
Bug#1041836: libc6 2.36-9+deb12u1 double free abort



Hi,

What you reported seems unrelated to the original issue. It's better to
open a new bug if you believe there is an issue in glibc.

On 2023-08-09 10:46, Paul Szabo wrote:
> Maybe related: seems that the default for "mcheck" or MALLOC_CHECK_ has
> changed.
> 
> I observe an oddity. I only noticed this recently, with libc6 version
> 2.36-9+deb12u1; reverting to previous 2.36-9 did not seem to help.
> 
> The issue. Sending SIGHUP to the inetd(8) process should cause it to
> re-load its configuration, but instead it elicits
> 
>   free(): double free detected in tcache 2
> 
> and an abort. This is easiest seen (after "systemctl stop inetd") with
> 
>   root# inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs
>   [1] 2431
>   ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
>   free(): double free detected in tcache 2
>   [1]+  Aborted                 inetd -d -i
>   root# 

This is very likely a bug in inetd. There is no default value in
MALLOC_CHECK_; by default a fast memory allocator which is not tolerant
against simple errors is used, and thus just aborts in that case.

> Sanity(?) is restored by using MALLOC_CHECK_=0 (needs LD_PRELOAD):
> 
>   root# LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i & sleep 1; kill -HUP $!; sleep 1; jobs; kill $!; sleep 1; jobs
>   [1] 2437
>   ADD: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
>   REDO: ident proto=tcp4, wait.max=1.256 user:group=identd:(default) builtin=0 server=/usr/sbin/identd
>   [1]+  Running                 LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i &
>   [1]+  Done                    LD_PRELOAD=libc_malloc_debug.so MALLOC_CHECK_=0 inetd -d -i
>   root# 
> 
> To compound the oddity, the value of MALLOC_CHECK_ or even its presence
> seems ignored, just the LD_PRELOAD=libc_malloc_debug.so "fixes" the
> issue.

Since glibc 2.34, the debugging features in malloc such as the
MALLOC_CHECK_ environment variable are not built-in anymore and require
preloading the libc_malloc_debug.so library. This allows one to change
the level of checks through the MALLOC_CHECK_ environment variable.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net
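
A constructed C example of the bug class discussed in this message, added here and not taken from inetd or glibc: a reload path that would free the same strings twice, next to the ownership fix that prevents it. The names `struct entry`, `entry_free`, `entry_redo`, `reload_twice` and the `DEMO_DOUBLE_FREE` macro are hypothetical; building with `-DDEMO_DOUBLE_FREE` keeps the faulty path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical service entry; the names are illustrative, not inetd's. */
struct entry { char *service; char *server; };

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Free an entry and clear its pointers: a repeated call is free(NULL). */
static void entry_free(struct entry *e)
{
    free(e->service); e->service = NULL;
    free(e->server);  e->server  = NULL;
}

/* SIGHUP-style reload: the live entry takes ownership of the new strings. */
static void entry_redo(struct entry *live, struct entry *fresh)
{
    entry_free(live);
    *live = *fresh;
#ifndef DEMO_DOUBLE_FREE
    /* Ownership moved: drop the aliases so they are not freed twice. */
    fresh->service = fresh->server = NULL;
#endif
    /* With -DDEMO_DOUBLE_FREE this frees strings that live still owns,
     * so a later reload frees the same pointers again (double free). */
    entry_free(fresh);
}

/* Constructed input: load once, reload twice; 0 means the state is intact. */
int reload_twice(void)
{
    struct entry live = { dupstr("ident"), dupstr("/usr/sbin/identd") };
    for (int i = 0; i < 2; i++) {
        struct entry fresh = { dupstr("ident"), dupstr("/usr/sbin/identd") };
        entry_redo(&live, &fresh);
    }
    int ok = live.server && strcmp(live.server, "/usr/sbin/identd") == 0;
    entry_free(&live);
    entry_free(&live);   /* idempotent: the pointers were cleared */
    return ok ? 0 : 1;
}

int main(void) { return reload_twice(); }
```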

