Bug 608130

Summary:	sys-apps/openrc-{0.22.4.0.34.11,0.38.2}: double free or corruption (fasttop)
Product:	Gentoo Linux	Reporter:	Marcin Mirosław <bug>
Component:	Current packages	Assignee:	OpenRC Team <openrc>
Status:	RESOLVED WORKSFORME
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Marcin Mirosław 2017-02-03 14:43:27 UTC

I'm not sure if I will reproduce it once more with openrc compiled with debug. Anyway, I run command `rc`, after a few moments, while php-fpm service was started I hitted ctrl+c. Then I got coredmp and mentioned error.


# echo "bt"|gdb -q /sbin/rc 'core-1486129475-0-6-!sbin!rc-2706'                                                                                                                            
Reading symbols from /sbin/rc...(no debugging symbols found)...done.
[New LWP 2706]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `rc'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00000331206f8e17 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) #0  0x00000331206f8e17 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00000331206fa36a in __GI_abort () at abort.c:89
#2  0x0000033120736a3d in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x33120832a28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x000003312073c656 in malloc_printerr (action=3, str=0x33120832b80 "double free or corruption (fasttop)", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5004
#4  0x000003312073ceae in _int_free (av=0x33120a62b80 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3865
#5  0x00000016c5bf93cc in ?? ()
#6  0x0000033120a62618 in _nl_current_default_domain () from /lib64/libc.so.6
#7  0xb2b4784cd6caf400 in ?? ()
#8  0x0000000000000001 in ?? ()
#9  0x0000000000000001 in ?? ()
#10 0x0000033120a62618 in _nl_current_default_domain () from /lib64/libc.so.6
#11 0x00000331206fb9e2 in __run_exit_handlers (status=-944503216, listp=0x397046d9c80, run_list_atexit=run_list_atexit@entry=true) at exit.c:82
#12 0x00000331206fba44 in __GI_exit (status=<optimized out>) at exit.c:104
#13 0x0000033120c70176 in eerrorx () from /lib64/libeinfo.so.1
#14 0x00000016c5bf8e0d in ?? ()
#15 0x0000000000000000 in ?? ()
(gdb) quit


Reproducible: Always




Portage 2.3.0 (python 3.4.5-final-0, hardened/linux/amd64, gcc-4.9.4, glibc-2.23-r3, 4.4.8-hardened-r1 x86_64)
=================================================================
System uname: Linux-4.4.8-hardened-r1-x86_64-Intel_Xeon_E3-12xx_v2_-Ivy_Bridge-with-gentoo-2.3
KiB Mem:     3261720 total,    846572 free
KiB Swap:     524284 total,    523992 free
Timestamp of repository gentoo: Tue, 24 Jan 2017 05:15:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
ccache version 3.2.4 [enabled]
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/ccache:          3.2.4::gentoo
dev-util/cmake:           3.6.3::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.22.4::gentoo
sys-apps/sandbox:         2.10-r1::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://gentoo-mirror.in.xxx.pl/gentoo-portage/
    priority: -1000
    sync-rsync-extra-opts: -O

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -mtune=native         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.0/ext-active/ /etc/php/apache2-php7.1/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -mtune=native         -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops         -ftracer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache cgroup collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.mirror.pw.edu.pl/ http://ftp.vectranet.pl/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl acpi amd64 bash-completion caps cli cracklib cxx dri hardened iconv idn justify mmxext modules multilib ncurses nls nptl openmp pax_kernel pcre pie postgres readline seccomp session sse3 ssp ssse3 threads unicode urandom vhosts vim-syntax xattr xtpax" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="alias authz_host authn_core authz_core dir env expires headers include info log_config logio mime mime_magic rewrite setenvif status unique_id unixd userdir usertrack vhost_alias" APACHE2_MPMS="itk" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NGINX_MODULES_HTTP="access auth_basic browser charset fastcgi gzip gzip_static headers_more limit_conn limit_req proxy realip referer rewrite userid" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="tarpit"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON

Comment 1 Marcin Mirosław 2017-02-03 15:21:46 UTC

It can be reproduced in this way:
- stop some service(s)
- enter `rc`
- quickly hit ctrl+c

Comment 2 Marcin Mirosław 2018-10-09 10:22:48 UTC

with sys-apps/openrc-0.34.11:

# echo "bt" | gdb -q /sbin/rc 'core-1539070510-0-6-!sbin!rc-17858'
Reading symbols from /sbin/rc...(no debugging symbols found)...done.
[New LWP 17858]
Core was generated by `rc'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      }
(gdb) #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007fe6cb709a77 in __GI_abort () at abort.c:90
#2  0x00007fe6cb74e988 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fe6cb85f741 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fe6cb7563c8 in malloc_printerr (str=str@entry=0x7fe6cb861278 "double free or corruption (fasttop)") at malloc.c:5368
#4  0x00007fe6cb758275 in _int_free (av=0x7fe6cba91aa0 <main_arena>, p=0x2356270, have_lock=<optimized out>) at malloc.c:4237
#5  0x0000000000404cd4 in ?? ()
#6  0x00007fe6cb70b148 in __run_exit_handlers (status=1, listp=0x7fe6cba91578 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:83
#7  0x00007fe6cb70b1aa in __GI_exit (status=<optimized out>) at exit.c:105
#8  0x00007fe6cbc9dd9a in eerrorx () from /lib64/libeinfo.so.1
#9  0x000000000040483b in ?? ()
#10 <signal handler called>
#11 0x00007fe6cb79f52e in __GI___waitpid (pid=17860, stat_loc=0x7ffc5943aa24, options=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#12 0x0000000000406d48 in ?? ()
#13 0x000000000040431f in ?? ()
#14 0x00007fe6cb6f2eda in __libc_start_main (main=0x402ee0, argc=1, argv=0x7ffc5943bd68, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc5943bd58)
    at ../csu/libc-start.c:308
#15 0x000000000040445a in ?? ()
(gdb) quit

Comment 3 Marcin Mirosław 2018-10-09 10:24:59 UTC

With 0.38.2:

# echo "bt" | gdb -q /sbin/rc 'core-1539080623-0-6-!sbin!rc-2480'
Reading symbols from /sbin/rc...Reading symbols from /usr/lib64/debug//sbin/rc.debug...done.
done.
[New LWP 2480]
Core was generated by `rc'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      }
(gdb) #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f46537c7a77 in __GI_abort () at abort.c:90
#2  0x00007f465380c988 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f465391d741 "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f46538143c8 in malloc_printerr (str=str@entry=0x7f465391f278 "double free or corruption (fasttop)") at malloc.c:5368
#4  0x00007f4653816275 in _int_free (av=0x7f4653b4faa0 <main_arena>, p=0x55667e2eaa20, have_lock=<optimized out>) at malloc.c:4237
#5  0x000055667dd9f2dc in cleanup () at rc.c:152
#6  0x00007f46537c9148 in __run_exit_handlers (status=status@entry=1, listp=0x7f4653b4f578 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true)
    at exit.c:83
#7  0x00007f46537c91aa in __GI_exit (status=status@entry=1) at exit.c:105
#8  0x00007f46541681a9 in __RC_eerrorx (fmt=0x55667dda2b1d "%s: caught %s, aborting") at libeinfo.c:762
#9  0x000055667dd9f8b8 in handle_signal (sig=2) at rc.c:429
#10 <signal handler called>
#11 0x00007f465385d52e in __GI___waitpid (pid=pid@entry=2514, stat_loc=stat_loc@entry=0x7ffe7ead7e64, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#12 0x000055667dda206f in rc_waitpid (pid=2514) at rc-plugin.c:118
#13 0x000055667dd9e20c in do_start_services (parallel=false, start_services=<optimized out>) at rc.c:683
#14 main (argc=<optimized out>, argv=<optimized out>) at rc.c:1085
(gdb) quit

Comment 4 Sam James archtester

2024-02-17 06:29:26 UTC

Can you still hit this?

If so, would you mind running it under Valgrind? (It might be hard to hit though because it can slow things down). If not, maybe try ASAN instead.

Comment 5 Marcin Mirosław 2024-02-18 16:35:18 UTC

6 years later... Sorry, I don't care it.