Debian Bug report logs - #849517
bash: invalid free() - address in brk data segment


Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash.

Reported by: Harlan Lieberman-Berg <hlieberman@debian.org>

Date: Wed, 28 Dec 2016 03:51:01 UTC

Severity: normal

Found in version bash/4.4-2



Report forwarded to debian-bugs-dist@lists.debian.org, hlieberman@debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Wed, 28 Dec 2016 03:51:04 GMT)


Acknowledgement sent to Harlan Lieberman-Berg <hlieberman@debian.org>:
New Bug report received and forwarded. Copy sent to hlieberman@debian.org, Matthias Klose <doko@debian.org>. (Wed, 28 Dec 2016 03:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Harlan Lieberman-Berg <hlieberman@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bash: invalid free() - address in brk data segment
Date: Tue, 27 Dec 2016 22:47:44 -0500
Package: bash
Version: 4.4-2
Severity: normal

Dear Maintainer,

During testing of another package, I noticed that valgrind seems to
complain about bash on pretty much any invocation.

A minimal test case is: `valgrind -- bash -c ""`

This produces errors similar to:

==32208== Invalid free() / delete / delete[] / realloc()
==32208==    at 0x4C2BDDB: free (vg_replace_malloc.c:530)
==32208==    by 0x465B27: ??? (in /bin/bash)
==32208==    by 0x465F4F: run_unwind_frame (in /bin/bash)
==32208==    by 0x485B66: parse_and_execute (in /bin/bash)
==32208==    by 0x41F680: ??? (in /bin/bash)
==32208==    by 0x421531: main (in /bin/bash)
==32208==  Address 0x422f258 is in the brk data segment 0x4225000-0x423bfff

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bash depends on:
ii  base-files   9.7
ii  dash         0.5.8-2.3
ii  debianutils  4.8.1
ii  libc6        2.24-8
ii  libtinfo5    6.0+20161126-1

Versions of packages bash recommends:
ii  bash-completion  1:2.1-4.3

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information

Sincerely,

-- 
Harlan Lieberman-Berg
~hlieberman



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Thu, 16 Mar 2017 15:03:03 GMT)


Acknowledgement sent to Tim Ruehsen <tim.ruehsen@gmx.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 16 Mar 2017 15:03:03 GMT)


Message #10 received at 849517@bugs.debian.org:

From: Tim Ruehsen <tim.ruehsen@gmx.de>
To: 849517@bugs.debian.org
Subject: bash: invalid free() - address in brk data segment
Date: Thu, 16 Mar 2017 16:00:02 +0100
Dear maintainer,

this bug is still open, on Debian Sid (bash 4.4-4+b1).

And it breaks building software that relies on gnulib's Valgrind checking
(m4/valgrind-tests.m4, ./configure --enable-valgrind-tests).

A supposed valgrind 'make check' run won't detect any failures and returns 
with success due to valgrind testing being silently disabled.

This comes since the ./configure check expects
"valgrind -q --error-exitcode=1 --leak-check=full /bin/bash -c 'exit 0'"
to return with $? being 0.

But with the current bash version it returns $? being 1.
Thus, the valgrind checking is (silently) skipped.

IMO, this bug should be raised to IMPORTANT since building/testing of many 
packages is affected.

BTW, Debian building bash (debuild) is broken (I will open another bug). I
end up in an R shell:

$ debuild -b -uc -us
...
R .comment -R .note debian/bash.preinst
ARGUMENT '.comment' __ignored__

WARNING: unknown option '-R'

ARGUMENT '.note' __ignored__

ARGUMENT 'debian/bash.preinst' __ignored__


R version 3.3.3 (2017-03-06) -- "Another Canoe"
Copyright (C) 2017 The R Foundation for Statistical Computing
Platform: x86_64-pc-linux-gnu (64-bit)

R is free software and comes with ABSOLUTELY NO WARRANTY.
You are welcome to redistribute it under certain conditions.
Type 'license()' or 'licence()' for distribution details.

R is a collaborative project with many contributors.
Type 'contributors()' for more information and
'citation()' on how to cite R or R packages in publications.

Type 'demo()' for some demos, 'help()' for on-line help, or
'help.start()' for an HTML browser interface to help.
Type 'q()' to quit R.


Best Regards, Tim
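
Added example (not part of the bug thread or of gnulib): a CI guard built around the probe command quoted in Tim Ruehsen's message above, which turns the silent skip into a hard failure. `VALGRIND`, `PROBE_SHELL` and the function names are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not gnulib's code. VALGRIND and PROBE_SHELL are assumed,
# overridable names so the guard can be exercised with a stub binary.
VALGRIND=${VALGRIND:-valgrind}
PROBE_SHELL=${PROBE_SHELL:-/bin/bash}

# classify_probe: run the same command the configure check uses and print
# one of: ok, shell-noisy, no-valgrind, unexpected:<code>
classify_probe() {
    if ! command -v "$VALGRIND" >/dev/null 2>&1; then
        echo no-valgrind
        return 0
    fi
    rc=0
    "$VALGRIND" -q --error-exitcode=1 --leak-check=full \
        "$PROBE_SHELL" -c 'exit 0' >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo shell-noisy ;;      # --error-exitcode value: errors reported
        *) echo "unexpected:$rc" ;;
    esac
}

# require_valgrind_tests: return non-zero instead of skipping, so a passing
# 'make check' cannot hide the fact that no test ran under valgrind.
require_valgrind_tests() {
    result=$(classify_probe)
    case $result in
        ok) return 0 ;;
        shell-noisy)
            echo "valgrind reports errors in $PROBE_SHELL itself;" \
                 "valgrind tests would be silently skipped" >&2
            return 2 ;;
        *)
            echo "valgrind probe failed: $result" >&2
            return 3 ;;
    esac
}
```

Calling `require_valgrind_tests || exit 1` before `./configure --enable-valgrind-tests` in a build job makes the condition described in the message visible in the job status.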

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Thu, 13 Apr 2017 10:39:03 GMT)


Acknowledgement sent to Reuben Thomas <rrt@sc3d.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 13 Apr 2017 10:39:03 GMT)


Message #15 received at 849517@bugs.debian.org:

From: Reuben Thomas <rrt@sc3d.org>
To: 849517@bugs.debian.org
Subject: The valgrind diagnostic is a false positive
Date: Thu, 13 Apr 2017 11:36:43 +0100
See:

https://bugs.kde.org/show_bug.cgi?id=378732
https://lists.gnu.org/archive/html/bug-bash/2017-04/msg00042.html

The problem, in short, is that valgrind does not intercept the malloc call
(which is made via bash's built-in malloc), but does intercept the free
call, and hence concludes that the free is invalid.

A workaround is to build bash with --without-bash-malloc (but I presume
there's a good reason not to do that?).

-- 
http://rrt.sc3d.org

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Thu, 13 Apr 2017 21:06:08 GMT)


Acknowledgement sent to Reuben Thomas <rrt@sc3d.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 13 Apr 2017 21:06:08 GMT)


Message #20 received at 849517@bugs.debian.org:

From: Reuben Thomas <rrt@sc3d.org>
To: 849517@bugs.debian.org
Subject: Alternative fix
Date: Thu, 13 Apr 2017 22:02:31 +0100
A Valgrind maintainer pointed out that an alternative to disabling bash's
malloc is to configure bash with CPPFLAGS=-DDISABLE_MALLOC_WRAPPERS=1. This
disables the debugging wrappers that confuse valgrind.

I guess it's still preferable not to do that. The obvious alternative is to
ship either bash or valgrind with a suppression for this.

If a maintainer would express an opinion on what a reasonable solution
would be, and would like any help implementing it, I'd be happy to assist!

-- 
http://rrt.sc3d.org

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Fri, 14 Apr 2017 12:57:03 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Fri, 14 Apr 2017 12:57:03 GMT)


Message #25 received at 849517@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Reuben Thomas <rrt@sc3d.org>
Cc: 849517@bugs.debian.org
Subject: Re: Bug#849517: The valgrind diagnostic is a false positive
Date: Fri, 14 Apr 2017 14:47:39 +0200
* Reuben Thomas:

> A workaround is to build bash with --without-bash-malloc (but I presume
> there's a good reason not to do that?).

FWIW, Fedora and Red Hat Enterprise Linux compile bash this way, so it
can't be *that* bad.



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#849517; Package bash. (Fri, 14 Apr 2017 21:24:03 GMT)


Acknowledgement sent to Reuben Thomas <rrt@sc3d.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Fri, 14 Apr 2017 21:24:03 GMT)


Message #30 received at 849517@bugs.debian.org:

From: Reuben Thomas <rrt@sc3d.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 849517@bugs.debian.org
Subject: Re: Bug#849517: The valgrind diagnostic is a false positive
Date: Fri, 14 Apr 2017 22:19:58 +0100
On 14 April 2017 at 13:47, Florian Weimer <fw@deneb.enyo.de> wrote:

> * Reuben Thomas:
>
> > A workaround is to build bash with --without-bash-malloc (but I presume
> > there's a good reason not to do that?).
>
> FWIW, Fedora and Red Hat Enterprise Linux compile bash this way, so it
> can't be *that* bad.
>

I hadn't appreciated that. It would seem to be a good way to fix this
problem and also avoid any bugs in bash's malloc; presumably the
performance hit is of relatively little interest given that bash is no
longer the default /bin/sh.

-- 
http://rrt.sc3d.org


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 6 07:14:28 2023; Machine Name: buxtehude
