On Wed, Oct 27, 2021 at 10:10:35PM +0200, Lennart Poettering wrote:
On Mi, 27.10.21 20:34, Richard W.M. Jones (rjones(a)redhat.com) wrote:
> I have a habit of setting:
>
> export GLIBC_TUNABLES=glibc.malloc.check=1:glibc.malloc.perturb=99
>
> which causes glibc to do extra malloc integrity checks. In Rawhide at
> the moment I'm seeing memory corruption in calls like getpwnam and
> gethostbyname. Unfortunately I don't have a simple reproducer yet,
> but two example stack traces are below. I have the latest glibc and
> systemd.
>
> Questions: Has anyone seen this before, and what component should I
> file the bug against?
>
> Rich.
>
> Core was generated by `tar -C /var/tmp/supermin36875b.tmpdir/base.d -xf -'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 malloc_check_get_size (mem=0x0)
> at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
> 39 magic = (((uintptr_t) p >> 3) ^ ((uintptr_t) p >> 11)) &
0xFF;
> (gdb) bt
> #0 malloc_check_get_size (mem=0x0)
> at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
> #1 malloc_usable_size (mem=0x0) at malloc-debug.c:405
> #2 0x00007f0eed847f1a in varlink_read (v=0x55c537e3e1c0)
> at ../src/shared/varlink.c:508
This is nss-systemd code, i.e. this is triggered by systemd code.
It seems those "extra malloc integrity checks" can't cope with
malloc_usable_size(NULL) being called. According to the man page it's
a supported call (and returns 0), but I figue the e. m. i. c. don't
handle this.
Hence smells to me as if this was a bug in glibc, to handle the
special case of NULL here.
Fair enough, thanks Lennart, Zbigniew. I have filed a bug against glibc:
https://sourceware.org/bugzilla/show_bug.cgi?id=28506
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org