Invalid free while running docker build

Status changed to 'Confirmed' because the bug affects multiple users.

A fix could be ported, or a package could be upgraded to v0.6.2. See https://github.com/docker/docker-credential-helpers/pull/29/commits/79f93e5e69abc2ead458d19f4577b64b7e35c504

I agree with @anatoly.borodin - in fact the commit https://github.com/docker/docker-credential-helpers/commit/73e5f5dbfea31ee3b81111ebbf189785fa69731c and pull request https://github.com/docker/docker-credential-helpers/pull/29/commits/79f93e5e69abc2ead458d19f4577b64b7e35c504 are the same fix. It's a crying shame that @aidanh010 filed this with a link to a fix last year but then it was somehow forgotten about...

diff --git a/secretservice/secretservice_linux.go b/secretservice/secretservice_linux.go
index 95a1310..383b0c2 100644
--- a/secretservice/secretservice_linux.go
+++ b/secretservice/secretservice_linux.go
@@ -93,7 +93,7 @@ func (h Secretservice) List() (map[string]string, error) {
  var listLenC C.uint
  err := C.list(credsLabelC, &pathsC, &acctsC, &listLenC)
  if err != nil {
- defer C.free(unsafe.Pointer(err))
+ defer C.g_error_free(err)
   return nil, errors.New("Error from list function in secretservice_linux.c likely due to error in secretservice library")
  }
  defer C.freeListData(&pathsC, listLenC)

Hello, we are also affected by this bug.

dpkg -l | grep docker
ii docker-compose 1.17.1-2 all Punctual, lightweight development environments using Docker
ii docker.io 18.09.7-0ubuntu1~18.04.3 amd64 Linux container runtime
ii golang-docker-credential-helpers 0.5.0-2 amd64 Use native stores to safeguard Docker credentials
ii python-docker 2.5.1-1 all Python wrapper to access docker.io's control socket
ii python-dockerpty 0.4.1-1 all Pseudo-tty handler for docker Python client (Python 2.x)
ii python-dockerpycreds 0.2.1-1 all Python bindings for the docker credentials store API

What does the packag "golang-github-docker-docker-credential-helpers" do?
->It stores username and password used for `docker login` to "docker registries" in a "safer way".

When does the bug manifest/occur?
->The bug occurs for instance when running `docker build`.

How to get rid of this bug (considering in Ubuntu 18.04 this package is still not fixed month after the report is filed)?
-> The bug can be circumvented (especially for those pointless, crazy cases like `docker build` where the credentials appear to be not even necessary) by disabling this "security for your credentials feature" eithe by:
 a) removing the @&(#* package via:
   `dpkg -r --force-depends golang-docker-credential-helpers`
 b) by setting a bogus credential helper program
   `printf '{ "credsStore":"bogus" }\n' > ~/.docker/config.json`

Option b) comes with less side affects (collateral damage) than option a) wich would make `apt` complain about the "broken/missing" package.

Status changed to 'Confirmed' because the bug affects multiple users.

(For anyone who comes across this one of the upstream issues (https://github.com/docker/docker-credential-helpers/issues/103#issuecomment-576854271 ) mentions the problem goes away if `pass` package is also installed and this seemed to make the issue disappear for me too)

It works for me.
I confirm that error is not displayed anymore if package 'pass' is installed.

This is a debdiff to apply the fix proposed in https://github.com/docker/docker-credential-helpers/pull/29 to bionic.

Thanks for the patch and for working on this bug, Athos.

A few comments:

- Since this is an SRU, the version will be a bit different than in a normal upload to a development version. In this particular case, the version should be:

  0.5.0-2ubuntu0.1

- The "Origin:" DEP-3 header should contain the direct link to the commit. It should also specify if this patch is a backport or if it was applied cleanly from upstream. For example:

  Origin: upstream, https://link.to.commit

or

  Origin: backport, https://link.to.commit

Other than that, the patch LGTM.

The SRU template also LGTM, but there's a small nit in the Test Case section: the "docker build" command expects the directory where the build will happen as an argument, so I think the command should be:

   docker build -t golang-docker-credential-helpers:test .

Other than that, I followed the reproduction steps and verified that (1) the error is indeed hapening, and (2) it is fixed by this patch.

Let me know when you update the patch and I can upload it. Thanks.

Thanks for the review, Sergio.

I addressed your comments and pushed the proposed fix to the following PPA:

https://launchpad.net/~athos-ribeiro/+archive/ubuntu/lp-1813003-docker-credential-helpers/+packages

Thanks for addressing the comments, Athos.

Uploaded:

$ dput golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/golang-github-docker-docker-credential-helpers/golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/golang-github-docker-docker-credential-helpers/golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1.dsc: done.
  Uploading golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1.debian.tar.xz: done.
  Uploading golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1_source.buildinfo: done.
  Uploading golang-github-docker-docker-credential-helpers_0.5.0-2ubuntu0.1_source.changes: done.
Successfully uploaded packages.

Thanks for the review and upload, Sergio!

I verified that the patch is applied in Impish.

Won't this need a subsequent rebuild of other packages for this change to have any effect? Have you tested the outcome against your PPA?

Hi Robie,

I verified that it is not necessary to rebuild other packages in this case. Just updating golang-docker-credential-helpers_0.5.0-2ubuntu0.1_amd64.deb inside a VM is enough to fix the issue and have the "docker build" stop manifesting the error. But maybe Athos would like to complement this info somehow.

Hi Robie,

This will not need a subsequent rebuild of other packages here since it is the binary package (and not the -dev one) which is triggering the reported issue.

However, may the bogus call to free manifest in any other form for any other binary package building against the golang -dev package in question, then they may need a rebuild.

I did test this change against a locally built package (built from the same sources pushed to that PPA). I just re-triggered my tests against the package (x86_64) available in that PPA just to make sure everything is working as expected here.

Ah, I see now - it actually ships a binary. Thank you for confirming!

Hello Sitsofe, or anyone else affected,

Accepted golang-github-docker-docker-credential-helpers into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/golang-github-docker-docker-credential-helpers/0.5.0-2ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I tested this in a bionic lxc container with the following steps:

# install affected golang-docker-credential-helpers version 0.5.0-2
apt update && apt install -y docker.io golang-docker-credential-helpers
# prepare Dockerfile and run build
mkdir /tmp/dummy-docker-build
cd /tmp/dummy-docker-build
cat <<EOF > Dockerfile
FROM ubuntu:focal
LABEL hello=label
EOF
docker build -t testing . # This will get the error to be reproduced.
# then we can enable -proposed and upgrade golang-docker-credential-helpers
cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# install fixed golang-docker-credential-helpers version 0.5.0-2ubuntu0.1
apt update
apt install -y golang-docker-credential-helpers
# Finally, re-run the build command and verify the error no long occurs
docker build -t testing .

Hence, I confirm the issue if fixed by the package in -proposed.

This bug was fixed in the package golang-github-docker-docker-credential-helpers - 0.5.0-2ubuntu0.1

---------------
golang-github-docker-docker-credential-helpers (0.5.0-2ubuntu0.1) bionic; urgency=medium

  * d/p/free_unsafe_pointer_fix.patch: fix invalid free call when running docker
    build (LP: #1813003)

 -- Athos Ribeiro <email address hidden> Tue, 10 Aug 2021 09:43:00 -0300

The verification of the Stable Release Update for golang-github-docker-docker-credential-helpers has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.