RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1999819 - segfault due to not properly handling realloc pointer return change [rhel-7.9.z]
Summary: segfault due to not properly handling realloc pointer return change [rhel-7.9.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: fltk
Version: 7.9
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Grulich
QA Contact: Tomas Pelka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-31 18:35 UTC by Paulo Andrade
Modified: 2022-11-02 16:41 UTC (History)
4 users (show)

Fixed In Version: fltk-1.3.4-3.el7_9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-02 16:38:38 UTC
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fltk fltk issues 451 0 None open Segfault if using very large selections 2022-06-20 14:33:29 UTC
Red Hat Issue Tracker RHELPLAN-95759 0 None None None 2021-08-31 18:36:16 UTC
Red Hat Product Errata RHBA-2022:7345 0 None None None 2022-11-02 16:38:40 UTC

Description Paulo Andrade 2021-08-31 18:35:29 UTC 
This is a segfault in vncviewer:

(gdb) bt
#0  0x00007ffff4d48387 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff4d49a78 in __GI_abort () at abort.c:90
#2  0x00007ffff4d8aed7 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4e9d350 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007ffff4d93299 in malloc_printerr (ar_ptr=0x7ffff50d9760 <main_arena>, ptr=<optimized out>, str=0x7ffff4e9d478 "double free or corruption (!prev)", action=3) at malloc.c:4967
#4  _int_free (av=0x7ffff50d9760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3843
#5  0x00007ffff7192679 in XFree (data=<optimized out>) at XlibInt.c:1590
#6  0x00007ffff7950701 in fl_handle (thisevent=...) at Fl_x.cxx:1379
#7  0x00007ffff7952532 in do_queued_events () at Fl_x.cxx:210
#8  0x00007ffff79529f3 in fl_wait (time_to_wait=<optimized out>) at Fl_x.cxx:276
#9  0x00007ffff78f386f in Fl::wait (time_to_wait=<optimized out>) at Fl.cxx:607
#10 0x000000000042bd26 in run_mainloop () at /usr/src/debug/tigervnc-1.8.0/vncviewer/vncviewer.cxx:139
#11 0x000000000041d445 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/tigervnc-1.8.0/vncviewer/vncviewer.cxx:613

(gdb) f 6
#6  0x00007ffff7950701 in fl_handle (thisevent=...) at Fl_x.cxx:1379
1379	    if (sn_buffer) {XFree(sn_buffer); sn_buffer = 0;}

checking the contents of sn_buffer, it is an almost 300k long selection.

The problem is in the call:

                if (actual == fl_INCR) {
		  bytesread = getIncrData(sn_buffer, xevent.xselection, *(long*)portion);
		  XFree(portion);
		  break;
		}

because getIncrData has prototype:

static long getIncrData(uchar* &data, const XSelectionEvent& selevent, long lower_bound)

and the argument might change in the line:

        if (total + num_bytes > (size_t)lower_bound) data = (uchar*)realloc(data, total + num_bytes);

so, there are 2 issues if realloc changes the pointer.
  First it causes a leak.
  Second, it causes memory corruption, as the calling code keeps using the base pointer.
Comment 3 Jan Grulich 2021-10-13 11:43:34 UTC 
Hi, I've been trying to reproduce this issue on RHEL 7, RHEL 8 or Fedora 35, but I'm unable to. Can you tell me how to reproduce this issue step by step?
Comment 4 Paulo Andrade 2021-10-13 12:20:40 UTC 
It is not trivial to reproduce.

Realloc might return the same pointer, and if that happens, the problem does
not happen.

It might also corrupt memory that does not trigger a segfault.

The problem happens when realloc cannot grow (or prefer when shrinking) the
memory, and needs to relocate it.

Needs to keep selecting very large amounts of text, and somehow cause some
memory fragmentation.

Should be easier to reproduce if incrementally making larger selections.

Could also instrument with gdb, to do something like:

(gdb) call malloc(65536)
(gdb) call free($)

on separate breakpoints around the realloc calls. Likely mixing and not using
only 65536, or it might just keep using the same pointer.

Based on coredump data, of the two cases, the user frequently selects very
large amounts of text; likely to cut&paste from different editors or different
windows, possibly on shells on different servers.
Comment 5 Jan Grulich 2022-06-20 11:53:52 UTC 
I spent again some time trying to reproduce this, but I don't even get to the point where the faulty code is called.

Were you able to reproduce it? Can you help me with a reproducer? I don't get the "SelectionNotify" event and not sure under what circumstances it is supposed to be send.
Comment 6 RHEL Program Management 2022-06-20 11:54:00 UTC 
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.
Comment 7 Jan Grulich 2022-06-20 11:55:40 UTC 
Sorry, I didn't intend to close it yet.
Comment 9 Paulo Andrade 2022-06-20 12:19:16 UTC 
(In reply to Jan Grulich from comment #5)
> I spent again some time trying to reproduce this, but I don't even get to
> the point where the faulty code is called.
> 
> Were you able to reproduce it? Can you help me with a reproducer? I don't
> get the "SelectionNotify" event and not sure under what circumstances it is
> supposed to be send.

  You should get SelectionNotify in a procedure like:

1. Use some text editor, select text.
2. Use another text editor, select new text.

  Likely easier to reproduce with Xt or Motif based applications.

  The problem happens when there is a small selection buffer, then, it is
changed to a very large one, of several megabytes.

  The crash happens because the code does not properly handle memory relocation
when realloc changes the base pointer.

  If realloc uses the same base pointer, no problem will happen.

  If you running under gdb, you can insert a few calls like:

(gdb) call malloc(4096)
(gdb) call malloc(65536)

and other values.

to force a leak and memory fragmentation, so that realloc changes the base
pointer. 


  Basically, the patch would be to change from:

                if (actual == fl_INCR) {
		  bytesread = getIncrData(sn_buffer, xevent.xselection, *(long*)portion);
		  XFree(portion);
		  break;
		}
...
static long getIncrData(uchar* &data, const XSelectionEvent& selevent, long lower_bound)
...
        if (total + num_bytes > (size_t)lower_bound) data = (uchar*)realloc(data, total + num_bytes);


to:


                if (actual == fl_INCR) {
		  bytesread = getIncrData(&sn_buffer, xevent.xselection, *(long*)portion);
		  XFree(portion);
		  break;
		}
...
static long getIncrData(uchar **data, const XSelectionEvent& selevent, long lower_bound)
...
        if (total + num_bytes > (size_t)lower_bound) *data = (uchar*)realloc(*data, total + num_bytes);
Comment 10 Jan Grulich 2022-06-20 13:50:59 UTC 
I'm still not able to get the code to call "getIncrData()", no idea why. Without being able to reproduce I'm not likely to move forward.

What is your way to reproduce it? How do you start Tigervnc and what desktop and apps you run on the server to test this?
Comment 11 Paulo Andrade 2022-06-20 14:23:14 UTC 
  I am not able to reproduce the issue. I saw a few reports about it.

  Command line appears to be somewhat like:

.../usr/bin/Xvnc :1 -auth .../.Xauthority -depth 24 -desktop Xvnc -fp catalogue:/etc/X11/fontpath.d -geometry 1920x1200 -pn -rfbauth .../.vnc/passwd -rfbport 5901 -rfbwait 30000 -desktop user@hist::1 -MaxCutText 100000000 -AlwaysShared -AcceptSetDesktopSize=0 -UseIPv6=0 -dpi 100 -cc 4

  Looking a bit more around, I found related link:

https://github.com/TigerVNC/tigervnc/issues/961
[Support for INCR in Xvnc (large clipboard)]

  Maybe the above command line shows an approach for very large copy&paste.

  Checking coredumps, it appears user is doing copy/cut & paste of very large
text buffers in the desktop; might be faster or easier to user than using
scp or a network driver...

  I see the bug is still present in upstream fltk. I will open an upstream
issue as well.
Comment 12 Jan Grulich 2022-07-11 06:45:23 UTC 
Looks upstream pushed some fixes to this issue. We can backport them to RHEL 7.
Comment 13 Jan Grulich 2022-07-11 06:46:56 UTC 
We would like to backport following changes:
1) https://github.com/Albrecht-S/fltk/commit/5e46e3380887dcd30dc7ea582496bbd9a6a4d70c
2) https://github.com/Albrecht-S/fltk/commit/7ed06a7b65c6f91da50b6664c742208ce520a983
Comment 14 Tomas Popela 2022-07-11 07:03:18 UTC 
(In reply to Jan Grulich from comment #12)
> Looks upstream pushed some fixes to this issue. We can backport them to RHEL
> 7.

Jan: Before I will approve it for z-stream - would it be possible to create a scratch build with these changes included?

Paulo: Could the customer test such a scratch build?
Comment 15 Jan Grulich 2022-07-11 07:30:22 UTC 
Scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=46481435

And because the scratch build will be gone soon I downloaded x86_64 packages and uploaded them here: https://jgrulich.fedorapeople.org/fltk/
Comment 17 Steve Barcomb 2022-10-18 13:10:11 UTC 
The customer reported that the test package set worked without issues.
Comment 25 errata-xmlrpc 2022-11-02 16:38:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (fltk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7345
Note You need to log in before you can comment on or make changes to this bug.