Bug 754026 - getaddrinfo causes invalid free of noai6ai_cached
Summary: getaddrinfo causes invalid free of noai6ai_cached
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 16
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 753470 753733 753736 754019 754283 754434
Depends On:
Blocks:
Reported: 2011-11-15 07:38 UTC by Matt McCutchen
Modified: 2018-10-26 09:43 UTC (History)
13 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-16 17:04:37 UTC
Type: ---
Embargoed:


Attachments
Test program (630 bytes, text/x-csrc)
2011-11-15 07:38 UTC, Matt McCutchen

Description Matt McCutchen 2011-11-15 07:38:33 UTC
Created attachment 533697
Test program

Description of problem:
On my Dell Latitude D620, with no wired network connection and the wireless connection disabled by the hardware kill switch, calling getaddrinfo("localhost") several times in a row causes an invalid free.  This is with unmodified /etc/hosts and unmodified glibc configuration files (rpm -V glibc) except for /etc/localtime.

Version-Release number of selected component (if applicable):
glibc-2.14.90-16.x86_64

How reproducible:
Almost always on my system.

Steps to Reproduce:
1. Download attached test.c.
2. make test
3. Offline with wireless hardware-disabled: valgrind ./test

Actual results:
[valgrind header]
resolve one
==3271== Invalid free() / delete / delete[]
==3271==    at 0x4C2962E: free (vg_replace_malloc.c:366)
==3271==    by 0x4F459B7: __free_in6ai (check_pf.c:426)
==3271==    by 0x4F0D444: getaddrinfo (getaddrinfo.c:2560)
==3271==    by 0x4005F4: _resolve_addr (in /home/matt/test/gai-invalid-free/test)
==3271==    by 0x400652: main (in /home/matt/test/gai-invalid-free/test)
==3271==  Address 0x51e3390 is 0 bytes inside data symbol "noai6ai_cached"
==3271== 
resolve one
resolve one
[valgrind footer]

Expected results:
[valgrind header]
resolve one
resolve one
resolve one
[valgrind footer]

Additional info:
After I upgraded from F15 to F16, this problem caused cupsd to crash, which caused gnome-settings-daemon to hang and ultimately led to the GNOME "Oh no! Something has gone wrong" screen.  The test case is a simplified version of what cupsd was doing via libaudit.
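The attached test.c is not reproduced on this page, so the following is an added reconstruction of the reported reproducer, not the reporter's own file: it calls getaddrinfo("localhost") three times in a row and prints "resolve one" after each call, matching the output in the report. The hints used (AF_UNSPEC, SOCK_STREAM, no flags) are an assumption. The valgrind trace above shows the second call's cleanup in __free_in6ai handing the static data symbol noai6ai_cached to free(); on a fixed glibc all three calls complete without that invalid free, which is what the return values below let a caller check.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Resolve HOST once and release the result.  Hints are an assumption
 * (the attached test.c is not shown on the bug page).
 * Returns 0 on success, otherwise the getaddrinfo() error code. */
static int resolve_once(const char *host)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 or IPv6, as a typical caller would ask */
    hints.ai_socktype = SOCK_STREAM;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    puts("resolve one");             /* same progress line as in the report */
    if (rc == 0)
        freeaddrinfo(res);           /* only the result list is ours to free */
    return rc;
}

/* Call resolve_once() N times back to back, the pattern that triggered the
 * invalid free of noai6ai_cached on glibc-2.14.90-16.  Returns the number of
 * calls made (the process aborts or valgrind reports the bad free on an
 * affected build before all N complete); *succeeded counts the lookups
 * that actually resolved, which depends on /etc/hosts and connectivity. */
int resolve_repeatedly(const char *host, int n, int *succeeded)
{
    int made = 0, ok = 0;
    for (int i = 0; i < n; i++) {
        if (resolve_once(host) == 0)
            ok++;
        made++;
    }
    if (succeeded)
        *succeeded = ok;
    return made;
}

int main(void)
{
    int ok = 0;
    int made = resolve_repeatedly("localhost", 3, &ok);
    printf("%d lookups made, %d resolved\n", made, ok);
    return made == 3 ? 0 : 1;
}
```

Run it under valgrind while offline, as in the steps above, to see whether the "Invalid free() ... inside data symbol noai6ai_cached" report appears on a given glibc build.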

Comment 1 Andreas Schwab 2011-11-15 09:22:22 UTC
*** Bug 754019 has been marked as a duplicate of this bug. ***

Comment 2 Andreas Schwab 2011-11-15 10:27:26 UTC
*** Bug 753470 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Law 2011-11-16 04:03:51 UTC
*** Bug 754283 has been marked as a duplicate of this bug. ***

Comment 4 Emiel Kollof 2011-11-16 15:21:52 UTC
This also crashes Firefox, Google Chrome, yum update. Basically anything that tries to resolve stuff. I get the exact same error and trace.

Comment 5 Jeff Law 2011-11-16 16:36:36 UTC
*** Bug 754434 has been marked as a duplicate of this bug. ***

Comment 6 Jeff Law 2011-11-16 16:41:36 UTC
*** Bug 753736 has been marked as a duplicate of this bug. ***

Comment 7 Matt McCutchen 2011-11-16 17:04:37 UTC
The affected update has been unpushed.

Comment 8 Theodore Lee 2011-11-17 00:30:14 UTC
*** Bug 753733 has been marked as a duplicate of this bug. ***
