Bug 1533121 - libunistring is not thread safe and contains invalid memory accesses
Summary: libunistring is not thread safe and contains invalid memory accesses
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: libunistring
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Pádraig Brady
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1452750
 
Reported: 2018-01-10 14:05 UTC by Florian Weimer
Modified: 2018-03-01 10:19 UTC
CC: 7 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-03-01 10:19:44 UTC
Type: Bug
Embargoed:



Description Florian Weimer 2018-01-10 14:05:10 UTC
It uses malloca, which uses global data without synchronization.  This can result in crashes or information leaks in multi-threaded programs:

  http://lists.gnu.org/archive/html/bug-gnulib/2018-01/msg00046.html

Furthermore, the following example program results in a valgrind warning:

#include <err.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <uniconv.h>

int
main (void)
{
  if (setlocale (LC_ALL, "en_US.ISO-8859-1") == NULL)
    err (1, "setlocale");
  /* Try to provide better valgrind results.  */
  char *str = strdup ("non-idn.example");
  if (str == NULL)
    err (1, "strdup");
  unsigned char *result = u8_strconv_from_locale (str);
  if (result == NULL)
    errx (1, "u8_strconv_from_locale");
  /* The result is a freshly malloc'ed, NUL-terminated UTF-8 string.  */
  printf ("[[%s]]\n", (char *) result);
  free (result);
  free (str);
  return 0;
}

==29579== Conditional jump or move depends on uninitialised value(s)
==29579==    at 0x4E4C61C: libunistring_freea (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E4EDA4: libunistring_mem_iconveha (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E55CFC: u8_conv_from_encoding (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4E55FB7: u8_strconv_from_encoding (in /usr/lib64/libunistring.so.2.0.0)
==29579==    by 0x4006D9: main (unistring-uninit.c:17)
==29579==  Uninitialised value was created by a stack allocation
==29579==    at 0x4E4ED0C: libunistring_mem_iconveha (in /usr/lib64/libunistring.so.2.0.0)

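The report above names the root cause as malloca() keeping global data without synchronization, and the valgrind trace shows freea() branching on a value nobody initialised. The following is an added example, not code from the bug report, from gnulib or from libunistring: a constructed, simplified model of the malloca()/freea() pattern (small requests served from a buffer the caller owns, large ones from the heap, and a free routine that must later tell the two apart). It shows one way to remove the shared state entirely, by storing a tag byte in a header in front of every returned pointer, written on both the stack and the heap path, so the free routine reads only memory that belongs to the allocation it is freeing. Whether gnulib's fix works exactly this way is not stated on this page; all names here (tagged_alloc, tagged_free, tagged_is_heap, stress) are invented for the example.

```c
/* Constructed model of the malloca()/freea() pattern; not gnulib's or
   libunistring's code.  Names are invented for this example. */
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR 16            /* header bytes in front of the returned pointer */
#define TAG_STACK 0x5A
#define TAG_HEAP  0xA5

/* Return n usable bytes, either inside stack_buf (if it is big enough) or
   from malloc().  The tag is written on BOTH paths: a tag that is set on one
   path only is exactly the kind of "conditional jump depends on
   uninitialised value" that valgrind reports for freea() in the trace. */
void *tagged_alloc(size_t n, void *stack_buf, size_t stack_buf_size) {
  unsigned char *base;
  unsigned char tag;
  if (stack_buf != NULL && n + HDR <= stack_buf_size) {
    base = stack_buf;
    tag = TAG_STACK;
  } else {
    base = malloc(n + HDR);
    if (base == NULL) return NULL;
    tag = TAG_HEAP;
  }
  base[HDR - 1] = tag;    /* the byte immediately before the returned pointer */
  return base + HDR;
}

/* 1 if p came from the heap, 0 if it lives in the caller's stack buffer. */
int tagged_is_heap(const void *p) {
  return ((const unsigned char *)p)[-1] == TAG_HEAP;
}

/* Release p.  The decision needs nothing but the tag next to p, so there is
   no global table that two threads could read and write concurrently. */
void tagged_free(void *p) {
  if (p == NULL) return;
  if (tagged_is_heap(p)) free((unsigned char *)p - HDR);
  /* TAG_STACK: the caller's buffer dies with its frame; nothing to do. */
}

/* Multi-threaded exercise: each thread alternates stack and heap requests,
   fills its buffer with a per-iteration byte and checks it is still intact
   before freeing.  stress() returns the number of corrupted or failed
   buffers, which must be 0 because no state is shared between threads. */
struct worker { int iters; int bad; };

static void *worker_fn(void *arg) {
  struct worker *w = arg;
  for (int i = 0; i < w->iters; i++) {
    size_t n = (i % 2 == 0) ? 32 : 4096;      /* small -> stack, large -> heap */
    unsigned char small[32 + HDR];
    unsigned char *p = tagged_alloc(n, small, sizeof small);
    if (p == NULL) { w->bad++; continue; }
    memset(p, (unsigned char)i, n);
    for (size_t k = 0; k < n; k++)
      if (p[k] != (unsigned char)i) { w->bad++; break; }
    tagged_free(p);
  }
  return NULL;
}

int stress(int nthreads, int iters) {
  if (nthreads > 16) nthreads = 16;
  pthread_t tid[16];
  struct worker w[16];
  for (int t = 0; t < nthreads; t++) {
    w[t].iters = iters;
    w[t].bad = 0;
    if (pthread_create(&tid[t], NULL, worker_fn, &w[t]) != 0) {
      for (int j = 0; j < t; j++) pthread_join(tid[j], NULL);
      return -1;
    }
  }
  int bad = 0;
  for (int t = 0; t < nthreads; t++) {
    pthread_join(tid[t], NULL);
    bad += w[t].bad;
  }
  return bad;
}

int main(void) {
  int bad = stress(8, 20000);
  printf("corrupted buffers: %d\n", bad);
  return bad == 0 ? 0 : 1;
}
```

Running the model under valgrind reports no uninitialised reads, because every byte freea-style code inspects was stored by the matching allocation; a real implementation would additionally keep the returned pointer suitably aligned for the caller's data, which this toy skips.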
Comment 1 Nikos Mavrogiannopoulos 2018-01-11 07:24:00 UTC
Adding these for reference:
http://lists.gnu.org/archive/html/bug-gnulib/2018-01/msg00046.html

Comment 2 Nikos Mavrogiannopoulos 2018-02-20 14:35:21 UTC
Florian, if there is an upstream release with the fix and the Fedora package includes it, would glibc still be blocked for F28?

Comment 3 Florian Weimer 2018-02-20 14:37:57 UTC
I'm not aware of any libunistring upstream fix.  The code was copied from gnulib, and it was fixed in:

commit 8a4aa2ec86c0e94c6ed548519b1660c6b1bac0c1
Author: Bruno Haible <bruno>
Date:   Fri Feb 2 19:32:02 2018 +0100

    malloca, xmalloca: Make multithread-safe.

Plus some subsequent cleanups.

I think this issue arises only on non-UTF-8 locales.  Since UTF-8 is the default in Fedora, I don't think it qualifies as a blocker.

Comment 4 Fedora End Of Life 2018-02-20 15:36:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 5 Florian Weimer 2018-02-28 20:35:30 UTC
libunistring 0.9.9 was released today, copying the fixes from gnulib.

Comment 6 Daiki Ueno 2018-03-01 10:19:44 UTC
Built it in all active branches and submitted the updates for F27 and F26.

