
Bug#1050208: libc6: double free detected in tcache 2, then abort



control: reassign -1 openbsd-inetd
control: retitle -1 openbsd-inetd: double free detected in tcache 2, then abort
control: found -1 openbsd-inetd/0.20221205-1

Hi,

On 2023-08-22 14:32, Paul Szabo wrote:
> Package: libc6
> Version: 2.36-9+deb12u1
> Severity: important
> 
> Dear Maintainer,
> 
> I noticed an issue with malloc() or free(). I only noticed this
> recently, with libc6 version 2.36-9+deb12u1; reverting to previous
> 2.36-9 did not seem to help.
> 
> The issue: sending SIGHUP to the inetd process (from package
> openbsd-inetd version 0.20221205-1) should cause it to re-load its
> configuration, but instead it elicits
> 
>   free(): double free detected in tcache 2
> 
> and an abort. This is easiest seen (after "systemctl stop inetd") with
> 
>   root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
>   [1] 2431
>   ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
>   free(): double free detected in tcache 2
>   [1]+  Aborted                 inetd -d -i
>   root# 
> 
> I believe that this "double free" is spurious, as there are no errors
> (but inetd reloads as expected) when using e.g.

It is not; it is also reported by valgrind:

==9356== Invalid free() / delete / delete[] / realloc()
==9356==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x10DB69: getconfigent (inetd.c:1176)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x48A0401: event_signal_closure (event.c:1369)
==9356==    by 0x48A0401: event_process_active_single_queue (event.c:1678)
==9356==    by 0x48A0C1E: event_process_active (event.c:1783)
==9356==    by 0x48A0C1E: event_base_loop (event.c:2006)
==9356==    by 0x10B9E2: main (inetd.c:475)
==9356==  Address 0x50747e0 is 0 bytes inside a block of size 1 free'd
==9356==    at 0x484317B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x10DB69: getconfigent (inetd.c:1176)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x10B8C3: main (inetd.c:438)
==9356==  Block was alloc'd at
==9356==    at 0x48407B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==9356==    by 0x4A82539: strdup (strdup.c:42)
==9356==    by 0x10DBE7: newstr (inetd.c:1597)
==9356==    by 0x10DBE7: getconfigent (inetd.c:1186)
==9356==    by 0x10EFFE: config (inetd.c:651)
==9356==    by 0x10B8C3: main (inetd.c:438)

It appears that it has been introduced in the latest upload of
openbsd-inetd in the default_v4v6 patch. The following patch seems to
fix the issue, but I haven't spent time to verify it is correct:

--- openbsd-inetd-0.20221205.orig/inetd.c
+++ openbsd-inetd-0.20221205/inetd.c
@@ -1172,8 +1172,10 @@ more:
 	    cp = saved_cp;
 	    saved_cp = NULL;
 	} else {
-		if (saved_cp)
+		if (saved_cp) {
 		    free(saved_cp);
+		    saved_cp = NULL;
+		}
 
 	while ((cp = nextline(fconfig)) && *cp == '#')
 		;
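Review bot: clearing `saved_cp` right after `free(saved_cp)` is the right shape of fix for what valgrind reports (the same block freed at inetd.c:1176 once from the initial `config()` call and again from the SIGHUP reload, so the pointer evidently keeps its value between calls), but since the sender says the change is unverified, two things should be checked before upload: that the `if` branch just above, which hands the pointer over with `cp = saved_cp; saved_cp = NULL;`, is the only other consumer of it, so that nothing else still frees the same line after this change; and that no other exit from `getconfigent()` leaves `saved_cp` pointing at freed memory. A one-line comment on the added `saved_cp = NULL;` noting that the pointer persists across reloads would help the next reader.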

I am therefore reassigning the bug to openbsd-inetd.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net
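The bug class behind this report, as an added example that is not inetd's code: a reader keeps a saved line in state that outlives each pass, frees it without clearing the pointer, and the next reload frees it again. `struct cfg`, `drop_saved`, `simulate_reloads` and the `tracked_free` stand-in (which counts a repeat free instead of aborting, the way a memory checker would) are hypothetical names for this model, and the config line is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for free() that, like a memory checker, records every pointer
 * it releases and counts a repeat instead of aborting. Each run allocates
 * a single block, so a freed address is never handed out again. */
#define MAX_FREES 16
static void *freed[MAX_FREES];
static int nfreed, double_frees;

static void reset_tracker(void) { nfreed = 0; double_frees = 0; }
static void tracked_free(void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; }  /* already freed */
    if (nfreed < MAX_FREES) freed[nfreed++] = p;
    free(p);
}

/* Hypothetical reader state. inetd keeps saved_cp across calls, which is
 * what lets a stale pointer survive from one config() pass to the next. */
struct cfg { char *saved_cp; };

/* Release the line saved by an earlier pass. fix=0 is the pre-patch
 * behaviour (pointer left dangling); fix=1 clears it, as the patch does. */
static void drop_saved(struct cfg *c, int fix) {
    if (c->saved_cp) {
        tracked_free(c->saved_cp);
        if (fix) c->saved_cp = NULL;
    }
}

/* Model of the report: the initial config() saves a line and a later
 * getconfigent() call frees it; the SIGHUP reload then takes the same
 * else branch and frees it again. Returns the number of repeat frees. */
int simulate_reloads(int fix) {
    struct cfg c = { NULL };
    reset_tracker();
    c.saved_cp = strdup("ident stream tcp nowait identd /usr/sbin/identd");  /* constructed line */
    drop_saved(&c, fix);   /* later call in the initial config(): legitimate free */
    drop_saved(&c, fix);   /* reload after SIGHUP: double free unless fixed */
    return double_frees;
}

int main(void) {
    printf("pre-patch: %d repeat free(s)\n", simulate_reloads(0));  /* 1 */
    printf("patched:   %d repeat free(s)\n", simulate_reloads(1));  /* 0 */
    return 0;
}
```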

