Package: libc6
Version: 2.36-9+deb12u7
Severity: normal
Tags: patch

Dear Maintainer,
not sure how exploitable this is, but running programs that use aio_write causes uninitialized memory access on exit. This has been fixed upstream about a year ago, but the patch has seemingly not been integrated in Debian bookworm:

<https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=rt/aio_misc.c;h=4b850b1ab602a2ef9575c3313a979d88574024d6;hp=49ec0aa293d8b36a16ecc951b71d3f98d5e254b1;hb=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b;hpb=5473a1747a7bd10a7a271c7e01e942711a707bb8>
<https://sourceware.org/git/?p=glibc.git;a=commit;h=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b>

From a look at the patch, and the code in version 2.36 that's used to build the package, it should be trivial to apply the patch also in stable, since the affected loop is identical and the variable names are still the same.

Kind regards,
Thomas

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc-s1  12.2.0-14

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.3-1+b1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.82
ii  glibc-doc              2.36-9+deb12u7
ii  libc-l10n              2.36-9+deb12u7
ii  libnss-nis             3.1-4
ii  libnss-nisplus         1.3-4
ii  locales                2.36-9+deb12u7

-- debconf information excluded
>From 0cee4aa92f5b9b213856c8ba1ab84c34d73c943b Mon Sep 17 00:00:00 2001 From: Samuel Thibault <samuel.thiba...@ens-lyon.org> Date: Wed, 12 Apr 2023 00:12:02 +0200 Subject: [PATCH] aio: Fix freeing memory The content of the pool array is initialized only until pool_size, pointers between pool_size and pool_max_size were not initialized by the realloc call in get_elem so they should not be freed. This fixes aio tests crashing at their termination on GNU/Hurd. --- rt/aio_misc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rt/aio_misc.c b/rt/aio_misc.c index 49ec0aa293..4b850b1ab6 100644 --- a/rt/aio_misc.c +++ b/rt/aio_misc.c @@ -702,7 +702,7 @@ __aio_freemem (void) { size_t row; - for (row = 0; row < pool_max_size; ++row) + for (row = 0; row < pool_size; ++row) free (pool[row]); free (pool); -- 2.43.0
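Review bot: the bound change in __aio_freemem is the right fix: get_elem only ever assigns pool[pool_size] before incrementing it, so the slots from pool_size up to pool_max_size hold whatever realloc left there, and handing them to free() is undefined behaviour rather than a harmless free(NULL). The commit message attributes the crash to GNU/Hurd, but the report above reproduces the uninitialized access on Debian amd64, so it would be clearer to state that the read affects every platform and only the visible symptom varies.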
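To make the mechanism in the commit message concrete, here is an added example (not glibc's code) that models the request pool the way rt/aio_misc.c grows it: a realloc-extended array of row pointers where only rows below pool_size are ever assigned. The row size, growth step and names add_row, uninitialized_slots and free_pool are constructed for this illustration; free_pool uses the corrected bound.

```c
#include <stdlib.h>

/* Constructed model of the aio request pool: a realloc-grown array of
   row pointers.  Only slots [0, pool_size) are ever assigned; slots
   [pool_size, pool_max_size) contain whatever realloc left behind. */
#define ENTRIES_PER_ROW 8   /* constructed; glibc's real value differs */
#define ROW_STEP 4          /* constructed growth step for the pointer array */

static char **pool = NULL;        /* rows of request entries */
static size_t pool_size = 0;      /* rows actually allocated */
static size_t pool_max_size = 0;  /* capacity of the row-pointer array */

/* Mirrors the growth pattern of get_elem: when the pointer array is full,
   extend it by ROW_STEP slots (realloc does not zero the new slots), then
   allocate exactly one new row.  Returns the row or NULL on failure. */
static char *add_row(void)
{
  if (pool_size + 1 > pool_max_size) {
    char **new_pool = realloc(pool, (pool_max_size + ROW_STEP) * sizeof *pool);
    if (new_pool == NULL)
      return NULL;
    pool = new_pool;
    pool_max_size += ROW_STEP;
  }
  char *row = calloc(ENTRIES_PER_ROW, sizeof *row);
  if (row == NULL)
    return NULL;
  pool[pool_size++] = row;
  return row;
}

/* Number of pointer slots the pre-fix loop (bound pool_max_size) would
   have passed to free() even though they were never initialized. */
static size_t uninitialized_slots(void)
{
  return pool_max_size - pool_size;
}

/* Teardown with the corrected bound: free only rows that were allocated,
   then the pointer array.  Returns the number of rows freed. */
static size_t free_pool(void)
{
  size_t freed = pool_size;
  for (size_t row = 0; row < pool_size; ++row)
    free(pool[row]);
  free(pool);
  pool = NULL;
  pool_size = pool_max_size = 0;
  return freed;
}
```

Building this with -fsanitize=address and looping to pool_max_size instead would report the invalid free on the garbage slots, which is the check to run when backporting the one-line change.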