Bug 36878 - AddressSanitizer error in libapt-pkg4.12
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: General
UCS 4.0
Other Linux
: P5 normal
: ---
Assigned To: UCS maintainers
:
Depends on:
Blocks: 23367
Reported: 2014-11-19 15:18 CET by Arvid Requate
Modified: 2019-01-03 07:18 CET (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Arvid Requate univentionstaff 2014-11-19 15:18:26 CET
For the fun of it I compiled the listener with the gcc-4.9.1 options -fsanitize=address -fno-omit-frame-pointer (on i386) and below is the abort message I get when the ldap_extension.py listener module is included. Looks like the python module "apt" or something in apt.apt_pkg is not 100% correct with its memory handling.

The same issue appears when I include the udm_extension.py listener and it again disappears when I uncomment the "import apt" line from it:

=============================================================================
root@master80:/usr/lib/univention-directory-listener/system# /usr/sbin/univention-directory-listener -F -b dc=ar40s3,dc=qa -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -d 2 -x -ZZ -D cn=admin,dc=ar40s3,dc=qa -y /etc/ldap.secret
18.11.14 15:01:49.854  DEBUG_INIT
=================================================================
==18211==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb525bcfe at pc 0xb7251c34 bp 0xbfa11c38 sp 0xbfa11818
READ of size 6 at 0xb525bcfe thread T0
    #0 0xb7251c33 (/usr/lib/i386-linux-gnu/libasan.so.1+0x27c33)
    #1 0xa650e79d (/usr/lib/i386-linux-gnu/libapt-pkg.so.4.12+0x3979d)
    #2 0xa6510eb0 in ReadConfigFile(Configuration&, std::string const&, bool const&, unsigned int const&) (/usr/lib/i386-linux-gnu/libapt-pkg.so.4.12+0x3beb0)
    #3 0xa6512552 in ReadConfigDir(Configuration&, std::string const&, bool const&, unsigned int const&) (/usr/lib/i386-linux-gnu/libapt-pkg.so.4.12+0x3d552)
    #4 0xa655cf39 in pkgInitConfig(Configuration&) (/usr/lib/i386-linux-gnu/libapt-pkg.so.4.12+0x87f39)
    #5 0xb438cdcd (/usr/lib/python2.7/dist-packages/apt_pkg.so+0x13dcd)
    #6 0xb6ff88e2 in PyCFunction_Call (/usr/lib/libpython2.7.so.1.0+0x10d8e2)
    #7 0xb6f20539 in PyEval_EvalFrameEx (/usr/lib/libpython2.7.so.1.0+0x35539)
    #8 0xb6f213a1 in PyEval_EvalCodeEx (/usr/lib/libpython2.7.so.1.0+0x363a1)
    #9 0xb6f214e2 in PyEval_EvalCode (/usr/lib/libpython2.7.so.1.0+0x364e2)
    #10 0xb6f66ea1 in PyImport_ExecCodeModuleEx (/usr/lib/libpython2.7.so.1.0+0x7bea1)
    #11 0xb7010f87 (/usr/lib/libpython2.7.so.1.0+0x125f87)
    #12 0xb6f581eb (/usr/lib/libpython2.7.so.1.0+0x6d1eb)
    #13 0xb701168a (/usr/lib/libpython2.7.so.1.0+0x12668a)
    #14 0xb6fcd1aa (/usr/lib/libpython2.7.so.1.0+0xe21aa)
    #15 0xb7011b95 in PyImport_ImportModuleLevel (/usr/lib/libpython2.7.so.1.0+0x126b95)
    #16 0xb6f627e2 (/usr/lib/libpython2.7.so.1.0+0x777e2)
    #17 0xb6ff8938 in PyCFunction_Call (/usr/lib/libpython2.7.so.1.0+0x10d938)
    #18 0xb6ff784f in PyObject_Call (/usr/lib/libpython2.7.so.1.0+0x10c84f)
    #19 0xb6ff81fa in PyEval_CallObjectWithKeywords (/usr/lib/libpython2.7.so.1.0+0x10d1fa)
    #20 0xb6f1caa7 in PyEval_EvalFrameEx (/usr/lib/libpython2.7.so.1.0+0x31aa7)
    #21 0xb6f213a1 in PyEval_EvalCodeEx (/usr/lib/libpython2.7.so.1.0+0x363a1)
    #22 0xb6f214e2 in PyEval_EvalCode (/usr/lib/libpython2.7.so.1.0+0x364e2)
    #23 0xb6f66ea1 in PyImport_ExecCodeModuleEx (/usr/lib/libpython2.7.so.1.0+0x7bea1)
    #24 0xb7010f87 (/usr/lib/libpython2.7.so.1.0+0x125f87)
    #25 0xb701168a (/usr/lib/libpython2.7.so.1.0+0x12668a)
    #26 0xb6fcd139 (/usr/lib/libpython2.7.so.1.0+0xe2139)
    #27 0xb7011bd5 in PyImport_ImportModuleLevel (/usr/lib/libpython2.7.so.1.0+0x126bd5)
    #28 0xb6f627e2 (/usr/lib/libpython2.7.so.1.0+0x777e2)
    #29 0xb6ff8938 in PyCFunction_Call (/usr/lib/libpython2.7.so.1.0+0x10d938)
    #30 0xb6ff784f in PyObject_Call (/usr/lib/libpython2.7.so.1.0+0x10c84f)
    #31 0xb6ff81fa in PyEval_CallObjectWithKeywords (/usr/lib/libpython2.7.so.1.0+0x10d1fa)
    #32 0xb6f1caa7 in PyEval_EvalFrameEx (/usr/lib/libpython2.7.so.1.0+0x31aa7)
    #33 0xb6f213a1 in PyEval_EvalCodeEx (/usr/lib/libpython2.7.so.1.0+0x363a1)
    #34 0xb6f214e2 in PyEval_EvalCode (/usr/lib/libpython2.7.so.1.0+0x364e2)
    #35 0xb6f66ea1 in PyImport_ExecCodeModuleEx (/usr/lib/libpython2.7.so.1.0+0x7bea1)
    #36 0x804ec9f (/usr/sbin/univention-directory-listener+0x804ec9f)
    #37 0x804f3d8 (/usr/sbin/univention-directory-listener+0x804f3d8)
    #38 0x805219e (/usr/sbin/univention-directory-listener+0x805219e)
    #39 0x8052327 (/usr/sbin/univention-directory-listener+0x8052327)
    #40 0x805310f (/usr/sbin/univention-directory-listener+0x805310f)
    #41 0x804d4eb (/usr/sbin/univention-directory-listener+0x804d4eb)
    #42 0xb6ce6e45 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x16e45)

0xb525bcfe is located 0 bytes to the right of 14-byte region [0xb525bcf0,0xb525bcfe)
allocated by thread T0 here:
    #0 0xb7278f44 in operator new(unsigned int) (/usr/lib/i386-linux-gnu/libasan.so.1+0x4ef44)
    #1 0xb6c7b2c4 in std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (/usr/lib/i386-linux-gnu/libstdc++.so.6+0xb42c4)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x36a4b740: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x36a4b750: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
  0x36a4b760: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x36a4b770: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x36a4b780: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
=>0x36a4b790: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00[06]
  0x36a4b7a0: fa fa fd fd fa fa fd fd fa fa fa fa fa fa fd fd
  0x36a4b7b0: fa fa fa fa fa fa fa fa fa fa fd fd fa fa fa fa
  0x36a4b7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a4b7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36a4b7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==18211==ABORTING
=============================================================================
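The report above is a heap-buffer-overflow READ that starts exactly at the end of a 14-byte std::string allocation made while reading a configuration file. The following is an added illustration, not apt's code and not the defect found in libapt-pkg, of the general class of bug that produces such a report: a fixed-length comparison that reads as many bytes as the pattern is long, regardless of how short the buffer being compared actually is, placed next to a length-checked version. The function names, the "Dir::Etc::..." sample lines and the 14-byte buffer are constructed for the example.

```cpp
// Added example (not apt's code): a fixed-length prefix comparison that can
// read past the end of a shorter heap buffer, beside a length-checked form.
// Build with
//   g++ -std=c++14 -g -fsanitize=address -fno-omit-frame-pointer asan_demo.cpp
// and run ./a.out to see AddressSanitizer report the overread in main().
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Unchecked (hypothetical defect, constructed for illustration): memcmp
// reads strlen(prefix) bytes from `line` no matter how long `line` is.
// When `line` is shorter than `prefix`, the read runs past its buffer.
bool starts_with_unchecked(const char* line, const char* prefix) {
    return std::memcmp(line, prefix, std::strlen(prefix)) == 0;
}

// Checked: consult the known length of `line` before touching its bytes.
bool starts_with_checked(const char* line, size_t line_len, const char* prefix) {
    size_t n = std::strlen(prefix);
    return line_len >= n && std::memcmp(line, prefix, n) == 0;
}

// Same check on std::string, which carries its own length; compare() with
// an explicit (pos, len) never reads beyond size().
bool starts_with(const std::string& line, const std::string& prefix) {
    return line.size() >= prefix.size() &&
           line.compare(0, prefix.size(), prefix) == 0;
}

// Count config-style lines that begin with `prefix`, using the checked form.
size_t count_prefixed(const std::vector<std::string>& lines,
                      const std::string& prefix) {
    size_t n = 0;
    for (const auto& l : lines) {
        if (starts_with(l, prefix)) ++n;
    }
    return n;
}

int main() {
    // Constructed input: a 14-byte heap buffer holding a short config key,
    // sized exactly to its content with no trailing NUL, mirroring the
    // 14-byte std::string region named in the report.
    const char content[] = "Dir::Etc::main";           // 14 characters
    std::unique_ptr<char[]> buf(new char[14]);
    std::memcpy(buf.get(), content, 14);

    // Safe: the length check fails before memcmp, so no byte past 14 is read.
    bool checked = starts_with_checked(buf.get(), 14, "Dir::Etc::sourcelist");

    // Unsafe: 20 pattern bytes are compared against a 14-byte buffer. Under
    // AddressSanitizer this aborts with a heap-buffer-overflow READ located
    // "0 bytes to the right of" the 14-byte region; without ASan it reads
    // whatever follows the allocation and silently returns false.
    bool unchecked = starts_with_unchecked(buf.get(), "Dir::Etc::sourcelist");

    return (checked || unchecked) ? 1 : 0;
}
```

The shadow-byte line in the report reads the same way: the `00` followed by `[06]` marks a region whose last 8-byte granule has only 6 addressable bytes, so the 14-byte string ends mid-granule and the 6-byte READ that begins there lands in the right redzone. A comparison that checks the container's length first, as `starts_with_checked` and `starts_with` do, cannot produce that pattern.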
Comment 1 Philipp Hahn univentionstaff 2015-12-15 16:05:39 CET
Not a bug in the Listener, but in APT itself, as re-compiling APT with
 DIST=unstable DEB_CXXFLAGS_APPEND='-fsanitize=address -fno-omit-frame-pointer' pdebuild --use-pdebuild-internal
fails its own unit test:

==30255==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1212 byte(s) in 2 object(s) allocated from:
    #0 0x2b576e59a1ba in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x941ba)
    #1 0x2b57706e17db in __getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x697db)
    #2 0x2b57706eb359 in _IO_file_xsputn (/lib/x86_64-linux-gnu/libc.so.6+0x73359)

Direct leak of 480 byte(s) in 4 object(s) allocated from:
    #0 0x2b576e599e9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x2b57706e1797 in __getdelim (/lib/x86_64-linux-gnu/libc.so.6+0x69797)
    #2 0x2b57706eb359 in _IO_file_xsputn (/lib/x86_64-linux-gnu/libc.so.6+0x73359)

Direct leak of 34 byte(s) in 1 object(s) allocated from:
    #0 0x2b576e565b8f in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x5fb8f)
    #1 0x2b576df5fb0e in helperCreateTemporaryFile(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, FileFd&, char**, char const*) /var/tmp/apt-1.0.9.8.1/test/libapt/file-helpers.cc:60
    #2 0x2b576dfaebf3 in SourceListTest_ParseFileDeb822_Test::TestBody() /var/tmp/apt-1.0.9.8.1/test/libapt/sourcelist_test.cc:24
    #3 0x2b576e06d61b in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /usr/src/gtest/src/gtest.cc:2078
    #4 0x2b576e06d61b in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /usr/src/gtest/src/gtest.cc:2114
    #5 0x2b576e05b211 in testing::Test::Run() /usr/src/gtest/src/gtest.cc:2151
    #6 0x2b576e05b668 in testing::Test::Run() /usr/src/gtest/src/gtest.cc:2142
    #7 0x2b576e05b668 in testing::TestInfo::Run() /usr/src/gtest/src/gtest.cc:2326
    #8 0x2b576e05bb4b in testing::TestInfo::Run() /usr/src/gtest/src/gtest.cc:2301
    #9 0x2b576e05bb4b in testing::TestCase::Run() /usr/src/gtest/src/gtest.cc:2444
    #10 0x2b576e05c83c in testing::TestCase::Run() /usr/src/gtest/src/gtest.cc:4353
    #11 0x2b576e05c83c in testing::internal::UnitTestImpl::RunAllTests() /usr/src/gtest/src/gtest.cc:4315
    #12 0x2b576e06e21b in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/src/gtest/src/gtest.cc:2078
    #13 0x2b576e06e21b in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/src/gtest/src/gtest.cc:2114
    #14 0x2b576e05d182 in testing::UnitTest::Run() /usr/src/gtest/src/gtest.cc:3926
    #15 0x2b576df5b0b6 in RUN_ALL_TESTS() /usr/include/gtest/gtest.h:2288
    #16 0x2b576df5b0b6 in main /var/tmp/apt-1.0.9.8.1/test/libapt/gtest_runner.cc:5
    #17 0x2b577069886f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2086f)

Also: gcc-4.9 is not officially supported by UCS so → INVALID UCS bug
Comment 2 Arvid Requate univentionstaff 2017-02-08 15:09:32 CET
Also seen in Jessie / UCS 4.2 interim-1 with gcc 4:4.9.2-2 and apt 1.0.9.8.4.
Comment 3 Stefan Gohmann univentionstaff 2019-01-03 07:18:19 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.