Bug#980037: libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE)

To: submit@bugs.debian.org
Subject: Bug#980037: libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE)
From: Topi Miettinen <toiwoton@gmail.com>
Date: Wed, 13 Jan 2021 12:08:39 +0200
Message-id: <[🔎] 41339287-45d3-797a-411f-88353f21eaaf@gmail.com>
Reply-to: Topi Miettinen <toiwoton@gmail.com>, 980037@bugs.debian.org

Package: libapt-pkg6.0
Version: 2.1.17

I'm using a patched kernel (upstream 5.10.0 +https://patchwork.kernel.org/project/linux-mm/patch/20201220180656.43843-1-toiwoton@gmail.com/)where mremap() always remaps memory to a different address to improveaddress space layout randomization, when remapping is allowed by thecaller with MREMAP_MAYMOVE flag and sysctl randomize_va_space is set tonew value of 3. Remapping the memory may happen also with non-patchedkernels too but it's much rarer event.


This seems to expose a bug in apt:

$ strace apt search apt
read(6, "led-Size: 289\nMaintainer: Debian"..., 32682) = 32682
read(6, " 30d94c7e581c7b46aa62d229ee7654f"..., 32116) = 32116
mremap(0x7e59a35ac000, 33554432, 34603008, MREMAP_MAYMOVE) = 0x5c24c86c3000

--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR,si_addr=0x7e59a5593e80} ---

+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

The address 0x7e59a5593e80 refers to old memory area, which may not beaccessed after remapping.


$ gdb apt
(gdb) r search apt
Starting program: /usr/bin/apt search apt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 27645]
[Detaching after fork from child process 27646]
[Detaching after fork from child process 27647]
[Detaching after fork from child process 27648]

Program received signal SIGSEGV, Segmentation fault.

0x00007090d7a60f1c in pkgCacheGenerator::NewVersion(this=this@entry=0x26c5ff9fc990, Ver=..., VerStr=..., ParentPkg=...,Hash=Hash@entry=1269831082, Next=...) at ../apt-pkg/pkgcachegen.cc:876

warning: Source file is more recent than executable.
876        Ver->d = AllocateInMap<pkgCache::Version::Extra>();

It looks like DynamicMMap::Grow() is always called with Flags havingMovable flag set and then MREMAP_MAYMOVE is used. I suppose the bugcould be temporarily avoided by never setting Movable flag, but a betterfix would involve avoiding the accesses to old and invalid memory areas.


-Topi

Reply to:

Follow-Ups:
- Bug#980037: libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE)
  - From: Julian Andres Klode <jak@debian.org>
- Processed: Bug#980037 marked as pending in apt
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#980037: marked as done (libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE))
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Re: [INTL] I'm puzzled about the exact meaning of one string in apt doc 2.1.16
Next by Date: Re: [INTL] I'm puzzled about the exact meaning of one string in apt doc 2.1.16
Previous by thread: Re: [INTL] I'm puzzled about the exact meaning of one string in apt doc 2.1.16
Next by thread: Bug#980037: libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE)
Index(es):
- Date
- Thread