Bug#1073916: libc6: aio cleanup function __aio_freemem reads uninitialized memory

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1073916: libc6: aio cleanup function __aio_freemem reads uninitialized memory
From: Thomas Jahns <jahns@dkrz.de>
Date: Thu, 20 Jun 2024 09:31:48 +0200
Message-id: <[🔎] 171886870882.2817535.13540271702380842572.reportbug@localhost>
Reply-to: Thomas Jahns <jahns@dkrz.de>, 1073916@bugs.debian.org

Package: libc6
Version: 2.36-9+deb12u7
Severity: normal
Tags: patch

Dear Maintainer,

not sure how exploitable this is, but running programs that use aio_write
causes uninitialized memory access on exit.

This has been fixed upstream about a year ago, but the patch has seemingly not
be integrated in Debian bookworm:

<https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=rt/aio_misc.c;h=4b850b1ab602a2ef9575c3313a979d88574024d6;hp=49ec0aa293d8b36a16ecc951b71d3f98d5e254b1;hb=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b;hpb=5473a1747a7bd10a7a271c7e01e942711a707bb8>

<https://sourceware.org/git/?p=glibc.git;a=commit;h=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b>

>From a look at the patch, and the code in version 2.36 that's used to build the
package, it should be trivial to apply the patch also in stable, since the
affected loop is identical and the variable names still the same.

Kind regards, Thomas


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc-s1  12.2.0-14

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.3-1+b1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.82
ii  glibc-doc              2.36-9+deb12u7
ii  libc-l10n              2.36-9+deb12u7
ii  libnss-nis             3.1-4
ii  libnss-nisplus         1.3-4
ii  locales                2.36-9+deb12u7

-- debconf information excluded

>From 0cee4aa92f5b9b213856c8ba1ab84c34d73c943b Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 12 Apr 2023 00:12:02 +0200
Subject: [PATCH] aio: Fix freeing memory

The content of the pool array is initialized only until pool_size,
pointers between pool_size and pool_max_size were not initialized by the
realloc call in get_elem so they should not be freed.

This fixes aio tests crashing at their termination on GNU/Hurd.
---
 rt/aio_misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rt/aio_misc.c b/rt/aio_misc.c
index 49ec0aa293..4b850b1ab6 100644
--- a/rt/aio_misc.c
+++ b/rt/aio_misc.c
@@ -702,7 +702,7 @@ __aio_freemem (void)
 {
   size_t row;
 
-  for (row = 0; row < pool_max_size; ++row)
+  for (row = 0; row < pool_size; ++row)
     free (pool[row]);
 
   free (pool);
-- 
2.43.0

Reply to:

Prev by Date: Bug#1061248: marked as done (glibc: DEP17: move most files but rtld to /usr)
Next by Date: Processed: notfixed 1061248 in palo/2.25
Previous by thread: Problema
Next by thread: Processed: notfixed 1061248 in palo/2.25
Index(es):
- Date
- Thread