Debian Bug report logs - #1022185
nfs-utils: blkmapd crash

Package: nfs-utils; Maintainer for nfs-utils is Debian kernel team <debian-kernel@lists.debian.org>;

Reported by: Andreas Hasenack <andreas@canonical.com>

Date: Fri, 21 Oct 2022 15:00:02 UTC

Severity: normal

Tags: upstream

Found in version 1:2.6.2-1+b1

Fixed in version nfs-utils/1:2.6.2-2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/


Report forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#1022185; Package nfs-utils. (Fri, 21 Oct 2022 15:00:04 GMT)


Acknowledgement sent to Andreas Hasenack <andreas@canonical.com>:
New Bug report received and forwarded. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Fri, 21 Oct 2022 15:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andreas Hasenack <andreas@canonical.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nfs-utils: blkmapd crash
Date: Fri, 21 Oct 2022 11:57:04 -0300
Package: nfs-utils
Version: 1:2.6.2-1+b1
Severity: normal

Dear Maintainer,

Under certain conditions, blkmapd can crash due to calling free() on a
pointer that wasn't malloc()ed. The reproducer I list below using a
debian sid VM went as far as isolating it to having LVM Logical
Volumes on SCSI disks, but this does not exclude other scenarios.

The struct bl_serial *serial structure is allocated via
bl_create_scsi_string() which does a malloc for it, but the code later
on was doing a free() on the data element of this structure and only
then on the structure itself. That first free() is incorrect, as the
data element was never malloc()ed separately.

This was first brought up by lixiaokeng via
https://www.spinics.net/lists/linux-nfs/msg87598.html, but not
acknowledged back then.

Here is a reproducer using a VM. It assumes you can add a SCSI disk to
it, which in my steps below is /dev/sdb.

# apt install nfs-kernel-server lvm2
# systemctl stop nfs-blkmapd.service
# pvcreate /dev/sdb
# vgcreate vg0 /dev/sdb
# lvcreate -ntest -L100M vg0
# blkmapd -f
blkmapd: open pipe file /run/rpc_pipefs/nfs/blocklayout failed: No such file or directory
double free or corruption (out)
Aborted

Note the message about blocklayout is not relevant for this bug.

In gdb:
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007ffff7c895df in __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
#2  0x00007ffff7c3da02 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7c28469 in __GI_abort () at ./stdlib/abort.c:79
#4  0x00007ffff7c7d888 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7db66fb "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff7c9322a in malloc_printerr (str=str@entry=0x7ffff7db9340 "double free or corruption (out)") at ./malloc/malloc.c:5659
#6  0x00007ffff7c95198 in _int_free (av=0x7ffff7df4c60 <main_arena>, p=0x555555567ad0, have_lock=<optimized out>, have_lock@entry=0) at ./malloc/malloc.c:4583
#7  0x00007ffff7c978df in __GI___libc_free (mem=<optimized out>) at ./malloc/malloc.c:3386
#8  0x000055555555745e in bl_add_disk (filepath=0x7fffffffd2b0 "/dev/dm-0") at ./utils/blkmapd/device-discovery.c:245
#9  bl_discover_devices () at ./utils/blkmapd/device-discovery.c:276
#10 0x00005555555567cd in main (argc=<optimized out>, argv=<optimized out>) at ./utils/blkmapd/device-discovery.c:558

The crash is caused by this erroneous free on a pointer that is not
malloc()ed: https://salsa.debian.org/kernel-team/nfs-utils/-/blob/master/utils/blkmapd/device-discovery.c#L245

I sent a ping to upstream again[1], and in Ubuntu for now I'll just
remove the faulty free(serial->data) in the 3 places in that function.


1. https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/T/#u
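
The ownership mistake described in the report above, as an added example that is not part of the bug log or of nfs-utils. struct serial_blob, serial_create() and the other names are hypothetical stand-ins for struct bl_serial and bl_create_scsi_string(), assuming the single-allocation layout the report describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the layout the report describes: one malloc()
 * holds the header and the payload, and data points into that same block. */
struct serial_blob {
    size_t len;
    char *data;
};

struct serial_blob *serial_create(const char *bytes, size_t len)
{
    struct serial_blob *s = malloc(sizeof(*s) + len);
    if (s == NULL)
        return NULL;
    s->len = len;
    s->data = (char *)(s + 1);      /* interior pointer, not its own chunk */
    memcpy(s->data, bytes, len);
    return s;
}

/* True when data lies inside the block that starts at s, which means
 * free(s->data) would hand the allocator an address it never returned. */
int serial_data_is_interior(const struct serial_blob *s)
{
    uintptr_t base = (uintptr_t)s, p = (uintptr_t)s->data;
    return p > base && p <= base + sizeof(*s) + s->len;
}

/* Correct release for this layout: one malloc(), one free(). */
void serial_destroy(struct serial_blob *s)
{
    free(s);
}

int main(void)
{
    const char id[] = "constructed-serial";   /* constructed sample input */
    struct serial_blob *s = serial_create(id, sizeof(id));
    if (s == NULL)
        return 1;
    printf("data offset from header: %td bytes, interior: %d\n",
           s->data - (char *)s, serial_data_is_interior(s));
    serial_destroy(s);
    return 0;
}
```

Building code of this shape with AddressSanitizer (-fsanitize=address) turns a stray free() of the interior pointer into a report naming the offending call site, instead of relying on glibc's heap consistency check to abort.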



Information forwarded to debian-bugs-dist@lists.debian.org, Debian kernel team <debian-kernel@lists.debian.org>:
Bug#1022185; Package nfs-utils. (Fri, 21 Oct 2022 15:45:05 GMT)


Acknowledgement sent to Diederik de Haas <didi.debian@cknow.org>:
Extra info received and forwarded to list. Copy sent to Debian kernel team <debian-kernel@lists.debian.org>. (Fri, 21 Oct 2022 15:45:05 GMT)


Message #10 received at 1022185@bugs.debian.org:

From: Diederik de Haas <didi.debian@cknow.org>
To: 1022185@bugs.debian.org
Subject: Re: Bug#1022185: nfs-utils: blkmapd crash
Date: Fri, 21 Oct 2022 17:30:51 +0200
Control: forwarded -1 https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/
Control: tag -1 upstream

On vrijdag 21 oktober 2022 16:57:04 CEST Andreas Hasenack wrote:
> I sent a ping to upstream again[1], and in Ubuntu for now I'll just
> remove the faulty free(serial->data) in the 3 places in that function.
> 
> 1. https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/T/#u

Updating metadata accordingly

Set Bug forwarded-to-address to 'https://lore.kernel.org/linux-nfs/CANYNYEG=utJ2pe+FtMWh8O+dz63R2wbzOC7ZVrvoqD=U04WL5g@mail.gmail.com/'. Request was from Diederik de Haas <didi.debian@cknow.org> to 1022185-submit@bugs.debian.org. (Fri, 21 Oct 2022 15:45:05 GMT)


Added tag(s) upstream. Request was from Diederik de Haas <didi.debian@cknow.org> to 1022185-submit@bugs.debian.org. (Fri, 21 Oct 2022 15:45:06 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Nov 2022 22:24:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 24 Nov 2022 23:27:03 GMT)


Notification sent to Andreas Hasenack <andreas@canonical.com>:
Bug acknowledged by developer. (Thu, 24 Nov 2022 23:27:03 GMT)


Message #21 received at 1022185-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1022185-close@bugs.debian.org
Subject: Bug#1022185: fixed in nfs-utils 1:2.6.2-2
Date: Thu, 24 Nov 2022 23:22:09 +0000
Source: nfs-utils
Source-Version: 1:2.6.2-2
Done: Salvatore Bonaccorso <carnil@debian.org>

We believe that the bug you reported is fixed in the latest version of
nfs-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1022185@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nfs-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 Nov 2022 23:42:20 +0100
Source: nfs-utils
Architecture: source
Version: 1:2.6.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian kernel team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1022185
Changes:
 nfs-utils (1:2.6.2-2) unstable; urgency=medium
 .
   [ Debian Janitor ]
   * Update lintian override info to new format on line 2.
 .
   [ Salvatore Bonaccorso ]
   * blkmapd: fix coredump in bl_add_disk (Closes: #1022185)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 Dec 2022 07:28:38 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 8 01:17:21 2024; Machine Name: buxtehude
