[Bug locale/24677] New: free error in __libio_codecvt_out with e.g. UTF-8 locales

https://sourceware.org/bugzilla/show_bug.cgi?id=24677

            Bug ID: 24677
           Summary: free error in __libio_codecvt_out with e.g. UTF-8
                    locales
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: manuel.lauss at gmail dot com
  Target Milestone: ---

On current glibc head:

# LC_ALL=C rev << EOF
> lksdlkfskjld
> EOF
dljksfkldskl

# LC_ALL=de_AT.UTF-8 rev << EOF
lksdlkfskjld
EOF
dljksfkldskl
free(): double free detected in tcache 2
Aborted (core dumped)


(gdb) bt
#0  0x00007f65a7182a7a in __libio_codecvt_out
(codecvt=codecvt@entry=0x7f65a72bd8e8 <_IO_wide_data_1+104>, statep=<optimized
out>,
    from_start=from_start@entry=0x1f1a6f0 L"3.21.5-eroctq/tq-ved\n",
from_end=from_end@entry=0x1f1a744 L"",
from_stop=from_stop@entry=0x7ffd55b12890,
    to_start=<optimized out>, to_end=0x7ffd55b128b0 "", to_stop=0x7ffd55b12898)
at iofwide.c:135
#1  0x00007f65a7182107 in __GI__IO_wdo_write (fp=fp@entry=0x7f65a72be6a0
<_IO_2_1_stdout_>, data=0x1f1a6f0 L"3.21.5-eroctq/tq-ved\n", to_do=21) at
wfileops.c:75
#2  0x00007f65a7187bc5 in _IO_new_file_close_it (fp=fp@entry=0x7f65a72be6a0
<_IO_2_1_stdout_>) at fileops.c:136
#3  0x00007f65a717a9cc in _IO_new_fclose (fp=0x7f65a72be6a0 <_IO_2_1_stdout_>)
at iofclose.c:53
#4  0x00000000004017ae in ?? ()
#5  0x00007f65a7144f13 in __run_exit_handlers (status=0, listp=0x7f65a72bd718
<__exit_funcs>, run_list_atexit=run_list_atexit@entry=true,
    run_dtors=run_dtors@entry=true) at exit.c:108
#6  0x00007f65a71450ca in __GI_exit (status=<optimized out>) at exit.c:139
#7  0x00007f65a712e1d2 in __libc_start_main (main=0x4011f0, argc=1,
argv=0x7ffd55b12ab8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>,
    stack_end=0x7ffd55b12aa8) at ../csu/libc-start.c:342
#8  0x00000000004016ba in ?? ()

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This looks to me like a double-free bug in rev:

==21== Invalid read of size 8
==21==    at 0x48C62ED: __libio_codecvt_out (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x48C59D6: _IO_wdo_write (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x48CB4DC: _IO_file_close_it@@GLIBC_2.2.5 (in
/usr/lib64/libc-2.29.9000.so)
==21==    by 0x48BE655: fclose@@GLIBC_2.2.5 (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x1099E1: close_stream (closestream.h:24)
==21==    by 0x1099E1: close_stdout (closestream.h:42)
==21==    by 0x4887C06: __run_exit_handlers (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x4887DBF: exit (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x4871199: (below main) (in /usr/lib64/libc-2.29.9000.so)
==21==  Address 0x4a1c9f0 is 0 bytes inside a block of size 208 free'd
==21==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==21==    by 0x48733CE: __gconv_close_transform (in
/usr/lib64/libc-2.29.9000.so)
==21==    by 0x48BE6C0: fclose@@GLIBC_2.2.5 (in /usr/lib64/libc-2.29.9000.so)
==21==    by 0x10968F: main (rev.c:176)

It's similar to the gnulib issue discussed here (and in subsequent months):
https://lists.gnu.org/r/bug-gnulib/2019-04/msg00059.html

But the util-linux rev case is slightly different because there is a genuine
double-free on stdin here.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

--- Comment #2 from Manuel Lauss <manuel.lauss at gmail dot com> ---
> But the util-linux rev case is slightly different because there is a genuine
> double-free on stdin here.

It can also be triggered with files:

# rev test.txt
rentner
free(): double free detected in tcache 2
Aborted (core dumped)
# LC_ALL=C rev test.txt
rentner
#

Why does setting locale to C not trigger the free error?

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://github.com/karelzak
                   |                            |/util-linux/issues/807

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Manuel Lauss <manuel.lauss at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Manuel Lauss <manuel.lauss at gmail dot com> ---
Oh, now I see it, never mind.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
   Last reconfirmed|                            |2019-06-13
         Resolution|INVALID                     |---
     Ever confirmed|0                           |1

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
For stdout, this is actually a glibc bug.  This also shows a double-free in
valgrind:

#include <err.h>
#include <locale.h>
#include <stdio.h>
#include <wchar.h>

int
main (void)
{
  /* Take the locale from the environment: a UTF-8 locale selects
     heap-allocated gconv steps, the C locale the static ASCII ones.  */
  if (setlocale (LC_ALL, "") == NULL)
    err (1, "setlocale");
  /* Force wide orientation on the standard streams.  */
  if (fwide (stdin, 1) != 1)
    err (1, "fwide (stdin)");
  if (fwide (stdout, 1) != 1)
    err (1, "fwide (stdout)");
  /* A third wide-oriented stream, closed before the standard ones.  */
  FILE *fp = fopen ("/etc/passwd", "r");
  if (fp == NULL)
    err (1, "fopen");
  fwide (fp, 1);
  if (fclose (fp) != 0)
    err (1, "fclose (fp)");
  /* Each standard stream is closed exactly once.  */
  if (fclose (stdin) != 0)
    err (1, "fclose (stdin)");
  if (fclose (stdout) != 0)
    err (1, "fclose (stdout)");
  if (fclose (stderr) != 0)
    err (1, "fclose (stderr)");
  return 0;
}

But there is no double-close of a file stream.

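As an added example (not glibc's or util-linux's code, and not part of this bug report): a small rev-like filter in which every stdio stream has a single owner and is closed through a guard that refuses a second fclose(). This is the application-side discipline the valgrind trace earlier in the thread (one fclose in main, another from the close_stdout exit handler) makes worth having. It does not change the glibc behaviour at issue here, where two distinct streams share one conversion step array; it only rules out the double close of the same FILE that the discussion initially suspected. The names stream_guard, guard_close, reverse_wide and demo_guard are this example's own, and the self-check assumes a C.UTF-8 locale may be unavailable and falls back to the C locale.

```c
/* Added example, not glibc's or util-linux's own code: a rev-like filter
 * whose streams are closed exactly once, even when both main() and an
 * atexit() handler want to close them. */
#include <locale.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* One owner per FILE.  The flag, not the FILE address, records closure,
 * so a later fopen() that reuses the same address cannot confuse us. */
struct stream_guard {
    FILE *fp;
    bool closed;
};

/* Close the guarded stream at most once.
 * Returns 0 on success, 1 if it was already closed (no fclose issued),
 * -1 if the stream carried a pending error or fclose() failed. */
int guard_close(struct stream_guard *g)
{
    if (g->closed)
        return 1;
    int rc = ferror(g->fp) ? -1 : 0;   /* check before fp becomes invalid */
    if (fclose(g->fp) != 0)            /* the only fclose() this FILE sees */
        rc = -1;
    g->fp = NULL;
    g->closed = true;
    return rc;
}

/* Reverse a wide string in place (what rev does per line); returns length. */
size_t reverse_wide(wchar_t *s)
{
    size_t n = wcslen(s);
    for (size_t i = 0, j = n; i + 1 < j; i++, j--) {
        wchar_t t = s[i];
        s[i] = s[j - 1];
        s[j - 1] = t;
    }
    return n;
}

static struct stream_guard g_stdin, g_stdout, g_stderr;

/* atexit handler in the spirit of gnulib/util-linux close_stdout: reports
 * write errors on stdout but can never double-close a stream. */
static void close_stdout_handler(void)
{
    if (guard_close(&g_stdout) < 0) {
        fputs("write error on stdout\n", stderr);
        _Exit(EXIT_FAILURE);
    }
    guard_close(&g_stderr);
}

/* Self-check: a wide-oriented temporary stream, closed twice through its
 * guard.  *first and *second receive the two return codes; returns 0 on
 * success, -1 if setup failed. */
int demo_guard(int *first, int *second)
{
    /* Assumption: C.UTF-8 may be absent on this host; fall back to C. */
    if (setlocale(LC_ALL, "C.UTF-8") == NULL)
        setlocale(LC_ALL, "C");
    struct stream_guard g = { tmpfile(), false };
    if (g.fp == NULL)
        return -1;
    if (fwide(g.fp, 1) <= 0) {         /* force wide orientation */
        fclose(g.fp);
        return -1;
    }
    wchar_t line[] = L"lksdlkfskjld";  /* constructed input */
    reverse_wide(line);
    fwprintf(g.fp, L"%ls\n", line);
    *first = guard_close(&g);          /* 0: closed now */
    *second = guard_close(&g);         /* 1: already closed, no fclose */
    return 0;
}

int main(void)
{
    if (setlocale(LC_ALL, "") == NULL)
        return EXIT_FAILURE;
    g_stdin = (struct stream_guard){ stdin, false };
    g_stdout = (struct stream_guard){ stdout, false };
    g_stderr = (struct stream_guard){ stderr, false };
    atexit(close_stdout_handler);
    fwide(stdin, 1);
    fwide(stdout, 1);
    wchar_t buf[4096];
    while (fgetws(buf, (int)(sizeof buf / sizeof buf[0]), stdin) != NULL) {
        size_t n = wcslen(buf);
        if (n > 0 && buf[n - 1] == L'\n')
            buf[--n] = L'\0';
        reverse_wide(buf);
        fwprintf(stdout, L"%ls\n", buf);
    }
    /* Like rev, close stdin in main; the handler closes stdout once. */
    return guard_close(&g_stdin) < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Usage: build with a C99 compiler and pipe text through it under a UTF-8 locale; the exit handler closes stdout and stderr, while stdin is closed from main, and no FILE is ever passed to fclose() twice.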

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |ASSIGNED
           Assignee|unassigned at sourceware dot org   |fweimer at redhat dot com

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Patch posted: https://sourceware.org/ml/libc-alpha/2019-07/msg00223.html

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=24583

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
I believe this was introduced by the fix for bug 24583:

commit 7e740ab2e7be7d83b75513aa406e0b10875f7f9c
Author: Florian Weimer <[hidden email]>
Date:   Tue May 21 10:34:21 2019 +0200

    libio: Fix gconv-related memory leak [BZ #24583]

    struct gconv_fcts for the C locale is statically allocated,
    and __gconv_close_transform deallocates the steps object.
    Therefore this commit introduces __wcsmbs_close_conv to avoid
    freeing the statically allocated steps objects.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.redhat.com
                   |                            |/show_bug.cgi?id=1732406

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=50ce3eae5ba304650459d4441d7d246a7cefc26f

commit 50ce3eae5ba304650459d4441d7d246a7cefc26f
Author: Florian Weimer <[hidden email]>
Date:   Thu Jul 18 17:27:24 2019 +0200

    gconv: Check reference count in __gconv_release_cache  [BZ #24677]

    This fixes a regression introduced in commit
    7e740ab2e7be7d83b75513aa406e0b10875f7f9c ("libio: Fix gconv-related
    memory leak [BZ #24583]").

    __gconv_release_cache is only ever called with heap-allocated
    arrays which contain at least one member.  The statically allocated
    ASCII steps are filtered out by __wcsmbs_close_conv.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.30
              Flags|                            |security-

--- Comment #8 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for glibc 2.30.

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0bfddfc9444ed6154da7e70bae6a1b4809b88c93

commit 0bfddfc9444ed6154da7e70bae6a1b4809b88c93
Author: Florian Weimer <[hidden email]>
Date:   Wed Jul 31 11:43:59 2019 +0200

    iconv: Revert steps array reference counting changes

    The changes introduce a memory leak for gconv steps arrays whose
    first element is an internal conversion, which has a fixed
    reference count which is not decremented.  As a result, after the
    change in commit 50ce3eae5ba304650459d4441d7d246a7cefc26f, the steps
    array is never freed, resulting in an unbounded memory leak.

    This reverts commit 50ce3eae5ba304650459d4441d7d246a7cefc26f
    ("gconv: Check reference count in __gconv_release_cache
    [BZ #24677]") and commit 7e740ab2e7be7d83b75513aa406e0b10875f7f9c
    ("libio: Fix gconv-related memory leak [BZ #24583]").  It
    reintroduces bug 24583.  (Bug 24677 was just a regression caused by
    the second commit.)

[Bug locale/24677] free error in __libio_codecvt_out with e.g. UTF-8 locales

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |WORKSFORME
   Target Milestone|2.30                        |---

--- Comment #10 from Florian Weimer <fweimer at redhat dot com> ---
This was fixed by reverting the incorrect fix for bug 24583.  Changing the
resolution to WORKSFORME to drop this bug from reporting.