Your message dated Wed, 23 Aug 2023 11:20:04 +0000
with message-id <[email protected]>
and subject line Bug#1050208: fixed in openbsd-inetd 0.20221205-2
has caused the Debian Bug report #1050208,
regarding openbsd-inetd: double free detected in tcache 2, then abort
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050208: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050208
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libc6
Version: 2.36-9+deb12u1
Severity: important

Dear Maintainer,

I noticed an issue with malloc() or free(). I only noticed this
recently, with libc6 version 2.36-9+deb12u1; reverting to previous
2.36-9 did not seem to help.

The issue: sending SIGHUP to the inetd process (from package
openbsd-inetd version 0.20221205-1) should cause it to re-load its
configuration, but instead it elicits

  free(): double free detected in tcache 2

and an abort. This is easiest seen (after "systemctl stop inetd") with

  root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
  [1] 2431
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  free(): double free detected in tcache 2
  [1]+  Aborted                 inetd -d -i
  root# 

I believe that this "double free" is spurious, as there are no errors
(but inetd reloads as expected) when using e.g.

  root# LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=1 inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs; kill $!; sleep 1; jobs
  [1] 2437
  ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  REDO: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
  [1]+  Running                 LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i &
  [1]+  Done                    LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i
  root# 

No errors are shown with any value of MALLOC_CHECK_ from 0 to 20, or
even without any MALLOC_CHECK_ but with just LD_PRELOAD so with

  root# LD_PRELOAD=libc_malloc_debug.so inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs; kill $!; sleep 1; jobs

Instead of LD_PRELOAD, some glibc tunables can also help to avoid the
"double free" error. The settings that I found to help were:

  GLIBC_TUNABLES=glibc.malloc.tcache_count=0
  GLIBC_TUNABLES=glibc.malloc.tcache_count=1

whereas none of the following helped:

  GLIBC_TUNABLES=glibc.malloc.tcache_count=2    # or 3, 4, ...
  GLIBC_TUNABLES=glibc.cpu.hwcaps=-avx
  GLIBC_TUNABLES=glibc.cpu.hwcaps=-sse
  GLIBC_TUNABLES=glibc.cpu.hwcap_mask=1099511627775

The issue is present on all of my machines that boot from "disk", with
amd64 or i386 architectures (both using an amd64 kernel, custom-built
from linux-source version 6.1.38-4); some of these are VMs inside
VirtualBox. I hope that the issue can be reproduced elsewhere.
Curiously, the issue does not seem present on the same machines when booting
PXE and then NFS-mounted root (similar to LTSP), though the contents of
/usr/lib seem identical whether booting from disk or PXE; the PXE boot
sequence uses sysvinit, not systemd.

Thanks Aurelien for suggesting the glibc tunables (in bug #1041836).
Did not try gdb since I am not proficient with it, would not know what
to look for. Please suggest anything else I should try.

Thanks, Paul
-- 
Paul Szabo       [email protected]       www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics   University of Sydney    Australia



-- System Information:
Debian Release: 12.1
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1+pk12.06 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libc6 depends on:
ii  libgcc-s1  12.2.0-14

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.3-1+b1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.82
ii  glibc-doc              2.36-9+deb12u1
ii  libc-l10n              2.36-9+deb12u1
ii  libnss-nis             3.1-4
ii  libnss-nisplus         1.3-4
ii  locales                2.36-9+deb12u1

-- debconf information:
  glibc/restart-failed:
* glibc/upgrade: true
  glibc/kernel-not-supported:
  glibc/disable-screensaver:
* libraries/restart-without-asking: true
  glibc/kernel-too-old:
  glibc/restart-services:

--- End Message ---
--- Begin Message ---
Source: openbsd-inetd
Source-Version: 0.20221205-2
Done: Marco d'Itri <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openbsd-inetd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco d'Itri <[email protected]> (supplier of updated openbsd-inetd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Aug 2023 12:49:41 +0200
Source: openbsd-inetd
Architecture: source
Version: 0.20221205-2
Distribution: unstable
Urgency: medium
Maintainer: Marco d'Itri <[email protected]>
Changed-By: Marco d'Itri <[email protected]>
Closes: 1050208
Changes:
 openbsd-inetd (0.20221205-2) unstable; urgency=medium
 .
   * Updated the Debian patch default_v4v6 to fix a double free and
     a memory leak on configuration reloads. (Closes: #1050208)

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQnKUXNg20437dCfobLPsM64d7XgQUCZOXlzgAKCRDLPsM64d7X
gUgjAP9PmAWGIcI5eAECrpkbi6pFeuEOidBNb5F4uyfCVTx64gD+N/aZDUU0bZrX
kVpJl4g8u2PA7cWHPfjNxjRgxeTV+A0=
=0YlE
-----END PGP SIGNATURE-----

--- End Message ---
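
The changelog entry above describes a double free and a memory leak on configuration reloads. As an added illustration (not code from openbsd-inetd or its default_v4v6 patch, which this page does not show), the C example below uses a hypothetical struct entry and hypothetical helper names to show a reload that moves string ownership so that every string is freed exactly once; the sample values are constructed from the debug output in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical service entry; NOT inetd's real data structure. */
struct entry { char *server; char *user; };  /* both fields heap-owned */
static int live;  /* outstanding heap strings, so leaks are visible */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    live++;
    return memcpy(p, s, n);
}

/* Free via the owning pointer and clear it: releasing the same field
 * again is then a no-op rather than a second free() of the chunk. */
static void release(char **p) { if (*p) { free(*p); live--; } *p = NULL; }
static void entry_clear(struct entry *e) { release(&e->server); release(&e->user); }

/* Move one field. A plain "*dst = *src;" here would leak the old *dst
 * and leave two owners of one string, so clearing both entries later
 * would free it twice. */
static void take(char **dst, char **src) { release(dst); *dst = *src; *src = NULL; }

/* Reload ("REDO"): update the running entry from a re-parsed one. */
static void entry_redo(struct entry *cur, struct entry *parsed) {
    take(&cur->server, &parsed->server);
    take(&cur->user, &parsed->user);
    entry_clear(parsed);  /* safe: its fields were moved out */
}

/* Constructed scenario: load, reload n times, shut down.
 * Returns the number of strings still allocated (0 = no leak). */
static int reload_cycles(int n) {
    struct entry cur = { dup_str("/usr/sbin/identd"), dup_str("identd") };
    for (int i = 0; i < n; i++) {
        struct entry parsed = { dup_str("/usr/sbin/identd"), dup_str("identd") };
        entry_redo(&cur, &parsed);
    }
    entry_clear(&cur);
    return live;
}

int main(void) {
    printf("strings still allocated after 3 reloads: %d\n", reload_cycles(3));
    return 0;
}
```

Built with -fsanitize=address, a variant of take() that uses only the plain assignment is reported by AddressSanitizer as a double free at the second free() call.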
