Bug#1050208: libc6: double free detected in tcache 2, then abort
control: reassign -1 openbsd-inetd
control: retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
control: found -1 openbsd-inetd/0.20221205-1
Hi,
On 2023-08-22 14:32, Paul Szabo wrote:
> Package: libc6
> Version: 2.36-9+deb12u1
> Severity: important
>
> Dear Maintainer,
>
> I noticed an issue with malloc() or free(). I only noticed this
> recently, with libc6 version 2.36-9+deb12u1; reverting to previous
> 2.36-9 did not seem to help.
>
> The issue: sending SIGHUP to the inetd process (from package
> openbsd-inetd version 0.20221205-1) should cause it to re-load its
> configuration, but instead it elicits
>
> free(): double free detected in tcache 2
>
> and an abort. This is easiest seen (after "systemctl stop inetd") with
>
> root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
> [1] 2431
> ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
> free(): double free detected in tcache 2
> [1]+ Aborted inetd -d -i
> root#
>
> I believe that this "double free" is spurious, as there are no errors
> (but inetd reloads as expected) when using e.g.
It is not, it is also reported by valgrind:
==9356== Invalid free() / delete / delete[] / realloc()
==9356== at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356== by 0x10DB69: getconfigent (inetd.c:1176)
==9356== by 0x10EFFE: config (inetd.c:651)
==9356== by 0x48A0401: event_signal_closure (event.c:1369)
==9356== by 0x48A0401: event_process_active_single_queue (event.c:1678)
==9356== by 0x48A0C1E: event_process_active (event.c:1783)
==9356== by 0x48A0C1E: event_base_loop (event.c:2006)
==9356== by 0x10B9E2: main (inetd.c:475)
==9356== Address 0x50747e0 is 0 bytes inside a block of size 1 free'd
==9356== at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356== by 0x10DB69: getconfigent (inetd.c:1176)
==9356== by 0x10EFFE: config (inetd.c:651)
==9356== by 0x10B8C3: main (inetd.c:438)
==9356== Block was alloc'd at
==9356== at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356== by 0x4A82539: strdup (strdup.c:42)
==9356== by 0x10DBE7: newstr (inetd.c:1597)
==9356== by 0x10DBE7: getconfigent (inetd.c:1186)
==9356== by 0x10EFFE: config (inetd.c:651)
==9356== by 0x10B8C3: main (inetd.c:438)
It appears that is has been introduced in the latest upload of
openbsd-inetd in the default_v4v6 patch. The following patch seems to
fix the issue, but I haven't spent time to verify it is correct:
--- openbsd-inetd-0.20221205.orig/inetd.c
+++ openbsd-inetd-0.20221205/inetd.c
@@ -1172,8 +1172,10 @@ more:
cp = saved_cp;
saved_cp = NULL;
} else {
- if (saved_cp)
+ if (saved_cp) {
free(saved_cp);
+ saved_cp = NULL;
+ }
while ((cp = nextline(fconfig)) && *cp == '#')
;
I am therefore reassigning the bug to openbsd-inetd.
Regards
Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
aurelien@aurel32.net http://aurel32.net
Reply to: