
Bug#980037: marked as done (libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE))



Your message dated Wed, 13 Jan 2021 17:03:33 +0000
with message-id <E1kzjYT-000J0i-82@fasolo.debian.org>
and subject line Bug#980037: fixed in apt 2.1.18
has caused the Debian Bug report #980037,
regarding libapt tries to access old memory area after mremap(,,MREMAP_MAYMOVE)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
980037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980037
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libapt-pkg6.0
Version: 2.1.17

I'm using a patched kernel (upstream 5.10.0 + https://patchwork.kernel.org/project/linux-mm/patch/20201220180656.43843-1-toiwoton@gmail.com/) where mremap() always remaps memory to a different address to improve address space layout randomization, when remapping is allowed by the caller with the MREMAP_MAYMOVE flag and sysctl randomize_va_space is set to the new value of 3. Remapping the memory may also happen with non-patched kernels, but it is a much rarer event.

This seems to expose a bug in apt:

$ strace apt search apt
read(6, "led-Size: 289\nMaintainer: Debian"..., 32682) = 32682
read(6, " 30d94c7e581c7b46aa62d229ee7654f"..., 32116) = 32116
mremap(0x7e59a35ac000, 33554432, 34603008, MREMAP_MAYMOVE) = 0x5c24c86c3000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7e59a5593e80} ---
+++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

The address 0x7e59a5593e80 refers to the old memory area, which may not be accessed after remapping.

$ gdb apt
(gdb) r search apt
Starting program: /usr/bin/apt search apt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 27645]
[Detaching after fork from child process 27646]
[Detaching after fork from child process 27647]
[Detaching after fork from child process 27648]

Program received signal SIGSEGV, Segmentation fault.
0x00007090d7a60f1c in pkgCacheGenerator::NewVersion (this=this@entry=0x26c5ff9fc990, Ver=..., VerStr=..., ParentPkg=..., Hash=Hash@entry=1269831082, Next=...) at ../apt-pkg/pkgcachegen.cc:876
warning: Source file is more recent than executable.
876        Ver->d = AllocateInMap<pkgCache::Version::Extra>();

It looks like DynamicMMap::Grow() is always called with Flags having the Movable flag set, and then MREMAP_MAYMOVE is used. I suppose the bug could be temporarily avoided by never setting the Movable flag, but a better fix would involve avoiding the accesses to old and invalid memory areas.

-Topi

--- End Message ---
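The dangling-pointer pattern behind this crash, shown as an added example rather than apt's own code (the arena, version, arena_alloc and link_extra names are assumed): objects in a growable mmap'd region refer to each other by offset, growth goes through mremap() with MREMAP_MAYMOVE, and the move is forced with MREMAP_FIXED to mimic the always-relocating kernel described above, so any pointer computed before the allocation would target the unmapped old area.

```c
#define _GNU_SOURCE            /* mremap(), MREMAP_MAYMOVE, MREMAP_FIXED */
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
/* Hypothetical growable mmap arena (names assumed, not apt's code): objects
 * live inside the mapping and refer to each other by offset, like apt's cache. */
struct arena { char *base; size_t size, used; };
struct version { uint32_t extra_off; };   /* stands in for Ver->d */

/* Grow the mapping. MREMAP_MAYMOVE lets the kernel relocate it; MREMAP_FIXED to a
 * freshly reserved address forces the move every time, so the old base is gone. */
static int arena_grow(struct arena *a, size_t newsize) {
    void *dst = mmap(NULL, newsize, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (dst == MAP_FAILED) return -1;
    void *p = mremap(a->base, a->size, newsize, MREMAP_MAYMOVE | MREMAP_FIXED, dst);
    if (p == MAP_FAILED) return -1;
    a->base = p; a->size = newsize;
    return 0;
}

/* Bump allocator returning an offset; may grow (and therefore move) the map. */
static size_t arena_alloc(struct arena *a, size_t n) {
    if (a->used + n > a->size && arena_grow(a, 2 * a->size) != 0) return (size_t)-1;
    size_t off = a->used; a->used += n;
    return off;
}

/* Safe form of `Ver->d = AllocateInMap<Extra>()`: allocate first, then derive
 * the Version pointer from its offset and the *current* base. A pointer taken
 * before arena_alloc() would point into the unmapped old area, as in the crash. */
static int link_extra(struct arena *a, size_t ver_off) {
    size_t extra = arena_alloc(a, 64);
    if (extra == (size_t)-1) return -1;
    ((struct version *)(a->base + ver_off))->extra_off = (uint32_t)extra;
    return 0;
}

/* Fill one page so the Extra allocation must grow the map. Returns 1 if the
 * map moved and the link is still correct, 0 if it did not move, -1 on error. */
static int demo(void) {
    struct arena a = { mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0), 4096, 0 };
    if (a.base == MAP_FAILED) return -1;
    char *old_base = a.base;
    size_t ver = arena_alloc(&a, sizeof(struct version));
    arena_alloc(&a, 4096 - sizeof(struct version));   /* exhaust the page */
    if (link_extra(&a, ver) != 0) return -1;
    int r = ((struct version *)(a.base + ver))->extra_off == 4096 ? (a.base != old_base) : -1;
    munmap(a.base, a.size);
    return r;
}
```

Linux only; on an unpatched kernel a plain MREMAP_MAYMOVE call may grow in place, which is why the report's randomize_va_space=3 setting exposed the bug so reliably.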
--- Begin Message ---
Source: apt
Source-Version: 2.1.18
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980037@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 13 Jan 2021 17:37:30 +0100
Source: apt
Architecture: source
Version: 2.1.18
Distribution: unstable
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 980037
Changes:
 apt (2.1.18) unstable; urgency=high
 .
   * pkgcachegen: Avoid write to old cache for Version::Extra (Closes: #980037)
   * Adjust apt-mark test for dpkg 1.20.7


--- End Message ---
