Debian Bug report logs -
#887640
SIGSEGVs in libcdio: double free or corruption
Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#887640; Package libcdio. (Thu, 18 Jan 2018 16:03:04 GMT)
Acknowledgement sent to Thomas Schwinge <thomas@codesourcery.com>: New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Thu, 18 Jan 2018 16:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libcdio
Version: 1.0.0-2
Hi!
I'm attaching two patches to resolve the following two problems.
With, for example, the eponymous audio CD by Regarde les hommes tomber:
$ gdb -q --args cd-info /dev/sr1
[...]
CD-TEXT for Track 7:
TITLE: The Fall
double free or corruption (!prev)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff72d6cf7 in __GI_abort () at abort.c:90
#2 0x00007ffff7317f87 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff731e27a in malloc_printerr (str=str@entry=0x7ffff741f848 "double free or corruption (!prev)") at malloc.c:5354
#4 0x00007ffff731ffdc in _int_free (av=0x7ffff7651c20 <main_arena>, p=0x5555557614e0, have_lock=<optimized out>) at malloc.c:4281
#5 0x00007ffff79a96b3 in cdio_generic_free (p_user_data=0x55555575f6d0) at _cdio_generic.c:111
#6 0x00007ffff79acc6d in cdio_destroy (p_cdio=0x5555557611b0) at device.c:365
#7 0x0000555555558c5d in myexit (cdio=<optimized out>, rc=0) at util.c:45
#8 0x00005555555571d2 in main (argc=<optimized out>, argv=<optimized out>) at cd-info.c:1316
Reproducible with upstream release-1.0.0. No longer reproducible with
release-1.1.0. Bisected to be fixed by commit
2800f003aaee077f4009f525caf6c8b14a38ec47. That one confirmed to fix the
problem with Debian's 1.0.0-2 package, too. Patch attached for your
convenience.
With, for example, the audio CD "The Age of Cataclysm" by Cryptic
Wintermoon:
$ gdb -q --args cd-info /dev/sr1
[...]
CD Analysis Report
double free or corruption (top)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff72d6cf7 in __GI_abort () at abort.c:90
#2 0x00007ffff7317f87 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff741dbd8 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff731e27a in malloc_printerr (str=str@entry=0x7ffff741f808 "double free or corruption (top)") at malloc.c:5354
#4 0x00007ffff731ffac in _int_free (av=0x7ffff7651c20 <main_arena>, p=0x555555761350, have_lock=<optimized out>) at malloc.c:4273
#5 0x00007ffff79aa937 in get_cdtext_generic (p_user_data=0x55555575f6d0) at _cdio_generic.c:300
#6 0x000055555555861f in print_cdtext_info (i_first_track=1 '\001', i_tracks=<optimized out>, p_cdio=0x5555557611b0) at cd-info.c:437
#7 print_analysis (ms_offset=0, cdio_iso_analysis=..., fs=1, first_data=-1, num_audio=13, i_tracks=13 '\r', i_first_track=1 '\001', p_cdio=0x5555557611b0, track_format=<optimized out>) at cd-info.c:668
#8 0x0000555555557776 in main (argc=<optimized out>, argv=<optimized out>) at cd-info.c:1251
Reproducible with upstream release-1.0.0, and release-1.1.0. No longer
reproducible with release-2.0.0. Bisected to be fixed by commit
f6f9c48fb40b8a1e8218799724b0b61a7161eb1d. That one confirmed to fix the
problem with Debian's 1.0.0-2 package, too. Patch attached for your
convenience.
Regards
Thomas
[0001-Remove-duplicate-free.patch (text/x-diff, inline)]
From 2800f003aaee077f4009f525caf6c8b14a38ec47 Mon Sep 17 00:00:00 2001
From: "R. Bernstein" <rocky@gnu.org>
Date: Wed, 6 Dec 2017 09:10:51 -0500
Subject: [PATCH] Remove duplicate free...
Now that cdio_destroy cleans up after itself better
---
lib/driver/_cdio_generic.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c
index 9e920bbe..e84ee314 100644
--- a/lib/driver/_cdio_generic.c
+++ b/lib/driver/_cdio_generic.c
@@ -1,5 +1,5 @@
/*
- Copyright (C) 2004-2009, 2011-2013
+ Copyright (C) 2004-2009, 2011-2013, 2017
Rocky Bernstein <rocky@gnu.org>
This program is free software: you can redistribute it and/or modify
@@ -108,7 +108,6 @@ cdio_generic_free (void *p_user_data)
if (NULL != p_env->cdtext) {
cdtext_destroy(p_env->cdtext);
- free(p_env->cdtext);
p_env->cdtext = NULL;
}
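Review bot: the removed free() at the old line 111 is exactly the call the first backtrace attributes the double free to (_cdio_generic.c:111 in frame #5), so cdtext_destroy() must already release the cdtext object itself, and the remaining p_env->cdtext = NULL is what protects a repeated cdio_generic_free() call. Since the commit message only says that cdio_destroy "cleans up after itself better", a one-line comment at the cdtext_destroy() call stating that it frees the object would record the ownership rule and keep the free() from being reintroduced.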
--
2.15.1
[0002-Fix-double-free-courtesy-of-Chris-Clayton.patch (text/x-diff, inline)]
From f6f9c48fb40b8a1e8218799724b0b61a7161eb1d Mon Sep 17 00:00:00 2001
From: "R. Bernstein" <rocky@gnu.org>
Date: Fri, 22 Dec 2017 16:06:57 -0500
Subject: [PATCH] Fix double free courtesy of Chris Clayton
---
lib/driver/_cdio_generic.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/driver/_cdio_generic.c b/lib/driver/_cdio_generic.c
index d40ac0d9..ae820d25 100644
--- a/lib/driver/_cdio_generic.c
+++ b/lib/driver/_cdio_generic.c
@@ -296,7 +296,6 @@ get_cdtext_generic (void *p_user_data)
if(len <= 0 || 0 != cdtext_data_init (p_env->cdtext, &p_cdtext_data[4], len)) {
p_env->b_cdtext_error = true;
- cdtext_destroy (p_env->cdtext);
free(p_env->cdtext);
p_env->cdtext = NULL;
}
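Review bot: this error path resolves the double free the opposite way from the cdio_generic_free() fix, dropping cdtext_destroy() and keeping the bare free(p_env->cdtext). If cdtext_data_init() had allocated any field strings before returning non-zero, those are leaked here, so it is worth confirming that it leaves the object empty on failure, or otherwise keeping cdtext_destroy() and dropping the free() to match the other site. For the len <= 0 case the short-circuit means cdtext_data_init() never runs, so the bare free() is the right release there either way.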
--
2.15.1
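As an added illustration that is not part of the bug report or of libcdio's own code: the ownership mistake fixed by the first patch, modelled in C with a small release tracker so the second free is counted instead of aborting the process. The cdtext_t, generic_env_t and cdtext_destroy() here are simplified stand-ins for libcdio's real types, and the title string is a constructed sample.

```c
/* Added example (not libcdio code): models the double release in the
 * 1.0.0 cdio_generic_free() and the shape of the fix from 2800f003. */
#include <stdlib.h>
#include <string.h>

/* Release tracker: remembers each pointer handed to tracked_free() and
 * counts a second release of it instead of letting glibc abort. */
#define MAX_FREED 64
static void *freed[MAX_FREED];
static int n_freed, double_frees;

static void tracked_free(void *p) {
  if (p == NULL) return;
  for (int i = 0; i < n_freed; i++)
    if (freed[i] == p) { double_frees++; return; } /* already released */
  if (n_freed < MAX_FREED) freed[n_freed++] = p;
  free(p);
}

typedef struct { char *title; } cdtext_t;          /* stand-in for cdtext_t */
typedef struct { cdtext_t *cdtext; } generic_env_t; /* stand-in for the env */

/* cdtext_destroy() owns the whole object: its fields and the struct. */
static void cdtext_destroy(cdtext_t *p) {
  if (p == NULL) return;
  tracked_free(p->title);
  tracked_free(p);
}

/* 1.0.0 pattern from cdio_generic_free(): destroy, then free again. */
static void generic_free_buggy(generic_env_t *env) {
  if (env->cdtext != NULL) {
    cdtext_destroy(env->cdtext);
    tracked_free(env->cdtext); /* second release of the same block */
    env->cdtext = NULL;
  }
}

/* Pattern after commit 2800f003: cdtext_destroy() is the only release. */
static void generic_free_fixed(generic_env_t *env) {
  if (env->cdtext != NULL) {
    cdtext_destroy(env->cdtext);
    env->cdtext = NULL;
  }
}

/* Builds a fresh object with a constructed title, runs one release path
 * and returns how many double frees the tracker observed. */
static int run_release(void (*release)(generic_env_t *)) {
  n_freed = 0; double_frees = 0;
  cdtext_t *t = calloc(1, sizeof *t);
  t->title = malloc(16); strcpy(t->title, "The Fall");
  generic_env_t env = { t };
  release(&env);
  return double_frees;
}
```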
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#887640; Package libcdio. (Sat, 24 Feb 2018 11:33:06 GMT)
Acknowledgement sent to Thomas Schwinge <thomas@codesourcery.com>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 24 Feb 2018 11:33:06 GMT)
Message #10 received at 887640@bugs.debian.org:
Hi!
For avoidance of doubt:
On Thu, 18 Jan 2018 16:07:37 +0100, I wrote:
> $ gdb -q --args cd-info /dev/sr1
> [...]
> CD-TEXT for Track 7:
> TITLE: The Fall
> double free or corruption (!prev)
>
> Program received signal SIGABRT, Aborted.
> $ gdb -q --args cd-info /dev/sr1
> [...]
> CD Analysis Report
> double free or corruption (top)
>
> Program received signal SIGABRT, Aborted.
I'm not reporting these issues against the auxiliary "cd-info" program,
but instead I saw problems with gvfs/the rhythmbox music player. As can
be seen by the two patches I provided, the problem really is in libcdio
proper and usage of the "cd-info" program here was just for illustration
purposes.
Regards
Thomas
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#887640; Package libcdio. (Sat, 24 Feb 2018 12:57:04 GMT)
Acknowledgement sent to Rocky Bernstein <rocky@gnu.org>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 24 Feb 2018 12:57:05 GMT)
Message #15 received at 887640@bugs.debian.org:
Hi -
Both of these issues were addressed in libcdio 2.0.0, and that is the way I
would recommend fixing them. The reason we went from 1.1 to 2.x was because it
was pointed out that it would better follow the guidelines of semantic
versioning, since one of the APIs was changed in an incompatible way. So 1.x
should be deprecated. Also the library numbers have been bumped as a
result.
As I look at Debian packages for libcdio, I think it is early enough in
the packaging of the 1.x that changing to 2.0 rather than 1.x wouldn't be a
big deal. Right?
I am sorry for the hassle.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#887640; Package libcdio. (Sat, 24 Feb 2018 23:33:03 GMT)
Acknowledgement sent to Jack Underwood <juichenieder-debbie@yahoo.co.uk>: Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 24 Feb 2018 23:33:03 GMT)
Message #20 received at 887640@bugs.debian.org:
Hey,
I have been lurking following the progress on this since I discovered this bug reported on
gvfs-backends https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886278 which I traced back to libcdio.
And yes, as I commented there, the solution seems to get 2.0.0 out.
> As I look at Debian packages for libcdio, I think it is early enough in
> the packaging of the 1.x that changing to 2.0 rather than 1.x wouldn't be a
> big deal. Right?
1.0.0 has already been packaged, and from what I can see from the NEWS file, the ABI changed twice
between 1.0.0 and 2.0 (once to 1.1 and then again to 2.0), which AFAIK means it needs a transition
to recompile dependent programmes on the new version.
http://git.savannah.gnu.org/cgit/libcdio.git/tree/NEWS?id=908ec296cdffbee8bfe9ff9196caa13a49262b91
Matthias Klose, whom I have CC'ed here, uploaded 2.0.0 to experimental on the 30th January,
which auto-generated the transition tracker for this:
https://release.debian.org/transitions/html/auto-libcdio.html
I don't know the current state of play, Matthias Klose stated back in November 2017 that they were
orphaning libcdio but still doing the then current transition, i.e. from 0.83 (libcdio13) to 0.94 (libcdio16),
and they did the Ubuntu transition as well which they did before getting the all clear to begin the transition
from experimental to unstable. No transition was needed from 0.94 to 1.0.0 as there was no ABI change.
I would offer to take over the orphaned package, but I don't know how much time it would take (I have very little time at the moment), and I know almost nothing about packaging, so far only working on upstream projects in python.
The current Ubuntu transition exists here, but the Ubuntu transitioning process seems even more unclear than
the Debian one:
http://people.canonical.com/~ubuntu-archive/transitions/html/html/libcdio.html
Okay, that documents everything I know so far about the status of this.
Best,
Jack
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 2 20:09:41 2018.