480a1a in __libc_calloc (n=<optimized out>, elem_size=<optimized out>) at malloc.c:3173
#21 0x00007fffef123d40 in ImagingNewPrologueSubtype () from /usr/lib64/python2.7/site-packages/_imaging.so
#22 0x00007fffef12427b in ImagingNewBlock () from /usr/lib64/python2.7/site-packages/_imaging.so
#23 0x00007fffef12433d in ImagingNew () from /usr/lib64/python2.7/site-packages/_imaging.so
#24 0x00007fffef10f2d8 in convert () from /usr/lib64/python2.7/site-packages/_imaging.so
#25 0x00007fffef107287 in _convert () from /usr/lib64/python2.7/site-packages/_imaging.so
#26 0x0000003b01addcee in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#27 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#28 0x0000003b01add769 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#29 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#30 0x0000003b01add769 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#31 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#32 0x0000003b01add769 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#33 0x0000003b01add80c in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#34 0x0000003b01add80c in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#35 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#36 0x0000003b01add769 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#37 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#38 0x0000003b01a6dd7d in ?? () from /lib64/libpython2.7.so.1.0
#39 0x0000003b01a49dd3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#40 0x0000003b01a58555 in ?? () from /lib64/libpython2.7.so.1.0
#41 0x0000003b01a49dd3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#42 0x0000003b01ad9f1d in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#43 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#44 0x0000003b01a6dd7d in ?? () from /lib64/libpython2.7.so.1.0
#45 0x0000003b01a49dd3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#46 0x0000003b01a58555 in ?? () from /lib64/libpython2.7.so.1.0
#47 0x0000003b01a49dd3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#48 0x0000003b01ad8af7 in PyEval_CallObjectWithKeywords () from /lib64/libpython2.7.so.1.0
#49 0x0000003b01a591dc in PyInstance_New () from /lib64/libpython2.7.so.1.0
#50 0x0000003b01a49dd3 in PyObject_Call () from /lib64/libpython2.7.so.1.0
#51 0x0000003b01adb6dc in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#52 0x0000003b01add80c in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#53 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#54 0x0000003b01add769 in PyEval_EvalFrameEx () from /lib64/libpython2.7.so.1.0
#55 0x0000003b01adec7d in PyEval_EvalCodeEx () from /lib64/libpython2.7.so.1.0
#56 0x0000003b01aded82 in PyEval_EvalCode () from /lib64/libpython2.7.so.1.0
#57 0x0000003b01af78af in ?? () from /lib64/libpython2.7.so.1.0
#58 0x0000003b01af89ce in PyRun_FileExFlags () from /lib64/libpython2.7.so.1.0
#59 0x0000003b01af9b39 in PyRun_SimpleFileExFlags () from /lib64/libpython2.7.so.1.0
#60 0x0000003b01b0a66f in Py_Main () from /lib64/libpython2.7.so.1.0
#61 0x0000003aeb421b75 in __libc_start_main (main=0x4006f0 <main>, argc=2, ubp_av=0x7fffffffdf78, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf68) at libc-start.c:258
#62 0x0000000000400721 in _start ()

Comment 7 Jaromír Cápík 2013-08-27 13:49:56 UTC
Created attachment 790988 [details]
python-pillow-pymem.patch

This patch replaces all libc memory manipulations with PyMem ones. Unfortunately it doesn't solve the memory corruption issue in case of pysol. It needs a deeper analysis.

Comment 8 Sandro Mani 2013-08-28 18:24:40 UTC

*** This bug has been marked as a duplicate of bug 1001122 ***

Comment 9 Fedora Update System 2013-08-28 20:14:41 UTC
python-pillow-2.0.0-11.gitd1c6db8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/python-pillow-2.0.0-11.gitd1c6db8.fc19

Comment 10 Sandro Mani 2013-08-28 21:30:06 UTC
*** Bug 982412 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2013-09-07 01:26:27 UTC
python-pillow-2.0.0-11.gitd1c6db8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Jaromír Cápík 2013-09-19 15:49:56 UTC
*** Bug 969591 has been marked as a duplicate of this bug. ***