cp, mv, install: data loss due to free memory read

Bug #1073514 reported by C de-Avillez on 2012-10-31
This bug affects 2 people
Affects: Importance, Assigned to
coreutils (Ubuntu): High, Colin Watson
Precise: High, Colin Watson
Quantal: High, Colin Watson
Raring: High, Colin Watson

Bug Description

[Impact] cp/mv/install may read from freed memory in cases of very fragmented and sparse input files, sometimes producing corrupt output.
[Test case] The following command should succeed, with no output:
  rm -f j j2 && perl -e 'for (1..600) { sysseek (*STDOUT, 4096, 1) && syswrite (*STDOUT, "a" x 1024) or die "$!" }' > j && valgrind --quiet --error-exitcode=3 cp j j2 && cmp j j2
[Regression potential] cp being what it is, ordinary use of a system for a while should be sufficient regression-testing.

Original report follows:

This was originally reported as happening on copying large files in highly-fragmented filesystems, and affects coreutils from 8.11 to 8.19 (8.20 has just been released with the fix included).

Ubuntu versions affected:
 * Precise (8.13)
 * Quantal (8.13)
 * Raring (8.13)

Upstream bug: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=12656
Upstream ML thread: http://lists.gnu.org/archive/html/bug-coreutils/2012-10/msg00090.html

Upstream commits:
* 64aef5fb9afecc023a6e719da161dbbf450908b8 (actual patch, and test)
* 0aeaa506ad9dd09479a298e4febe79b55c10a0e2 (adjust NEWS to point out mv and install are also affected)

A test has been added to check for this error: tests/cp/fiemap-FMR.sh

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: coreutils 8.13-3.2ubuntu2
ProcVersionSignature: Ubuntu 3.5.0-18.29-generic 3.5.7
Uname: Linux 3.5.0-18-generic x86_64
ApportVersion: 2.6.1-0ubuntu6
Architecture: amd64
CheckboxSubmission: c8a7d84e13c3b258e707f056604eb0e0
CheckboxSystem: d00f84de8a555815fa1c4660280da308
Date: Wed Oct 31 05:24:37 2012
InstallationDate: Installed on 2012-10-21 (9 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
MarkForUpload: True
SourcePackage: coreutils
UpgradeStatus: No upgrade log present (probably fresh install)
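
As an added example (not part of the bug report or of the coreutils test suite), the [Test case] above can be extended to exercise install as well as cp, and to treat valgrind errors as non-fatal while still failing on corrupted output, as the later changelog entries describe. The function names and the j2.<tool> output names are assumptions, and dd stands in for the perl one-liner to produce the same layout of 600 holes and data chunks.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Build the test file from the report: 600 x (4096-byte hole + 1024 bytes of "a").
make_fragmented_sparse() {   # $1 = output path
    out=$1
    blk=$(mktemp) || return 1
    printf '%1024s' '' | tr ' ' 'a' > "$blk"
    rm -f "$out"
    i=0
    while [ "$i" -lt 600 ]; do
        # Data for chunk i starts at byte i*5120 + 4096 = 1024 * (5i + 4).
        dd if="$blk" of="$out" bs=1024 seek=$((i * 5 + 4)) conv=notrunc 2>/dev/null ||
            { rm -f "$blk"; return 1; }
        i=$((i + 1))
    done
    rm -f "$blk"
}

# Copy $2/j with tool $1 (cp or install) and compare the result byte for byte.
check_copy_tool() {
    tool=$1 dir=$2
    src=$dir/j dst=$dir/j2.$tool
    rm -f "$dst"
    if command -v valgrind >/dev/null 2>&1; then
        # A valgrind error is reported but not fatal; corruption below is.
        valgrind --quiet --error-exitcode=3 "$tool" "$src" "$dst" ||
            echo "note: valgrind run of $tool exited $?" >&2
    fi
    [ -e "$dst" ] || "$tool" "$src" "$dst" || return 2
    cmp -s "$src" "$dst"
}

# mv is left out: it only copies data when moving across filesystems.
run_fmr_check() {
    workdir=$(mktemp -d) || return 1
    rc=0
    make_fragmented_sparse "$workdir/j" || rc=1
    for t in cp install; do
        [ "$rc" -eq 0 ] || break
        check_copy_tool "$t" "$workdir" || { echo "FAIL: $t corrupted the copy" >&2; rc=1; }
    done
    rm -rf "$workdir"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_fmr_check; fi
```

Run it with --run; exit status 0 means both tools produced a byte-identical copy.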

C de-Avillez (hggdh2) wrote :
Colin Watson (cjwatson) on 2012-11-07
Changed in coreutils (Ubuntu Raring):
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson) on 2012-11-08
description: updated
Changed in coreutils (Ubuntu Raring):
status: New → Triaged
Changed in coreutils (Ubuntu Quantal):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Changed in coreutils (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
milestone: none → ubuntu-12.04.2
Colin Watson (cjwatson) on 2012-11-08
Changed in coreutils (Ubuntu Raring):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package coreutils - 8.13-3.2ubuntu7

---------------
coreutils (8.13-3.2ubuntu7) raring; urgency=low

  * Backport require_valgrind_ so that tests work better.
  * Make valgrind failures non-fatal; we don't have sufficiently accurate
    suppressions for linker startup issues on all architectures. However,
    do still run those tests and check for corrupted output.
  * Don't build-depend on valgrind on armhf, as it apparently breaks there.
 -- Colin Watson <email address hidden> Fri, 09 Nov 2012 10:01:28 +0000

Changed in coreutils (Ubuntu Raring):
status: In Progress → Fix Released
Colin Watson (cjwatson) on 2012-11-09
Changed in coreutils (Ubuntu Quantal):
status: Triaged → In Progress
Colin Watson (cjwatson) on 2012-11-09
Changed in coreutils (Ubuntu Precise):
status: Triaged → In Progress

Hello C, or anyone else affected,

Accepted coreutils into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/coreutils/8.13-3.2ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in coreutils (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in coreutils (Ubuntu Precise):
status: In Progress → Fix Committed
Brian Murray (brian-murray) wrote :

Hello C, or anyone else affected,

Accepted coreutils into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/coreutils/8.13-3ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Javier López (javier-lopez) wrote :

Hi,

I've tested successfully the -proposed updates for precise

$ cat /etc/issue
Ubuntu 12.04 LTS \n \l

$ apt-cache policy coreutils
coreutils:
  Installed: 8.13-3ubuntu3.2
  Candidate: 8.13-3ubuntu3.2
  Version table:
 *** 8.13-3ubuntu3.2 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     8.13-3ubuntu3 0
        500 http://us.archive.ubuntu.com/ubuntu/ precise/main i386 Packages

$ rm -f j j2 && perl -e 'for (1..600) { sysseek (*STDOUT, 4096, 1) && syswrite (*STDOUT, "a" x 1024) or die "$!" }' > j && valgrind --quiet --error-exitcode=3 cp j j2 && cmp j j2

With no output

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Javier López (javier-lopez) wrote :

Hi,

I've tested successfully the -proposed updates for quantal

$ cat /etc/issue
Ubuntu 12.10 \n \l

% apt-cache policy coreutils
coreutils:
  Installed: 8.13-3.2ubuntu2.1
  Candidate: 8.13-3.2ubuntu2.1
  Version table:
 *** 8.13-3.2ubuntu2.1 0
        500 http://us.archive.ubuntu.com/ubuntu/ quantal-proposed/main i386 Packages
        100 /var/lib/dpkg/status
     8.13-3.2ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ quantal/main i386 Packages

$ rm -f j j2 && perl -e 'for (1..600) { sysseek (*STDOUT, 4096, 1) && syswrite (*STDOUT, "a" x 1024) or die "$!" }' > j && valgrind --quiet --error-exitcode=3 cp j j2 && cmp j j2

With no output, I'm adding the verification-done tag

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

tags: added: precise verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package coreutils - 8.13-3.2ubuntu2.1

---------------
coreutils (8.13-3.2ubuntu2.1) quantal-proposed; urgency=low

  * Backport upstream patch to avoid data-corrupting free-memory-read in
    cp/mv/install when dealing with a very fragmented and sparse input file
    on certain filesystems (LP: #1073514).
  * Build-depend on valgrind (except on armhf, where it breaks) in order to
    be able to run the test for the above fix.
  * Fix 99_sort_-u_data_loss.dpatch so that the added test is actually run.
  * Backport require_valgrind_ so that tests work better.
  * Make valgrind failures non-fatal; we don't have sufficiently accurate
    suppressions for linker startup issues on all architectures. However,
    do still run those tests and check for corrupted output.
 -- Colin Watson <email address hidden> Fri, 09 Nov 2012 13:30:42 +0000

Changed in coreutils (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package coreutils - 8.13-3ubuntu3.2

---------------
coreutils (8.13-3ubuntu3.2) precise-proposed; urgency=low

  * Backport upstream patch to avoid data-corrupting free-memory-read in
    cp/mv/install when dealing with a very fragmented and sparse input file
    on certain filesystems (LP: #1073514).
  * Build-depend on valgrind (except on armhf, where it breaks) in order to
    be able to run the test for the above fix.
  * Fix 99_sort_-u_data_loss.dpatch so that the added test is actually run.
  * Backport require_valgrind_ so that tests work better.
  * Make valgrind failures non-fatal; we don't have sufficiently accurate
    suppressions for linker startup issues on all architectures. However,
    do still run those tests and check for corrupted output.
 -- Colin Watson <email address hidden> Fri, 09 Nov 2012 14:23:10 +0000

Changed in coreutils (Ubuntu Precise):
status: Fix Committed → Fix Released