Bug 705636 - app-portage/portage-utils-0.84: qcheck fails, free(): double free detected in tcache 2
Summary: app-portage/portage-utils-0.84: qcheck fails, free(): double free detected in...
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Tools
Hardware: All Linux
Importance: Normal normal
Assignee: Fabian Groffen
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-17 05:30 UTC by Georgy Yakovlev
Modified: 2020-01-18 10:20 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Georgy Yakovlev archtester gentoo-dev 2020-01-17 05:30:40 UTC
emerge --info portage-utils
Portage 2.3.84 (python 3.6.9-final-0, default/linux/powerpc/ppc64/17.0/64bit-userland/little-endian, gcc-9.2.0, glibc-2.30-r3, 5.4.12-gentoo ppc64le)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.4.12-gentoo-ppc64le-POWER9,_altivec_supported-with-gentoo-2.6
KiB Mem:   535134016 total, 494344896 free
KiB Swap:  134217472 total, 134217472 free
Timestamp of repository gentoo: Fri, 17 Jan 2020 00:46:10 +0000
Head commit of repository gentoo: 10912411990cb17b299096aa8d08abbea667a052

sh bash 5.0_p11
ld GNU ld (Gentoo 2.33.1 p2) 2.33.1
ccache version 3.7.7 [disabled]
app-shells/bash:          5.0_p11::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.30.1::gentoo
dev-lang/python:          2.7.17-r1::gentoo, 3.6.10::gentoo
dev-util/ccache:          3.7.7::gentoo
dev-util/cmake:           3.16.2-r1::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.42.1::gentoo
sys-apps/sandbox:         2.18::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r5::gentoo
sys-devel/automake:       1.16.1-r2::gentoo
sys-devel/binutils:       2.33.1-r1::gentoo
sys-devel/gcc:            8.3.0-r3::gentoo, 9.2.0-r3::gentoo
sys-devel/gcc-config:     2.2::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 5.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.30-r3::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://anongit.gentoo.org/git/repo/sync/gentoo.git
    priority: -1000
    sync-git-clone-extra-opts: -b master
    sync-git-verify-commit-signature: true

rust-dev
    location: /home/ya/src/rust-dev-overlay
    masters: gentoo

crossdev
    location: /var/db/repos/crossdev
    masters: gentoo
    priority: 10

Installed sets: @mycompress
ACCEPT_KEYWORDS="ppc64"
ACCEPT_LICENSE="@FREE"
CBUILD="powerpc64le-unknown-linux-gnu"
CFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option"
CHOST="powerpc64le-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner --ask-enter-invalid --jobs=128 --load-average 128 --quiet-build"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs cgroup collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned sandbox sfperms sign splitdebug strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option"
GENTOO_MIRRORS="https://gentoo.osuosl.org/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--defsym=__gentoo_check_ldflags__=0"
LINGUAS="en"
MAKEOPTS="--jobs=88 --load-average=128"
PKGDIR="/var/cache/binpkgs/powerpc64le-unknown-linux-gnu"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl alsa altivec berkdb branding bzip2 cairo caps cli crypt cups cxx dbus dri elogind exif filecaps flac fontconfig fortran gdbm gif gpm gtk iconv icu introspection ipv6 jpeg lcms libnotify mp3 mp4 mpeg ncurses nptl numa ogg opengl openmp pam pango pcre png policykit ppc64 readline seccomp split-usr ssl startup-notification svg tcpd truetype udev udisks unicode upower usb vim-syntax xattr xcb xml xscreensaver zlib" ABI_PPC="64" ADA_TARGET="gnat_2018" ALSA_CARDS="emu10k1" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_PPC="altivec vsx vsx3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

app-portage/portage-utils-0.84::gentoo was built with the following:
USE="openmp qmanifest qtegrity -libressl -nls -static"
CFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option -ggdb"
CXXFLAGS="-mcpu=native -O2 -pipe -frecord-gcc-switches -fdiagnostics-show-option -ggdb"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs cgroup collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles installsources ipc-sandbox mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned sandbox sfperms sign splitdebug strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"


some gdb

Reading symbols from qcheck...
Reading symbols from /usr/lib/debug//usr/bin/q.debug...
(gdb) run
Starting program: /usr/bin/qcheck zfs
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
free(): double free detected in tcache 2

Program received signal SIGABRT, Aborted.
0x00007ffff78a39cc in __libc_signal_restore_set (set=0x7fffffffdee8) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
84        return INTERNAL_SYSCALL (rt_sigprocmask, err, 4, SIG_SETMASK, set, NULL,
(gdb) where
#0  0x00007ffff78a39cc in __libc_signal_restore_set (set=0x7fffffffdee8) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#1  __GI_raise (sig=<optimized out>) at ../sysdeps/unix/sysv/linux/raise.c:48
#2  0x00007ffff7883f2c in __GI_abort () at abort.c:79
#3  0x00007ffff78f200c in __libc_message (action=<optimized out>, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:181
#4  0x00007ffff78fedc4 in malloc_printerr (str=<optimized out>, str@entry=0x7ffff7a0b148 "free(): double free detected in tcache 2") at malloc.c:5339
#5  0x00007ffff7901764 in _int_free (av=0x7ffff7a60c60 <main_arena>, p=0x100090570, have_lock=<optimized out>) at malloc.c:4201
#6  0x00000001000467d0 in tree_next_pkg_int (cat_ctx=0x1000a7410) at tree.c:406
#7  0x0000000100046c38 in tree_foreach_pkg (sort=<optimized out>, query=<optimized out>, priv=<optimized out>, callback=<optimized out>,
    ctx=<optimized out>) at tree.c:1317
#8  tree_foreach_pkg (ctx=0x1000a8f30, callback=0x10000f3d0 <qcheck_cb>, priv=0x7fffffffe528, sort=<optimized out>, query=<optimized out>) at tree.c:1298
#9  0x00000001000109a8 in qcheck_main (argc=<optimized out>, argv=<optimized out>) at qcheck.c:431
#10 0x000000010000eb70 in q_main (argc=<optimized out>, argv=0x7fffffffeb58) at q.c:116
#11 0x0000000100009f40 in main (argc=<optimized out>, argv=0x7fffffffeb58) at main.c:1055


happens both on 0.84 and on 9999 2020-01-06 16:03:07 +0100 commit 88bd510b4bd83123cd8c1c4920a8e655584ea2db
Comment 1 Larry the Git Cow gentoo-dev 2020-01-17 08:22:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage-utils.git/commit/?id=0c691939a77d0056ced7f06d5142c1952f917fee

commit 0c691939a77d0056ced7f06d5142c1952f917fee
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-01-17 08:21:07 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-01-17 08:21:07 +0000

    libq/tree: avoid double free in sorted case for tree_next_pkg_int
    
    Thanks Georgy Yakovlev for the report with stacktrace.
    
    Bug: https://bugs.gentoo.org/705636
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 libq/tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Fabian Groffen gentoo-dev 2020-01-17 08:22:48 UTC
would you be so kind to confirm with -9999?
Comment 3 Georgy Yakovlev archtester gentoo-dev 2020-01-17 08:27:34 UTC
thanks for quick fix!

I came to the same conclusion that this free(name); is to blame and tree_close_pkg did it already, but was not sure.

confirm fix working

Checking app-shells/bash ...
  * 45 out of 45 files are good
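The root cause agreed on above is an ownership mix-up: the package name buffer was freed once inside tree_next_pkg_int and once more in tree_close_pkg, which is exactly what glibc's tcache check aborts on. The following is an added example, not portage-utils code; it models that ownership rule with a constructed, simplified iterator (pkg_ctx, cat_ctx, next_pkg, pkg_close and walk_sorted_tree are all hypothetical stand-ins for the real tree.c functions) so the invariant "one free per allocation" can be checked by counting:

```c
/* Added example (not portage-utils code): models the ownership rule behind
 * the fix.  A tree iterator hands out a heap-allocated package name and
 * exactly one place, pkg_close(), may free it.  All names are constructed. */
#include <stdlib.h>
#include <string.h>

static int alloc_count;  /* bookkeeping: every name allocated ...          */
static int free_count;   /* ... must be released exactly once             */

struct pkg_ctx {
    char *name;          /* owned by the iterator; freed only in pkg_close() */
};

struct cat_ctx {
    const char **names;  /* sorted package names, a stand-in for the on-disk tree */
    size_t count;
    size_t next;
    struct pkg_ctx pkg;  /* the package currently handed to the callback */
};

/* The single release point.  Nulling the pointer after free() turns a
 * repeated pkg_close() into a no-op instead of the "double free detected
 * in tcache 2" abort seen in the report. */
static void pkg_close(struct pkg_ctx *pkg)
{
    if (pkg->name == NULL)
        return;
    free(pkg->name);
    pkg->name = NULL;
    free_count++;
}

/* Plain copy helper (avoids strdup so the block needs no feature macro). */
static char *dup_name(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) {
        memcpy(copy, s, len);
        alloc_count++;
    }
    return copy;
}

/* Advance to the next package.  The pre-fix tree_next_pkg_int also called
 * free(name) here, so on the sorted path the same buffer was freed by the
 * iterator and again by tree_close_pkg.  Here the iterator only allocates;
 * releasing is left entirely to pkg_close(). */
static struct pkg_ctx *next_pkg(struct cat_ctx *cat)
{
    if (cat->pkg.name != NULL)   /* caller skipped pkg_close(): refuse rather than leak */
        return NULL;
    if (cat->next >= cat->count)
        return NULL;
    cat->pkg.name = dup_name(cat->names[cat->next++]);
    return cat->pkg.name != NULL ? &cat->pkg : NULL;
}

/* Walk the category the way tree_foreach_pkg() does: callback, then close.
 * Returns the number of packages visited. */
static int walk_sorted_tree(const char **names, size_t count,
                            void (*cb)(const struct pkg_ctx *))
{
    struct cat_ctx cat = { names, count, 0, { NULL } };
    struct pkg_ctx *pkg;
    int visited = 0;

    while ((pkg = next_pkg(&cat)) != NULL) {
        cb(pkg);
        pkg_close(pkg);          /* exactly one free per allocation */
        visited++;
    }
    pkg_close(&cat.pkg);         /* harmless on an already-released name */
    return visited;
}

/* Minimal stand-in for qcheck_cb(): the real one verifies file digests. */
static void count_cb(const struct pkg_ctx *pkg) { (void)pkg; }

/* Constructed sample input, already sorted like the report's "sorted case". */
static const char *SAMPLE_NAMES[] = { "app-shells/bash", "sys-apps/openrc", "sys-fs/zfs" };
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* 1 when every allocated name was freed exactly once, 0 otherwise. */
static int balanced(void) { return alloc_count == free_count; }

int main(void)
{
    int n = walk_sorted_tree(SAMPLE_NAMES, SAMPLE_COUNT, count_cb);
    return (n == (int)SAMPLE_COUNT && balanced()) ? 0 : 1;
}
```

The alloc/free counters are only instrumentation for the example; in a real tree the same check is what `-fsanitize=address` gives you for free, since it reports the second free() of a buffer as an attempted double free with both stacks, which is the regression test worth adding next to a fix like this one.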
Comment 4 Larry the Git Cow gentoo-dev 2020-01-18 10:20:31 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0187f93bb969f52c05bd5bb5059ce43d3b4d2fd

commit c0187f93bb969f52c05bd5bb5059ce43d3b4d2fd
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-01-18 10:19:20 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-01-18 10:20:23 +0000

    app-portage/portage-utils-0.84-r1: fix crash seen with qcheck
    
    Closes: https://bugs.gentoo.org/705636
    Package-Manager: Portage-2.3.79, Repoman-2.3.16
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 .../{portage-utils-0.84.ebuild => portage-utils-0.84-r1.ebuild}    | 7 +++++++
 1 file changed, 7 insertions(+)