2209676 – valgrind errors on openscap memcheck

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2209676 - valgrind errors on openscap memcheck

Summary: valgrind errors on openscap memcheck

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Deadline:	2023-07-03
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	valgrind
Sub Component:
Version:	9.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Mark Wielaard
QA Contact:	Jesus Checa
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2211836
TreeView+	depends on / blocked

Reported:	2023-05-24 13:22 UTC by Matus Marhefka
Modified:	2023-11-07 09:35 UTC (History)
CC List:	4 users (show)
Fixed In Version:	valgrind-3.21.0-7.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	2211836 (view as bug list)
Environment:	risk=low size=small priority=medium
Last Closed:	2023-11-07 08:30:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Input XML file for openscap needed to reproduce the issue (1.96 KB, application/xml) 2023-05-24 13:22 UTC, Matus Marhefka	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
KDE Software Compilation	470520	NOR	ASSIGNED	Multiple realloc zero errors crash in MC_(eq_Error)	2023-06-01 14:42:08 UTC
Red Hat Issue Tracker	RHELPLAN-158063	None	None	None	2023-05-24 13:25:06 UTC
Red Hat Product Errata	RHBA-2023:6395	None	None	None	2023-11-07 08:30:37 UTC

Description Matus Marhefka 2023-05-24 13:22:43 UTC

Created attachment 1966632 [details]
Input XML file for openscap needed to reproduce the issue

Description of problem:
valgrind errors on openscap memcheck, see the reproducer below. Snip of the log with error (full valgrind output (valgrind.out) is attached):

==33335== Memcheck, a memory error detector
==33335== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==33335== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==33335== Command: oscap oval eval rpmverifyfile.oval.xml
==33335== 
==33335== Thread 4 input_handler:
==33335== realloc() with size 0
==33335==    at 0x4849A40: realloc (vg_replace_malloc.c:1649)
==33335==    by 0x495A9CA: UnknownInlinedFun (seap-packet.c:209)
==33335==    by 0x495A9CA: SEAP_packet_recv.isra.0 (seap-packet.c:730)
==33335==    by 0x4931403: SEAP_recvmsg (seap.c:360)
==33335==    by 0x4934034: probe_input_handler (input_handler.c:102)
==33335==    by 0x4A57831: start_thread (in /usr/lib64/libc.so.6)
==33335==    by 0x49F7313: clone (in /usr/lib64/libc.so.6)
==33335==  Address 0x7e44fe0 is 0 bytes after a block of size 0 alloc'd
==33335==    at 0x484482F: malloc (vg_replace_malloc.c:431)
==33335==    by 0x495A40F: UnknownInlinedFun (seap-packet.c:110)
==33335==    by 0x495A40F: SEAP_packet_recv.isra.0 (seap-packet.c:730)
==33335==    by 0x4931403: SEAP_recvmsg (seap.c:360)
==33335==    by 0x4934034: probe_input_handler (input_handler.c:102)
==33335==    by 0x4A57831: start_thread (in /usr/lib64/libc.so.6)
==33335==    by 0x49F7313: clone (in /usr/lib64/libc.so.6)
==33335== 
Error:
  unknown error code 14

Memcheck: the 'impossible' happened:
   unknown error code in mc_eq_Error
...


Version-Release number of selected component (if applicable):
valgrind-3.21.0-2.el9.x86_64
openscap-1.3.7-1.el9.x86_64


How reproducible:
deterministic


Steps to Reproduce:
1. dnf -y install openscap-scanner valgrind
2. dnf -y debuginfo-install openscap
3. valgrind --leak-check=full oscap oval eval rpmverifyfile.oval.xml &>valgrind.out

Note: Tested on RHEL-9.3.0-20230516.0 compose, error occurs also without `--leak-check=full` parameter. File rpmverifyfile.oval.xml is attached.


Actual results:
valgrind errors on openscap memcheck with "unknown error code 14".


Expected results:
valgrind successfully performs openscap memcheck.


Additional info:

Comment 2 Mark Wielaard 2023-05-24 13:32:37 UTC

valgrind 3.21.0 warns by default on realloc with size zero (I am just about to publish an article about that). From the NEWS file:

  - Performs checks for the use of realloc with a size of zero.
    This is non-portable and a source of errors. If memcheck
    detects such a usage it will generate an error
      realloc() with size 0
    followed by the usual callstacks.
    A switch has been added to allow this to be turned off:
      --show-realloc-size-zero=yes|no [yes]

This was done because in the new C23 standard realloc with size zero in undefined behavior.

Could you try running with --show-realloc-size-zero=no ?

But even if that works then the following
Error:
  unknown error code 14

Memcheck: the 'impossible' happened:
   unknown error code in mc_eq_Error

Might be a real bug in valgrind. It is certainly not supposed to crash.

Comment 3 Matus Marhefka 2023-05-24 14:04:35 UTC

Thanks, adding `--show-realloc-size-zero=no` helps:

==24812== Memcheck, a memory error detector
==24812== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==24812== Using Valgrind-3.21.0 and LibVEX; rerun with -h for copyright info
==24812== Command: oscap oval eval rpmverifyfile.oval.xml
==24812== 
Definition oval:x:def:1: true
Evaluation done.
==24812== 
==24812== HEAP SUMMARY:
==24812==     in use at exit: 479 bytes in 14 blocks
==24812==   total heap usage: 270,994 allocs, 270,980 frees, 31,011,496 bytes allocated
==24812== 
==24812== LEAK SUMMARY:
==24812==    definitely lost: 0 bytes in 0 blocks
==24812==    indirectly lost: 0 bytes in 0 blocks
==24812==      possibly lost: 0 bytes in 0 blocks
==24812==    still reachable: 479 bytes in 14 blocks
==24812==         suppressed: 0 bytes in 0 blocks
==24812== Reachable blocks (those to which a pointer was found) are not shown.
==24812== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==24812== 
==24812== For lists of detected and suppressed errors, rerun with: -s
==24812== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

Comment 4 Florian Weimer 2023-05-24 14:07:21 UTC

Maybe we should change the valgrind default on glibc systems? For backwards compatibility, I think we need to stick to the current realloc behavior indefinitely.

Comment 5 Mark Wielaard 2023-05-24 16:01:03 UTC

(In reply to Matus Marhefka from comment #3)
> Thanks, adding `--show-realloc-size-zero=no` helps:

Thanks for testing that. I'll keep this bug open till I understand why the error/crash happens with the default --show-realloc-size-zero=yes.

Comment 6 Mark Wielaard 2023-05-24 16:06:05 UTC

(In reply to Florian Weimer from comment #4)
> Maybe we should change the valgrind default on glibc systems? For backwards
> compatibility, I think we need to stick to the current realloc behavior
> indefinitely.

Note that the actual behavior didn't change, it still defaults to what current glibc systems do (on Fedora/RHEL at least). But it does produce this extra warning by default now because it is likely a bug (or at least unportable code). But 3.21.0 does make it possible to also change the behavior, from NEWS again:

* The behaviour of realloc with a size of zero can now
  be changed for tools that intercept malloc. Those
  tools are memcheck, helgrind, drd, massif and dhat.
  Realloc implementations generally do one of two things
     - free the memory like free() and return NULL
       (GNU libc and ptmalloc).
     - either free the memory and then allocate a
       minimum sized block or just return the
       original pointer. Return NULL if the
       allocation of the minimum sized block fails
       (jemalloc, musl, snmalloc, Solaris, macOS).
  When Valgrind is configured and built it will
  try to match the OS and libc behaviour. However
  if you are using a non-default library to replace
  malloc and family (e.g., musl on a glibc Linux or
  tcmalloc on FreeBSD) then you can use a command line
  option to change the behaviour of Valgrind:
    --realloc-zero-bytes-frees=yes|no [yes on Linux glibc, no otherwise]

Comment 7 Mark Wielaard 2023-06-01 11:19:39 UTC

Found the bug in valgrind, the MC_(eq_Error) function didn't handle the new Err_ReallocSizeZero error (that function looks to see if an error is similar to a previous encountered one):

diff --git a/memcheck/mc_errors.c b/memcheck/mc_errors.c
index 00d6ec301..65210a220 100644
--- a/memcheck/mc_errors.c
+++ b/memcheck/mc_errors.c
@@ -1041,6 +1041,7 @@ Bool MC_(eq_Error) ( VgRes res, const Error* e1, const Error* e2 )
       case Err_IllegalMempool:
       case Err_Overlap:
       case Err_Cond:
+      case Err_ReallocSizeZero:
          return True;
 
       case Err_FishyValue:

Will discuss upstream and probably backport this fix if approved.

BTW. I think the code in openscap-scanner that valgrind now warns against should be rewritten as follows:

--- ./src/OVAL/probes/SEAP/seap-packet.c	2023-01-26 14:13:08.000000000 +0100
+++ ./src/OVAL/probes/SEAP/seap-packet.c	2023-06-01 13:09:35.458020809 +0200
@@ -206,9 +206,19 @@
         _A(attr_i >= (SEXP_list_length (sexp_msg) - 4)/2);
 
         seap_msg->attrs_cnt = attr_i;
-        void *new_attrs = realloc(seap_msg->attrs, sizeof(SEAP_attr_t) * seap_msg->attrs_cnt);
-        if (new_attrs != NULL || seap_msg->attrs_cnt == 0)
-                seap_msg->attrs = new_attrs;
+        if (seap_msg->attrs_cnt == 0) {
+                free (seap_msg->attrs);
+                seap_msg->attrs = NULL;
+        } else {
+                void *new_attrs = realloc(seap_msg->attrs, sizeof(SEAP_attr_t) * seap_msg->attrs_cnt);
+                if (new_attrs != NULL) {
+                        seap_msg->attrs = new_attrs;
+                } else {
+                        free (seap_msg->attrs);
+                        seap_msg->attrs = NULL;
+                        return (SEAP_ENOMEM);
+                }
+        }
         seap_msg->sexp = SEXP_list_last (sexp_msg);
 
         return (0);

Comment 12 errata-xmlrpc 2023-11-07 08:30:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (valgrind bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6395

Note You need to log in before you can comment on or make changes to this bug.