
[christian@jaeger.mine.nu: Bug#496125: [xml/sgml-pkgs] Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)]



> Christian DEBARBIERI wrote:
> I've narrowed the problem down a bit more.
> dmesg reports SEGFAULTs for python and gnome-panel in
> libc-2.7.so
> 
> Probably a python update in sid.
> I'm looking at switching to the lenny version.
> 
> Cheers.

This mail discusses it, among other things. The author mentions trying a
switch to Lenny, as you did, to get around the hang.

-- 
Stéphane Aulery                            Melius est parum cum justitia
<lkppo@free.fr>                        Quam multi fructus cum iniquitate
                                                             (Pr. XV, 8)
--- Begin Message ---
Christian Jaeger wrote:
Mike Hommey wrote:
Could you check what svg file is being opened here[1], and check what
xmllint has to say about it? (Theoretically, it should segfault too.)

Hm, I'm still seeing segfaults, now when *quitting* Galeon (but only in ~10% of cases).

I would be glad for a way to run an application under gdb so that when it segfaults a "bt full" is spit automatically to a file I give, i.e. some "with-gdb-backtrace-to $file $app $arguments". Can't get that to run right now, and copy pasting from the console is tedious and I'm not sure it's even broken in some cases (by that builtin pager that I cannot seem to get switched off).

Ok, got such a script to work now (I've put it up at http://christian.jaeger.mine.nu/scratch/gdb/with-gdb-backtrace-to). But interestingly the problem I'm seeing when quitting Galeon does not happen when run under gdb from the start. D'oh.

So when I start Galeon (/usr/bin/galeon fewfwef) (since the segfault on quit only happens when I first open an url), then attach with gdb and then quit it:

$ gdb /usr/bin/galeon $galeonpid
..
(gdb) cont
Continuing.
# now I quit galeon from Galeon's menu
[Thread 0x41838950 (LWP 15524) exited]
[Thread 0x40b4e950 (LWP 15525) exited]
[Thread 0x42294950 (LWP 15520) exited]
[Thread 0x43a97950 (LWP 15529) exited]
[Thread 0x43296950 (LWP 15528) exited]
[Thread 0x44298950 (LWP 15530) exited]
[Thread 0x42a95950 (LWP 15523) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f0ea72fa780 (LWP 15517)]
0x00007f0ea2e12a67 in malloc_consolidate () from /lib/libc.so.6
# backtrace see attachment (although from a different run, thus addresses will not be the same)
(gdb) cont
Continuing.
^C^C^C^C
# I can't get gdb to stop Galeon anymore, I have to kill -9 $galeonpid. Strange.



strace -p $galeonpid shows

futex(0x7fa43612f9e0, FUTEX_WAIT_PRIVATE, 2, NULL

Running "strace /usr/bin/galeon" will get strace killed by glibc because of:

...
[pid 15677] read(32, "\375\375\375\377QQQ\371\t\t\t\317\0\0\0\27\0\0\0\4\0\0\0\10\0\0\0003\0\0\0005\0"..., 4096) = 4096
[pid 15677] lseek(32, 73728, SEEK_SET)  = 73728
[pid 15677] close(32)                   = 0
[pid 15677] munmap(0x7f7933a12000, 4096) = 0
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000006567d0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fc387300968]
/lib/libc.so.6[0x7fc38730369f]
/lib/libc.so.6(__libc_malloc+0x98)[0x7fc387304a98]
strace[0x408380]
strace[0x4058de]
strace[0x404616]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fc3872ab1a6]
strace[0x401f69]
======= Memory map: ========
[pid 15677] select(Aborted


Well, I seem to be fighting with about the 4th bug right now while looking into the "gnome breakage from yesterday" problem. Strange, could this all be related, i.e. some upgrade to glibc (introducing some malloc breakage) breaking everything else?

I'm attaching the backtrace as file "galeon-backtrace-on-quit.txt".

This mail has all been with the older libxml2, 2.6.32.dfsg-2. I'll write another mail when I get to install 2.6.32.dfsg-2+lenny again. Any news on your front?

Christian.

#0  0x00007f387cceba67 in malloc_consolidate () from /lib/libc.so.6
No symbol table info available.
#1  0x00007f387ccee2e6 in _int_malloc () from /lib/libc.so.6
No symbol table info available.
#2  0x00007f387ccefa98 in malloc () from /lib/libc.so.6
No symbol table info available.
#3  0x00007f3874b6adb9 in PL_DHashTableInit (table=0x7fff8930f288, ops=0x7f387cfc69f8, data=<value optimized out>, entrySize=<value optimized out>, capacity=10313776) at pldhash.c:243
	log2 = 15818384
	nbytes = 524288
#4  0x00007f3874ba370f in GCGraphBuilder (this=0x7fff8930f250, aGraph=<value optimized out>, aRuntimes=<value optimized out>) at nsCycleCollector.cpp:1269
No locals.
#5  0x00007f3874ba3d5e in nsCycleCollector::BeginCollection (this=0x7f38811b2010) at nsCycleCollector.cpp:2310
	builder = {<nsCycleCollectionTraversalCallback> = {_vptr.nsCycleCollectionTraversalCallback = 0x7f38752b6290}, mNodeBuilder = {mNextBlock = 0x7f38811b2080, mNext = @0x7f38811b2088, mBlockEnd = 0x0}, mEdgeBuilder = {mCurrent = 0x7f38811b2090, mBlockEnd = 0x7f38811b2090, mNextBlockPtr = 0x7f38811b2098}, mPtrToNodeMap = {ops = 0x7f38752e28a0, data = 0x0, hashShift = 17, maxAlphaFrac = 192 'À', minAlphaFrac = 64 '@', entrySize = 16, entryCount = 0, removedCount = 0, generation = 0, entryStore = 0x84b8c0 "\002"}, mCurrPi = 0x7fff8930f470, mRuntimes = 0x7f38811b2020}
#6  0x00007f387446d9fe in XPCCycleCollectGCCallback (cx=0x8801f0, status=JSGC_MARK_END) at nsXPConnect.cpp:440
	ok = <value optimized out>
#7  0x00007f38753339f5 in ?? () from /usr/lib/xulrunner-1.9/libmozjs.so
No symbol table info available.
#8  0x00007f387446cdf4 in nsXPConnect::Collect (this=0x87a210) at nsXPConnect.cpp:529
	cycleCollectionContext = {<nsAXPCNativeCallContext> = {_vptr.nsAXPCNativeCallContext = 0x7f387515f140}, mState = XPCCallContext::HAVE_CONTEXT, mXPC = 0x87a210, mThreadData = 0x84b6a0, mXPCContext = 0x8808f0, mJSContext = 0x8801f0, mContextPopRequired = 1, mDestroyJSContextInDestructor = 0, mCallerLanguage = XPCContext::LANG_NATIVE, mPrevCallerLanguage = XPCContext::LANG_UNKNOWN, mPrevCallContext = 0x0, mOperandJSObject = 0x2f720, mCurrentJSObject = 0x20, mFlattenedJSObject = 0x80, mWrapper = 0x7fff8930f5f8, mTearOff = 0x7f3874bf3eb0, mScriptableInfo = 0x12a13d0, mSet = 0x900000068, mInterface = 0x75706d6f00000004, mMember = 0x20, mName = 139880591813088, mStaticMemberIsLocal = 18089984, mArgc = 0, mArgv = 0x7fff89310b10, mRetVal = 0x7fff8930f5f8, mExceptionWasThrown = -2128928752, mReturnValueWasSet = 32568, mMethodIndex = 0, mCallee = 0x0, mStringWrapperData = "\005\000\000\000\000\000\000\000p°y\000\000\000\000\000\000\000\000\0008\177\000\000 s1\211ÿ\177\000\000PÁ¶t8\177\000\000\000\000\000\000\000\000\000"}
	cx = (JSContext *) 0x8801f0
#9  0x00007f3874ba3ebe in nsCycleCollector::Collect (this=0x7f38811b2010, aTryCollections=5) at nsCycleCollector.cpp:2250
	collected = 13115424
	obs = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
	whiteNodes = {<nsTPtrArray<PtrInfo>> = {<nsTArray<PtrInfo*>> = {<nsTArray_base> = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0x7fff8930f618}, <No data fields>}, <No data fields>}, mAutoBuf = "\000\000\000\000 \017\000\200`\rý\000\000\000\000\000\001\000\000\000\000\000\000\000\000\0371\211ÿ\177\000\000ð\0361\211ÿ\177\000\000°\026\021\001", '\0' <repeats 28 times>, "`Ã+\001\000\000\000\000r\000\000\000q\000\000\000\000\000\000\000\002\000\000\000?\000\000\000>\000\000\000`Ã+\001\000\000\000\000r\000\000\000q\000\000\000\000\000\000\000\002\000\000\000?\000\000\000>", '\0' <repeats 11 times>, "Ð\023*\001\000\000\000\000p\236\031\001\000\000\000\000Ù§at8\177\000\000 \t1\211ÿ\177\000\000\020Ã+\001\000\000\000\000\000\n1\211ÿ\177\000\000\020Ã+\001\000\000\000\000\000\b\024\001\000\000\000\000×ãat8\177\000\000x\v1"...}
	totalCollections = 0
#10 0x00007f3874ba3fec in nsCycleCollector::Shutdown (this=0x7f387cfc69e0) at nsCycleCollector.cpp:2471
No locals.
#11 0x00007f3874ba400a in nsCycleCollector_shutdown () at nsCycleCollector.cpp:2932
No locals.
#12 0x00007f3874b7328f in NS_ShutdownXPCOM_P (servMgr=0x0) at nsXPComInit.cpp:811
	rv = <value optimized out>
	moduleLoaders = {<nsCOMPtr_base> = {mRawPtr = 0x1003900}, <No data fields>}
#13 0x00007f38744663f4 in XRE_TermEmbedding () at nsEmbedFunctions.cpp:160
No locals.
#14 0x00007f3874459604 in EmbedPrivate::PopStartup () at EmbedPrivate.cpp:565
No locals.
#15 0x000000000047cdd6 in ?? ()
No symbol table info available.
#16 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
	object = (GObject *) 0x79a8c0
	__PRETTY_FUNCTION__ = "IA__g_object_unref"
#17 0x0000000000443045 in ?? ()
No symbol table info available.
#18 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
	object = (GObject *) 0x76bc30
	__PRETTY_FUNCTION__ = "IA__g_object_unref"
#19 0x00007f387da41e98 in IA__g_object_unref (_object=<value optimized out>) at /build/buildd/glib2.0-2.16.4/gobject/gobject.c:1793
	object = (GObject *) 0xc82020
	__PRETTY_FUNCTION__ = "IA__g_object_unref"
#20 0x00007f387ee1224b in IA__gtk_main_do_event (event=0x12b7c30) at /scratch/build-area/gtk+2.0-2.12.11/gtk/gtkmain.c:1556
	event_widget = (GtkWidget *) 0xc82020
	grab_widget = (GtkWidget *) 0xc82020
	window_group = (GtkWindowGroup *) 0x0
	rewritten_event = (GdkEvent *) 0x0
	tmp_list = <value optimized out>
	__PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#21 0x00007f387ea73f8c in gdk_event_dispatch (source=<value optimized out>, callback=<value optimized out>, user_data=<value optimized out>) at /scratch/build-area/gtk+2.0-2.12.11/gdk/x11/gdkevents-x11.c:2351
	display = <value optimized out>
	event = <value optimized out>
#22 0x00007f387d7aa892 in IA__g_main_context_dispatch (context=0x792540) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2012
No locals.
#23 0x00007f387d7ae01d in g_main_context_iterate (context=0x792540, block=1, dispatch=1, self=<value optimized out>) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2645
	max_priority = 2147483647
	timeout = 3510
	some_ready = 1
	nfds = 12
	allocated_nfds = <value optimized out>
	fds = (GPollFD *) 0x103bf50
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#24 0x00007f387d7ae54d in IA__g_main_loop_run (loop=0xc0d410) at /build/buildd/glib2.0-2.16.4/glib/gmain.c:2853
	self = (GThread *) 0x75ee20
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#25 0x00007f387f74f336 in bonobo_main () from /usr/lib/libbonobo-2.so.0
No symbol table info available.
#26 0x000000000043d7b3 in main ()
No symbol table info available.

--- End Message ---
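A script of the kind the forwarded mail asks for, added here as an example (it is not the script published at the URL above and not part of the original message): it runs a program under gdb in batch mode, or attaches to an already running PID as in the Galeon session above, and when the process stops on a signal writes "thread apply all bt full" (the multi-threaded form of "bt full") to the given file with gdb's pager switched off, then kills the process so nothing is left hanging. The function names and the -p option are assumptions.

```shell
#!/bin/sh
# Constructed example, not the author's script: capture a full gdb backtrace
# to a file when a program (or an attached PID) dies with a signal.

# gdb_commands OUTFILE MODE  (MODE is "run" or "attach"): print the gdb batch script.
gdb_commands() {
    out=$1
    mode=$2
    # "run" starts a fresh process; after attaching it is already stopped, so continue.
    if [ "$mode" = attach ]; then go=continue; else go=run; fi
    cat <<EOF
set pagination off
set confirm off
set logging file $out
set logging overwrite on
set logging redirect on
set logging on
$go
thread apply all bt full
set logging off
kill
EOF
}

# with_gdb_backtrace_to OUTFILE PROGRAM [ARGS...]  -> run PROGRAM under gdb
# with_gdb_backtrace_to OUTFILE -p PID             -> attach to a running process
with_gdb_backtrace_to() {
    out=$1; shift
    command -v gdb >/dev/null 2>&1 || { echo "gdb not found in PATH" >&2; return 127; }
    cmdfile=$(mktemp) || return 1
    if [ "$1" = -p ]; then
        gdb_commands "$out" attach >"$cmdfile"
        gdb -q -batch -x "$cmdfile" -p "$2"
    else
        gdb_commands "$out" run >"$cmdfile"
        gdb -q -batch -x "$cmdfile" --args "$@"
    fi
    rc=$?
    rm -f "$cmdfile"
    return $rc
}
```

If the process exits normally there is no stack to print; gdb then aborts the rest of the command file and exits non-zero, and the output file holds only the run log.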
