Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1115952

Summary: Possible memory leak in libfreebl when used with libnspr
Product: Red Hat Enterprise Linux 6 Reporter: Miloš Prchlík <mprchlik>
Component: nsprAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED WORKSFORME QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: low    
Version: 6.6CC: hkario, mmalik, nkinder
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-26 20:22:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Miloš Prchlík 2014-07-03 11:46:13 UTC 
Description of problem:

While running pcp upstream testsuite I stepped on to these valgrind warning about possible memory leak (a bit condensed "reproducer"):


[root@ibm-x3550m3-01 ~]# cat main.c
int main(int argc, char **argv)
{
        return 0;
}

[root@ibm-x3550m3-01 ~]# 
[root@ibm-x3550m3-01 ~]# 
[root@ibm-x3550m3-01 ~]# gcc -Wall -O2 -g main.c -o main -lfreebl3 -lnspr4
[root@ibm-x3550m3-01 ~]# 
[root@ibm-x3550m3-01 ~]# 
[root@ibm-x3550m3-01 ~]# valgrind --leak-check=full --read-var-info=yes ./main
==952== Memcheck, a memory error detector
==952== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==952== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==952== Command: ./main
==952== 
==952== 
==952== HEAP SUMMARY:
==952==     in use at exit: 6,904 bytes in 70 blocks
==952==   total heap usage: 159 allocs, 89 frees, 64,755 bytes allocated
==952== 
==952== 40 bytes in 1 blocks are possibly lost in loss record 33 of 63
==952==    at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==952==    by 0x33A180D60B: _PR_Getfd (prfdcach.c:112)
==952==    by 0x33A1825094: pt_SetMethods (ptio.c:3303)
==952==    by 0x33A1825468: PR_OpenFile (ptio.c:3581)
==952==    by 0x339FC2B9D7: blapi_SHVerifyFile (shvfy.c:356)
==952==    by 0x339FC2BD6E: blapi_SHVerify (shvfy.c:290)
==952==    by 0x339FC16338: bl_startup_tests (fipsfreebl.c:1541)
==952==    by 0x339FC54E55: ??? (in /lib64/libfreebl3.so)
==952==    by 0x339FC039C2: ??? (in /lib64/libfreebl3.so)
==952== 
==952== 48 bytes in 1 blocks are possibly lost in loss record 37 of 63
==952==    at 0x4A069EE: malloc (vg_replace_malloc.c:270)
==952==    by 0x33A180D5F9: _PR_Getfd (prfdcach.c:109)
==952==    by 0x33A1825094: pt_SetMethods (ptio.c:3303)
==952==    by 0x33A1825468: PR_OpenFile (ptio.c:3581)
==952==    by 0x339FC2B9D7: blapi_SHVerifyFile (shvfy.c:356)
==952==    by 0x339FC2BD6E: blapi_SHVerify (shvfy.c:290)
==952==    by 0x339FC16338: bl_startup_tests (fipsfreebl.c:1541)
==952==    by 0x339FC54E55: ??? (in /lib64/libfreebl3.so)
==952==    by 0x339FC039C2: ??? (in /lib64/libfreebl3.so)
==952== 
==952== LEAK SUMMARY:
==952==    definitely lost: 0 bytes in 0 blocks
==952==    indirectly lost: 0 bytes in 0 blocks
==952==      possibly lost: 88 bytes in 2 blocks
==952==    still reachable: 6,816 bytes in 68 blocks
==952==         suppressed: 0 bytes in 0 blocks
==952== Reachable blocks (those to which a pointer was found) are not shown.
==952== To see them, rerun with: --leak-check=full --show-reachable=yes
==952== 
==952== For counts of detected and suppressed errors, rerun with: -v
==952== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 6 from 6)
[root@ibm-x3550m3-01 ~]# 

After some digging into the code my initial idea about what's going on was that some fd closing calls in blapi_SHVerifyFile are missing _PR_Putfd() call somewhere. Well, I think I found it in stubs.c finally, so this probably is not the case. Also "possibly lost" warning can be caused by some pointer manipulation as mentioned in valgrind docs ([1]) and does not necessary mean there is actual memory leak. In that case it would be good if someone more familiar with nss-softtokn/nspr sources call it false positive, then we could make valgrind ignore this and not to disturb pcp testsuite any longer.


Version-Release number of selected component (if applicable):

nspr-4.10.6-1.el6
nss-softokn-3.14.3-14.el6


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

[1] http://valgrind.org/docs/manual/mc-manual.html#mc-manual.leaks
Comment 2 Nathan Scott 2014-07-10 02:12:57 UTC 
Hi all,

One followup note to add to Miloš description (which points towards a possible leak in a .so -init routine, as I understand it) - earlier versions of RHEL6 do not seem to exhibit this behavior.  I have RHEL 6.3 handy currently (nspr-4.9.2-1) and these tests are all passing there.  Just FYI - hopefully that helps to narrow down the point where this behaviour began.

cheers.
Comment 4 Elio Maldonado Batiz 2016-01-23 17:35:38 UTC 
Running the trivial reproducer that Miloš pasted in  Description I couldn't reproduce it against the currently shipping versions of the packages

[emaldona@rhel6ws ~]$ rpm -q valgrind nspr nss nss-util nss-softokn
valgrind-3.8.1-8.el6.x86_64
nspr-4.10.8-2.el6_7.x86_64
nss-3.19.1-8.el6_7.x86_64
nss-util-3.19.1-2.el6_7.x86_64
nss-softokn-3.14.3-23.el6_7.x86_64

[emaldona@rhel6ws ~]$ gcc -Wall -O2 -g main.c -o main -lfreebl3 -lnspr4

[emaldona@rhel6ws ~]$ valgrind --leak-check=full --read-var-info=yes ./main
==3608== Memcheck, a memory error detector
==3608== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==3608== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==3608== Command: ./main
==3608== 
==3608== 
==3608== HEAP SUMMARY:
==3608==     in use at exit: 0 bytes in 0 blocks
==3608==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==3608== 
==3608== All heap blocks were freed -- no leaks are possible
==3608== 
==3608== For counts of detected and suppressed errors, rerun with: -v
==3608== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
Comment 5 Elio Maldonado Batiz 2016-01-23 18:52:56 UTC 
(In reply to Elio Maldonado Batiz from comment #4)
Reran as superuser with the same good results.
Comment 6 Nathan Kinder 2016-01-26 20:22:29 UTC 
Closing as WORKSFORME based off of comment#4 and comment#5.  If you are still seeing this issue with current package versions, please reopen this bug.