Memory corruption in getpwnam, gethostbyname - what component is this?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have a habit of setting:

  export GLIBC_TUNABLES=glibc.malloc.check=1:glibc.malloc.perturb=99

which causes glibc to do extra malloc integrity checks.  In Rawhide at
the moment I'm seeing memory corruption in calls like getpwnam and
gethostbyname.  Unfortunately I don't have a simple reproducer yet,
but two example stack traces are below.  I have the latest glibc and
systemd.

Questions: Has anyone seen this before, and what component should I
file the bug against?

Rich.

Core was generated by `tar -C /var/tmp/supermin36875b.tmpdir/base.d -xf -'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
39    magic = (((uintptr_t) p >> 3) ^ ((uintptr_t) p >> 11)) & 0xFF;
(gdb) bt
#0  malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
#1  malloc_usable_size (mem=0x0) at malloc-debug.c:405
#2  0x00007f0eed847f1a in varlink_read (v=0x55c537e3e1c0)
    at ../src/shared/varlink.c:508
#3  varlink_process.isra.0 (v=0x55c537e3e1c0) at ../src/shared/varlink.c:959
#4  0x00007f0eed83790a in defer_callback (s=<optimized out>, 
    userdata=<optimized out>) at ../src/shared/varlink.c:1862
#5  0x00007f0eed840e21 in source_dispatch (s=0x55c537e471c0)
    at ../src/libsystemd/sd-event/sd-event.c:3544
#6  0x00007f0eed834d4c in sd_event_dispatch (e=<optimized out>)
    at ../src/libsystemd/sd-event/sd-event.c:4078
#7  sd_event_run (timeout=18446744073709551615, e=<optimized out>)
    at ../src/libsystemd/sd-event/sd-event.c:4139
#8  userdb_process.part.0.lto_priv.0 (iterator=0x55c537e3e410, 
    ret_user_record=0x7ffc22b7dd98, ret_group_record=0x0, ret_user_name=0x0, 
    ret_group_name=0x0) at ../src/shared/userdb.c:594
#9  0x00007f0eed836212 in userdb_process (ret_group_name=0x0, 
    ret_user_name=0x0, ret_group_record=0x0, ret_user_record=0x7ffc22b7dd98, 
    iterator=0x55c537e3e410) at ../src/shared/userdb.c:530
#10 userdb_by_name (name=0x55c537e39109 "mockbuild", flags=9, 
    ret=0x7ffc22b7dd98) at ../src/shared/userdb.c:640
#11 0x00007f0eed81cb2c in userdb_getpwnam (errnop=<synthetic pointer>, 
    buflen=1024, buffer=0x55c537e37370 "debuginfod", 
    pwd=0x7f0eee3ee520 <resbuf>, name=0x55c537e39109 "mockbuild")
    at ../src/nss-systemd/userdb-glue.c:20
#12 _nss_systemd_getpwnam_r (name=0x55c537e39109 "mockbuild", 
    pwd=0x7f0eee3ee520 <resbuf>, buffer=0x55c537e37370 "debuginfod", 
    buflen=1024, errnop=0x7f0eee143690) at ../src/nss-systemd/nss-systemd.c:330
#13 0x00007f0eee2c7f00 in __getpwnam_r (
    name=name@entry=0x55c537e39109 "mockbuild", 
    resbuf=resbuf@entry=0x7f0eee3ee520 <resbuf>, buffer=<optimized out>, 
    buflen=buflen@entry=1024, result=result@entry=0x7ffc22b7df30)
    at ../nss/getXXbyYY_r.c:273
#14 0x00007f0eee2c7964 in getpwnam (name=name@entry=0x55c537e39109 "mockbuild")
    at ../nss/getXXbyYY.c:135
#15 0x000055c5360ad519 in uname_to_uid (
    uname=uname@entry=0x55c537e39109 "mockbuild", 
    uidp=uidp@entry=0x55c5361043b4 <current_stat_info+116>)
    at /usr/src/debug/tar-1.34-2.fc35.x86_64/src/names.c:545
#16 0x000055c5360adcb0 in decode_header (header=0x55c537e39000, 
    stat_info=stat_info@entry=0x55c536104340 <current_stat_info>, 
    format_pointer=format_pointer@entry=0x55c5361042c8 <current_format>, 
    do_user_group=do_user_group@entry=1)
    at /usr/src/debug/tar-1.34-2.fc35.x86_64/src/list.c:698
#17 0x000055c5360b1a41 in read_and (
    do_something=0x55c53609cc40 <extract_archive>)
    at /usr/src/debug/tar-1.34-2.fc35.x86_64/src/list.c:194
#18 0x000055c536090fce in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/tar-1.34-2.fc35.x86_64/src/tar.c:2806


Core was generated by `/home/rjones/d/nbdkit/server/nbdkit -v -P test-vddk-real.pid -U /tmp/nbdkit-tes'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
39    magic = (((uintptr_t) p >> 3) ^ ((uintptr_t) p >> 11)) & 0xFF;
[Current thread is 1 (Thread 0x7f24e77c3640 (LWP 1291663))]
#0  malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
#1  malloc_usable_size (mem=0x0) at malloc-debug.c:405
#2  0x00007f24e6fa999b in greedy_realloc0 (p=p@entry=0x7f24e77c10b0, 
    need=need@entry=2, size=size@entry=16) at ../src/basic/alloc-util.c:87
#3  0x00007f24e6fa9b13 in netlink_container_parse (m=m@entry=0x55ef631e2f90, 
    container=0x55ef631e2fa0, rta=0x55ef631ed208, rt_len=<optimized out>)
    at ../src/libsystemd/sd-netlink/netlink-message.c:1078
#4  0x00007f24e6fad7ec in sd_netlink_message_rewind (genl=<optimized out>, 
    m=<optimized out>) at ../src/libsystemd/sd-netlink/netlink-message.c:1324
#5  socket_read_message (rtnl=<optimized out>)
    at ../src/libsystemd/sd-netlink/netlink-socket.c:375
#6  sd_netlink_read (usec=0, ret=0x7f24e77c1290, serial=<optimized out>, 
    rtnl=<optimized out>) at ../src/libsystemd/sd-netlink/sd-netlink.c:700
#7  sd_netlink_call (rtnl=<optimized out>, message=<optimized out>, 
    ret=0x7f24e77c1290, usec=0)
    at ../src/libsystemd/sd-netlink/sd-netlink.c:743
#8  0x00007f24e6fb018e in local_addresses (af=2, ret=0x7f24e77c1368, 
    ifindex=0, context=0x0) at ../src/shared/local-addresses.c:90
#9  0x00007f24e6fb10b9 in _nss_myhostname_gethostbyname3_r (
    name=<optimized out>, af=<optimized out>, host=0x7f24e77c1590, 
    buffer=0x7f24e77c1740 "\177", buflen=1024, errnop=0x7f24e77c34b8, 
    h_errnop=0x7f24e77c1584, ttlp=0x0, canonp=0x0)
    at ../src/nss-myhostname/nss-myhostname.c:373
#10 0x00007f24e6fb13cb in _nss_myhostname_gethostbyname_r (
    name=0x7f24e77c15f1 "pick.home.annexia.org", host=0x7f24e77c1590, 
    buffer=0x7f24e77c1740 "\177", buflen=1024, errnop=0x7f24e77c34b8, 
    h_errnop=0x7f24e77c1584) at ../src/nss-myhostname/nss-myhostname.c:514
#11 0x00007f24ed6c523b in __gethostbyname_r (
    name=0x7f24e77c15f1 "pick.home.annexia.org", resbuf=0x7f24e77c1590, 
    buffer=<optimized out>, buflen=1024, result=<optimized out>, 
    h_errnop=0x7f24e77c1584) at ../nss/getXXbyYY_r.c:273
[stack goes into some proprietary code after this point]

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux