[Bug 2015216] Re: Invalid read of size 8 in strncmp() from is_dst()
Simon Chopin
2015216 at bugs.launchpad.net
Wed Apr 5 08:07:45 UTC 2023
As I understand it, there is a fundamental inaccuracy in Valgrind's
machine emulation. It's not emulating hardware but rather some kind of C
machine model, with some extra bells & whistles when it interacts with
the OS. That works very well because pretty much everything in our
systems boils down to C code (I'd be curious to see how valgrind and
golang play together, though).
Glibc is also implementing that C machine model against actual hardware,
and is thus sometimes stepping outside of it to take advantage of
hardware specificities that valgrind doesn't know about. Valgrind is
aware of it, that's why it's been intercepting calls to glibc functions
that don't play by its rules.
Now, I dig a bit further into the issue, and it turns out that Valgrind
has suppression files to, well, suppress some outputs that are known
false positives. There's a file for glibc in the upstream sources, but
it isn't shipped in our package. I'll be looking into that.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to valgrind in Ubuntu.
https://bugs.launchpad.net/bugs/2015216
Title:
Invalid read of size 8 in strncmp() from is_dst()
Status in glibc package in Ubuntu:
Invalid
Status in valgrind package in Ubuntu:
In Progress
Status in valgrind package in Fedora:
Unknown
Bug description:
[Impact]
This bug makes valgrind detect memory error false positives in ld.so
now that it started using strncmp. in is_dst. The fix is to extend the
special treatment of strncmp done in libc.so to ld.so as well. The
patch is already available upstream in a new release, this is just
about cherry-picking it.
[Rationale]
Given that the false-positive is triggered in ld.so, it's fairly
likely that quite a few users will hit it.
[Original report]
Valgrind reports this in gnome-shell on almost every run:
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x40067D6: _dl_dst_count (dl-load.c:253)
==34822== by 0x40067D6: expand_dynamic_string_token (dl-load.c:395)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
==34822==
==34822== Invalid read of size 8
==34822== at 0x40264A8: strncmp (strcmp-sse2.S:162)
==34822== by 0x400554E: is_dst (dl-load.c:216)
==34822== by 0x4006645: _dl_dst_substitute (dl-load.c:295)
==34822== by 0x4006981: fillin_rpath.isra.0 (dl-load.c:483)
==34822== by 0x4006CB2: decompose_rpath (dl-load.c:654)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== Address 0xe5c00a9 is 9 bytes inside a block of size 15 alloc'd
==34822== at 0x4843828: malloc (vg_replace_malloc.c:381)
==34822== by 0x402628E: malloc (rtld-malloc.h:56)
==34822== by 0x402628E: strdup (strdup.c:42)
==34822== by 0x4006C44: decompose_rpath (dl-load.c:629)
==34822== by 0x40092DF: cache_rpath (dl-load.c:696)
==34822== by 0x40092DF: _dl_map_object (dl-load.c:2114)
==34822== by 0x4002934: openaux (dl-deps.c:64)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x4002D6E: _dl_map_object_deps (dl-deps.c:232)
==34822== by 0x400CE5E: dl_open_worker_begin (dl-open.c:592)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C2E9: dl_open_worker (dl-open.c:782)
==34822== by 0x40014DC: _dl_catch_exception (dl-catch.c:237)
==34822== by 0x400C6BB: _dl_open (dl-open.c:884)
ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: libc6 2.37-0ubuntu2
ProcVersionSignature: Ubuntu 6.2.0-18.18-generic 6.2.6
Uname: Linux 6.2.0-18-generic x86_64
ApportVersion: 2.26.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
Date: Tue Apr 4 18:01:17 2023
InstallationDate: Installed on 2022-11-28 (127 days ago)
InstallationMedia: Ubuntu 23.04 "Lunar Lobster" - Alpha amd64 (20221126)
SourcePackage: glibc
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2015216/+subscriptions
More information about the foundations-bugs
mailing list