[Bug 2015216] Re: Invalid read of size 8 in strncmp() from is_dst()
Simon Chopin
2015216 at bugs.launchpad.net
Wed Apr 5 11:25:07 UTC 2023
Again, I don't have any deep knowledge of Valgrind. Regarding
portability, it still needs pretty intimate knowledge of the underlying
system since real-world programs don't just use malloc() to get
addresses, there are things like mmap() to take into account. Also,
tracking *access* would likely require hooking into very low-level
machinery.
Regarding the suppression files, the glibc suppression file is actually
merged into the default suppression and so is shipped in the package,
but it's tailored to the build-time version of glibc, and based on the
file patterns it probably doesn't work on Debian-based systems anyway. I
confirmed this by rebuilding the current package (without the patch),
and the strncmp issue still shows (I'm using the test program outlined
at https://bugs.kde.org/show_bug.cgi?id=434764 ).
I'll file a bug in Debian for the suppression file pattern, but in the
meantime we still want the patch.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to valgrind in Ubuntu.
https://bugs.launchpad.net/bugs/2015216
Title:
Invalid read of size 8 in strncmp() from is_dst()
Status in glibc package in Ubuntu:
Invalid
Status in valgrind package in Ubuntu:
In Progress
Status in valgrind package in Fedora:
Unknown
Bug description:
[Impact]
This bug makes valgrind detect memory error false positives in ld.so
now that it started using strncmp in is_dst. The fix is to extend the
special treatment of strncmp done in libc.so to ld.so as well. The
patch is already available upstream in a new release, this is just
about cherry-picking it.
[Rationale]
Given that the false positive is triggered in ld.so, it's fairly
likely that quite a few users will hit it.
[Original report]
Valgrind reports this in gnome-shell on almost every run:
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_dynamic_string_token (dl-load.c:395)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2015216/+subscriptions