
Bug 133092

Summary: net-analyzer/ethereal-0.99 tries to free invalid pointer when listing packets
Product: Gentoo Linux
Reporter: sharpshopter
Component: Current packages
Assignee: Gentoo Netmon project <netmon>
Status: VERIFIED UPSTREAM
Severity: major
CC: gentoo-a7x, shados
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 135265
Attachments: Stack Trace
gdb backtrace for ethereal
gdb backtrace for tethereal
wireshark-except-double-free.diff

Description sharpshopter 2006-05-12 01:12:32 UTC
After capturing packets and trying to list them, ethereal aborts trying to free an invalid pointer.

Steps to Reproduce:
start ethereal
open the "capture options" dialog
click start
allow a few packets to be captured
click stop

Actual Results:
*** glibc detected *** free(): invalid pointer: 0x57b61068 ***
ethereal receives SIGABRT

Expected Results:
A list of captured packets should be displayed

emerge --info output:
Portage 2203-svn (hardened/x86/2.6, gcc-3.4.5-hardenednopie, glibc-2.3.6-r3, 2.6.14-hardened-r8 i686)
=================================================================
System uname: 2.6.14-hardened-r8 i686 AMD Sempron(tm)   2400+
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0-r1
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe -fforce-addr"
DISTDIR="/usr/local/src"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.pacific.net.au/linux/Gentoo http://mirror.isp.net.au/ftp/pub/gentoo http://planetmirror.com/pub/gentoo http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LC_ALL="en_AU"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="X acpi alsa apache2 asf audiofile avi bash-completion berkdb bzip2 caps cdparanoia cdr cjk crypt curl directfb dlloader dvd emacs encode esd ethereal exif expat fam ffmpeg flac gcj gd gdbm gif glut gmp gnutls gpm gtk gtk2 hardened imagemagick imap imlib java jpeg lcms libwww mad maildir mbox mhash mime mng motif mysql ncurses nls nptl nptlonly offensive ogg oggvorbis openal opengl oss pam pcre perl php pic png python readline samba sdl sockets speex spell srvdir ssl tcltk tcpd tetex theora threads tiff timidity truetype udev usb userlocales vorbis win32codecs x86 xine xml xml2 xmms xsl xv zlib video_cards_nvidia userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS

I will attach a stack trace.
Comment 1 sharpshopter 2006-05-12 01:15:46 UTC
Created attachment 86635 [details]
Stack Trace
Comment 2 Markus Ullmann (RETIRED) gentoo-dev 2006-06-01 15:14:04 UTC
Hmm this is pretty much an upstream issue, would you mind reporting there?

Otherwise drop a note here and I'll report it for you
Comment 3 sharpshopter 2006-06-01 16:58:11 UTC
Could you please report it.

Thanks
Comment 4 sfp-a7x 2006-07-11 03:11:40 UTC
Running tethereal also produces this bug:

# tethereal
Capturing on eth0
*** glibc detected *** free(): invalid pointer: 0xbfb38708 ***
Aborted

It doesn't crash immediately; it stays alive for a few milliseconds.  After running it over and over I managed to have tethereal print out a captured packet just before crashing:

# tethereal
Capturing on eth0
  0.000000  192.168.1.2 -> 255.255.255.255 UDP Source port: 3512  Destination port: 712
*** glibc detected *** free(): invalid pointer: 0xbfd717c8 ***
Aborted


I did a quick search in Ethereal's bug database but didn't come up with anything.  Has an upstream bug been filed?  If so, would someone kindly post a link to it?
Comment 5 sfp-a7x 2006-07-11 05:26:09 UTC
Since this bug is not being noticed by a ton of people, I thought it might be related to the "hardened" use flag.  Sure enough, both the original poster and I have "hardened" in our use flags.  Perhaps this is a clue?

Here's my emerge --info:

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r12-t3 i686)
=================================================================
System uname: 2.6.16-gentoo-r12-t3 i686 Intel(R) Pentium(R) M processor 1.70GHz
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium-m -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://www.gtlib.gatech.edu/pub/gentoo http://gentoo.chem.wisc.edu/gentoo/ http://gentoo.cites.uiuc.edu/pub/gentoo/ "
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X acpi alsa apache2 apm arts avi berkdb bitmap-fonts bzip2 caps cdr cli crypt cups dbus directfb dlloader dri dvd eds emboss encode esd fbcon firefox flac foomaticdb fortran gdbm gif gnome gpm gstreamer gtk gtk2 hal hardened imlib ipv6 isdnlog jpeg kde libg++ libwww lm_sensors mad mailwrapper mikmod motif mp3 mpeg ncurses nls nptl nsplugin ogg opengl oss pam pcmcia pcre pdflib perl pic png pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode vorbis win32codecs xml xmms xorg xv zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics kernel_linux userland_GNU video_cards_fglrx video_cards_radeon video_cards_fbdev video_cards_vesa"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 6 sfp-a7x 2006-07-11 18:18:08 UTC
I also have backtraces for ethereal and tethereal, which I will attach.

How I got the backtraces:
================================================================
# CFLAGS="-O2 -march=pentium-m -pipe -ggdb" CXXFLAGS="${CFLAGS}" LDFLAGS="-nopie" FEATURES="splitdebug" emerge ethereal
# ulimit -c unlimited
# ethereal
*** glibc detected *** free(): invalid pointer: 0xbfc980c8 ***
Aborted (core dumped)
# mv core ethereal.core
# gdb ethereal --core ethereal.core --batch --quiet -ex "thread apply all bt full" -ex "quit" > ethereal_backtrace.txt

warning: Can't read pathname for load map: Input/output error.
# tethereal
Capturing on eth0
*** glibc detected *** free(): invalid pointer: 0xbfc77d28 ***
Aborted (core dumped)
# mv core tethereal.core
# gdb tethereal --core tethereal.core --batch --quiet -ex "thread apply all bt full" -ex "quit" > tethereal_backtrace.txt

warning: Can't read pathname for load map: Input/output error.
================================================================

I'm not sure what those gdb warnings are about -- I hope this is the right way to get a useful backtrace.
Comment 7 sfp-a7x 2006-07-11 18:20:55 UTC
Created attachment 91525 [details]
gdb backtrace for ethereal
Comment 8 sfp-a7x 2006-07-11 18:21:29 UTC
Created attachment 91526 [details]
gdb backtrace for tethereal
Comment 9 sfp-a7x 2006-07-13 14:20:45 UTC
reported upstream:  http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1001
Comment 10 sfp-a7x 2006-07-26 06:12:55 UTC
I have confirmed that this is a hardened problem.  I compiled net-analyzer/wireshark-0.99.2 with various different gcc profiles to see what works.  The ones that worked are:

i686-pc-linux-gnu-3.4.6-hardenednossp
i686-pc-linux-gnu-3.4.6-hardenednopiessp
i686-pc-linux-gnu-3.4.6-vanilla

The ones that did not work are:

i686-pc-linux-gnu-3.4.6
i686-pc-linux-gnu-3.4.6-hardenednopie

So, it looks like SSP is the culprit.  Is there any way to modify the ebuild to turn off SSP as a workaround until upstream fixes the problem?
Comment 11 sfp-a7x 2006-07-29 02:22:16 UTC
(In reply to comment #10)
> So, it looks like SSP is the culprit.  Is there any way to modify the ebuild 
> to turn off SSP as a workaround until upstream fixes the problem?

Apparently this is possible because the valgrind ebuild disables SSP.  Is anyone reading this bug anymore, or should I file a new bug?
Comment 12 Kevin F. Quinn (RETIRED) gentoo-dev 2006-07-30 03:09:49 UTC
All you need to do to disable SSP in an ebuild is to add:

    filter-flags -fstack-protector # see bug #133092

in src_compile() before doing econf and emake.  Please make sure that at least the bug number is referenced so we can know why ssp is filtered, then if the problem is fixed in the future we know we can remove the filter.
Comment 13 Daniel Black (RETIRED) gentoo-dev 2006-07-30 07:47:21 UTC
Thanks Richard and Kevin. Patch as per comment #11 added.

Matt thanks for your patience.
Comment 14 sfp-a7x 2006-07-30 15:45:52 UTC
FYI, upstream is closing their bug as WONTFIX because they have definitively concluded that it is a compiler problem, not an Ethereal/Wireshark problem.  For the curious, the upstream bug (linked in comment #9) has lots of details.
Comment 15 Frederic Heem 2006-11-11 06:22:01 UTC
Seems to be a duplicate of http://bugs.gentoo.org/show_bug.cgi?id=145974
Comment 16 Frederic Heem 2006-11-11 06:37:01 UTC
Created attachment 101680 [details, diff]
wireshark-except-double-free.diff

Set catcher->except_obj.except_dyndata to NULL after being freed
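As an added illustration of the fix comment 16 describes (not the attached diff and not Wireshark's own code): a reduced, hypothetical catcher model whose cleanup routine runs twice, once without and once with the pointer cleared after the free. The struct layout, the checked_free wrapper and the run_scenario driver are assumptions standing in for the real code.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical, reduced model of an exception catcher (not Wireshark's code):
 * the catcher owns a heap buffer, except_dyndata, released during cleanup. */
struct except_obj { void *except_dyndata; };      /* heap data or NULL */
struct except_catch { struct except_obj except_obj; };

/* Stand-in for glibc's malloc checks: a repeated free of the address freed
 * last is counted as a double free instead of aborting with
 * "free(): invalid pointer". Valid here because each scenario allocates once. */
static uintptr_t g_last_freed = 0;
static int g_double_frees = 0;

static void checked_free(void *p) {
    if (p == NULL)
        return;                        /* free(NULL) is a no-op */
    if ((uintptr_t)p == g_last_freed) {
        g_double_frees++;              /* same block freed a second time */
        return;
    }
    g_last_freed = (uintptr_t)p;
    free(p);
}

/* Before the diff: the block is freed but the pointer stays dangling, so a
 * second cleanup pass frees it again. */
static void except_cleanup_unsafe(struct except_catch *c) {
    checked_free(c->except_obj.except_dyndata);
}

/* After the diff: the pointer is cleared once the block is freed, so any
 * later pass sees NULL and does nothing. */
static void except_cleanup_safe(struct except_catch *c) {
    checked_free(c->except_obj.except_dyndata);
    c->except_obj.except_dyndata = NULL;
}

/* Runs one catcher through two cleanup passes (as when both the catch block
 * and the outer unwind release it) and returns the double frees observed. */
static int run_scenario(void (*cleanup)(struct except_catch *)) {
    struct except_catch catcher;
    g_last_freed = 0;
    g_double_frees = 0;
    catcher.except_obj.except_dyndata = malloc(64);
    cleanup(&catcher);
    cleanup(&catcher);
    return g_double_frees;
}
```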
Comment 17 sfp-a7x 2006-11-11 09:55:48 UTC
(In reply to comment #15)
> Seems to be a duplicate of http://bugs.gentoo.org/show_bug.cgi?id=145974

This bug has already been resolved as a flaw in the gcc 3.4 SSP patch, verified through painstaking disassembly of the compiled code.  The resolution was to turn off SSP.

The resolution shouldn't be "UPSTREAM".  It's not actually an upstream bug -- it's a hardened gcc bug.
Comment 18 Daniel Black (RETIRED) gentoo-dev 2006-11-12 03:33:54 UTC
*** Bug 145974 has been marked as a duplicate of this bug. ***
Comment 19 Daniel Black (RETIRED) gentoo-dev 2006-11-12 03:56:20 UTC
Thanks a7x and didier for getting to the bottom of this.  Frederic Heem, thanks for the patch.

Added wireshark-0.99.4-r1 for your compiling pleasure.

Is it safe to omit "filter-flags -fstack-protector" from the ebuild now?