Bug 476513 - radeapclient on x86_64 *** glibc detected *** radeapclient: free(): invalid pointer: On RHEL5 x86_64
radeapclient on x86_64 *** glibc detected *** radeapclient: free(): invalid p...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: freeradius (Show other bugs)
5.2
All Linux
medium Severity medium
: rc
: ---
Assigned To: John Dennis
BaseOS QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-15 06:52 EST by Martin Poole
Modified: 2013-04-12 16:00 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-12-16 04:29:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Poole 2008-12-15 06:52:06 EST
+++ This bug was initially created as a clone of Bug #476512 +++

Escalated to Bugzilla from IssueTracker

--- Additional comment from tao@redhat.com on 2008-12-15 06:45:29 EDT ---

On x86_64 build, create file:

# cat junk
User-Name = "groundwork"
NAS-IP-Address = 129.127.41.83
EAP-Code = Request
EAP-Id = 210
EAP-Type-Identity = "groundwork"
Message-Authenticator = 0x00
NAS-Port = 0

Run command :
cat junk |radeapclient tintin.services.adelaide.edu.au auth test1

Result is a ABORT due to invalid pointer free()

This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 245803

--- Additional comment from tao@redhat.com on 2008-12-15 06:45:32 EDT ---

I have grabbed a core, and done a quick analysis:


#  ulimit -c 1000000000
# cat junk |radeapclient tintin.services.adelaide.edu.au auth test1q

+++> About to send encoded packet:
        User-Name = "groundwork"
        NAS-IP-Address = 129.127.41.83
        EAP-Code = Request
        EAP-Id = 210
        EAP-Type-Identity = "groundwork"
        Message-Authenticator = 0x00
        NAS-Port = 0
*** glibc detected *** radeapclient: free(): invalid pointer:
0x000000001e0ed72c ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b850bf32634]
/lib64/libc.so.6(cfree+0x8c)[0x2b850bf35c5c]
/usr/lib64/libeap-1.1.3.so(eap_basic_compose+0x2a0)[0x2b850ac74a60]
/usr/lib64/libeap-1.1.3.so(map_eap_types+0xe3)[0x2b850ac74b73]
radeapclient[0x40311d]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b850bede8b4]
radeapclient[0x401bd9]
======= Memory map: ========
00400000-00405000 r-xp 00000000 fd:00 40730729                          
/usr/bin/radeapclient
00605000-00606000 rw-p 00005000 fd:00 40730729                          
/usr/bin/radeapclient
1e066000-1e197000 rw-p 1e066000 00:00 0 
2b850aa56000-2b850aa70000 r-xp 00000000 fd:00 72056871                  
/lib64/ld-2.5.so
2b850aa70000-2b850aa72000 rw-p 2b850aa70000 00:00 0 
2b850ac70000-2b850ac71000 r--p 0001a000 fd:00 72056871                  
/lib64/ld-2.5.so
2b850ac71000-2b850ac72000 rw-p 0001b000 fd:00 72056871                  
/lib64/ld-2.5.so
2b850ac72000-2b850ac7a000 r-xp 00000000 fd:00 41027137                  
/usr/lib64/libeap-1.1.3.so
2b850ac7a000-2b850ae79000 ---p 00008000 fd:00 41027137                  
/usr/lib64/libeap-1.1.3.so
2b850ae79000-2b850ae7a000 rw-p 00007000 fd:00 41027137                  
/usr/lib64/libeap-1.1.3.so
2b850ae7a000-2b850ae90000 r-xp 00000000 fd:00 41025636                  
/usr/lib64/libradius-1.1.3.so
2b850ae90000-2b850b08f000 ---p 00016000 fd:00 41025636                  
/usr/lib64/libradius-1.1.3.so
2b850b08f000-2b850b091000 rw-p 00015000 fd:00 41025636                  
/usr/lib64/libradius-1.1.3.so
2b850b091000-2b850b093000 rw-p 2b850b091000 00:00 0 
2b850b0af000-2b850b0b8000 r-xp 00000000 fd:00 72056853                  
/lib64/libcrypt-2.5.so
2b850b0b8000-2b850b2b7000 ---p 00009000 fd:00 72056853                  
/lib64/libcrypt-2.5.so
2b850b2b7000-2b850b2b8000 r--p 00008000 fd:00 72056853                  
/lib64/libcrypt-2.5.so
2b850b2b8000-2b850b2b9000 rw-p 00009000 fd:00 72056853                  
/lib64/libcrypt-2.5.so
2b850b2b9000-2b850b2e7000 rw-p 2b850b2b9000 00:00 0 
2b850b2e7000-2b850b2fc000 r-xp 00000000 fd:00 72056866                  
/lib64/libnsl-2.5.so
2b850b2fc000-2b850b4fb000 ---p 00015000 fd:00 72056866                  
/lib64/libnsl-2.5.so
2b850b4fb000-2b850b4fc000 r--p 00014000 fd:00 72056866                  
/lib64/libnsl-2.5.so
2b850b4fc000-2b850b4fd000 rw-p 00015000 fd:00 72056866                  
/lib64/libnsl-2.5.so
2b850b4fd000-2b850b500000 rw-p 2b850b4fd000 00:00 0 
2b850b500000-2b850b511000 r-xp 00000000 fd:00 72056882                  
/lib64/libresolv-2.5.so
2b850b511000-2b850b711000 ---p 00011000 fd:00 72056882                  
/lib64/libresolv-2.5.so
2b850b711000-2b850b712000 r--p 00011000 fd:00 72056882                  
/lib64/libresolv-2.5.so
2b850b712000-2b850b713000 rw-p 00012000 fd:00 72056882                  
/lib64/libresolv-2.5.so
2b850b713000-2b850b715000 rw-p 2b850b713000 00:00 0 
2b850b715000-2b850b72a000 r-xp 00000000 fd:00 72057005                  
/lib64/libpthread-2.5.so
2b850b72a000-2b850b929000 ---p 00015000 fd:00 72057005                  
/lib64/libpthread-2.5.so
2b850b929000-2b850b92a000 r--p 00014000 fd:00 72057005                  
/lib64/libpthread-2.5.so
2b850b92a000-2b850b92b000 rw-p 00015000 fd:00 72057005                  
/lib64/libpthread-2.5.so
2b850b92b000-2b850b92f000 rw-p 2b850b92b000 00:00 0 
2b850b92f000-2b850b972000 r-xp 00000000 fd:00 72056860                  
/lib64/libssl.so.0.9.8b
2b850b972000-2b850bb72000 ---p 00043000 fd:00 72056860                  
/lib64/libssl.so.0.9.8b
2b850bb72000-2b850bb78000 rw-p 00043000 fd:00 72056860                  
/lib64/libssl.so.0.9.8b
2b850bb78000-2b850bb79000 rw-p 2b850bb78000 00:00 0 
2b850bb79000-2b850bc9e000 r-xp 00000000 fd:00 72056847                  
/lib64/libcrypto.so.0.9.8b
2b850bc9e000-2b850be9e000 ---p 00125000 fd:00 72056847                  
/lib64/libcrypto.so.0.9.8b
2b850be9e000-2b850bebd000 rw-p 00125000 fd:00 72056847                  
/lib64/libcrypto.so.0.9.8b
2b850bebd000-2b850bec1000 rw-p 2b850bebd000 00:00 0 
2b850bec1000-2b850c00b000 r-xp 00000000 fd:00 72056892                  
/lib64/libc-2.5.so
2b850c00b000-2b850c20a000 ---p 0014a000 fd:00 72056892                  
/lib64/libc-2.5.so
2b850c20a000-2b850c20e000 r--p 00149000 fd:00 72056892                  
/lib64/libc-2.5.so
2b850c20e000-2b850c20f000 rw-p 0014d000 fd:00 72056892                  
/lib64/libc-2.5.so
2b850c20f000-2b850c214000 rw-p 2b850c20f000 00:00 0 
2b850c214000-2b850c240000 r-xp 00000000 fd:00 41026383                  
/usr/lib64/libgssapi_krb5.so.2.2
2b850c240000-2b850c440000 ---p 0002c000 fd:00 41026383                  
/usr/lib64/libgssapi_krb5.so.2.2
2b850c440000-2b850c442000 rw-p 0002c000 fd:00 41026383                  
/usr/lib64/libgssapi_krb5.so.2.2
2b850c442000-2b850c443000 rw-p 2b850c442000 00:00 0 
2b850c443000-2b850c4d2000 r-xp 00000000 fd:00 41026441                  
/usr/lib64/libkrb5.so.3.3
2b850c4d2000-2b850c6d2000 ---p 0008f000 fd:00 41026441                  
/usr/lib64/libkrb5.so.3.3
2b850c6d2000-2b850c6d6000 rw-p 0008f000 fd:00 41026441                  
/usr/lib64/libkrb5.so.3.3
2b850c6d6000-2b850c6d8000 r-xp 00000000 fd:00 72057012                  
/lib64/libcom_err.so.2.1
2b850c6d8000-2b850c8d7000 ---p 00002000 fd:00 72057012                  
/lib64/libcom_err.so.2.1
2b850c8d7000-2b850c8d8000 rw-p 00001000 fd:00 72057012                  
/lib64/libcom_err.so.2.1
2b850c8d8000-2b850c8fc000 r-xp 00000000 fd:00 41026427                  
/usr/lib64/libk5crypto.so.3.1
2b850c8fc000-2b850cafb000 ---p 00024000 fd:00 41026427                  
/usr/lib64/libk5crypto.so.3.1
2b850cafb000-2b850cafd000 rw-p 00023000 fd:00 41026427                  
/usr/lib64/libk5crypto.so.3.1
2b850cafd000-2b850cafe000 rw-p 2b850cafd000 00:00 0 
2b850cafe000-2b850cb00000 r-xp 00000000 fd:00 72056879                  
/lib64/libdl-2.5.so
2b850cb00000-2b850cd00000 ---p 00002000 fd:00 72056879                  
/lib64/libdl-2.5.so
2b850cd00000-2b850cd01000 r--p 00002000 fd:00 72056879                  
/lib64/libdl-2.5.so
2b850cd01000-2b850cd02000 rw-p 00003000 fd:00 72056879                  
/lib64/libdl-2.5.so
2b850cd02000-2b850cd16000 r-xp 00000000 fd:00 41025740                  
/usr/lib64/libz.so.1.2.3
2b850cd16000-2b850cf15000 ---p 00014000 fd:00 41025740                  
/usr/lib64/libz.so.1.2.3
2b850cf15000-2b850cf16000 rw-p 00013000 fd:00 41025740                  
/usr/lib64/libz.so.1.2.3
2b850cf16000-2b850cf1e000 r-xp 00000000 fd:00 41026446                  
/usr/lib64/libkrb5support.so.0.1
2b850cf1e000-2b850d11d000 ---p 00008000 fd:00 41026446                  
/usr/lib64/libkrb5support.so.0.1
2b850d11d000-2b850d11e000 rw-p 00007000 fd:00 41026446                  
/usr/lib64/libkrb5support.so.0.1
2b850d11e000-2b850d11f000 rw-p 2b850d11e000 00:00 0 
2b850d11f000-2b850d121000 r-xp 00000000 fd:00 72056905                  
/lib64/libkeyutils-1.2.so
2b850d121000-2b850d320000 ---p 00002000 fd:00 72056905                  
/lib64/libkeyutils-1.2.so
2b850d320000-2b850d321000 rw-p 00001000 fd:00 72056905                  
/lib64/libkeyutils-1.2.so
2b850d321000-2b850d336000 r-xp 00000000 fd:00 72056869                  
/lib64/libselinux.so.1
2b850d336000-2b850d536000 ---p 00015000 fd:00 72056869                  
/lib64/libselinux.so.1
2b850d536000-2b850d538000 rw-p 00015000 fd:00 72056869                  
/lib64/libselinux.so.1
2b850d538000-2b850d53a000 rw-p 2b850d538000 00:00 0 
2b850d53a000-2b850d575000 r-xp 00000000 fd:00 72056902                  
/lib64/libsepol.so.1
2b850d575000-2b850d775000 ---p 0003b000 fd:00 72056902                  
/lib64/libsepol.so.1
2b850d775000-2b850d776000 rw-p 0003b000 fd:00 72056902                  
/lib64/libsepol.so.1
2b850d776000-2b850d782000 rw-p 2b850d776000 00:00 0 
2b850d782000-2b850d78c000 r-xp 00000000 fd:00 72057116                  
/lib64/libnss_files-2.5.so
2b850d78c000-2b850d98b000 ---p 0000a000 fd:00 72057116                  
/lib64/libnss_files-2.5.so
2b850d98b000-2b850d98c000 r--p 00009000 fd:00 72057116                  
/lib64/libnss_files-2.5.so
2b850d98c000-2b850d98d000 rw-p 0000a000 fd:00 72057116                  
/lib64/libnss_files-2.5.so
2b850d98d000-2b850d991000 r-xp 00000000 fd:00 72056856                  
/lib64/libnss_dns-2.5.so
2b850d991000-2b850db90000 ---p 00004000 fd:00 72056856                  
/lib64/libnss_dns-2.5.so
2b850db90000-2b850db91000 r--p 00003000 fd:00 72056856                  
/lib64/libnss_dns-2.5.so
2b850db91000-2b850db92000 rw-p 00004000 fd:00 72056856                  
/lib64/libnss_dns-2.5.so
2b850dbb0000-2b850dbbd000 r-xp 00000000 fd:00 72056889                  
/lib64/libgcc_s-4.1.2-20080102.so.1
2b850dbbd000-2b850ddbd000 ---p 0000d000 fd:00 72056889                  
/lib64/libgcc_s-4.1.2-20080102.so.1
2b850ddbd000-2b850ddbe000 rw-p 0000d000 fd:00 72056889                  
/lib64/libgcc_s-4.1.2-20080102.so.1
2b8510000000-2b8510021000 rw-p 2b8510000000 00:00 0 
2b8510021000-2b8514000000 ---p 2b8510021000 00:00 0 
7fffa003e000-7fffa0054000 rw-p 7fffa003e000 00:00 0                     
[stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                 
[vdso]
Aborted (core dumped)


mkearey assigned to issue for GSS-APAC Australia/New Zealand Support.
Status set to: Waiting on Tech

This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 245803

--- Additional comment from tao@redhat.com on 2008-12-15 06:45:33 EDT ---

# gdb  `which radeapclient` core.24108
GNU gdb Red Hat Linux (6.5-37.el5_2.2rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging
symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

Reading symbols from /usr/lib64/libeap-1.1.3.so...Reading symbols from
/usr/lib/debug/usr/lib64/libeap-1.1.3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libeap-1.1.3.so
Reading symbols from /usr/lib64/libradius-1.1.3.so...Reading symbols from
/usr/lib/debug/usr/lib64/libradius-1.1.3.so.debug...done.
done.
Loaded symbols for /usr/lib64/libradius-1.1.3.so
Reading symbols from /lib64/libcrypt.so.1...Reading symbols from
/usr/lib/debug/lib64/libcrypt-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /lib64/libnsl.so.1...Reading symbols from
/usr/lib/debug/lib64/libnsl-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnsl.so.1
Reading symbols from /lib64/libresolv.so.2...Reading symbols from
/usr/lib/debug/lib64/libresolv-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libresolv.so.2
Reading symbols from /lib64/libpthread.so.0...Reading symbols from
/usr/lib/debug/lib64/libpthread-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libpthread.so.0
Reading symbols from /lib64/libssl.so.6...Reading symbols from
/usr/lib/debug/lib64/libssl.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib64/libssl.so.6
Reading symbols from /lib64/libcrypto.so.6...Reading symbols from
/usr/lib/debug/lib64/libcrypto.so.0.9.8b.debug...done.
done.
Loaded symbols for /lib64/libcrypto.so.6
Reading symbols from /lib64/libc.so.6...Reading symbols from
/usr/lib/debug/lib64/libc-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from
/usr/lib/debug/lib64/ld-2.5.so.debug...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /usr/lib64/libgssapi_krb5.so.2...Reading symbols from
/usr/lib/debug/usr/lib64/libgssapi_krb5.so.2.2.debug...done.
done.
Loaded symbols for /usr/lib64/libgssapi_krb5.so.2
Reading symbols from /usr/lib64/libkrb5.so.3...Reading symbols from
/usr/lib/debug/usr/lib64/libkrb5.so.3.3.debug...done.
done.
Loaded symbols for /usr/lib64/libkrb5.so.3
Reading symbols from /lib64/libcom_err.so.2...Reading symbols from
/usr/lib/debug/lib64/libcom_err.so.2.1.debug...done.
done.
Loaded symbols for /lib64/libcom_err.so.2
Reading symbols from /usr/lib64/libk5crypto.so.3...Reading symbols from
/usr/lib/debug/usr/lib64/libk5crypto.so.3.1.debug...done.
done.
Loaded symbols for /usr/lib64/libk5crypto.so.3
Reading symbols from /lib64/libdl.so.2...Reading symbols from
/usr/lib/debug/lib64/libdl-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libdl.so.2
Reading symbols from /usr/lib64/libz.so.1...Reading symbols from
/usr/lib/debug/usr/lib64/libz.so.1.2.3.debug...done.
done.
Loaded symbols for /usr/lib64/libz.so.1
Reading symbols from /usr/lib64/libkrb5support.so.0...Reading symbols from
/usr/lib/debug/usr/lib64/libkrb5support.so.0.1.debug...done.
done.
Loaded symbols for /usr/lib64/libkrb5support.so.0
Reading symbols from /lib64/libkeyutils.so.1...done.
Loaded symbols for /lib64/libkeyutils.so.1
Reading symbols from /lib64/libselinux.so.1...done.
Loaded symbols for /lib64/libselinux.so.1
Reading symbols from /lib64/libsepol.so.1...done.
Loaded symbols for /lib64/libsepol.so.1
Reading symbols from /lib64/libnss_files.so.2...Reading symbols from
/usr/lib/debug/lib64/libnss_files-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnss_files.so.2
Reading symbols from /lib64/libnss_dns.so.2...Reading symbols from
/usr/lib/debug/lib64/libnss_dns-2.5.so.debug...done.
done.
Loaded symbols for /lib64/libnss_dns.so.2
Reading symbols from /lib64/libgcc_s.so.1...Reading symbols from
/usr/lib/debug/lib64/libgcc_s-4.1.2-20080102.so.1.debug...done.
done.
Loaded symbols for /lib64/libgcc_s.so.1
Core was generated by `radeapclient tintin.services.adelaide.edu.au auth
test1'.
Program terminated with signal 6, Aborted.
#0  0x00002b2535662155 in *__GI_raise (sig=<value optimized out>) at
../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) up
#1  0x00002b2535663bf0 in *__GI_abort () at abort.c:88
88            raise (SIGABRT);
(gdb) up
#2  0x00002b253569c38b in __libc_message (do_abort=2, fmt=0x2b2535750d68
"*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
170           abort ();
(gdb) up
#3  0x00002b25356a3634 in _int_free (av=0x2b25359809a0, mem=<value
optimized out>) at malloc.c:5768
5768          __libc_message (action & 2,
(gdb) up
#4  0x00002b25356a6c5c in *__GI___libc_free (mem=0x6) at malloc.c:3545
3545      _int_free(ar_ptr, mem);
(gdb) up
#5  0x00002b25343e5a60 in eap_basic_compose (packet=0x4dd1510,
reply=0x7fff768e0140) at eapcommon.c:219
219                             free(reply->type.data);
(gdb) list
214                      * Zero length/No typedata is supported as long
as
215                      * type is defined
216                      */
217                     if (reply->type.data && reply->type.length > 0) {
218                             memcpy(&hdr->data[1], reply->type.data,
reply->type.length);
219                             free(reply->type.data);     <------- HERE
!!!
220                             reply->type.data = reply->packet +
EAP_HEADER_LEN + 1/*EAPtype*/;
221                     }
222             }
223
(gdb)

Summary edited.

This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 245803

--- Additional comment from tao@redhat.com on 2008-12-15 06:45:35 EDT ---

One up again :

(gdb) up
#6  0x00002b25343e5b73 in map_eap_types (req=0x4dd1510) at
eapcommon.c:389
389                     eap_basic_compose(req, &ep);
(gdb) list
384                     ep.code = eapcode;
385                     ep.id   = id;
386                     ep.type.type = eap_type;
387                     ep.type.length = vp->length;   
388                     ep.type.data = vp->strvalue;<--- Assigning ptr to
ptr
389                     eap_basic_compose(req, &ep);
390             }
391     }
392
393     /*
(gdb) 



Patch freeradius-1.0.1-rlm_eapcommon.patch attached seems to resolve the
problem.




This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 245803

--- Additional comment from mpoole@redhat.com on 2008-12-15 06:48:40 EDT ---

Created an attachment (id=326933)
patch for  free bug

This patch appears to correspond to the changes made in current (but abandoned) V1.1 upstream.  No return value checking, but meh.
Comment 1 RHEL Product and Program Management 2009-03-26 13:21:58 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 8 errata-xmlrpc 2009-12-16 04:29:22 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1678.html

Note You need to log in before you can comment on or make changes to this bug.