[xml/sgml-pkgs] Bug#496125: Bug#496125: libxml2: security fix does double free / segfaults (breaks Gnome apps)

Christian Jaeger christian at jaeger.mine.nu
Sat Aug 23 20:49:22 UTC 2008


Christian Jaeger wrote:
> Mike Hommey wrote:
>> Could you check what svg file is being opened here[1]? and check what
>> xmllint has to say about it? (theoretically, it should segfault too)
>
> Hm, I'm still seeing segfaults, now when *quitting* Galeon (but only 
> in ~10% of cases).
>
> I would be glad for a way to run an application under gdb so that when 
> it segfaults a "bt full" is spit automatically to a file I give, i.e. 
> some "with-gdb-backtrace-to $file $app $arguments". Can't get that to 
> run right now, and copy pasting from the console is tedious and I'm 
> not sure it's even broken in some cases (by that builtin pager that I 
> cannot seem to get switched off).

Ok, got such a script to work now (I've put it up at 
http://christian.jaeger.mine.nu/scratch/gdb/with-gdb-backtrace-to). But 
interestingly the problem I'm seeing when quitting Galeon does not happen 
when run under gdb from the start. D'oh.

So when I start Galeon (/usr/bin/galeon fewfwef) (since the segfault on 
quit only happens when I first open a URL), then attach with gdb and 
then quit it:

$ gdb /usr/bin/galeon $galeonpid
..
(gdb) cont
Continuing.
# now I quit galeon from Galeon's menu
[Thread 0x41838950 (LWP 15524) exited]
[Thread 0x40b4e950 (LWP 15525) exited]
[Thread 0x42294950 (LWP 15520) exited]
[Thread 0x43a97950 (LWP 15529) exited]
[Thread 0x43296950 (LWP 15528) exited]
[Thread 0x44298950 (LWP 15530) exited]
[Thread 0x42a95950 (LWP 15523) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f0ea72fa780 (LWP 15517)]
0x00007f0ea2e12a67 in malloc_consolidate () from /lib/libc.so.6
# backtrace see attachment (although from a different run, thus addresses will not be the same)
(gdb) cont
Continuing.
^C^C^C^C
# I can't get gdb to stop Galeon anymore, I have to kill -9 $galeonpid. Strange.



strace -p $galeonpid shows

futex(0x7fa43612f9e0, FUTEX_WAIT_PRIVATE, 2, NULL

Running "strace /usr/bin/galeon" will get strace killed by glibc because of:

...
[pid 15677] read(32, "\375\375\375\377QQQ\371\t\t\t\317\0\0\0\27\0\0\0\4\0\0\0\10\0\0\0003\0\0\0005\0"..., 4096) = 4096
[pid 15677] lseek(32, 73728, SEEK_SET)  = 73728
[pid 15677] close(32)                   = 0
[pid 15677] munmap(0x7f7933a12000, 4096) = 0
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000006567d0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fc387300968]
/lib/libc.so.6[0x7fc38730369f]
/lib/libc.so.6(__libc_malloc+0x98)[0x7fc387304a98]
strace[0x408380]
strace[0x4058de]
strace[0x404616]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fc3872ab1a6]
strace[0x401f69]
======= Memory map: ========
[pid 15677] select(Aborted


Well, I seem to be fighting with about the 4th bug right now while 
looking into the "gnome breakage from yesterday" problem. Strange, could 
this all be related, i.e. some upgrade to glibc (introducing some malloc 
breakage) breaking everything else?

I'm attaching the backtrace as file "galeon-backtrace-on-quit.txt".

This mail has all been with the older libxml2, 2.6.32.dfsg-2. I'll write 
another mail when I get to install 2.6.32.dfsg-2+lenny again. Any news 
on your front?

Christian.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: galeon-backtrace-on-quit.txt
Url: http://lists.alioth.debian.org/pipermail/debian-xml-sgml-pkgs/attachments/20080823/283bff68/attachment.txt 
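As an added example (not the script at the URL above, whose contents are not part of this message), here is a POSIX sh reconstruction of the kind of "with-gdb-backtrace-to $file $app $arguments" wrapper described in the mail. It covers both cases used there, starting the program under gdb and attaching to an already running pid, uses gdb batch mode so the builtin pager never interferes, and parses the "Program received signal ..." / "#0 ..." lines in the same format gdb printed above. The function names and usage are my own assumptions.

```shell
#!/bin/sh
# with-gdb-backtrace-to (reconstruction): run a program under gdb, or attach
# to a running one, and write "bt full" to OUTFILE when it stops on a signal.
# Batch mode disables gdb's pager and confirmation prompts, so nothing
# interactive gets in the way; a normal exit leaves "No stack." in OUTFILE.
#   with-gdb-backtrace-to OUTFILE PROG [ARGS...]    # start PROG under gdb
#   with-gdb-backtrace-to OUTFILE --pid PID         # attach, like "gdb PROG PID"

# Start PROG with ARGS under gdb; dump a full backtrace if it dies on a signal.
run_with_backtrace() {
    out=$1; shift
    gdb -batch -ex run -ex 'bt full' -ex 'info threads' --args "$@" >"$out" 2>&1
}

# Attach to an already running PID, let it continue, dump on signal, detach.
attach_with_backtrace() {
    out=$1; pid=$2
    gdb -batch -p "$pid" -ex continue -ex 'bt full' -ex 'info threads' \
        -ex detach >"$out" 2>&1
}

# Print the signal a gdb log recorded (e.g. SIGSEGV); exit 1 if there was none.
crash_signal() {
    sed -n 's/^Program received signal \([A-Z0-9]*\),.*/\1/p' "$1" | head -n 1 | grep .
}

# Print the innermost frame of the recorded backtrace (the "#0 ..." line).
crash_frame() {
    sed -n 's/^#0  *//p' "$1" | head -n 1 | grep .
}

main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: $0 OUTFILE PROG [ARGS...] | $0 OUTFILE --pid PID" >&2; return 2
    fi
    out=$1; shift
    if [ "$1" = --pid ]; then attach_with_backtrace "$out" "$2"
    else run_with_backtrace "$out" "$@"; fi
    if sig=$(crash_signal "$out"); then
        echo "$sig at: $(crash_frame "$out") (full backtrace in $out)" >&2
        return 1
    fi
    echo "exited without a signal; gdb log in $out" >&2
}

# Only dispatch when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```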