Bug#1022185: nfs-utils: blkmapd crash

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1022185: nfs-utils: blkmapd crash
From: Andreas Hasenack <andreas@canonical.com>
Date: Fri, 21 Oct 2022 11:57:04 -0300
Message-id: <[🔎] CANYNYEHJhdSmr=YrLzhrk4jcfRF=r5gwFyW1EsMBXD8gUOYuOQ@mail.gmail.com>
Reply-to: Andreas Hasenack <andreas@canonical.com>, 1022185@bugs.debian.org

Package: nfs-utils
Version: 1:2.6.2-1+b1
Severity: normal

Dear Maintainer,

Under certain conditions, blkmapd can crash due to calling free() on a
pointer that wasn't malloc()ed. The reproducer I list below using a
debian sid VM went as far as isolating it to having LVM Logical
Volumes on SCSI disks, but this does not exclude other scenarios.

The struct bl_serial *serial structure is allocated via
bl_create_scsi_string() which does a malloc for it, but the code later
on was doing a free() on the data element of this structure and only
then on the structure itself. That first free() is incorrect, as the
data element was never malloc()ed separatedly.

This was first brought up by lixiaokeng via
https://www.spinics.net/lists/linux-nfs/msg87598.html, but not
acknowledged back then.

Here is a reproducer using a VM. It assumes you can add a SCSI disk to
it, which in my steps below is /dev/sdb.

# apt install nfs-kernel-server lvm2
# systemctl stop nfs-blkmapd.service
# pvcreate /dev/sdb
# vgcreate vg0 /dev/sdb
# lvcreate -ntest -L100M vg0
# blkmapd -f
blkmapd: open pipe file /run/rpc_pipefs/nfs/blocklayout failed: No
such file or directory
double free or corruption (out)
Aborted

Note the message about blocklayout is not relevant for this bug.

In gdb:
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>,
signo=signo@entry=6, no_tid=no_tid@entry=0) at
./nptl/pthread_kill.c:44
#1  0x00007ffff7c895df in __pthread_kill_internal (signo=6,
threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  0x00007ffff7c3da02 in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
#3  0x00007ffff7c28469 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007ffff7c7d888 in __libc_message
(action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7db66fb "%s\n") at
../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff7c9322a in malloc_printerr
(str=str@entry=0x7ffff7db9340 "double free or corruption (out)") at
./malloc/malloc.c:5659
#6  0x00007ffff7c95198 in _int_free (av=0x7ffff7df4c60 <main_arena>,
p=0x555555567ad0, have_lock=<optimized out>, have_lock@entry=0) at
./malloc/malloc.c:4583
#7  0x00007ffff7c978df in __GI___libc_free (mem=<optimized out>) at
./malloc/malloc.c:3386
#8  0x000055555555745e in bl_add_disk (filepath=0x7fffffffd2b0
"/dev/dm-0") at ./utils/blkmapd/device-discovery.c:245
#9  bl_discover_devices () at ./utils/blkmapd/device-discovery.c:276
#10 0x00005555555567cd in main (argc=<optimized out>, argv=<optimized
out>) at ./utils/blkmapd/device-discovery.c:558

The crash is caused by this erroneous free on a pointer that is not
malloc()ed:  https://salsa.debian.org/kernel-team/nfs-utils/-/blob/master/utils/blkmapd/device-discovery.c#L245

I sent a ping to upstream again[1], and in Ubuntu for now I'll just
remove the faulty free(serial->data) in the 3 places in that function.


1. https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/T/#u

Reply to:

Follow-Ups:
- Bug#1022185: nfs-utils: blkmapd crash
  - From: Diederik de Haas <didi.debian@cknow.org>
- Processed: Re: Bug#1022185: nfs-utils: blkmapd crash
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: linux-signed-i386_6.0.2+1.b1_source.changes ACCEPTED into unstable
Next by Date: Bug#1022068: linux: kernel NULL pointer dereference in nouveau driver on Thinkpad W541
Previous by thread: linux-signed-i386_6.0.2+1.b1_source.changes ACCEPTED into unstable
Next by thread: Bug#1022185: nfs-utils: blkmapd crash
Index(es):
- Date
- Thread