21046 – bug16159 seems to have happened again

Bug 21046 - bug16159 seems to have happened again

Summary: bug16159 seems to have happened again

Status:	RESOLVED MOVED

Alias:	None

Product:	glibc
Classification:	Unclassified
Component:	malloc (show other bugs)
Version:	2.17

Importance:	P2 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Depends on:	21754
Blocks:
	Show dependency tree / graph

Reported:	2017-01-13 02:27 UTC by Chen Wei
Modified:	2017-07-12 00:07 UTC (History)
CC List:	1 user (show)

See Also:	16159 https://bugzilla.redhat.com/show_bug.cgi?id=1418919
Host:
Target:
Build:
Last reconfirmed:

Flags:	fweimer: security-

Attachments
more gdb info in attchment (4.48 KB, text/plain) 2017-01-13 02:27 UTC, Chen Wei	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chen Wei 2017-01-13 02:27:25 UTC

Created attachment 9751 [details]
more gdb info in attchment

But recently, I met the deadlock problem again.
centOS 7.2 with glibc-2.17, which has already back ported the patch fff94fa(Avoid deadlock in malloc on backtrace (BZ #16159))
The main problem is the process does not abort, it hangs. M_CHECK_ACTION parameter is default value 3.
Backtrace from gdb is similar with BZ #16159, but different expection reason detected.
The 1st expection triggered by calling free func. The pointer to free is an address of array(calloc), and out-of-bounds access before.
So the 1st expection is "free(): invalid next size (normal)" and in malloc_printerr func malloc report the 2nd error
"malloc(): smallbin double linked list corrupted", then it hangs around in:
pthread_once
__GI___backtrace
More details please see attachment
========================= hung thread bt info ==========================
(gdb) thr 20
[Switching to thread 20 (Thread 0x7fa5a8edc700 (LWP 193380))]
#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
94		jmp	6b
(gdb) bt
#0  pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:94
#1  0x00007fa5b6e606dc in __GI___backtrace (array=array@entry=0x7fa5a8eda2b0, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#2  0x00007fa5b6dcb314 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fa5b6ed4e48 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#3  0x00007fa5b6dd1144 in malloc_printerr (action=<optimized out>, str=0x7fa5b6ed4fe0 "malloc(): smallbin double linked list corrupted", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5036
#4  0x00007fa5b6dd3f97 in _int_malloc (av=0x7fa588000020, bytes=7809933825095528041) at malloc.c:3396
#5  0x00007fa5b6dd6194 in __GI___libc_malloc (bytes=56) at malloc.c:2909
#6  0x00007fa5ba948238 in _dl_map_object_deps (map=map@entry=0x7fa5bab4a538, preloads=preloads@entry=0x0, npreloads=npreloads@entry=0, trace_mode=trace_mode@entry=0, open_mode=open_mode@entry=-2147483648) at dl-deps.c:515
#7  0x00007fa5ba94e89b in dl_open_worker (a=a@entry=0x7fa5a8edae98) at dl-open.c:269
#8  0x00007fa5ba94a1b4 in _dl_catch_error (objname=objname@entry=0x7fa5a8edae88, errstring=errstring@entry=0x7fa5a8edae90, mallocedp=mallocedp@entry=0x7fa5a8edae80, operate=operate@entry=0x7fa5ba94e700 <dl_open_worker>, 
    args=args@entry=0x7fa5a8edae98) at dl-error.c:177
#9  0x00007fa5ba94e1ab in _dl_open (file=0x7fa5b6ed13c6 "libgcc_s.so.1", mode=-2147483647, caller_dlopen=<optimized out>, nsid=-2, argc=2, argv=0x7ffcac68a628, env=0x7ffcac68a640) at dl-open.c:650
#10 0x00007fa5b6e86fd2 in do_dlopen (ptr=ptr@entry=0x7fa5a8edb0a0) at dl-libc.c:87
#11 0x00007fa5ba94a1b4 in _dl_catch_error (objname=0x7fa5a8edb080, errstring=0x7fa5a8edb090, mallocedp=0x7fa5a8edb070, operate=0x7fa5b6e86f90 <do_dlopen>, args=0x7fa5a8edb0a0) at dl-error.c:177
#12 0x00007fa5b6e87092 in dlerror_run (args=0x7fa5a8edb0a0, operate=0x7fa5b6e86f90 <do_dlopen>) at dl-libc.c:46
#13 __GI___libc_dlopen_mode (name=name@entry=0x7fa5b6ed13c6 "libgcc_s.so.1", mode=mode@entry=-2147483647) at dl-libc.c:163
#14 0x00007fa5b6e605c5 in init () at ../sysdeps/x86_64/backtrace.c:52
#15 0x00007fa5b7123bb0 in pthread_once () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_once.S:103
#16 0x00007fa5b6e606dc in __GI___backtrace (array=array@entry=0x7fa5a8edb360, size=size@entry=64) at ../sysdeps/x86_64/backtrace.c:103
#17 0x00007fa5b6dcb314 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fa5b6ed4e48 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:176
#18 0x00007fa5b6dd26d3 in malloc_printerr (ar_ptr=0x7fa588000020, ptr=<optimized out>, str=0x7fa5b6ed4e90 "free(): invalid next size (normal)", action=3) at malloc.c:5036
#19 _int_free (av=0x7fa588000020, p=<optimized out>, have_lock=0) at malloc.c:3856

Comment 1 Florian Weimer 2017-01-30 13:58:27 UTC

Please report this on https://bugzilla.redhat.com/, with a exact glibc version number.  This could be a problem with the downstream backport.

Please also include backtraces from all threads in the report.  Thanks.