Invalid read of size 8 in strncmp() from is_dst()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glibc (Ubuntu) | Invalid | Undecided | Unassigned |
valgrind (Fedora) | Unknown | Unknown | |
valgrind (Ubuntu) | Fix Released | High | Simon Chopin |
Bug Description
[Impact]
This bug makes valgrind report memory-error false positives in ld.so now that ld.so uses strncmp in is_dst. The fix is to extend the special treatment of strncmp that valgrind already applies to libc.so to ld.so as well. The patch is already available upstream in a new release; this is just about cherry-picking it.
[Rationale]
Given that the false-positive is triggered in ld.so, it's fairly likely that quite a few users will hit it.
[Original report]
Valgrind reports this in gnome-shell on almost every run:
```
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
```
```
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSign
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckR
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install)
```
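When a memcheck run is full of these reports, the practical question for a triager is which errors carry the known ld.so signature (strncmp called directly from is_dst in dl-load.c, as in the log above) and which ones still need a look. The following is an added example, not code from this bug report, from valgrind or from glibc: it parses memcheck "Invalid read" blocks, separates the known false positive from everything else, and prints a valgrind suppression for it so that unfixed valgrind builds can be quietened without hiding other errors. The sample log is constructed for the example (the two ld.so errors reuse the frames quoted above with shortened allocation stacks; the third error is an invented application bug), and the suppression name is an arbitrary label.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two ld.so errors with the frames from the report above
# (allocation stacks shortened) plus one invented application error that must
# NOT be matched by the known-signature check.
SAMPLE_LOG = """\
==34822== Invalid read of size 8
==34822==    at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822==    by 0x400554E: is_dst (dl-load.c:216)
==34822==    by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822==    by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822==  Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822==    by 0x402628E: strdup (strdup.c:42)
==34822==    by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822==
==34822== Invalid read of size 8
==34822==    at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822==    by 0x400554E: is_dst (dl-load.c:216)
==34822==    by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822==  Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822==    by 0x402628E: strdup (strdup.c:42)
==34822==
==34822== Invalid read of size 4
==34822==    at 0x10915A: parse_header (app.c:42)
==34822==    by 0x108F20: main (app.c:99)
==34822==  Address 0x4a5d044 is 0 bytes after a block of size 4 alloc'd
==34822==    by 0x108E10: main (app.c:95)
"""

ERROR_RE = re.compile(r"^==\d+== Invalid read of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(r"^==\d+==\s+Address ")


@dataclass
class MemcheckError:
    size: int
    frames: list = field(default_factory=list)  # (function, location) of the access stack


def parse_invalid_reads(text):
    """Collect each 'Invalid read' block with the frames of the faulting access.

    Frames after the 'Address ... alloc'd' line describe the allocation, not
    the read, so they are skipped: the signature we match is about the reader.
    """
    errors = []
    current = None
    in_access_stack = False
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = MemcheckError(size=int(m.group(1)))
            errors.append(current)
            in_access_stack = True
            continue
        if current is None:
            continue
        if ADDR_RE.match(line):
            in_access_stack = False
            continue
        m = FRAME_RE.match(line)
        if m and in_access_stack:
            current.frames.append((m.group(1), m.group(2)))
    return errors


def is_ld_so_strncmp_false_positive(err):
    """Signature from the report: size-8 read in strncmp called from is_dst in dl-load.c."""
    if err.size != 8 or len(err.frames) < 2:
        return False
    (top_fn, _), (caller_fn, caller_loc) = err.frames[0], err.frames[1]
    return top_fn == "strncmp" and caller_fn == "is_dst" and caller_loc.startswith("dl-load.c")


def triage(text):
    """Split the errors into the known ld.so false positive and everything else."""
    errors = parse_invalid_reads(text)
    known = [e for e in errors if is_ld_so_strncmp_false_positive(e)]
    unexplained = [e for e in errors if not is_ld_so_strncmp_false_positive(e)]
    return known, unexplained


def suppression_for(err, name="glibc-ld.so-strncmp-is_dst"):
    """Valgrind suppression matching only the two top frames; '...' is the
    frame wildcard of the suppression syntax, so deeper callers can vary."""
    lines = ["{", f"   {name}", f"   Memcheck:Addr{err.size}"]
    lines += [f"   fun:{fn}" for fn, _ in err.frames[:2]]
    lines += ["   ...", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    known, unexplained = triage(SAMPLE_LOG)
    print(f"known ld.so false positives: {len(known)}, errors needing review: {len(unexplained)}")
    for e in unexplained:
        print("  review:", " <- ".join(fn for fn, _ in e.frames))
    if known:
        print("suppression for the known signature:")
        print(suppression_for(known[0]))
```

Pipe a real memcheck log into `parse_invalid_reads` and keep the `unexplained` list as the work queue; the generated suppression can be passed to valgrind with `--suppressions=FILE`, and because it only pins the `strncmp`/`is_dst` pair it does not mask invalid reads elsewhere in the program.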
Changed in | Field | Change
---|---|---
glibc (Ubuntu) | status | New → Invalid
valgrind (Ubuntu) | status | New → In Progress
valgrind (Ubuntu) | importance | Undecided → High
valgrind (Ubuntu) | information type | Public Security → Public
valgrind (Ubuntu) | status | In Progress → Confirmed
valgrind (Ubuntu) | description | updated
valgrind (Ubuntu) | tags | added: fixed-in-valgrind-3.20 fixed-upstream
valgrind (Ubuntu) | assignee | nobody → Simon Chopin (schopin)
valgrind (Ubuntu) | status | Confirmed → In Progress
valgrind (Ubuntu) | tags | added: focal jammy kinetic
This is likely a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2081583, which was fixed in valgrind in https://bugs.kde.org/show_bug.cgi?id=434764. Based on our analysis, it is not a security bug.