https://bugzilla.redhat.com/show_bug.cgi?id=1258862
Bug ID: 1258862
Summary: local_sock() double free error
Product: Fedora
Version: 23
Component: pcp
Keywords: EasyFix, Patch
Severity: medium
Priority: medium
Assignee: nathans@xxxxxxxxxx
Reporter: fkrska@xxxxxxxxxx
QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
CC: brolley@xxxxxxxxxx, fche@xxxxxxxxxx, lberk@xxxxxxxxxx,
mgoodwin@xxxxxxxxxx, nathans@xxxxxxxxxx,
pcp@xxxxxxxxxxx, qe-baseos-tools@xxxxxxxxxx,
scox@xxxxxxxxxx
The related code in Fedora/master is unchanged, so the double free is present
here as well. Needed to propagate through upstream.
+++ This bug was initially created as a clone of Bug #1258846 +++
Description of problem:
pmdamemcache crashes with the following backtrace:
Core was generated by `perl /var/lib/pcp/pmdas/memcache/pmdamemcache.pl'.
Program terminated with signal 6, Aborted.
#0 0x00007f9464552625 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f9464553e05 in abort () at abort.c:92
#2 0x00007f9464590537 in __libc_message (do_abort=2, fmt=0x7f9464678940 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3 0x00007f9464595e66 in malloc_printerr (action=3, str=0x7f9464676a2e "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:6336
#4 0x00007f946459897a in _int_free (av=0x7f94648afe80, p=0x7f94648afef8, have_lock=0) at malloc.c:4832
#5 0x00007f945de06d25 in __pmHostEntFree (hostent=0x15cb740) at auxconnect.c:39
#6 0x00007f945e265517 in local_sock (host=0x15cb780 "127.0.0.1", port=11211, callback=0x16ba050, cookie=0) at local.c:209
#7 0x00007f945e273eaa in XS_PCP__PMDA_add_sock (my_perl=0x7633, cv=0x1693560) at PMDA.xs:1099
#8 0x00007f946588e815 in Perl_pp_entersub (my_perl=0x159f010) at pp_hot.c:2888
#9 0x00007f946588cb06 in Perl_runops_standard (my_perl=0x159f010) at run.c:40
#10 0x00007f94658350d8 in S_run_body (my_perl=0x159f010) at perl.c:2435
#11 perl_run (my_perl=0x159f010) at perl.c:2353
#12 0x0000000000400e74 in main (argc=2, argv=0x7ffcf217ad98, env=0x7ffcf217adb0) at perlmain.c:117
Version-Release number of selected component (if applicable):
pcp-3.10.3-3.el6.x86_64
perl-PCP-PMDA-3.10.3-3.el6.x86_64
How reproducible:
No reproducer known so far, abrt reports generated often in customer's
environment
Steps to Reproduce:
1.
2.
3.
Actual results:
Program terminated with signal 6, Aborted.
Expected results:
No abort
Additional info:
The same double free bug seems to be present in RHEL 7's and Fedora master's pcp
as well; upstream propagation needed.
Hypothesis:
pcp-3.10.3/src/perl/PMDA/local.c:

int
local_sock(char *host, int port, scalar_t *callback, int cookie)
{
    __pmSockAddr *myaddr;
    __pmHostEnt *servinfo = NULL;
    ...
    if ((servinfo = __pmGetAddrInfo(host)) == NULL) {
        __pmNotifyErr(LOG_ERR, "__pmGetAddrInfo (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:158
    }
    ...
    __pmHostEntFree(servinfo);          <------------ first free()
    ...
    if (sts < 0) {
        __pmNotifyErr(LOG_ERR, "__pmConnect (%s): %s", host, netstrerror());
        goto error;                     <------------ local.c:196
    }
    ...
error:
    if (fd >= 0)
        __pmCloseSocket(fd);
    if (servinfo)
        __pmHostEntFree(servinfo);      <------------ local.c:209 second free()

We can get to line 209 only from line 196 (just after __pmHostEntFree(), so
servinfo is already freed). We cannot get there from line 158 because servinfo
would be NULL.
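
Added example (not part of the original report and not the pcp project's code or patch): a minimal C model of the control flow described in the hypothesis, next to one common remedy, clearing the pointer after the first release. The names hostent_t, lookup, release, sock_unfixed and sock_fixed are hypothetical stand-ins; release() counts calls instead of calling free(), so the double release can be observed without corrupting the heap.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for __pmHostEnt (constructed for this example). */
typedef struct { int unused; } hostent_t;

static hostent_t entry;   /* constructed sample object, static storage */
static int releases;      /* number of release() calls in the current run */

/* Models __pmGetAddrInfo(): returns NULL on lookup failure. */
static hostent_t *lookup(const char *host) { return host ? &entry : NULL; }

/* Models __pmHostEntFree(): counts instead of freeing. */
static void release(hostent_t *h) { (void)h; releases++; }

/* Same shape as the excerpt: release, then a later "goto error". */
int sock_unfixed(const char *host, int connect_sts)
{
    hostent_t *servinfo = NULL;
    releases = 0;
    if ((servinfo = lookup(host)) == NULL)
        goto error;               /* servinfo is NULL here: no release */
    release(servinfo);            /* first release */
    if (connect_sts < 0)
        goto error;               /* servinfo is stale but non-NULL */
    return releases;
error:
    if (servinfo)
        release(servinfo);        /* second release of the same object */
    return releases;
}

/* Remedy: NULL the pointer once released so the error path skips it. */
int sock_fixed(const char *host, int connect_sts)
{
    hostent_t *servinfo = NULL;
    releases = 0;
    if ((servinfo = lookup(host)) == NULL)
        goto error;
    release(servinfo);
    servinfo = NULL;              /* ownership given up; guard below now holds */
    if (connect_sts < 0)
        goto error;
    return releases;
error:
    if (servinfo)
        release(servinfo);
    return releases;
}

int main(void)
{
    printf("unfixed, connect fails: %d releases\n", sock_unfixed("127.0.0.1", -1));
    printf("fixed,   connect fails: %d releases\n", sock_fixed("127.0.0.1", -1));
    return 0;
}
```

Each function returns how many times the object was released on that path; any value above 1 corresponds to the glibc abort seen in frame #4 of the backtrace.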