Bug 732989 - sftp always exits with invalid pointer
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: libedit
Version: rawhide
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
Keywords: EasyFix, Patch
Duplicates: 728413 732286
Reported: 2011-08-24 08:00 EDT by Tomáš Bžatek
Modified: 2015-03-03 18:01 EST (History)
CC: 12 users

See Also:
Fixed In Version: libedit-3.0-4.20110227cvs.fc16
Doc Type: Bug Fix
Doc Text:
Last Closed: 2011-09-09 01:24:04 EDT
Description Tomáš Bžatek 2011-08-24 08:00:49 EDT
Description of problem:
sftp command always fails with 
*** glibc detected *** /usr/bin/sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
on program exit

Version-Release number of selected component (if applicable):
glibc-2.14.90-5.x86_64
openssh-5.8p2-20.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
$ sftp localhost
tbzatek@localhost's password: 
Connected to localhost.
sftp> ^D
*** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
*** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
*** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
*** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***

Additional info:
Where should I place breakpoint in gdb to catch this?
Comment 1 Jan F. Chadima 2011-08-25 04:31:07 EDT
*** Bug 732286 has been marked as a duplicate of this bug. ***
Comment 2 Jan F. Chadima 2011-08-25 04:33:15 EDT
(In reply to comment #0)
> Description of problem:
> sftp command always fails with 
> *** glibc detected *** /usr/bin/sftp: free(): invalid pointer:
> 0xd8d8d8d8d8d8d8d8 ***
> on program exit
> 
> Version-Release number of selected component (if applicable):
> glibc-2.14.90-5.x86_64
> openssh-5.8p2-20.fc17.x86_64
> 
> How reproducible:
> always
> 

I unsuccessfully tried to reproduce it.


> Steps to Reproduce:
> $ sftp localhost
> tbzatek@localhost's password: 
> Connected to localhost.
> sftp> ^D
> *** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
> *** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
> *** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
> *** glibc detected *** sftp: free(): invalid pointer: 0xd8d8d8d8d8d8d8d8 ***
> 
> Additional info:
> Where should I place breakpoint in gdb to catch this?

int
sftp_server_main(int argc, char **argv, struct passwd *user_pw)
Comment 3 Jan F. Chadima 2011-08-25 04:35:49 EDT
*** Bug 728413 has been marked as a duplicate of this bug. ***
Comment 4 Hin-Tak Leung 2011-08-25 06:24:30 EDT
Hmm, I am a bit annoyed that (1) the earlier bug report was closed as a duplicate of a later one - with little additional information - it would only be fair to close an earlier report as duplicate of a later one if the 2nd bug report was accompanied by a fix, (2) the newer bug report is not viewable without logging on.

While I understand the latter might be a security issue, considering that the first one is still open to the public's viewing, it doesn't make sense to protect the 2nd... Likewise, although Bug 732286 looks related (mem=0xe0e0e0e0e0e0e0e0), I'd rather it be closed as a duplicate if/when there is a diagnosis/fix here, and it does not make sense to protect a later report if the earlier one is still viewable to the public.

Anyway, since there are two people who consistently reproduce this bug, I hope something good can come out soon.
Comment 5 Tomas Mraz 2011-08-25 07:06:55 EDT
I do not really think this is a Security sensitive bug as the sftp process is running with the user credentials.
Comment 6 Josh Bressers 2011-08-25 07:13:01 EDT
I can get sftp to segfault if I run sftp with the environment variable MALLOC_PERTURB_=106 set.
Comment 7 Hin-Tak Leung 2011-08-25 07:22:53 EDT
(In reply to comment #6)
> I can get sftp to segfault if I run sftp with the environment variable
> MALLOC_PERTURB_=106 set.

Indeed I have these from "export":
declare -x MALLOC_CHECK_="1"
declare -x MALLOC_PERTURB_="145"

They came from "/etc/sysconfig/debug"; besides those, it also sets a 3rd variable:
export G_SLICE=debug-blocks

"/etc/sysconfig/debug" comes from a package called debugmode-9.30-2.fc15.x86_64,
 initscripts-9.30-2.fc15.src.rpm as is.
Comment 8 Jan F. Chadima 2011-08-25 08:42:54 EDT
The problem is caused by the EditLine destructor called from sftp.
Comment 9 Tomas Mraz 2011-08-25 09:41:09 EDT
Yes, there is a clear bug in the libedit el_end() - there is a use of memory after free.
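The following is an added example and not code from libedit, openssh or this bug's comments. It models the teardown-order bug described in comments 8 and 9 and the MALLOC_PERTURB_ behaviour from comments 6 and 7: a hypothetical pool allocator (`model_malloc`/`model_free`, constructed for this example) fills a block with a perturb byte when it is released and checks every free against its live-block list, which is what makes glibc print "free(): invalid pointer" when a member pointer is read out of an already-released struct. The `EditLineModel` struct, the 0xd8 poison byte and the block sizes are assumptions chosen to reproduce the shape of the report, not libedit's real layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model allocator (hypothetical, not glibc). It imitates two
 * things glibc does: with MALLOC_PERTURB_ set, a freed block is overwritten
 * with the perturb byte; and free() of a pointer that is not a live block
 * is reported as "free(): invalid pointer" (here: counted, not aborted). */
#define POOL_SIZE     4096
#define MAX_BLOCKS    16
#define PERTURB_BYTE  0xd8   /* assumed; the byte pattern seen in the report */

static unsigned char *pool;      /* backing memory, allocated once */
static size_t pool_used;
static struct { void *ptr; size_t size; } live[MAX_BLOCKS];
static int invalid_frees;        /* frees of pointers not on the live list */
static uintptr_t last_invalid;   /* pointer value of the last bad free */

static void model_reset(void)
{
    if (!pool) {
        pool = malloc(POOL_SIZE);
        if (!pool) abort();
    }
    pool_used = 0;
    memset(live, 0, sizeof live);
    invalid_frees = 0;
    last_invalid = 0;
}

static void *model_malloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;              /* keep blocks 16-byte aligned */
    if (pool_used + n > POOL_SIZE) return NULL;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i].ptr == NULL) {
            live[i].ptr = pool + pool_used;
            live[i].size = n;
            pool_used += n;
            return live[i].ptr;
        }
    }
    return NULL;
}

static void model_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live[i].ptr == p) {
            memset(p, PERTURB_BYTE, live[i].size); /* poison the freed block */
            live[i].ptr = NULL;
            return;
        }
    }
    invalid_frees++;                 /* glibc would abort here */
    last_invalid = (uintptr_t)p;
}

static int model_live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_BLOCKS; i++) n += (live[i].ptr != NULL);
    return n;
}

/* Assumed struct with the shape of the fields el_end() touches. */
typedef struct {
    char *prog;
    struct { char *cbuff; char *wbuff; } scratch;
} EditLineModel;

static EditLineModel *model_el_init(void)
{
    EditLineModel *el = model_malloc(sizeof *el);
    el->prog = model_malloc(32);
    el->scratch.cbuff = model_malloc(64);
    el->scratch.wbuff = model_malloc(64);
    return el;
}

/* Before the fix: the struct is released first, then its members are read.
 * The reads now return the poison pattern instead of the real pointers. */
static int teardown_before_fix(uintptr_t *bad_pointer)
{
    model_reset();
    EditLineModel *el = model_el_init();
    model_free(el->prog);
    model_free(el);                  /* el released here ... */
    model_free(el->scratch.cbuff);   /* ... but still dereferenced here */
    model_free(el->scratch.wbuff);
    *bad_pointer = last_invalid;
    return invalid_frees;            /* 2: both member frees were invalid */
}

/* After the fix: every member is released first and the struct last. */
static int teardown_after_fix(void)
{
    model_reset();
    EditLineModel *el = model_el_init();
    model_free(el->prog);
    model_free(el->scratch.cbuff);
    model_free(el->scratch.wbuff);
    model_free(el);
    return invalid_frees + model_live_count();   /* 0 means clean teardown */
}

/* What a pointer-sized field reads as once its block has been poisoned. */
static uintptr_t poisoned_pointer_value(void)
{
    uintptr_t v = 0;
    for (size_t i = 0; i < sizeof v; i++) v = (v << 8) | PERTURB_BYTE;
    return v;
}

int main(void)
{
    uintptr_t bad = 0;
    int n = teardown_before_fix(&bad);
    printf("before fix: %d invalid free(s), pointer 0x%llx\n",
           n, (unsigned long long)bad);
    printf("after fix:  %d problem(s)\n", teardown_after_fix());
    return 0;
}
```

The model keeps the "freed" struct readable on purpose so the run is deterministic; in the real program the same read is undefined behaviour, and it was only the perturb fill from /etc/sysconfig/debug that turned a silent double-read into the visible 0xd8d8d8d8d8d8d8d8 pointer, which is why the bug reproduced for some users and not for others.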
Comment 10 Kamil Dudka 2011-08-25 09:50:30 EDT
This should fix it:

diff --git a/src/el.c b/src/el.c
index 168734c..d41bb3b 100644
--- a/src/el.c
+++ b/src/el.c
@@ -139,13 +139,13 @@ el_end(EditLine *el)
    sig_end(el);

    el_free((ptr_t) el->el_prog);
-   el_free((ptr_t) el);
 #ifdef WIDECHAR
    el_free((ptr_t) el->el_scratch.cbuff);
    el_free((ptr_t) el->el_scratch.wbuff);
    el_free((ptr_t) el->el_lgcyconv.cbuff);
    el_free((ptr_t) el->el_lgcyconv.wbuff);
 #endif
+   el_free((ptr_t) el);
 }
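Review bot: moving `el_free((ptr_t) el)` below the `#endif` is the right fix, because the four `el->el_scratch.*` and `el->el_lgcyconv.*` frees read fields out of `el` and previously ran after `el` itself had been released; with MALLOC_PERTURB_ set, glibc overwrites the freed block with the perturb byte, which is why the pointer handed to those later frees appears as a repeated byte pattern in the report. Since the non-WIDECHAR build is unaffected by the ordering, a one-line comment above the moved `el_free((ptr_t) el)` stating that the struct must be released last would keep a future reordering from reintroducing the bug in the WIDECHAR path only.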
Comment 11 Kamil Dudka 2011-08-26 06:54:42 EDT
fixed in libedit-3.0-3.20110802cvs.fc17
Comment 12 Fedora Update System 2011-08-26 07:32:00 EDT
libedit-3.0-4.20110227cvs.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/libedit-3.0-4.20110227cvs.fc16
Comment 13 Fedora Update System 2011-08-26 07:32:03 EDT
libedit-3.0-4.20110227cvs.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/libedit-3.0-4.20110227cvs.fc15
Comment 14 Fedora Update System 2011-08-26 10:17:52 EDT
Package libedit-3.0-4.20110227cvs.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libedit-3.0-4.20110227cvs.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/libedit-3.0-4.20110227cvs.fc16
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2011-09-09 01:23:57 EDT
libedit-3.0-4.20110227cvs.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2011-09-09 12:55:38 EDT
libedit-3.0-4.20110227cvs.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
