Bug 1258860 - local_sock() double free error
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pcp
Severity: medium
Assigned To: Nathan Scott
Miloš Prchlík
Keywords: EasyFix, Patch, Reproducer
Reported: 2015-09-01 08:22 EDT by Filip Krska
Modified: 2016-11-04 00:22 EDT
Doc Type: Bug Fix
Clone Of: 1258846
Last Closed: 2016-11-04 00:22:31 EDT
Type: Bug

Description Filip Krska 2015-09-01 08:22:54 EDT
The related code is unchanged, so the double free is present here as well.

+++ This bug was initially created as a clone of Bug #1258846 +++

Description of problem:

pmdamemcache crashes with the following backtrace:

Core was generated by `perl /var/lib/pcp/pmdas/memcache/pmdamemcache.pl'.
Program terminated with signal 6, Aborted.

#0  0x00007f9464552625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f9464553e05 in abort () at abort.c:92
#2  0x00007f9464590537 in __libc_message (do_abort=2, fmt=0x7f9464678940 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007f9464595e66 in malloc_printerr (action=3, str=0x7f9464676a2e "free(): invalid pointer", ptr=<value optimized out>)
    at malloc.c:6336
#4  0x00007f946459897a in _int_free (av=0x7f94648afe80, p=0x7f94648afef8, have_lock=0) at malloc.c:4832
#5  0x00007f945de06d25 in __pmHostEntFree (hostent=0x15cb740) at auxconnect.c:39
#6  0x00007f945e265517 in local_sock (host=0x15cb780 "", port=11211, callback=0x16ba050, cookie=0) at local.c:209
#7  0x00007f945e273eaa in XS_PCP__PMDA_add_sock (my_perl=0x7633, cv=0x1693560) at PMDA.xs:1099
#8  0x00007f946588e815 in Perl_pp_entersub (my_perl=0x159f010) at pp_hot.c:2888
#9  0x00007f946588cb06 in Perl_runops_standard (my_perl=0x159f010) at run.c:40
#10 0x00007f94658350d8 in S_run_body (my_perl=0x159f010) at perl.c:2435
#11 perl_run (my_perl=0x159f010) at perl.c:2353
#12 0x0000000000400e74 in main (argc=2, argv=0x7ffcf217ad98, env=0x7ffcf217adb0) at perlmain.c:117

Version-Release number of selected component (if applicable):


How reproducible:

No reproducer known so far, abrt reports generated often in customer's environment

Steps to Reproduce:

Actual results:

Program terminated with signal 6, Aborted.

Expected results:

No abort

Additional info:

The same double free bug seems to be present in RHEL 7's, Fedora master's pcp as well, upstream propagation needed.



local_sock(char *host, int port, scalar_t *callback, int cookie)
    __pmSockAddr *myaddr;
    __pmHostEnt  *servinfo = NULL;
    if ((servinfo = __pmGetAddrInfo(host)) == NULL) {
        __pmNotifyErr(LOG_ERR, "__pmGetAddrInfo (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:158
    __pmHostEntFree(servinfo);          < first free()
    if (sts < 0) {
        __pmNotifyErr(LOG_ERR, "__pmConnect (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:196
    if (fd >= 0)
    if (servinfo)
        __pmHostEntFree(servinfo);      <------------ local.c:209   second free()

We can get to line 209 only from line 196 (just after __pmHostEntFree(), so servinfo is already freed). We cannot get there from line 158 because servinfo would be NULL.
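
The control flow described above, as an added example that is not part of the original report or of the pcp source. A hypothetical hostent_model stands in for __pmHostEnt and counts releases instead of calling free(); open_cleared shows one assumed way to make the error path safe (clearing the pointer) and is not claimed to be the upstream fix.

```c
#include <stdio.h>
/* Hypothetical stand-in for __pmHostEnt; counts releases instead of calling free(). */
struct hostent_model { int releases; };
static void hostent_release(struct hostent_model *h) { h->releases++; }

/* Control flow as described in the report. */
static int open_reported(struct hostent_model *lookup, int connect_sts)
{
    struct hostent_model *servinfo = lookup;
    if (servinfo == NULL)
        goto error;                 /* lookup failed: pointer is NULL */
    hostent_release(servinfo);      /* first release */
    if (connect_sts < 0)
        goto error;                 /* servinfo is stale but non-NULL */
    return 0;
error:
    if (servinfo)
        hostent_release(servinfo);  /* second release of the same object */
    return -1;
}

/* Assumed remedy for illustration (not the upstream patch): clear the pointer. */
static int open_cleared(struct hostent_model *lookup, int connect_sts)
{
    struct hostent_model *servinfo = lookup;
    if (servinfo == NULL)
        goto error;
    hostent_release(servinfo);
    servinfo = NULL;                /* error path now skips the release */
    if (connect_sts < 0)
        goto error;
    return 0;
error:
    if (servinfo)
        hostent_release(servinfo);
    return -1;
}

static int count_releases(int (*fn)(struct hostent_model *, int), int sts)
{
    struct hostent_model h = { 0 };
    fn(&h, sts);
    return h.releases;              /* times this one object was released */
}

int main(void)
{
    printf("reported=%d cleared=%d\n", count_releases(open_reported, -1), count_releases(open_cleared, -1));
    return 0;
}
```

Only the failed-connect path releases the object twice, which matches the observation that line 209 is reached with a freed servinfo only from line 196.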
Comment 1 Nathan Scott 2015-09-01 23:51:25 EDT
Thanks for the detailed problem report and diagnosis Filip, this is now fixed upstream and will make its way into RHEL7 at the first available opportunity.
Comment 4 Miloš Prchlík 2016-08-20 07:12:59 EDT
Verified for build pcp-3.11.3-3.el7.
Comment 6 errata-xmlrpc 2016-11-04 00:22:31 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

