Bug 874659 - memory corruption on git shortlog
Summary: memory corruption on git shortlog
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: git
Version: 6.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Stodulka
QA Contact: Andrej Dzilský
Lenka Špačková
URL:
Whiteboard:
Duplicates: 1111149
Depends On:
Blocks: 1254457 1355829 1359264
 
Reported: 2012-11-08 15:35 UTC by Eric Blake
Modified: 2017-03-21 10:00 UTC (History)

Fixed In Version: git-1.7.1-7.el6
Doc Type: Bug Fix
Doc Text:
"git shortlog" no longer crashes due to using freed memory
Previously, when email address entries differed only in case, the `.mailmap` feature of the "git shortlog" command did not replace a duplicate email entry with a strdup pointer, and freed memory was referenced. Consequently, *Git* terminated unexpectedly due to using already freed memory. A patch has been applied, which ensures that memory is freed before these entries are replaced, and "git shortlog" correctly uses only allocated memory.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:00:23 UTC
Target Upstream Version:
Embargoed:


Attachments
abrt report, as logged to a file (33.94 KB, text/plain), 2012-11-08 15:36 UTC, Eric Blake
patch (738 bytes, patch), 2014-12-11 22:26 UTC, Petr Stodulka


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0640 0 normal SHIPPED_LIVE git bug fix update 2017-03-21 12:31:15 UTC

Description Eric Blake 2012-11-08 15:35:58 UTC
Description of problem:
When running 'git shortlog' on libvirt.git, I got a glibc warning about a double free.  I reproduced with a fresh clone, so that there is nothing in my working directory that could be impacting things.

Version-Release number of selected component (if applicable):
git-1.7.1-2.el6_0.1.x86_64

How reproducible:
100%

Steps to Reproduce:
1. git clone git://libvirt.org/libvirt.git libvirt-tmp1
2. cd libvirt-tmp1
3. git shortlog >/dev/null
  
Actual results:
*** glibc detected *** git: double free or corruption (fasttop): 0x00000000022cd770 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3403e760e6]
git[0x489835]
git[0x4b6378]
git[0x456e42]
git[0x45780e]
git[0x404171]
git[0x404352]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3403e1ecdd]
git[0x403b79]


Expected results:
no memory corruption

Additional info:

Comment 1 Eric Blake 2012-11-08 15:36:39 UTC
Created attachment 640886
abrt report, as logged to a file

Comment 2 Eric Blake 2012-11-08 15:37:58 UTC
In case it matters, my clone of libvirt.git happened at upstream commit e124f49890742097c7d418d05d671c28340861a1

Comment 4 RHEL Program Management 2013-10-14 00:17:13 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 5 Ondrej Oprala 2014-06-19 13:39:03 UTC
*** Bug 1111149 has been marked as a duplicate of this bug. ***

Comment 6 Petr Stodulka 2014-12-11 22:26:53 UTC
Created attachment 967403
patch

This bug is already fixed in upstream (commit d8d2eb7d6b5e48c2bcb0e71a770f8a05375ac03e). Patch is corrected for actual rhel-6.6 version of git 1.7.1. Memory for entries 'mail' and 'name' of structure mailmap_entry is freed only before replacing now.
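
The free-before-replace rule from comment 6, shown as a constructed model (an added example, not git's source and not the attached patch). The `entry` struct, the tracking allocator, the two-update sequence and the pre-fix shape of `update_buggy` are assumptions inferred from the comment's wording.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not git's source: the two fields named in comment 6. */
struct entry { char *name, *email; };
typedef void (*update_fn)(struct entry *, const char *, const char *);
/* Quarantine allocator: "freed" blocks are only marked dead, so stale
 * pointers can be inspected without undefined behaviour. */
static struct { char *p; int live; } slot[16];
static int nslots, double_frees;

static char *t_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p || nslots == 16) abort();
    slot[nslots].live = 1;
    return slot[nslots++].p = strcpy(p, s);
}
static int *t_find(const char *p) {      /* liveness flag of p, or NULL */
    for (int i = 0; i < nslots; i++)
        if (slot[i].p == p) return &slot[i].live;
    return NULL;
}
static void t_free(char *p) {
    int *live = t_find(p);
    if (live && !*live) double_frees++;  /* block was already freed */
    if (live) *live = 0;
}
/* Assumed pre-fix shape: free unconditionally, replace only if given. */
static void update_buggy(struct entry *e, const char *name, const char *email) {
    t_free(e->name); t_free(e->email);
    if (name)  e->name  = t_strdup(name);
    if (email) e->email = t_strdup(email);
}
/* Fixed shape: a field is freed only right before it is replaced. */
static void update_fixed(struct entry *e, const char *name, const char *email) {
    if (name)  { t_free(e->name);  e->name  = t_strdup(name); }
    if (email) { t_free(e->email); e->email = t_strdup(email); }
}
/* Two updates to one entry. Bit 0: dangling field; bit 1: double free. */
int scenario(update_fn update) {
    nslots = double_frees = 0;
    struct entry e = { t_strdup("Old Name"), t_strdup("old@example.com") };
    update(&e, "New Name", NULL);            /* name-only update */
    int flags = !*t_find(e.email);           /* e.email left dangling? */
    update(&e, NULL, "new@example.com");     /* email-only update */
    for (int i = 0; i < nslots; i++) free(slot[i].p);   /* real release */
    return flags | (double_frees ? 2 : 0);
}
int main(void) {
    printf("buggy=%d fixed=%d\n", scenario(update_buggy), scenario(update_fixed));
}
```

With the real `free()`, the second free of the stale `email` pointer is the condition behind glibc's "double free or corruption" abort in the description.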

Comment 12 errata-xmlrpc 2017-03-21 10:00:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0640.html

