Bug#1073916: libc6: aio cleanup function __aio_freemem reads uninitialized memory
Package: libc6
Version: 2.36-9+deb12u7
Severity: normal
Tags: patch
Dear Maintainer,
Not sure how exploitable this is, but running programs that use aio_write
causes uninitialized memory access on exit.
This has been fixed upstream about a year ago, but the patch has seemingly not
been integrated in Debian bookworm:
<https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=rt/aio_misc.c;h=4b850b1ab602a2ef9575c3313a979d88574024d6;hp=49ec0aa293d8b36a16ecc951b71d3f98d5e254b1;hb=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b;hpb=5473a1747a7bd10a7a271c7e01e942711a707bb8>
<https://sourceware.org/git/?p=glibc.git;a=commit;h=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b>
From a look at the patch, and the code in version 2.36 that's used to build the
package, it should be trivial to apply the patch also in stable, since the
affected loop is identical and the variable names still the same.
Kind regards, Thomas
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf
Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libc6 depends on:
ii libgcc-s1 12.2.0-14
Versions of packages libc6 recommends:
ii libidn2-0 2.3.3-1+b1
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.82
ii glibc-doc 2.36-9+deb12u7
ii libc-l10n 2.36-9+deb12u7
ii libnss-nis 3.1-4
ii libnss-nisplus 1.3-4
ii locales 2.36-9+deb12u7
-- debconf information excluded
From 0cee4aa92f5b9b213856c8ba1ab84c34d73c943b Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 12 Apr 2023 00:12:02 +0200
Subject: [PATCH] aio: Fix freeing memory
The content of the pool array is initialized only until pool_size,
pointers between pool_size and pool_max_size were not initialized by the
realloc call in get_elem so they should not be freed.
This fixes aio tests crashing at their termination on GNU/Hurd.
---
rt/aio_misc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rt/aio_misc.c b/rt/aio_misc.c
index 49ec0aa293..4b850b1ab6 100644
--- a/rt/aio_misc.c
+++ b/rt/aio_misc.c
@@ -702,7 +702,7 @@ __aio_freemem (void)
{
size_t row;
- for (row = 0; row < pool_max_size; ++row)
+ for (row = 0; row < pool_size; ++row)
free (pool[row]);
free (pool);
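Review bot: the tightened bound at `+ for (row = 0; row < pool_size; ++row)` is the right one, since per the commit message get_elem only stores row pointers for indices below pool_size and the realloc leaves the tail of the table indeterminate; a one-line comment above the loop saying that slots in [pool_size, pool_max_size) are never written would keep a later reader from "widening" the bound back to pool_max_size. Worth also checking that no other code walks `pool` up to pool_max_size, since the same uninitialized read would apply there.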
--
2.43.0
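Added example (not glibc's code and not part of this bug report): a minimal C model of the pool described in the commit message, with the row table grown by realloc and only rows below pool_size ever allocated, so that uninitialized_slots() counts the never-written tail the old loop bound would have passed to free() and pool_freemem() is the cleanup as patched. The names pool, pool_size and pool_max_size follow the patch; ENTRIES_PER_ROW, GROWTH_STEP and the helper function names are assumptions.

```c
#include <stdlib.h>

#define ENTRIES_PER_ROW 32   /* assumed row size; glibc's value is not on the page */
#define GROWTH_STEP 4        /* assumed: slots added to the table per realloc */

static void **pool;          /* table of row pointers, grown with realloc */
static size_t pool_size;     /* rows actually allocated: slots [0, pool_size) */
static size_t pool_max_size; /* slots in the table: [pool_size, max) are junk */

/* Allocate one more row, growing the table first when it is full.
 * Returns 0 on success, -1 on allocation failure (table left consistent). */
int pool_add_row(void)
{
    if (pool_size == pool_max_size) {
        size_t new_max = pool_max_size + GROWTH_STEP;
        void **grown = realloc(pool, new_max * sizeof *grown);
        if (grown == NULL)
            return -1;
        pool = grown;
        pool_max_size = new_max;
        /* realloc does not initialize the new tail: slots
         * [pool_size, pool_max_size) hold indeterminate pointers. */
    }
    pool[pool_size] = calloc(ENTRIES_PER_ROW, sizeof(void *));
    if (pool[pool_size] == NULL)
        return -1;
    pool_size++;
    return 0;
}

/* How many never-written slots the pre-patch loop (bound pool_max_size)
 * would have passed to free(): exactly the realloc tail. */
size_t uninitialized_slots(void)
{
    return pool_max_size - pool_size;
}

/* Cleanup as in the patched __aio_freemem: stop at pool_size. */
void pool_freemem(void)
{
    for (size_t row = 0; row < pool_size; ++row)
        free(pool[row]);
    free(pool);
    pool = NULL;
    pool_size = pool_max_size = 0;
}
```

After each growth step the tail is non-empty until enough rows have been added, which is why the old bound read garbage on almost every exit.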