Bug 257179 - [PATCH] sys-apps/sandbox-1.3.3 memory corruption free(): Invalid argument
Summary: [PATCH] sys-apps/sandbox-1.3.3 memory corruption free(): Invalid argument
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Sandbox
Hardware: All / OS: All
Importance: High critical
Assignee: Sandbox Maintainers
Reported: 2009-02-01 03:11 UTC by Maximilian Grothusmann
Modified: 2009-02-13 07:39 UTC



Attachments
We always need our own strndup() (0001-We-always-need-our-own-strndup.patch, 2.19 KB, patch); 2009-02-01 03:12 UTC, Maximilian Grothusmann
calloc/realloc/strdup: Don't use xzalloc/xmalloc (0001-calloc-realloc-strdup-Don-t-use-xzalloc-xmalloc.patch, 1.81 KB, patch); 2009-02-01 03:54 UTC, Maximilian Grothusmann

Description Maximilian Grothusmann 2009-02-01 03:11:04 UTC
When logging an error, write_logfile() will copy a string with strndup() and free() it later. As the libc strndup() won't use our own malloc(), free() will fail, printing an error message and not actually freeing the memory.

Reproducible: Always

Steps to Reproduce:
$ sandbox touch /

Actual Results:  
ACCESS DENIED  open_wr:   /
sandbox memory corruption free(0x08ce9968): Invalid argument
/usr/lib/libsandbox.so[0xb7f94d61]
/usr/lib/libsandbox.so[0xb7f93d76]
/usr/lib/libsandbox.so[0xb7f949c0]
/usr/lib/libsandbox.so[0xb7f94c3d]
/usr/lib/libsandbox.so(open64+0x6f)[0xb7f9668e]
touch[0x804db0b]
touch[0x80497d2]
/lib/libc.so.6(__libc_start_main+0xe2)[0xb7e56622]
touch[0x8048e51]
ACCESS DENIED  utimensat: /
sandbox memory corruption free(0x08ce9d60): Invalid argument
/usr/lib/libsandbox.so[0xb7f94d61]
/usr/lib/libsandbox.so[0xb7f93d76]
/usr/lib/libsandbox.so[0xb7f949c0]
/usr/lib/libsandbox.so(utimensat+0x31)[0xb7f951ae]
touch[0x804d74d]
touch[0x804961f]
/lib/libc.so.6(__libc_start_main+0xe2)[0xb7e56622]
touch[0x8048e51]
touch: cannot touch `/': Permission denied
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
[...]


Expected Results:  
ACCESS DENIED  open_wr:   /
ACCESS DENIED  utimensat: /
touch: cannot touch `/': Permission denied
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
[...]


Patch follows.
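The allocator mismatch the report describes, as an added example that is not sandbox's code. A toy bump allocator stands in for libsandbox's private malloc()/free() (an assumption; the real one tracks its allocations differently), libc strndup() hands its private free() a pointer it does not own, and a strndup() built on the private malloc() does not. All names (sb_malloc, sb_free, sb_strndup, log_with_*) are hypothetical.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prototype kept for strict -std=c99 builds where <string.h> may not declare it. */
char *strndup(const char *s, size_t n);

/* Toy private allocator, constructed for this example: it hands out slices of a
 * static arena, so it can tell at free() time whether a pointer is one of its own. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

static void *sb_malloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;            /* keep 16-byte granularity */
    if (arena_used + n > ARENA_SIZE)
        return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

/* Returns 0 if p came from sb_malloc(), -1 otherwise (the "Invalid argument" case).
 * The bump allocator never reclaims memory; that is fine for a demonstration. */
static int sb_free(void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena, hi = lo + arena_used;
    if (a < lo || a >= hi) {
        fprintf(stderr, "sandbox memory corruption free(%p): Invalid argument\n", p);
        return -1;
    }
    return 0;
}

/* strndup() that allocates from the private allocator, so sb_free() accepts it. */
char *sb_strndup(const char *s, size_t n)
{
    size_t len = 0;
    while (len < n && s[len] != '\0')
        len++;
    char *d = sb_malloc(len + 1);
    if (d == NULL)
        return NULL;
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Buggy path: libc strndup() allocates with libc malloc(), then the private
 * free() is asked to release it. Returns sb_free()'s verdict (-1 here). */
int log_with_libc_strndup(const char *path)
{
    char *copy = strndup(path, 64);
    if (copy == NULL)
        return -2;
    int rc = sb_free(copy);
    free(copy);                            /* return it to the allocator that owns it */
    return rc;
}

/* Fixed path: both sides of the copy use the private allocator. Returns 0. */
int log_with_own_strndup(const char *path)
{
    char *copy = sb_strndup(path, 64);
    if (copy == NULL)
        return -2;
    return sb_free(copy);
}

int main(void)
{
    printf("libc strndup -> sb_free: %d\n", log_with_libc_strndup("/"));
    printf("own  strndup -> sb_free: %d\n", log_with_own_strndup("/"));
    return 0;
}
```

The check in sb_free() is the only thing that makes the mismatch visible; with a libc free() the same mistake would silently corrupt the other allocator's bookkeeping instead of printing a diagnostic.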
Comment 1 Maximilian Grothusmann 2009-02-01 03:12:28 UTC
Created attachment 180504
We always need our own strndup()
Comment 2 Maximilian Grothusmann 2009-02-01 03:23:52 UTC
Remark: Why are you using xcalloc/xmalloc in calloc/realloc/strdup? Isn't that backwards? It makes xcalloc/xrealloc/xstrdup bogus, as those then check for things that can't happen.
Comment 3 Maximilian Grothusmann 2009-02-01 03:54:49 UTC
Created attachment 180505
calloc/realloc/strdup: Don't use xzalloc/xmalloc

Attaching a patch regarding comment #2, in case you agree with me. :)
Comment 4 SpanKY gentoo-dev 2009-02-01 07:33:41 UTC
better to avoid all the weird overhead in the first place (and thus avoid strndup propagation).  thanks for the patches though and tracking this down ... i had noticed there was an issue, but hadn't looked into what was causing it.

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=6b0d80b98ba7da7facd9b4be901905fe25516d11
Comment 5 Serkan Kaba (RETIRED) gentoo-dev 2009-02-01 20:19:03 UTC
Please, don't close the bug until it's fixed in tree.
Comment 6 SpanKY gentoo-dev 2009-02-01 20:23:59 UTC
i track git.  fixes will propagate into the tree eventually.  the bug in question isn't a big deal and doesn't break any code that isn't already broken.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-04 19:35:59 UTC
*** Bug 257488 has been marked as a duplicate of this bug. ***
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-04 19:37:03 UTC
*** Bug 257116 has been marked as a duplicate of this bug. ***
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-04 19:40:18 UTC
Are these real duplicates?
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-05 15:50:25 UTC
*** Bug 257701 has been marked as a duplicate of this bug. ***
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-05 15:51:31 UTC
Is there a fix yet for the py object problem itself? How is it related to this sandbox problem?
Comment 12 SpanKY gentoo-dev 2009-02-05 16:01:42 UTC
those are not duplicates.  this issue is about the display problem and nothing else.  stop duping/re-opening.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-05 17:04:54 UTC
(In reply to comment #12)
> stop duping/re-opening.

Sorry, but that's completely nonsensical.
Comment 14 SpanKY gentoo-dev 2009-02-05 20:50:16 UTC
no it isn't.  this bug has nothing to do with .py/.pyc sandbox violations.  marking those as dupes of this or re-opening this bug is wrong.
Comment 15 SpanKY gentoo-dev 2009-02-13 07:39:27 UTC
Comment on attachment 180505
calloc/realloc/strdup: Don't use xzalloc/xmalloc

sorry, i'd forgotten about this one ... ive applied this fix in git now, thanks

http://git.overlays.gentoo.org/gitweb/?p=proj/sandbox.git;a=commitdiff;h=541bbacc5a7b5f2f98ce9b64d05b8e3bb94ca211