Bug 2087520 - anaconda (Python) crashes with gnutls 3.7.5: free(): invalid next size (fast)
Summary: anaconda (Python) crashes with gnutls 3.7.5: free(): invalid next size (fast)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: rawhide
Hardware: All
OS: Linux
high
urgent
Target Milestone: ---
Assignee: Zoltan Fridrich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
Reported: 2022-05-17 22:09 UTC by Adam Williamson
Modified: 2022-06-12 01:16 UTC

Fixed In Version: gnutls-3.7.6-1.fc36 gnutls-3.7.6-1.fc35
Doc Type: Bug Fix
Doc Text:
Cause: gnutls_realloc_zero is set as gmp reallocfunc
Consequence: programs using gmp might break due to heap corruption
Fix: fix invalid write in gnutls_realloc_zero when new_size < old_size
Result: no heap corruption when gnutls_realloc_zero is used in gmp
Clone Of:
Environment:
Last Closed: 2022-06-01 01:24:19 UTC
Type: Bug


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | FC-454 | 0 | None | None | None | 2022-05-17 22:12:21 UTC |

Description Adam Williamson 2022-05-17 22:09:30 UTC
openQA testing shows that anaconda consistently crashes when running against gnutls 3.7.5. The crash seems to be actually in Python itself, and an error message `free(): invalid next size (fast)` is shown. I don't have a full backtrace yet (this is slightly inconvenient to get for anaconda Python crashes).

I suspect this is the same as upstream https://gitlab.com/gnutls/gnutls/-/issues/1367 - I'll try any fix Jeremy comes up with there.

We have untagged gnutls-3.7.5-1.fc37 from Rawhide for now to avoid this breaking composes.

Comment 1 Zoltan Fridrich 2022-05-18 12:21:02 UTC
(In reply to Adam Williamson from comment #0)
> openQA testing shows that anaconda consistently crashes when running against
> gnutls 3.7.5. The crash seems to be actually in Python itself, and an error
> message `free(): invalid next size (fast)` is shown. I don't have a full
> backtrace yet (this is slightly inconvenient to get for anaconda Python
> crashes).
> 
> I suspect this is the same as upstream
> https://gitlab.com/gnutls/gnutls/-/issues/1367 - I'll try any fix Jeremy
> comes up with there.
> 
> We have untagged gnutls-3.7.5-1.fc37 from Rawhide for now to avoid this
> breaking composes.

Within the release 3.7.5 we started using custom gmp memory allocator functions in order to increase the security level by nullifying memory. However, we did not realize that our gnutls_realloc_zero function was already broken (could cause heap corruption) and setting it as reallocfunc for gmp might have broken stuff. This upstream MR should fix this issue https://gitlab.com/gnutls/gnutls/-/merge_requests/1592
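
The failure mode described in the comment above, as an added illustration (not the gnutls source, and not the attached patch): a zeroizing reallocate function with the `(ptr, old_size, new_size)` shape that GMP passes to its reallocation hook. The names `realloc_zero` and `wipe` are hypothetical, and the note about unsigned size arithmetic is an assumption about the bug class, since the page only says the write was invalid when `new_size < old_size`.

```c
#include <stdlib.h>
#include <string.h>

/* Zeroize through a volatile pointer so the stores are not optimized away. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/*
 * Hypothetical zeroizing realloc (illustration only, not the gnutls code).
 * Every byte it touches is bounded by the size of the block it belongs to:
 * old_size for the old block, new_size for the new one.
 */
void *realloc_zero(void *ptr, size_t old_size, size_t new_size)
{
    unsigned char *fresh;
    size_t keep;

    if (ptr == NULL)
        old_size = 0;
    if (new_size == 0) {            /* behave like a wiping free() */
        if (ptr != NULL) {
            wipe(ptr, old_size);
            free(ptr);
        }
        return NULL;
    }

    fresh = calloc(1, new_size);    /* bytes past the copied prefix are zero */
    if (fresh == NULL)
        return NULL;                /* old block is left intact */

    /* Shrinking: keep only new_size bytes. Computing new_size - old_size
     * instead would wrap around (size_t is unsigned) and yield a huge
     * length, i.e. a write far past the end of the new block. */
    keep = old_size < new_size ? old_size : new_size;
    if (keep)
        memcpy(fresh, ptr, keep);

    if (ptr != NULL) {
        wipe(ptr, old_size);        /* scrub the old copy before releasing it */
        free(ptr);
    }
    return fresh;
}
```

Building a test of such a function with `-fsanitize=address` reports an out-of-bounds write at the faulting store, rather than later as a glibc abort such as `free(): invalid next size (fast)` in unrelated code.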

Comment 2 Zoltan Fridrich 2022-05-18 12:29:49 UTC
Created attachment 1880807 [details]
Patch fixing the gnutls_realloc_zero function

Comment 3 Fedora Update System 2022-05-27 13:21:30 UTC
FEDORA-2022-d46bf7581b has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-d46bf7581b

Comment 4 Fedora Update System 2022-05-27 13:21:31 UTC
FEDORA-2022-93d7c9e45d has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-93d7c9e45d

Comment 5 Fedora Update System 2022-05-27 13:21:34 UTC
FEDORA-2022-8568c6f3ac has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-8568c6f3ac

Comment 6 Fedora Update System 2022-05-28 02:06:29 UTC
FEDORA-2022-93d7c9e45d has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-93d7c9e45d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-93d7c9e45d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-05-28 02:23:27 UTC
FEDORA-2022-8568c6f3ac has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8568c6f3ac`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8568c6f3ac

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-05-28 02:39:27 UTC
FEDORA-2022-d46bf7581b has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-d46bf7581b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-d46bf7581b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-06-01 01:24:19 UTC
FEDORA-2022-93d7c9e45d has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 10 Fedora Update System 2022-06-12 01:16:15 UTC
FEDORA-2022-8568c6f3ac has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.

