/bin/nano:*** Error in `nano': double free or corruption (!prev): ADDR ***

Bug #1572807 reported by errors.ubuntu.com bug bridge
This bug affects 2 people

Affects: nano (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

The Ubuntu Error Tracker has been receiving reports about a problem regarding nano. This problem was most recently seen with version 2.5.3-2, the problem page at https://errors.ubuntu.com/problem/7dd7f74a72fca06513544d8af66b623efa15b26c contains more details.

Tags: trusty xenial
Benno Schulenberg (bennoschulenberg) wrote :

I am logged in on Launchpad, why must I log in again (on Ubuntu One) to access the above information? I do not want to log in again, nor create another account. Just give me the info about the problem.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nano (Ubuntu):
status: New → Confirmed
Brian Murray (brian-murray) wrote :

It's possible the stacktrace in the Error Tracker contains sensitive information; that's why access to it is restricted and it's not automatically added to the bug report here.

Here's the Stacktrace though:

#0 0x00007f38ce77e428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
        resultvar = 0
        pid = 6528
        selftid = 6528
#1 0x00007f38ce78002a in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x2020202020383939, sa_sigaction = 0x2020202020383939}, sa_mask = {__val = {2314885530818453536, 2314885530818453536, 7091318039310988591, 3257288213055174703, 7955377262162766188, 3420042391722602357, 8029123697353646951, 7017503717531088228, 4049692876519860323, 3472328519700276835, 3559641648514610989, 8606977229197436472, 3472328296226648109, 3475143045726351408, 3703708260188037168, 3472387704235647800}}, sa_flags = 1714892080, sa_restorer = 0x4f}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f38ce7c07ea in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f38ce8d92e0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
        ap = <error reading variable ap (Attempt to dereference a generic pointer.)>
        fd = 4
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3 0x00007f38ce7c8e0a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7f38ce8d9410 "double free or corruption (!prev)", action=3) at malloc.c:5004
        buf = "0000000000692690"
        cp = <optimized out>
        ar_ptr = <optimized out>
        str = 0x7f38ce8d9410 "double free or corruption (!prev)"
        action = 3
#4 _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3865
        size = <optimized out>
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        errstr = <optimized out>
        locked = <optimized out>
#5 0x00007f38ce7cc98c in __GI___libc_free (mem=mem@entry=0x692690) at malloc.c:2966
        ar_ptr = <optimized out>
        p = 0x692680
        hook = <optimized out>
#6 0x0000000000408b56 in do_lockfile (filename=filename@entry=0x7ffee0fb074d "**removed**/COMMIT_EDITMSG") at ../../src/files.c:374
        readtot = <optimized out>
        promptstr = 0x692690 "File **removed**/COMMIT_EDITMSG is being edited (by **removed** with nano 2.5.3, PID 12547); continue?"
        readamt = <optimized out>
        lockbuf = <optimized out>
        ans = 1
        namecopy1 = <optimized out>
        namecopy2 = <optimized out>
        locknamesize = <optimized out>
        lockfilename = 0x6999c0 "**removed**/.COMMIT_EDITMSG.swp"
        lockprog = "nano 2.5.3"
        lockuser = "khazizovroman\000\000\000"
        fileinfo = {st_dev = 2050, st_ino = 3733172, st_nlink = 1, st_mode = 33204, st_uid = 1000, st_gid = 1000, __pad0 = 0, st_rdev = 0, st_size = 1024, st_blksize = 4096, st_blocks = 8, st_...


Changed in nano (Ubuntu):
importance: Undecided → High
Benno Schulenberg (bennoschulenberg) wrote :

(Oh! For some reason I am not getting all of the bug mail from Launchpad. At least: I missed notifications about this bug.)

Hm... It seems that free() on Ubuntu checks that nothing was written outside of the allocated space? Does malloc() put a "canary" at the tail?

Anyway, I am pretty sure that the patch attached to bug #1641592 will fix this crash. It is the same patch as the second one attached to https://lists.gnu.org/archive/html/nano-devel/2016-04/msg00075.html, which was applied upstream nearly a year ago.
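
Added example in C (not nano's code, and not the patch referred to above) of the defensive shape for this class of bug: size the heap buffer for the lock-file prompt from the formatted length and bound the write with snprintf, so nothing lands past the allocation in the next chunk's header, the corruption that glibc's _int_free() reports as "double free or corruption (!prev)" in the trace. The format string, function names and sample values are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prompt format modelled on the redacted promptstr in the trace (assumed). */
static const char *PROMPT_FMT =
    "File %s is being edited (by %s with %s, PID %d); continue?";

/* Bytes the prompt needs, terminating NUL included; 0 on encoding error. */
size_t prompt_size(const char *filename, const char *user,
                   const char *prog, int pid)
{
    int n = snprintf(NULL, 0, PROMPT_FMT, filename, user, prog, pid);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if a buffer of bufsize bytes holds the prompt, else 0.  A caller that
 * sizes its buffer from a guessed constant can use this to fail loudly
 * instead of overrunning into the next malloc chunk's size/prev_inuse
 * field, which free() later reports as "corruption (!prev)". */
int prompt_fits(size_t bufsize, const char *filename, const char *user,
                const char *prog, int pid)
{
    size_t need = prompt_size(filename, user, prog, pid);
    return need != 0 && bufsize >= need;
}

/* Allocate exactly enough and format; the caller free()s the result. */
char *build_prompt(const char *filename, const char *user,
                   const char *prog, int pid)
{
    size_t need = prompt_size(filename, user, prog, pid);
    char *buf = need ? malloc(need) : NULL;
    if (buf == NULL)
        return NULL;
    /* snprintf bounds the write to the allocation. */
    snprintf(buf, need, PROMPT_FMT, filename, user, prog, pid);
    return buf;
}

int main(void)
{
    /* Constructed sample values, not the redacted ones from the report. */
    char *p = build_prompt("/home/alice/repo/.git/COMMIT_EDITMSG",
                           "alice", "nano 2.5.3", 12547);
    if (p == NULL)
        return 1;
    puts(p);
    free(p);   /* safe: the chunk header after buf was never touched */
    return 0;
}
```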

Benno Schulenberg (bennoschulenberg) wrote :

As the patch for bug #1641592 has been released to Xenial, it means that this bug has been fixed too.

Changed in nano (Ubuntu):
status: Confirmed → Fix Released