| 2023-04-04 10:04:00 |
Daniel van Vugt |
bug |
|
|
added bug |
| 2023-04-04 10:04:14 |
Daniel van Vugt |
information type |
Public |
Private Security |
|
| 2023-04-04 10:04:40 |
Daniel van Vugt |
information type |
Private Security |
Public Security |
|
| 2023-04-04 10:22:58 |
Florian Weimer |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=2081583 |
|
| 2023-04-04 10:22:58 |
Florian Weimer |
bug watch added |
|
https://bugs.kde.org/show_bug.cgi?id=434764 |
|
| 2023-04-04 15:02:09 |
Simon Chopin |
bug task added |
|
valgrind (Ubuntu) |
|
| 2023-04-04 18:19:03 |
Simon Chopin |
glibc (Ubuntu): status |
New |
Invalid |
|
| 2023-04-04 18:19:09 |
Simon Chopin |
valgrind (Ubuntu): status |
New |
In Progress |
|
| 2023-04-04 18:19:19 |
Simon Chopin |
valgrind (Ubuntu): importance |
Undecided |
High |
|
| 2023-04-04 18:22:21 |
Simon Chopin |
information type |
Public Security |
Public |
|
| 2023-04-04 18:45:20 |
Simon Chopin |
valgrind (Ubuntu): status |
In Progress |
Confirmed |
|
| 2023-04-04 18:49:54 |
Simon Chopin |
description |
Valgrind reports this in gnome-shell on almost every run:
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_dynamic_string_token (dl-load.c:395)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
This bug makes valgrind detect memory error false positives in ld.so now that it started using strncmp. in is_dst. The fix is to extend the special treatment of strncmp done in libc.so to ld.so as well. The patch is already available upstream in a new release, this is just about cherry-picking it.
[Rationale]
Given that the false-positive is triggered in ld.so, it's fairly likely that quite a few users will hit it.
[Original report]
Valgrind reports this in gnome-shell on almost every run:
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_dynamic_string_token (dl-load.c:395)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install) |
|
| 2023-04-04 18:50:43 |
Simon Chopin |
attachment added |
|
valgrind.debdiff https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2015216/+attachment/5661028/+files/valgrind.debdiff |
|
| 2023-04-04 18:51:16 |
Simon Chopin |
bug |
|
|
added subscriber Ubuntu Release Team |
| 2023-04-05 03:57:03 |
Daniel van Vugt |
bug task added |
|
valgrind (Fedora) |
|
| 2023-04-05 04:00:45 |
Daniel van Vugt |
tags |
amd64 apport-bug lunar |
amd64 apport-bug fixed-in-valgrind-3.20 fixed-upstream lunar |
|
| 2023-04-05 04:01:12 |
Daniel van Vugt |
valgrind (Ubuntu): assignee |
|
Simon Chopin (schopin) |
|
| 2023-04-05 04:01:20 |
Daniel van Vugt |
valgrind (Ubuntu): status |
Confirmed |
In Progress |
|
| 2023-04-05 04:04:19 |
Daniel van Vugt |
tags |
amd64 apport-bug fixed-in-valgrind-3.20 fixed-upstream lunar |
amd64 apport-bug fixed-in-valgrind-3.20 fixed-upstream focal jammy kinetic lunar |
|
| 2023-04-06 08:32:18 |
Launchpad Janitor |
valgrind (Ubuntu): status |
In Progress |
Fix Released |
|
