Debian Bug report logs - #594666
/usr/bin/tac: tac aborts


Package: coreutils; Maintainer for coreutils is Michael Stone <mstone@debian.org>; Source for coreutils is src:coreutils.

Reported by: Salvo Tomaselli <tiposchi@tiscali.it>

Date: Sat, 28 Aug 2010 08:09:02 UTC

Severity: normal

Tags: fixed-upstream

Found in version coreutils/8.5-1



Report forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#594666; Package coreutils. (Sat, 28 Aug 2010 08:09:05 GMT)

Acknowledgement sent to Salvo Tomaselli <tiposchi@tiscali.it>:
New Bug report received and forwarded. Copy sent to Michael Stone <mstone@debian.org>. (Sat, 28 Aug 2010 08:09:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvo Tomaselli <tiposchi@tiscali.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: /usr/bin/tac: tac aborts
Date: Sat, 28 Aug 2010 10:06:13 +0200
Package: coreutils
Version: 8.5-1
Severity: normal
File: /usr/bin/tac

Tac aborts when using it on a particular file.

*** glibc detected *** tac: double free or corruption (top): 0x00000000025c5030 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71b16)[0x7f1e8a939b16]
/lib/libc.so.6(cfree+0x6c)[0x7f1e8a93e88c]
tac[0x402660]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f1e8a8e6c4d]
tac[0x401999]
======= Memory map: ========
00400000-00417000 r-xp 00000000 08:04 17535                              /usr/bin/tac
00617000-00618000 rw-p 00017000 08:04 17535                              /usr/bin/tac
00618000-0061a000 rw-p 00000000 00:00 0 
025c4000-025e5000 rw-p 00000000 00:00 0                                  [heap]
7f1e84000000-7f1e84021000 rw-p 00000000 00:00 0 
7f1e84021000-7f1e88000000 ---p 00000000 00:00 0 
7f1e8a6b2000-7f1e8a6c8000 r-xp 00000000 08:04 23458                      /lib/libgcc_s.so.1
7f1e8a6c8000-7f1e8a8c7000 ---p 00016000 08:04 23458                      /lib/libgcc_s.so.1
7f1e8a8c7000-7f1e8a8c8000 rw-p 00015000 08:04 23458                      /lib/libgcc_s.so.1
7f1e8a8c8000-7f1e8aa20000 r-xp 00000000 08:04 1601                       /lib/libc-2.11.2.so
7f1e8aa20000-7f1e8ac1f000 ---p 00158000 08:04 1601                       /lib/libc-2.11.2.so
7f1e8ac1f000-7f1e8ac23000 r--p 00157000 08:04 1601                       /lib/libc-2.11.2.so
7f1e8ac23000-7f1e8ac24000 rw-p 0015b000 08:04 1601                       /lib/libc-2.11.2.so
7f1e8ac24000-7f1e8ac29000 rw-p 00000000 00:00 0 
7f1e8ac29000-7f1e8ac47000 r-xp 00000000 08:04 1616                       /lib/ld-2.11.2.so
7f1e8ac99000-7f1e8acbb000 rw-p 00000000 00:00 0 
7f1e8acbb000-7f1e8ae30000 r--p 00000000 08:04 3417                       /usr/lib/locale/locale-archive
7f1e8ae30000-7f1e8ae33000 rw-p 00000000 00:00 0 
7f1e8ae44000-7f1e8ae46000 rw-p 00000000 00:00 0 
7f1e8ae46000-7f1e8ae47000 r--p 0001d000 08:04 1616                       /lib/ld-2.11.2.so
7f1e8ae47000-7f1e8ae48000 rw-p 0001e000 08:04 1616                       /lib/ld-2.11.2.so
7f1e8ae48000-7f1e8ae49000 rw-p 00000000 00:00 0 
7fffad23e000-7fffad25f000 rw-p 00000000 00:00 0                          [stack]
7fffad297000-7fffad298000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Abortito

I know I don't have the debug version, but to me the problem seems to be reproducible.
I attach the file that causes the problem.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34.5-galatea (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages coreutils depends on:
ii  libacl1                       2.2.49-3   Access control list shared library
ii  libattr1                      1:2.4.44-2 Extended attribute shared library
ii  libc6                         2.11.2-2   Embedded GNU C Library: Shared lib
ii  libselinux1                   2.0.96-1   SELinux runtime shared libraries

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information
[index.html (application/xml, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#594666; Package coreutils. (Sat, 28 Aug 2010 16:36:05 GMT)

Acknowledgement sent to Jim Meyering <jim@meyering.net>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>. (Sat, 28 Aug 2010 16:36:05 GMT)

Message #10 received at 594666@bugs.debian.org:

From: Jim Meyering <jim@meyering.net>
To: Salvo Tomaselli <tiposchi@tiscali.it>
Cc: 594666@bugs.debian.org, bug-coreutils@gnu.org
Subject: Re: Bug#594666: /usr/bin/tac: tac aborts
Date: Sat, 28 Aug 2010 18:26:06 +0200
Salvo Tomaselli wrote:
> Package: coreutils
> Version: 8.5-1
> Severity: normal
> File: /usr/bin/tac
>
> Tac aborts when using it on a particular file.
>
> *** glibc detected *** tac: double free or corruption (top): 0x00000000025c5030 ***
...

Thank you for the report!
That is indeed a bug in the very latest.

For a stand-alone, minimal demonstrator, run this:

    valgrind tac <(printf %0$((2**14 + 1))d 0) > /dev/null

It prints this:

     Invalid free() / delete / delete[]
        at 0x4A04D72: free (vg_replace_malloc.c:325)
        by 0x402294: main (tac.c:669)
      Address 0x4c30040 is 0 bytes inside a block of size 16,388 free'd
        at 0x4A05255: realloc (vg_replace_malloc.c:476)
        by 0x4117B8: xrealloc (xmalloc.c:57)
        by 0x401A68: tac_seekable (tac.c:319)
        by 0x402379: main (tac.c:515)

Here is a fix:

From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Sat, 28 Aug 2010 17:45:29 +0200
Subject: [PATCH] tac: avoid double free

* src/tac.c (main): Reading a line longer than 16KiB would cause
tac to realloc its primary buffer.  Then, just before exit, tac
would mistakenly free the original (now free'd) buffer.
This bug was introduced by commit be6c13e7, "maint: always free a
buffer, to avoid even semblance of a leak".
* NEWS (Bug fixes): Mention it.
* tests/misc/tac (double-free): New test, to exercise this.
Reported by Salvo Tomaselli in <http://bugs.debian.org/594666>.
---
 NEWS           |    3 +++
 src/tac.c      |    6 ++++--
 tests/misc/tac |    6 ++++++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 85f55a2..f29d311 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,9 @@ GNU coreutils NEWS                                    -*- outline -*-
   du -H and -L now consistently count pointed-to files instead of
   symbolic links, and correctly diagnose dangling symlinks.

+  tac would perform a double-free when given an input line longer than 16KiB.
+  [bug introduced in coreutils-8.3]
+
 ** New features

   cp now accepts the --attributes-only option to not copy file data,
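Review bot: the NEWS entry dates the regression to coreutils-8.3 while the commit message blames commit be6c13e7 and the new test comment talks about coreutils-8.5; please confirm that be6c13e7 first shipped in 8.3 so the three statements agree, since readers of NEWS use that version tag to decide whether their release is affected.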
diff --git a/src/tac.c b/src/tac.c
index cec9736..859e006 100644
--- a/src/tac.c
+++ b/src/tac.c
@@ -633,7 +633,6 @@ main (int argc, char **argv)
   if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size))
     xalloc_die ();
   G_buffer = xmalloc (G_buffer_size);
-  void *buf = G_buffer;
   if (sentinel_length)
     {
       strcpy (G_buffer, separator);
@@ -666,6 +665,9 @@ main (int argc, char **argv)
       error (0, errno, "-");
       ok = false;
     }
-  free (buf);
+
+  size_t offset = sentinel_length ? sentinel_length : 1;
+  free (G_buffer - offset);
+
   exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
 }
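Review bot: `free (G_buffer - offset)` at the end of this hunk re-derives the block start from the same rule (sentinel_length, else 1) that is applied where G_buffer is advanced after `xmalloc`, but nothing ties the two sites together, and the `xrealloc` in tac_seekable that moves the block is not visible here either; if either site changes, the free silently targets the wrong address again, which is the class of bug being fixed. Suggest keeping the block start in one place, for example a pointer updated wherever G_buffer is reassigned, or at minimum a comment at the free explaining that the pointer saved right after allocation (the removed `buf`) cannot be used because realloc may have moved the buffer.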
diff --git a/tests/misc/tac b/tests/misc/tac
index 7631049..4130c00 100755
--- a/tests/misc/tac
+++ b/tests/misc/tac
@@ -24,6 +24,9 @@ my $prog = 'tac';

 my $bad_dir = 'no/such/dir';

+# This must be longer than 16KiB to trigger the double free in coreutils-8.5.
+my $long_line = 'o' x (16 * 1024 + 1);
+
 my @Tests =
 (
   ['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}],
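Review bot: `16 * 1024 + 1` duplicates tac's buffer size as a literal; the comment says the line must exceed 16KiB, but if the default read size in tac.c ever changes this input no longer forces the realloc path and the test passes without exercising the fix. Suggest naming the constant for what it is (the default buffer size, which must track tac.c) in the comment, or using a line several times larger so the case survives modest size changes.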
@@ -67,6 +70,9 @@ my @Tests =
    {ERR_SUBST => "s,`$bad_dir': .*,...,"},
    {ERR => "$prog: cannot create temporary file in ...\n"},
    {EXIT => 1}],
+
+  # coreutils-8.5's tac would double-free its primary buffer.
+  ['double-free', {IN=>$long_line}, {OUT=>$long_line}],
 );

 @Tests = triple_test \@Tests;
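Review bot: the `double-free` case only checks that OUT equals IN; it catches the bug because glibc aborts the process on the second free and the exit status becomes non-zero, but that detection is a property of the allocator, not of the test. Under an allocator that does not check, or when realloc happens to grow the block in place so the saved pointer is still valid, the buggy binary would pass. A comment noting this dependency, and running the suite under valgrind or an address sanitizer where available, would make the regression check deterministic.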
--
1.7.2.2.510.g7180a
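The double free the commit message describes, as an added C example that is neither tac's code nor part of this bug log: a small buffer shaped like tac's (line data starting `offset` bytes into the allocated block, where offset is the sentinel length or 1), grown through realloc when a line outgrows the initial 16 KiB, with one function showing why the 8.5 free target (a pointer saved right after the first allocation) goes stale and one showing the corrected computation from the live pointer. The `linebuf` struct, the function names, and the 16 KiB constant are assumptions of this example; the 16385-byte line is constructed to match the regression test and the valgrind reproducer.

```c
/* Added example, not coreutils code: the stale-pointer-across-realloc pattern
 * behind this bug, on a buffer shaped like tac's (assumption: data starts
 * `offset` bytes into the allocated block, offset = sentinel length or 1). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_SIZE 16384   /* 16 KiB, the size named in the report (assumed default) */

typedef struct {
    char *alloc;    /* what malloc/realloc returned: the only pointer free() may take */
    char *buffer;   /* alloc + offset: where line data starts (tac's G_buffer) */
    size_t offset;  /* bytes reserved in front of the data for the sentinel */
    size_t size;    /* usable bytes at buffer */
    size_t used;    /* bytes of line data stored */
    int moves;      /* number of reallocs that returned a new address */
} linebuf;

/* One block with the separator copied in front, like tac's main(). */
int linebuf_init(linebuf *lb, const char *separator)
{
    size_t sep_len = strlen(separator);
    lb->offset = sep_len ? sep_len : 1;
    lb->size = INITIAL_SIZE;
    lb->used = 0;
    lb->moves = 0;
    lb->alloc = malloc(lb->offset + lb->size);
    if (!lb->alloc)
        return -1;
    memcpy(lb->alloc, separator, sep_len);   /* sentinel lives in front of the data */
    lb->buffer = lb->alloc + lb->offset;
    return 0;
}

/* Append data, growing through realloc when a line outgrows the buffer.
 * After a move, every copy of the old alloc/buffer pointer is dangling. */
int linebuf_append(linebuf *lb, const char *data, size_t n)
{
    if (lb->used + n > lb->size) {
        size_t new_size = lb->size;
        while (lb->used + n > new_size)
            new_size *= 2;
        char *old = lb->alloc;
        char *p = realloc(old, lb->offset + new_size);
        if (!p)
            return -1;
        if (p != old)
            lb->moves++;        /* the old block now belongs to the allocator */
        lb->alloc = p;
        lb->buffer = p + lb->offset;
        lb->size = new_size;
    }
    memcpy(lb->buffer + lb->used, data, n);
    lb->used += n;
    return 0;
}

/* coreutils-8.5 pattern: free the pointer saved right after the first
 * allocation. Returns 1 when that pointer no longer names a live block,
 * i.e. when freeing it would be the double free from the report. */
int saved_pointer_is_stale(const linebuf *lb, const void *saved)
{
    return saved != lb->alloc;
}

/* The fix: derive the block start from the live pointer and the offset. */
void *correct_free_target(const linebuf *lb)
{
    return lb->buffer - lb->offset;
}

int main(void)
{
    linebuf lb;
    if (linebuf_init(&lb, "\n") != 0)
        return 1;
    void *saved = lb.alloc;               /* the 8.5 `void *buf = G_buffer;` */

    /* Constructed input: one line one byte longer than the buffer. */
    size_t n = INITIAL_SIZE + 1;
    char *line = malloc(n);
    if (!line)
        return 1;
    memset(line, 'o', n);
    if (linebuf_append(&lb, line, n) != 0)
        return 1;

    printf("realloc moved the block: %s\n", lb.moves ? "yes" : "no");
    printf("freeing the saved pointer would be a double free: %s\n",
           saved_pointer_is_stale(&lb, saved) ? "yes" : "no");
    free(correct_free_target(&lb));       /* always the block realloc returned */
    free(line);
    return 0;
}
```

Whether realloc actually moves the block depends on the allocator and on what sits after it on the heap, which is why the 8.5 bug could go unnoticed on some inputs and abort on others; `correct_free_target` is right in both cases because it never trusts a pointer captured before the growth.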




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#594666; Package coreutils. (Sun, 10 Jul 2011 09:18:04 GMT)

Acknowledgement sent to Benoît Knecht <benoit.knecht@fsfe.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>. (Sun, 10 Jul 2011 09:18:10 GMT)

Message #15 received at 594666@bugs.debian.org:

From: Benoît Knecht <benoit.knecht@fsfe.org>
To: 594666@bugs.debian.org
Cc: Salvo Tomaselli <tiposchi@tiscali.it>
Subject: Bug #594666: Fixed upstream (but not in Debian yet)
Date: Sun, 10 Jul 2011 11:15:18 +0200
tag 594666 fixed-upstream
thanks

This bug [1] has been fixed upstream [2] since version 8.6, but is not
fixed in Debian yet.

[1] http://bugs.debian.org/594666
[2] http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=777024889c0043004962834f4d9353cfa6847dd6

-- 
Benoît Knecht




Added tag(s) fixed-upstream. Request was from Benoît Knecht <benoit.knecht@fsfe.org> to control@bugs.debian.org. (Sun, 10 Jul 2011 09:18:26 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:50:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.