Bug 1258846 - local_sock() double free error
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pcp (Show other bugs)
Version: 6.7
Severity: medium
Assigned To: Nathan Scott
QA Contact: Miloš Prchlík
Keywords: EasyFix, Patch, Reproducer
Reported: 2015-09-01 08:07 EDT by Filip Krska
Modified: 2016-05-10 17:13 EDT (History)

Doc Type: Bug Fix
Clones: 1258860 1258862
Last Closed: 2016-05-10 17:13:10 EDT
Type: Bug

Attachments
Fix double free in local_sock() (457 bytes, patch)
2015-09-01 08:07 EDT, Filip Krska

Description Filip Krska 2015-09-01 08:07:17 EDT
Created attachment 1068978
Fix double free in local_sock()

Description of problem:

pmdamemcache crashes with the following backtrace:

Core was generated by `perl /var/lib/pcp/pmdas/memcache/pmdamemcache.pl'.
Program terminated with signal 6, Aborted.

#0  0x00007f9464552625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f9464553e05 in abort () at abort.c:92
#2  0x00007f9464590537 in __libc_message (do_abort=2, fmt=0x7f9464678940 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007f9464595e66 in malloc_printerr (action=3, str=0x7f9464676a2e "free(): invalid pointer", ptr=<value optimized out>)
    at malloc.c:6336
#4  0x00007f946459897a in _int_free (av=0x7f94648afe80, p=0x7f94648afef8, have_lock=0) at malloc.c:4832
#5  0x00007f945de06d25 in __pmHostEntFree (hostent=0x15cb740) at auxconnect.c:39
#6  0x00007f945e265517 in local_sock (host=0x15cb780 "127.0.0.1", port=11211, callback=0x16ba050, cookie=0) at local.c:209
#7  0x00007f945e273eaa in XS_PCP__PMDA_add_sock (my_perl=0x7633, cv=0x1693560) at PMDA.xs:1099
#8  0x00007f946588e815 in Perl_pp_entersub (my_perl=0x159f010) at pp_hot.c:2888
#9  0x00007f946588cb06 in Perl_runops_standard (my_perl=0x159f010) at run.c:40
#10 0x00007f94658350d8 in S_run_body (my_perl=0x159f010) at perl.c:2435
#11 perl_run (my_perl=0x159f010) at perl.c:2353
#12 0x0000000000400e74 in main (argc=2, argv=0x7ffcf217ad98, env=0x7ffcf217adb0) at perlmain.c:117

Version-Release number of selected component (if applicable):

pcp-3.10.3-3.el6.x86_64
perl-PCP-PMDA-3.10.3-3.el6.x86_64

How reproducible:

No reproducer known so far; abrt reports are generated often in the customer's environment.

Actual results:

Program terminated with signal 6, Aborted.

Expected results:

No abort

Additional info:

The same double free bug seems to be present in RHEL 7's and Fedora master's pcp as well; upstream propagation is needed.

Hypothesis:

pcp-3.10.3/src/perl/PMDA/local.c:

int
local_sock(char *host, int port, scalar_t *callback, int cookie)
{
    __pmSockAddr *myaddr;
    __pmHostEnt  *servinfo = NULL;
...
    if ((servinfo = __pmGetAddrInfo(host)) == NULL) {
        __pmNotifyErr(LOG_ERR, "__pmGetAddrInfo (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:158
...
    __pmHostEntFree(servinfo);          < first free()
...
    if (sts < 0) {
        __pmNotifyErr(LOG_ERR, "__pmConnect (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:196
    }
...
 error:
    if (fd >= 0)
        __pmCloseSocket(fd);
    if (servinfo)
        __pmHostEntFree(servinfo);      <------------ local.c:209   second free()

We can get to line 209 only from line 196 (just after __pmHostEntFree(), so servinfo is already freed). We cannot get there from line 158 because servinfo would be NULL.
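Added example, not code from the bug report or from pcp: a self-contained C model of the local_sock() control flow described above, with a constructed single-slot host-entry stub in place of __pmHostEnt so that a second free on the connect-failure path is counted instead of aborting the process. The fix modelled here (clearing the pointer right after the early free) is an assumed remedy; the attached patch is not shown on this page, so it is not necessarily the change that was applied.

```c
#include <stddef.h>

/* Constructed stand-in for libpcp's __pmHostEnt: one slot whose live flag is
 * kept outside the object, so a second free is counted rather than crashing. */
typedef struct { const char *host; } host_ent_t;
static host_ent_t slot;
static int slot_live;
static int double_frees;   /* bumped when free is called on a dead or foreign slot */

static host_ent_t *host_ent_get(const char *host) {
    if (host == NULL) return NULL;        /* models __pmGetAddrInfo() failing */
    slot.host = host; slot_live = 1;
    return &slot;
}

static void host_ent_free(host_ent_t *h) {
    if (h != &slot || !slot_live) { double_frees++; return; }  /* glibc's "free(): invalid pointer" case */
    slot_live = 0;
}

/* Skeleton of local_sock(): connect_ok = 0 models the __pmConnect() failure that
 * reached the error label in the report; fix_after_free selects the repaired flow.
 * Returns 0 on success, -1 on error. */
static int local_sock_model(const char *host, int connect_ok, int fix_after_free) {
    host_ent_t *servinfo = NULL;

    if ((servinfo = host_ent_get(host)) == NULL)
        goto error;                       /* servinfo is still NULL: error label frees nothing */

    host_ent_free(servinfo);              /* first free: address info no longer needed */
    if (fix_after_free)
        servinfo = NULL;                  /* the fix: a freed pointer must not stay reachable */

    if (!connect_ok)
        goto error;                       /* unfixed flow arrives here with a dangling servinfo */
    return 0;

 error:
    if (servinfo)
        host_ent_free(servinfo);          /* second free in the unfixed flow */
    return -1;
}

/* Runs one path and reports how many double frees it produced. */
static int double_frees_for(const char *host, int connect_ok, int fix_after_free) {
    double_frees = 0;
    local_sock_model(host, connect_ok, fix_after_free);
    return double_frees;
}
```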
Comment 1 Nathan Scott 2015-09-01 23:51:29 EDT
Thanks for the detailed problem report and diagnosis Filip, this is now fixed upstream and will make its way into RHEL6 at the first available opportunity.
Comment 4 Miloš Prchlík 2016-02-08 04:53:03 EST
Verified for build pcp-3.10.9-5.el6.
Comment 6 errata-xmlrpc 2016-05-10 17:13:10 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0825.html
