
Bug#264884: marked as done (globfree() double-frees)



Your message dated Tue, 19 Oct 2004 18:55:01 -0700
with message-id <20041020015501.GA17321@mauritius.dodds.net>
and subject line glibc 2.2.3.2.ds1-18 in testing
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Subject: globfree() double-frees
To: submit@bugs.debian.org
Content-Type: multipart/mixed; boundary="=-perGxb8PrZ9vxIFVr6vr"
Message-Id: <1092166421.2750.10.camel@laptop1>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6 
Date: Tue, 10 Aug 2004 14:33:42 -0500
From: Jeff Licquia <licquia@progeny.com>


--=-perGxb8PrZ9vxIFVr6vr
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Package: libc6
Version: 2.3.2.ds1-13
Severity: serious
Tags: patch

Certain kinds of problems in glob() result in a GLOB_ABORTED return
value.  In these circumstances, the glob_t passed in is likely to
contain partial results (per POSIX), and thus, globfree() needs to be
called to prevent a memory leak.

Unfortunately, glob() itself calls globfree() under certain
circumstances.  Calling globfree() again (which is legal and in fact
mandated under POSIX) causes certain portions of the structure to be
double-freed.  Under many circumstances, this results in infinite loops
or SIGSEGV during the next malloc.

The best way to fix it is for globfree() to do housekeeping on the
glob_t it's freeing, by setting gl_pathc to 0 and gl_pathv to NULL. 
Then, when globfree() is called the second time, it knows to do
nothing.  A patch to that effect is attached (in debian/patches form).

(This is the same bug, basically, as 260767, except that the source of
the double-free I complained about has now been discovered.)

The severity is serious because this bug causes the LSB tests to hang,
specifically /tset/LSB.os/genuts/glob/T.glob 30.


--=-perGxb8PrZ9vxIFVr6vr
Content-Disposition: attachment; filename=globfree-clear-pathc.dpatch
Content-Type: application/x-shellscript; name=globfree-clear-pathc.dpatch
Content-Transfer-Encoding: 7bit

#! /bin/sh -e

# All lines beginning with `# DP:' are a description of the patch.
# DP: Description: Patch to make globfree() clear pglob->gl_pathc
# DP: Related bugs: 
# DP: Dpatch author: 
# DP: Patch author: Jeff Licquia <licquia@progeny.com>
# DP: Upstream status: Not submitted
# DP: Status Details: 
# DP: Date: 2004-07-22

PATCHLEVEL=1

if [ $# -ne 2 ]; then
    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
    exit 1
fi
case "$1" in
    -patch) patch -d "$2" -f --no-backup-if-mismatch -p$PATCHLEVEL < $0;;
    -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p$PATCHLEVEL < $0;;
    *)
	echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
	exit 1
esac
exit 0

# append the patch here and adjust the -p? flag in the patch calls.
--- glibc-2.3.2-old/sysdeps/generic/glob.c	2004-07-26 17:49:07.000000000 -0400
+++ glibc-2.3.2/sysdeps/generic/glob.c	2004-07-26 17:51:14.000000000 -0400
@@ -1105,6 +1105,8 @@
 	if (pglob->gl_pathv[pglob->gl_offs + i] != NULL)
 	  free ((__ptr_t) pglob->gl_pathv[pglob->gl_offs + i]);
       free ((__ptr_t) pglob->gl_pathv);
+      pglob->gl_pathc = 0;
+      pglob->gl_pathv = NULL;
     }
 }
 #if defined _LIBC && !defined globfree
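Review bot: The two added assignments at the end of the block in globfree() have no comment, so a later reader cannot tell why a free routine writes back into its argument. Add one line above `pglob->gl_pathc = 0;` saying that the reset makes a second globfree() on the same glob_t a no-op, because glob() may already have called it on an error path. The reset only helps if the block is guarded by a test of gl_pathv against NULL; that guard is above the visible context, so confirm it before merging. The `# DP: Related bugs:` field in the dpatch header is empty and could name 264884 and 260767.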

--=-perGxb8PrZ9vxIFVr6vr--
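The failure mode and fix from the report above, modelled as an added example (not code from glibc or from the reporter). `struct pathlist`, the tracking allocator and `pathlist_free` are constructed stand-ins, and the `pathv == NULL` guard is an assumption because it lies above the hunk's visible context; releases are recorded rather than executed, so the second call's double frees are counted without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for glob_t: only the fields the patch touches. */
struct pathlist { size_t pathc; char **pathv; size_t offs; };

/* Tracking allocator: t_free() marks a block released and leaves the real
   free() to t_drain(), so a repeated release is counted, not executed. */
static struct { void *p; int released; } slots[8];
static int nslots, double_frees;
static void *t_alloc(size_t n) {
    void *p = nslots < 8 ? malloc(n) : NULL;
    if (p) { slots[nslots].p = p; slots[nslots++].released = 0; }
    return p;
}
static void t_free(void *p) {
    for (int i = 0; i < nslots; i++)
        if (slots[i].p == p) { double_frees += slots[i].released; slots[i].released = 1; }
}
static void t_drain(void) {
    while (nslots > 0) free(slots[--nslots].p);
    double_frees = 0;
}

/* Same loop as the hunk's context lines; the outer NULL guard is assumed. */
static void pathlist_free(struct pathlist *pl, int patched) {
    if (pl->pathv == NULL) return;
    for (size_t i = 0; i < pl->pathc; i++)
        if (pl->pathv[pl->offs + i] != NULL)
            t_free(pl->pathv[pl->offs + i]);
    t_free(pl->pathv);
    if (patched) { pl->pathc = 0; pl->pathv = NULL; }  /* the two added lines */
}

/* The library cleans up on its error path, then the caller frees again. */
int double_frees_after_two_calls(int patched) {
    struct pathlist pl = { 2, t_alloc(3 * sizeof(char *)), 0 };
    if (pl.pathv == NULL) return -1;
    pl.pathv[0] = t_alloc(8); pl.pathv[1] = t_alloc(8); pl.pathv[2] = NULL;
    pathlist_free(&pl, patched);   /* first call: inside the matcher */
    pathlist_free(&pl, patched);   /* second call: the caller's globfree() */
    int n = double_frees;
    t_drain();
    return n;
}

int main(void) {
    printf("unpatched: %d, patched: %d\n", double_frees_after_two_calls(0), double_frees_after_two_calls(1));
    return 0;
}
```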

---------------------------------------
Date: Tue, 19 Oct 2004 18:55:01 -0700
From: Steve Langasek <vorlon@dodds.net>
To: 259211-done@bugs.debian.org, 264884-done@bugs.debian.org,
	266637-done@bugs.debian.org
Subject: glibc 2.2.3.2.ds1-18 in testing
Message-ID: <20041020015501.GA17321@mauritius.dodds.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040722i

Version -18 of glibc is now in testing, therefore I am now closing these
bugs again.

-- 
Steve Langasek
postmodern programmer


