From: Jim Meyering
To: Salvo Tomaselli
Cc: 594666@bugs.debian.org, 6936@debbugs.gnu.org
Subject: bug#6936: Bug#594666: /usr/bin/tac: tac aborts
Date: Sat, 28 Aug 2010 18:26:06 +0200
Message-ID: <87iq2u7lgh.fsf@meyering.net>
In-Reply-To: <20100828080613.10072.83561.reportbug@localhost> (Salvo Tomaselli's message of "Sat, 28 Aug 2010 10:06:13 +0200")

Salvo Tomaselli wrote:
> Package: coreutils
> Version: 8.5-1
> Severity: normal
> File: /usr/bin/tac
>
> Tac aborts when using it on a particular file.
>
> *** glibc detected *** tac: double free or corruption (top): 0x00000000025c5030 ***
...

Thank you for the report!
That is indeed a bug in the very latest.

For a stand-alone, minimal demonstrator, run this:

    valgrind tac <(printf %0$((2**14 + 1))d 0) > /dev/null

It prints this:

    Invalid free() / delete / delete[]
       at 0x4A04D72: free (vg_replace_malloc.c:325)
       by 0x402294: main (tac.c:669)
     Address 0x4c30040 is 0 bytes inside a block of size 16,388 free'd
       at 0x4A05255: realloc (vg_replace_malloc.c:476)
       by 0x4117B8: xrealloc (xmalloc.c:57)
       by 0x401A68: tac_seekable (tac.c:319)
       by 0x402379: main (tac.c:515)

Here is a fix:

>From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
From: Jim Meyering Date: Sat, 28 Aug 2010 17:45:29 +0200 Subject: [PATCH] tac: avoid double free * src/tac.c (main): Reading a line longer than 16KiB would cause tac to realloc its primary buffer. Then, just before exit, tac would mistakenly free the original (now free'd) buffer. This bug was introduced by commit be6c13e7, "maint: always free a buffer, to avoid even semblance of a leak". * NEWS (Bug fixes): Mention it. * tests/misc/tac (double-free): New test, to exercise this. Reported by Salvo Tomaselli in . --- NEWS | 3 +++ src/tac.c | 6 ++++-- tests/misc/tac | 6 ++++++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 85f55a2..f29d311 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,9 @@ GNU coreutils NEWS -*- outline -*- du -H and -L now consistently count pointed-to files instead of symbolic links, and correctly diagnose dangling symlinks. + tac would perform a double-free when given an input line longer than 16KiB. + [bug introduced in coreutils-8.3] + ** New features cp now accepts the --attributes-only option to not copy file data, diff --git a/src/tac.c b/src/tac.c index cec9736..859e006 100644 --- a/src/tac.c +++ b/src/tac.c @@ -633,7 +633,6 @@ main (int argc, char **argv) if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size)) xalloc_die (); G_buffer = xmalloc (G_buffer_size); - void *buf = G_buffer; if (sentinel_length) { strcpy (G_buffer, separator); @@ -666,6 +665,9 @@ main (int argc, char **argv) error (0, errno, "-"); ok = false; } - free (buf); + + size_t offset = sentinel_length ? sentinel_length : 1; + free (G_buffer - offset); + exit (ok ? EXIT_SUCCESS : EXIT_FAILURE); } diff --git a/tests/misc/tac b/tests/misc/tac index 7631049..4130c00 100755 --- a/tests/misc/tac +++ b/tests/misc/tac 
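Review bot: in the second src/tac.c hunk, 'free (G_buffer - offset)' derives the allocation base from the live pointer, so it stays correct after the xrealloc in tac_seekable has moved the block (the valgrind trace above places that realloc at tac.c:319), which the removed 'void *buf = G_buffer;' copy could not. That correctness now rests on G_buffer always sitting exactly 'sentinel_length' bytes (or 1) past the start of the current block, and nothing in the hunk records that invariant; a one-line comment at the free, or one shared helper that both the allocation code and this free use to convert between the base and G_buffer, would keep the next refactor from reintroducing the mismatch. The two whitespace-only '+' lines around the new statements also look unintended.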
@@ -24,6 +24,9 @@ my $prog = 'tac'; my $bad_dir = 'no/such/dir'; +# This must be longer than 16KiB to trigger the double free in coreutils-8.5. +my $long_line = 'o' x (16 * 1024 + 1); + my @Tests = ( ['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}], 
@@ -67,6 +70,9 @@ my @Tests = {ERR_SUBST => "s,`$bad_dir': .*,...,"}, {ERR => "$prog: cannot create temporary file in ...\n"}, {EXIT => 1}], + + # coreutils-8.5's tac would double-free its primary buffer. + ['double-free', {IN=>$long_line}, {OUT=>$long_line}], ); @Tests = triple_test \@Tests; -- 1.7.2.2.510.g7180a
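Review bot: the new 'double-free' case only exercises the default separator, that is the 'offset = 1' branch of the fix; the 'sentinel_length' branch (tac -s with a separator of two or more bytes and a record longer than 16KiB) is left untested, so a second entry that passes '-s' with such a separator and the same $long_line would cover both sides of the conditional. The input also has no trailing separator, which is fine for the regression but worth noting, since the more common input shape (a terminated line) takes a different path through tac_seekable.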
From: Paul Eggert
Organization: UCLA Computer Science Department
To: bug-coreutils@gnu.org
Subject: bug#6936: Bug#594666: /usr/bin/tac: tac aborts
Date: Sat, 28 Aug 2010 12:18:50 -0700
Message-id: <4C79611A.1030904@cs.ucla.edu>
In-reply-to: <87iq2u7lgh.fsf@meyering.net>

On 08/28/2010 09:26 AM, Jim Meyering wrote:
> This bug was introduced by commit be6c13e7, "maint: always free a
> buffer, to avoid even semblance of a leak".

Hah!  I've always been suspicious of these unnecessary free()s,
i.e., free()s that are put in only to make 'valgrind' happy.

How about if we do these unnecessary free()s only if 'lint'
is defined?  That would make the production software more
reliable.
From: Jim Meyering
To: Paul Eggert
Cc: bug-coreutils@gnu.org
Subject: bug#6936: Bug#594666: /usr/bin/tac: tac aborts
Date: Sat, 28 Aug 2010 21:59:52 +0200
Message-ID: <87sk1y5wzr.fsf@meyering.net>
In-Reply-To: <4C79611A.1030904@cs.ucla.edu> (Paul Eggert's message of "Sat, 28 Aug 2010 12:18:50 -0700")

Paul Eggert wrote:
> On 08/28/2010 09:26 AM, Jim Meyering wrote:
>
>> This bug was introduced by commit be6c13e7, "maint: always free a
>> buffer, to avoid even semblance of a leak".
>
> Hah! I've always been suspicious of these unnecessary free()s,
> i.e., free()s that are put in only to make 'valgrind' happy.
>
> How about if we do these unnecessary free()s only if 'lint'
> is defined? That would make the production software more
> reliable.

Hi Paul,

It's a close call, especially given this actual bug.
However, for me at least, this is similar to compiler warnings
in that freeing unconditionally makes for cleaner output from
leak-checking tools like valgrind, and thus, desirable.
In addition, guarding the free inside #ifdef lint...#endif would
expose the "possibly leaked" condition to any unsuspecting developer
who builds without -Dlint.  We've had a few reports like that:
the solution is simply to tell such folks to use -Dlint, but
preventing reports altogether is even better.
Another point against such a change is that it'd add an in-function #ifdef.
On the other hand, there is precedent for this sort of a guard
in e.g., shuf.c and mktemp.c.
In addition, when configuring with --enable-gcc-warnings, you
automatically get -Dlint, so maybe it makes sense.

I'm tempted to push this, but could go either way:

>From 9e837201ba6d8974de8e09c1d359c16ecab12584 Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Sat, 28 Aug 2010 21:54:17 +0200
Subject: [PATCH] tac: suppress technically unneeded "free"

* src/tac.c (main): Guard final free with #ifdef lint.
Suggested by Paul Eggert.
--- src/tac.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/tac.c b/src/tac.c index 859e006..dbfe2b0 100644 --- a/src/tac.c +++ b/src/tac.c @@ -666,8 +666,10 @@ main (int argc, char **argv) ok = false; } +#ifdef lint size_t offset = sentinel_length ? sentinel_length : 1; free (G_buffer - offset); +#endif exit (ok ? EXIT_SUCCESS : EXIT_FAILURE); } -- 1.7.2.2.510.g7180a
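Review bot: with the free moved inside '#ifdef lint', the 'double-free' test added by the previous patch exercises the exit-time free only in builds configured with -Dlint, so a regression of this kind would now surface only on warnings-enabled builds; if the guard goes in, a comment at the '#ifdef' stating that the free exists solely to keep leak checkers quiet (exit follows immediately and the OS reclaims the block) would tell the next reader why it must not be "fixed" back to unconditional, and would also answer the "possibly leaked" reports mentioned above from developers who build without -Dlint.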
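As an added illustration of the two points this thread turns on (the cached base pointer that went stale once tac_seekable grew the buffer, and the exit-time free that the second patch wraps in #ifdef lint), here is a small model in C. It is not coreutils code: the struct, the function names, the allocate+copy+free growth step and the hand-set lint macro are this example's own assumptions, shaped after the tac.c hunks quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: coreutils gets -Dlint from --enable-gcc-warnings;
   it is defined by hand here so the guarded free below is compiled in.  */
#define lint 1

/* Model of tac's primary buffer (not the coreutils code).  The block that
   malloc returns starts `offset` bytes before G_buffer: the separator sits there.  */
struct tacbuf
{
  char *G_buffer;   /* the pointer the rest of the program works with */
  size_t size;      /* bytes usable at G_buffer */
  size_t offset;    /* sentinel_length, or 1 for the default separator */
};

static void
tacbuf_init (struct tacbuf *b, size_t size, const char *separator)
{
  size_t seplen = strlen (separator);
  b->offset = seplen ? seplen : 1;
  b->size = size;
  char *base = calloc (size + b->offset, 1);
  if (!base)
    abort ();
  memcpy (base, seplen ? separator : "\n", b->offset);
  b->G_buffer = base + b->offset;
}

/* Grow the buffer as tac_seekable does when a record does not fit.  Done as
   allocate+copy+free rather than realloc so the block is guaranteed to move
   (which realloc may do anyway); any cached copy of the old address now dangles.  */
static void
tacbuf_grow (struct tacbuf *b, size_t newsize)
{
  char *oldbase = b->G_buffer - b->offset;
  char *newbase = calloc (newsize + b->offset, 1);
  if (!newbase)
    abort ();
  memcpy (newbase, oldbase, b->size + b->offset);
  free (oldbase);
  b->G_buffer = newbase + b->offset;
  b->size = newsize;
}

/* Exit-time release in the shape of the second patch: recompute the base
   from the live G_buffer, and only in builds meant for leak checkers.  */
static bool
tacbuf_exit_free (struct tacbuf *b)
{
#ifdef lint
  free (b->G_buffer - b->offset);
  return true;
#else
  (void) b;       /* exit () follows; the OS reclaims the block */
  return false;
#endif
}

/* Push one record of `len` bytes through a buffer of `bufsize` bytes and
   report whether the coreutils-8.3..8.5 exit-time free (a `void *buf` copied
   right after the first allocation, then `free (buf)`) would have hit an
   already freed block.  The address is kept as an integer, so no freed
   pointer is used, and the stale free itself is never executed.  */
static bool
old_exit_free_was_double (const char *separator, size_t bufsize, size_t len)
{
  struct tacbuf b;
  tacbuf_init (&b, bufsize, separator);
  uintptr_t buf = (uintptr_t) (b.G_buffer - b.offset);   /* the cached copy */
  if (len > b.size)
    tacbuf_grow (&b, len);                               /* buf is stale now */
  bool stale = buf != (uintptr_t) (b.G_buffer - b.offset);
  tacbuf_exit_free (&b);
  return stale;
}
```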
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Jim Meyering
Subject: bug#6936: closed (Re: Bug#594666: /usr/bin/tac: tac aborts)
Reply-To: 6936@debbugs.gnu.org
Date: Sun, 07 Aug 2011 16:24:02 +0000

Your bug report

#6936: Bug#594666: /usr/bin/tac: tac aborts

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 6936@debbugs.gnu.org.

-- 
6936: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=6936
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Jim Meyering
To: 6936-done@debbugs.gnu.org
Subject: Re: Bug#594666: /usr/bin/tac: tac aborts
Date: Sun, 07 Aug 2011 18:22:38 +0200
Message-ID: <8739hdjinl.fsf@rho.meyering.net>
In-Reply-To: <87iq2u7lgh.fsf@meyering.net> (Jim Meyering's message of "Sat, 28 Aug 2010 18:26:06 +0200")

Jim Meyering wrote:
> Salvo Tomaselli wrote:
>> Package: coreutils
>> Version: 8.5-1
>> Severity: normal
>> File: /usr/bin/tac
>>
>> Tac aborts when using it on a particular file.
>>
>> *** glibc detected *** tac: double free or corruption (top):
>> 0x00000000025c5030 ***
> ...
>
> Thank you for the report!
> That is indeed a bug in the very latest.
>
> For a stand-alone, minimal demonstrator, run this:
>
>     valgrind tac <(printf %0$((2**14 + 1))d 0) > /dev/null
>
> It prints this:
>
>     Invalid free() / delete / delete[]
>        at 0x4A04D72: free (vg_replace_malloc.c:325)
>        by 0x402294: main (tac.c:669)
>      Address 0x4c30040 is 0 bytes inside a block of size 16,388 free'd
>        at 0x4A05255: realloc (vg_replace_malloc.c:476)
>        by 0x4117B8: xrealloc (xmalloc.c:57)
>        by 0x401A68: tac_seekable (tac.c:319)
>        by 0x402379: main (tac.c:515)
>
> Here is a fix:
>
>>>From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
> From: Jim Meyering
> Date: Sat, 28 Aug 2010 17:45:29 +0200
> Subject: [PATCH] tac: avoid double free
>
> * src/tac.c (main): Reading a line longer than 16KiB would cause
> tac to realloc its primary buffer.  Then, just before exit, tac
> would mistakenly free the original (now free'd) buffer.
> This bug was introduced by commit be6c13e7, "maint: always free a
> buffer, to avoid even semblance of a leak".
> * NEWS (Bug fixes): Mention it.
> * tests/misc/tac (double-free): New test, to exercise this.
> Reported by Salvo Tomaselli in .

This was fixed long ago.
Marking as "done".