Bug 730952 - sed: double free or corruption when building sssd
Summary: sed: double free or corruption when building sssd
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 15
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Jeff Law
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 757881 757887 757888
TreeView+ depends on / blocked
 
Reported: 2011-08-16 11:15 UTC by Pavel Březina
Modified: 2016-11-24 15:43 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 757700 757881 757887 757888 (view as bug list)
Environment:
Last Closed: 2012-01-25 18:29:00 UTC


Attachments (Terms of Use)
core dump (444.00 KB, application/octet-stream)
2011-08-16 11:15 UTC, Pavel Březina
no flags Details
Possible input for sed (11.64 KB, application/octet-stream)
2011-08-18 07:55 UTC, Pavel Březina
no flags Details
zip file with reproducers (1.56 KB, application/zip)
2011-11-28 12:18 UTC, Paolo Bonzini
no flags Details
untested patch (892 bytes, patch)
2011-11-28 13:09 UTC, Paolo Bonzini
no flags Details | Diff
better patch (4.55 KB, patch)
2011-11-28 17:46 UTC, Paolo Bonzini
no flags Details | Diff

Description Pavel Březina 2011-08-16 11:15:07 UTC
Created attachment 518464 [details]
core dump

Description of problem:
sed: double free or corruption when building sssd

Version-Release number of selected component (if applicable):
GNU sed version 4.2.

How reproducible:
always

Steps to Reproduce:
(I don't know how to reproduce it using sed only)
1. git clone git://git.fedorahosted.org/git/sssd.git .
2. git checkout 5bf2314b9f64099cd4e88b8f3498d986d97e1ac6
3. autoreconf -if
4. ./configure
5. LANG="cs_CZ.UTF8" make prerelease-rpms
  
Actual results:
*** glibc detected *** sed: double free or corruption (!prev): 0x0000000002158080 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3be427703a]
/lib64/libc.so.6[0x3be42c0349]
/lib64/libc.so.6[0x3be42c50bc]
/lib64/libc.so.6(re_search+0x18)[0x3be42c5ac8]
sed[0x4078a2]
sed[0x406d6c]
sed[0x407570]
sed[0x40237c]
/lib64/libc.so.6(__libc_start_main+0xed)[0x3be422139d]
sed[0x402469]
======= Memory map: ========
00400000-00410000 r-xp 00000000 08:03 20447269                           /bin/sed
0060f000-00610000 rw-p 0000f000 08:03 20447269                           /bin/sed
00610000-00619000 rw-p 00000000 00:00 0
0080f000-00811000 rw-p 0000f000 08:03 20447269                           /bin/sed
02150000-02171000 rw-p 00000000 00:00 0                                  [heap]
3be3e00000-3be3e1f000 r-xp 00000000 08:03 11538960                       /lib64/ld-2.14.so
3be401e000-3be401f000 r--p 0001e000 08:03 11538960                       /lib64/ld-2.14.so
3be401f000-3be4020000 rw-p 0001f000 08:03 11538960                       /lib64/ld-2.14.so
3be4020000-3be4021000 rw-p 00000000 00:00 0
3be4200000-3be438f000 r-xp 00000000 08:03 11538961                       /lib64/libc-2.14.so
3be438f000-3be458e000 ---p 0018f000 08:03 11538961                       /lib64/libc-2.14.so
3be458e000-3be4592000 r--p 0018e000 08:03 11538961                       /lib64/libc-2.14.so
3be4592000-3be4593000 rw-p 00192000 08:03 11538961                       /lib64/libc-2.14.so
3be4593000-3be4599000 rw-p 00000000 00:00 0
3be4a00000-3be4a02000 r-xp 00000000 08:03 11538964                       /lib64/libdl-2.14.so
3be4a02000-3be4c02000 ---p 00002000 08:03 11538964                       /lib64/libdl-2.14.so
3be4c02000-3be4c03000 r--p 00002000 08:03 11538964                       /lib64/libdl-2.14.so
3be4c03000-3be4c04000 rw-p 00003000 08:03 11538964                       /lib64/libdl-2.14.so
3be6200000-3be621d000 r-xp 00000000 08:03 11538970                       /lib64/libselinux.so.1
3be621d000-3be641c000 ---p 0001d000 08:03 11538970                       /lib64/libselinux.so.1
3be641c000-3be641d000 r--p 0001c000 08:03 11538970                       /lib64/libselinux.so.1
3be641d000-3be641e000 rw-p 0001d000 08:03 11538970                       /lib64/libselinux.so.1
3be641e000-3be641f000 rw-p 00000000 00:00 0
3fb4e00000-3fb4e15000 r-xp 00000000 08:03 11538984                       /lib64/libgcc_s-4.6.0-20110603.so.1
3fb4e15000-3fb5014000 ---p 00015000 08:03 11538984                       /lib64/libgcc_s-4.6.0-20110603.so.1
3fb5014000-3fb5015000 rw-p 00014000 08:03 11538984                       /lib64/libgcc_s-4.6.0-20110603.so.1
2ab18dabf000-2ab18dac0000 rw-p 00000000 00:00 0
2ab18dada000-2ab18dadd000 rw-p 00000000 00:00 0
2ab18dadd000-2ab193eff000 r--p 00000000 08:03 10355505                   /usr/lib/locale/locale-archive
2ab193eff000-2ab193f06000 r--s 00000000 08:03 10486788                   /usr/lib64/gconv/gconv-modules.cache
2ab193f06000-2ab193f09000 rw-p 00000000 00:00 0
7fff2738a000-7fff273ab000 rw-p 00000000 00:00 0                          [stack]
7fff273ff000-7fff27400000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Expected results:
RPMs created.

Additional info:
core file in attachment

file core:
core.18362: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'sed /\//!d;s|^|sssd-1.7.0/|;s,/[^/]*$,,'

backtrace:
#0  0x00002b628b6d32d5 in raise () from /lib64/libc.so.6
#1  0x00002b628b6d4beb in abort () from /lib64/libc.so.6
#2  0x00002b628b70ebce in __libc_message () from /lib64/libc.so.6
#3  0x00002b628b71503a in malloc_printerr () from /lib64/libc.so.6
#4  0x00002b628b75e459 in re_search_internal () from /lib64/libc.so.6
#5  0x00002b628b7631cc in re_search_stub () from /lib64/libc.so.6
#6  0x00002b628b763bd8 in re_search () from /lib64/libc.so.6
#7  0x00000000004078a2 in ?? ()
#8  0x0000000000406d6c in ?? ()
#9  0x0000000000407570 in ?? ()
#10 0x000000000040237c in ?? ()
#11 0x00002b628b6bf39d in __libc_start_main () from /lib64/libc.so.6
#12 0x0000000000402469 in ?? ()
#13 0x00007fffa416cdc8 in ?? ()
#14 0x000000000000001c in ?? ()
#15 0x0000000000000002 in ?? ()
#16 0x00007fffa416e452 in ?? ()
#17 0x00007fffa416e456 in ?? ()
#18 0x0000000000000000 in ?? ()

Comment 1 Paolo Bonzini 2011-08-17 23:21:51 UTC
Can you get the input?  It might as well be a glibc bug.

Comment 2 Pavel Březina 2011-08-18 07:55:09 UTC
Created attachment 518816 [details]
Possible input for sed

Comment 3 Pavel Březina 2011-08-18 07:59:13 UTC
It looks like the sed is called from Makefile, line 6171. If I'm correct, the input in the attachment is the one that is passed to sed. But

LANG="cs_CZ.UTF8" sed '/\//!d;s|^|sssd-1.7.0/|;s,/[^/]*$$,,' < input

does not reproduce the error :-(.

Comment 4 Paolo Bonzini 2011-11-28 12:18:44 UTC
Created attachment 537445 [details]
zip file with reproducers

valgrind reports a problem with this in all UTF-8 locales:

echo 'abcdefghijklmnopqrstuvwxy' | valgrind sed -e 's/\(.*z[^z]*z.*\)//p'

This was dumbed down from a reproducer from Terje Braten.  There may be other problems, so I attach less reduced versions of the input.

"sh updmap_edit tmp2.small" hangs after printing a malloc error.

"SED='valgrind sed' sh updmap_edit tmp1.small" prints:

==21135== Invalid write of size 8
==21135==    at 0x338F28936A: __GI_memset (memset.S:339)
==21135==    by 0x338F2C9DDB: clean_state_log_if_needed (regexec.c:1749)
==21135==    by 0x338F2D091F: re_search_internal (regexec.c:2554)
==21135==    by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21135==    by 0x338F2D5B67: re_search (regexec.c:326)
==21135==    by 0x4078C1: match_regex (regexp.c:252)
==21135==    by 0x4058FE: match_an_address_p (execute.c:959)
==21135==    by 0x406F14: execute_program (execute.c:1011)
==21135==    by 0x40758F: process_files (execute.c:1857)
==21135==    by 0x4023AB: main (sed.c:366)
==21135==  Address 0x4db0ee8 is 0 bytes after a block of size 136 alloc'd
==21135==    at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==21135==    by 0x338F2C9CAE: extend_buffers (regexec.c:4126)
==21135==    by 0x338F2D0AFE: re_search_internal (regexec.c:1164)
==21135==    by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21135==    by 0x338F2D5B67: re_search (regexec.c:326)
==21135==    by 0x4078C1: match_regex (regexp.c:252)
==21135==    by 0x4058FE: match_an_address_p (execute.c:959)
==21135==    by 0x406F14: execute_program (execute.c:1011)
==21135==    by 0x40758F: process_files (execute.c:1857)
==21135==    by 0x4023AB: main (sed.c:366)
==21135== 

"sh updmap_edit tmp1.med" crashes.

"SED='valgrind sed' sh updmap_edit tmp1.med" prints:

==21112== Invalid read of size 8
==21112==    at 0x338F28F49D: _wordcopy_fwd_dest_aligned (wordcopy.c:205)
==21112==    by 0x338F2890DB: __GI_memmove (memmove.c:76)
==21112==    by 0x338F2C6001: re_string_reconstruct (regex_internal.c:675)
==21112==    by 0x338F2CFC6F: re_search_internal (regexec.c:829)
==21112==    by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21112==    by 0x338F2D5B67: re_search (regexec.c:326)
==21112==    by 0x4078C1: match_regex (regexp.c:252)
==21112==    by 0x406D9B: execute_program (execute.c:1189)
==21112==    by 0x40758F: process_files (execute.c:1857)
==21112==    by 0x4023AB: main (sed.c:366)
==21112==  Address 0x4c951f8 is 216 bytes inside a block of size 220 alloc'd
==21112==    at 0x4A075B2: realloc (vg_replace_malloc.c:525)
==21112==    by 0x338F2C4DCF: re_string_realloc_buffers (regex_internal.c:143)
==21112==    by 0x338F2C9C86: extend_buffers (regexec.c:4116)
==21112==    by 0x338F2D0AFE: re_search_internal (regexec.c:1164)
==21112==    by 0x338F2D50EB: re_search_stub (regexec.c:463)
==21112==    by 0x338F2D5B67: re_search (regexec.c:326)
==21112==    by 0x4078C1: match_regex (regexp.c:252)
==21112==    by 0x406D9B: execute_program (execute.c:1189)
==21112==    by 0x40758F: process_files (execute.c:1857)
==21112==    by 0x4023AB: main (sed.c:366)
==21112==

Comment 5 Paolo Bonzini 2011-11-28 13:09:47 UTC
Created attachment 537469 [details]
untested patch

The bug is that mctx->input.mbs is

   %fourier-alt-itaalic -s -0.168exnansi
   0         1
   012345678901234^

with cur_idx pointing to the "a" at &mctx->input.mbs[15], which is also the last character (valid_len = 16).  "aa" is a multicharacter collation element in the bokmal locale, so re_string_elem_size_at returns 2 and clean_state_log_if_needed accesses one item past the allocated memory.

Testing the attached glibc patch.

Comment 6 Paolo Bonzini 2011-11-28 17:46:43 UTC
Created attachment 537575 [details]
better patch

The memmoves are a slow path, so it does not work to add zeros there.  We need to hack into findidx.

Comment 7 Jeff Law 2011-11-28 20:48:53 UTC
Paulo,

In comment #4 you mention that one of the tests hangs after printing a malloc error.  It just so happens that I'm trying to pull together some of Andreas's work which is supposed to fix the deadlocks in malloc's error case handling.

Can you file a new BZ with the tester for that problem so that it can be tracked independently?

Thanks,
Jeff

Comment 8 Paolo Bonzini 2011-11-28 21:38:39 UTC
Done, bug 757881.


Note You need to log in before you can comment on or make changes to this bug.