Bug#1073916: marked as done (libc6: aio cleanup function __aio_freemem reads uninitialized memory)

To: Aurelien Jarno <aurel32@debian.org>
Subject: Bug#1073916: marked as done (libc6: aio cleanup function __aio_freemem reads uninitialized memory)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Fri, 16 Aug 2024 20:48:21 +0000
Message-id: <[🔎] handler.1073916.D1073916.17238412311512653.ackdone@bugs.debian.org>
Reply-to: 1073916@bugs.debian.org
References: <E1sf3qn-005xHi-Av@fasolo.debian.org> <171886870882.2817535.13540271702380842572.reportbug@localhost>

Your message dated Fri, 16 Aug 2024 20:47:09 +0000
with message-id <E1sf3qn-005xHi-Av@fasolo.debian.org>
and subject line Bug#1073916: fixed in glibc 2.36-9+deb12u8
has caused the Debian Bug report #1073916,
regarding libc6: aio cleanup function __aio_freemem reads uninitialized memory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073916
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6: aio cleanup function __aio_freemem reads uninitialized memory
From: Thomas Jahns <jahns@dkrz.de>
Date: Thu, 20 Jun 2024 09:31:48 +0200
Message-id: <171886870882.2817535.13540271702380842572.reportbug@localhost>

Package: libc6
Version: 2.36-9+deb12u7
Severity: normal
Tags: patch

Dear Maintainer,

not sure how exploitable this is, but running programs that use aio_write
causes uninitialized memory access on exit.

This has been fixed upstream about a year ago, but the patch has seemingly not
be integrated in Debian bookworm:

<https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=rt/aio_misc.c;h=4b850b1ab602a2ef9575c3313a979d88574024d6;hp=49ec0aa293d8b36a16ecc951b71d3f98d5e254b1;hb=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b;hpb=5473a1747a7bd10a7a271c7e01e942711a707bb8>

<https://sourceware.org/git/?p=glibc.git;a=commit;h=0cee4aa92f5b9b213856c8ba1ab84c34d73c943b>

>From a look at the patch, and the code in version 2.36 that's used to build the
package, it should be trivial to apply the patch also in stable, since the
affected loop is identical and the variable names still the same.

Kind regards, Thomas


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 6.1.0-21-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CPU_OUT_OF_SPEC, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc-s1  12.2.0-14

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.3-1+b1

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.82
ii  glibc-doc              2.36-9+deb12u7
ii  libc-l10n              2.36-9+deb12u7
ii  libnss-nis             3.1-4
ii  libnss-nisplus         1.3-4
ii  locales                2.36-9+deb12u7

-- debconf information excluded

>From 0cee4aa92f5b9b213856c8ba1ab84c34d73c943b Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 12 Apr 2023 00:12:02 +0200
Subject: [PATCH] aio: Fix freeing memory

The content of the pool array is initialized only until pool_size,
pointers between pool_size and pool_max_size were not initialized by the
realloc call in get_elem so they should not be freed.

This fixes aio tests crashing at their termination on GNU/Hurd.
---
 rt/aio_misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rt/aio_misc.c b/rt/aio_misc.c
index 49ec0aa293..4b850b1ab6 100644
--- a/rt/aio_misc.c
+++ b/rt/aio_misc.c
@@ -702,7 +702,7 @@ __aio_freemem (void)
 {
   size_t row;
 
-  for (row = 0; row < pool_max_size; ++row)
+  for (row = 0; row < pool_size; ++row)
     free (pool[row]);
 
   free (pool);
-- 
2.43.0

--- End Message ---

--- Begin Message ---

To: 1073916-close@bugs.debian.org
Subject: Bug#1073916: fixed in glibc 2.36-9+deb12u8
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Fri, 16 Aug 2024 20:47:09 +0000
Message-id: <E1sf3qn-005xHi-Av@fasolo.debian.org>
Reply-to: Aurelien Jarno <aurel32@debian.org>

Source: glibc
Source-Version: 2.36-9+deb12u8
Done: Aurelien Jarno <aurel32@debian.org>

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073916@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Aug 2024 11:10:46 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u8
Distribution: bookworm
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1073916
Changes:
 glibc (2.36-9+deb12u8) bookworm; urgency=medium
 .
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - debian/patches/kfreebsd/submitted-auxv.diff: refreshed.
     - debian/patches/any/local-CVE-2024-2961-iso-2022-cn-ext.diff: upstreamed.
     - debian/patches/any/local-CVE-2024-33599-nscd.diff: upstreamed.
     - debian/patches/any/local-CVE-2024-33600-nscd.diff: upstreamed.
     - debian/patches/any/local-CVE-2024-33601-33602-nscd.diff: upstreamed.
     - Fixes ffsll() performance issue depending on code alignment.
     - Fixes memmove/memset on sparc32.
     - Fixes pthread_cancel on sparc32.
     - Fixes a possible crash in _dl_start_user on arm32.
     - Fixes poor malloc/free performance due to lock contentions between
       threads when using core pinning.
     - Uses 64-bit time_t in testsuite on 32-bit systems.
     - Fixes rseq support when built against newer kernel headers.
     - Performance improvements for string functions on arm64.
     - Disables arm64 SVE functions on kernel <= 6.2.0 due to performance
       issues.
     - Fixes ld.so crash on powerpc64* when built with GCC 14.
     - Fixes ld.so crash on amd64 when built with APX enabled.
     - Fixes __WORDSIZE definition on sparc32 with sparcv9.
     - Fixes getutxent() on 32-bit architecture with _TIME_BITS=64.
     - Fixes y2038 regression in nscd following CVE-2024-33601 and
       CVE-2024-33602 fix.
     - Fixes build with --enable-hardcoded-path-in-tests with newer linkers.
     - Fixes crash in wcsncmp() in z13/vector-optimized s390 implementation.
     - Fixes rseq extension mechanism.
     - Fixes misc/tst-preadvwritev2 and misc/tst-preadvwritev64v2 with kernel
       6.9+.
     - Fixes freeing uninitialized memory in libc_freeres_fn().  Closes:
       #1073916.
Checksums-Sha1:
 69928dbd537c9ebf71fe214265a20ed82eeddc56 9761 glibc_2.36-9+deb12u8.dsc
 708cea4e40868bca5139c21c6c5dd8022bee3b5e 882628 glibc_2.36-9+deb12u8.debian.tar.xz
 453adbdc3d7f494b33441079066673ca1c9d8fbd 9821 glibc_2.36-9+deb12u8_source.buildinfo
Checksums-Sha256:
 e70cecffe49d8e792f5744773a2d432b87a541aa19bec34bcca81f6af1c42341 9761 glibc_2.36-9+deb12u8.dsc
 7717540a54107bf1afdd46bad9ada75f1770111b8d533f7412c487beebbfcaaf 882628 glibc_2.36-9+deb12u8.debian.tar.xz
 3bbeafa4ef1b8a1912d9045eee98c2f96458ea53b55ea4729f70a69fed5f1d9d 9821 glibc_2.36-9+deb12u8_source.buildinfo
Files:
 be60d4352072ccfe7c2b14bbbe9ab10e 9761 libs required glibc_2.36-9+deb12u8.dsc
 f499c78da0917b64190aa4274809e321 882628 libs required glibc_2.36-9+deb12u8.debian.tar.xz
 0bc9804cc01bab6b4e7c73d3cafeb638 9821 libs required glibc_2.36-9+deb12u8_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUryGlb40+QrX1Ay4E4jA+JnoM2sFAma9yAcACgkQE4jA+Jno
M2uVKA//Scf4XjyQ2iAaIArsud4eYG5gNYEdnPR7KhqzG5IGYsxLkTvuNYDpqUbq
QWL+crysdgRvRDFgXqR6nZp+TBNx5E1QJIjIN3fjl/0eFKLqi+bziV6IZbH/xwsj
nsrlM9THuAbEn/YnX1oRpkKhHwdMpiHniXWqyJ9gs1TFUgssUHY7ROaIKcYMDgVz
eTp2z3HsEyfubFzepKgddGh5nP3NptFqMoMxM5gLCfitxG1B/h8glem+K63V9Mwn
olkHMMe8jEewwZmKMyG75auxbgmq+dyzlKBzoOVG0Gl2V/69cLwHNVZHeKh0Jnm8
tjnu3zkhQTPkFPzLXrm4PChe3DBWAdQJeot1kzs+YhzbZci7DJMzJ0WK+SPKdvHO
tTNfCPCFsbLpT1PkdpFfP5hFeGkt3LAwqlzd5N5wvuXftleS/E6v1KHoQ7ATd5L4
1cWnwx2ulWVPzXFA4+hefrAbd6nORCYL/6E1W/YchifdUrsOvu7OlWEbfFuGiA6Y
pheF1ld3GlMnIPbH8D3Vl4wkbJCC6rq7jAlUQMgVP6NuOoUAAQnHo7eSW4qm7VrG
wjNINTHLfh1cMEVp2DdWHpHpP6MCuWxh8ZaRhidmUxYVLPBFuSaVEFT4PoYp22QB
ZQ20jV0vZ7Vq8j/Feuwpwh6Mo6KerIxm0aOuyxLTvbaLMGFx7lc=
=TtiX
-----END PGP SIGNATURE-----

Attachment: pgpmSt0xD1Dgd.pgp
Description: PGP signature

--- End Message ---

Reply to:

Prev by Date: glibc_2.31-13+deb11u11_source.changes ACCEPTED into oldstable-proposed-updates
Next by Date: [Git][glibc-team/glibc][sid] debian/debhelper.in/libc-dev.install.hurd-amd64: Add missing libm-2.39.a
Previous by thread: glibc_2.31-13+deb11u11_source.changes ACCEPTED into oldstable-proposed-updates
Next by thread: [Git][glibc-team/glibc][sid] debian/debhelper.in/libc-dev.install.hurd-amd64: Add missing libm-2.39.a
Index(es):
- Date
- Thread