[pkg-lxc-devel] Bug#843427: lxc-ls -f aborts with Glibc invalid pointer to free()
Andrea
andreakarimodm at gmail.com
Sun Nov 6 16:07:40 UTC 2016
Package: lxc
Version: 1:2.0.5-1
Severity: important
lxc-ls -f fails attempting to free an invalid pointer, a use after free maybe?
I use containers created by unprivileged users. I enabled all this by roughly following this guide https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/ .
The same command on the same lxc path (with -P option) performed under the root user doesn't produce this behaviour.
I would also like to specify that the folder containing the containers has a mix of root-only and user-level containers.
It looks like so:
$ ls -l ~/.local/share/lxc/
total 88
drwxr-xr-x 1 root root 22 Nov 3 19:17 cont1
drwxrwx--- 1 2000000 user 36 Oct 22 10:59 cont2
drwxrwx--- 1 root root 54 Sep 27 15:07 cont3
drwxrwx--- 1 2000000 user 48 Jul 8 01:51 cont4
drwxr-x--- 1 2000000 user 48 Jun 23 10:14 cont5
drwxrwx--- 1 2000000 user 50 Jul 22 16:22 cont6
drwxrwx--- 1 2000000 user 44 Nov 4 11:46 cont7
drwxr-x--- 1 2000000 user 48 Jun 7 18:43 cont8
drwxrwx--- 1 2000000 user 42 Sep 21 16:15 cont9
drwxrwx--- 1 2000000 user 56 Sep 21 17:13 cont10
Please note that 2000000 is a subuid assigned to 'user'.
Abort runtime info:
$ lxc-ls -f
*** Error in `lxc-ls': free(): invalid pointer: 0x00007f219ee45b58 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f219eb1dbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fa6)[0x7f219eb23fa6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7779e)[0x7f219eb2479e]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(lxc_free_array+0x2a)[0x7f219fb2a6da]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(+0x239a1)[0x7f219fb129a1]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(+0x24da0)[0x7f219fb13da0]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(+0x24f0f)[0x7f219fb13f0f]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(freezer_state+0x2f)[0x7f219fb26c2f]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(lxc_getstate+0x11)[0x7f219fb40971]
/usr/lib/x86_64-linux-gnu/liblxc.so.1(+0x656f1)[0x7f219fb546f1]
lxc-ls[0x402c27]
lxc-ls(main+0xfa)[0x40188a]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f219eacd2b1]
lxc-ls(_start+0x2a)[0x40252a]
======= Memory map: ========
Aborted
I used gdb and lxc-dbg to generate a corefile (let me know if you need me to send it to you). I will post here the compact and extended backtrace of the execution:
(gdb) target core core.4957
[New LWP 4957]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/bin/lxc-ls -f'.
Program terminated with signal SIGABRT, Aborted.
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
58 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007ffff6b3940a in __GI_abort () at abort.c:89
#2 0x00007ffff6b75bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff6c6ac70 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6b7bfa6 in malloc_printerr (action=3, str=0x7ffff6c6780d "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5046
#4 0x00007ffff6b7c79e in _int_free (av=0x7ffff6e9db00 <main_arena>, p=0x7ffff6e9db48 <main_arena+72>, have_lock=0) at malloc.c:3902
#5 0x00007ffff7b826da in lxc_free_array (array=0x60d8a0, element_free_fn=0x4012b0 <free@plt>) at utils.c:884
#6 0x00007ffff7b6a9a1 in lxc_cgroup_hierarchy_free (h=0x60d860) at cgroups/cgfs.c:1801
#7 lxc_cgroup_put_meta (meta_data=meta_data@entry=0x60c510) at cgroups/cgfs.c:637
#8 0x00007ffff7b6bda0 in lxc_cgroup_put_meta (meta_data=0x60c510) at cgroups/cgfs.c:1303
#9 lxc_cgroup_get_hierarchy_abs_path (subsystem=subsystem@entry=0x7fffffffdcf0 "freezer", name=name@entry=0x6062c0 "cf", lxcpath=lxcpath@entry=0x606010 "/home/karimo/.local/share/lxc") at cgroups/cgfs.c:1326
#10 0x00007ffff7b6bf0f in lxc_cgroupfs_get (filename=0x7ffff7bb886c "freezer.state", value=0x7fffffffdd80 "\350\003", len=100, name=0x6062c0 "cf", lxcpath=0x606010 "/home/karimo/.local/share/lxc") at cgroups/cgfs.c:1379
#11 0x00007ffff7b7ec2f in freezer_state (name=name@entry=0x6062c0 "cf", lxcpath=lxcpath@entry=0x606010 "/home/karimo/.local/share/lxc") at freezer.c:45
#12 0x00007ffff7b98971 in lxc_getstate (name=0x6062c0 "cf", lxcpath=0x606010 "/home/karimo/.local/share/lxc") at state.c:74
#13 0x00007ffff7bac6f1 in do_lxcapi_state (c=0x6060c0) at lxccontainer.c:423
#14 lxcapi_state (c=0x6060c0) at lxccontainer.c:427
#15 0x0000000000402c27 in ls_get (m=m@entry=0x7fffffffe020, size=size@entry=0x7fffffffe028, args=args@entry=0x6051c0 <my_args>, basepath=basepath@entry=0x4038f5 "", parent=parent@entry=0x0, lvl=lvl@entry=0, lockpath=0x7fffffffe030, len_lockpath=<optimized out>,
grps_must=0x0, grps_must_len=0) at tools/lxc_ls.c:402
#16 0x000000000040188a in main (argc=<optimized out>, argv=<optimized out>) at tools/lxc_ls.c:251
(gdb) bt full
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
set = {__val = {0, 3486175777717118566, 7378697628691542064, 2319406791624189495, 3472328228581767026, 3472310704041635888, 3966017812923691066, 3775817725723960934, 7378697426660503600, 3472328331496929126, 3472310978873881120, 3467824696600309808,
729636054439574064, 7378645952437315127, 7378645706714656824, 3472382405132117606}}
pid = <optimized out>
tid = <optimized out>
#1 0x00007ffff6b3940a in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x3030333230303020, sa_sigaction = 0x3030333230303020}, sa_mask = {__val = {2320533833988972592, 2321100061070078515, 2314885530818453536, 2314885530818453536, 3414407380868276256, 7794943938178463864,
8461814194867891817, 3761119431852583983, 7378697426077446958, 3472328524770457446, 7365468305578407725, 8606977229197436518, 3472328296226648109, 3475143045726351408, 7378645556122361904, 140737488346032}}, sa_flags = 80, sa_restorer = 0x7fffffffdbb0}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff6b75bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff6c6ac70 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
ap = {{gp_offset = 40, fp_offset = 1664050040, overflow_arg_area = 0x7fffffffdbc0, reg_save_area = 0x7fffffffdb50}}
fd = 3
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007ffff6b7bfa6 in malloc_printerr (action=3, str=0x7ffff6c6780d "free(): invalid pointer", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:5046
buf = "00007ffff6e9db58"
cp = <optimized out>
ar_ptr = <optimized out>
ptr = <optimized out>
str = 0x7ffff6c6780d "free(): invalid pointer"
action = 3
#4 0x00007ffff6b7c79e in _int_free (av=0x7ffff6e9db00 <main_arena>, p=0x7ffff6e9db48 <main_arena+72>, have_lock=0) at malloc.c:3902
size = <optimized out>
fb = <optimized out>
nextchunk = <optimized out>
nextsize = <optimized out>
nextinuse = <optimized out>
prevsize = <optimized out>
bck = <optimized out>
fwd = <optimized out>
errstr = <optimized out>
locked = <optimized out>
__func__ = "_int_free"
#5 0x00007ffff7b826da in lxc_free_array (array=0x60d8a0, element_free_fn=0x4012b0 <free@plt>) at utils.c:884
p = 0x60d8a0
#6 0x00007ffff7b6a9a1 in lxc_cgroup_hierarchy_free (h=0x60d860) at cgroups/cgfs.c:1801
No locals.
#7 lxc_cgroup_put_meta (meta_data=meta_data@entry=0x60c510) at cgroups/cgfs.c:637
i = 0
#8 0x00007ffff7b6bda0 in lxc_cgroup_put_meta (meta_data=0x60c510) at cgroups/cgfs.c:1303
No locals.
#9 lxc_cgroup_get_hierarchy_abs_path (subsystem=subsystem@entry=0x7fffffffdcf0 "freezer", name=name@entry=0x6062c0 "cf", lxcpath=lxcpath@entry=0x606010 "/home/karimo/.local/share/lxc") at cgroups/cgfs.c:1326
meta = 0x60c510
base_info = 0x0
info = <optimized out>
mp = <optimized out>
result = 0x0
#10 0x00007ffff7b6bf0f in lxc_cgroupfs_get (filename=0x7ffff7bb886c "freezer.state", value=0x7fffffffdd80 "\350\003", len=100, name=0x6062c0 "cf", lxcpath=0x606010 "/home/karimo/.local/share/lxc") at cgroups/cgfs.c:1379
subsystem = 0x7fffffffdcf0 "freezer"
p = <optimized out>
path = <optimized out>
ret = -1
#11 0x00007ffff7b7ec2f in freezer_state (name=name@entry=0x6062c0 "cf", lxcpath=lxcpath@entry=0x606010 "/home/karimo/.local/share/lxc") at freezer.c:45
v = "\350\003", '\000' <repeats 14 times>, "\070\003\000\000\000\000\000\000\000\020\000\000\000\000\000\000\200d`", '\000' <repeats 13 times>, "\001\000\000\000\000\000\000\000\020``\000\000\000\000\000\300b`\000\000\000\000\000\300b`\000\000\000\000\000(\000\000\000\000\000\000\000\020``\000\000\000\000\000\300b`"
#12 0x00007ffff7b98971 in lxc_getstate (name=0x6062c0 "cf", lxcpath=0x606010 "/home/karimo/.local/share/lxc") at state.c:74
state = <optimized out>
#13 0x00007ffff7bac6f1 in do_lxcapi_state (c=0x6060c0) at lxccontainer.c:423
s = <optimized out>
#14 lxcapi_state (c=0x6060c0) at lxccontainer.c:427
reset_config = true
#15 0x0000000000402c27 in ls_get (m=m@entry=0x7fffffffe020, size=size@entry=0x7fffffffe028, args=args@entry=0x6051c0 <my_args>, basepath=basepath@entry=0x4038f5 "", parent=parent@entry=0x0, lvl=lvl@entry=0, lockpath=0x7fffffffe030, len_lockpath=<optimized out>,
grps_must=0x0, grps_must_len=0) at tools/lxc_ls.c:402
name = 0x60e270 "cf"
state_tmp = <optimized out>
running = <optimized out>
num = 9
ret = -1
containers = 0x60e220
path = 0x606040 "/home/karimo/.local/share/lxc"
tmp = <optimized out>
check = <optimized out>
l = <optimized out>
c = 0x6060c0
i = 0
#16 0x000000000040188a in main (argc=<optimized out>, argv=<optimized out>) at tools/lxc_ls.c:251
ret = 1
max_len = {name_length = 4, state_length = 5, groups_length = 6, interface_length = 9, ipv4_length = 4, ipv6_length = 4, init_length = 3, ram_length = 3, swap_length = <optimized out>, autostart_length = <optimized out>}
grps = 0x0
ngrps = <optimized out>
ls_arr = 0x0
ls_size = 0
status = <optimized out>
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages lxc depends on:
ii init-system-helpers 1.45
ii libapparmor1 2.10.95-5
ii libc6 2.24-5
ii libcap2 1:2.25-1
ii liblxc1 1:2.0.5-1
ii libseccomp2 2.3.1-2
ii libselinux1 2.6-1
ii lsb-base 9.20161101
ii python3 3.5.1-4
pn python3:any <none>
Versions of packages lxc recommends:
ii bridge-utils 1.5-9
ii debootstrap 1.0.86
ii dirmngr 2.1.15-8
ii dnsmasq-base 2.76-4
ii gnupg 2.1.15-8
ii iptables 1.6.0-4
ii libpam-cgfs 2.0.4-1
ii lxcfs 2.0.4-1
ii openssl 1.1.0b-2
ii rsync 3.1.2-1
ii uidmap 1:4.2-3.2
Versions of packages lxc suggests:
ii apparmor 2.10.95-5
ii btrfs-tools 4.7.3-1
ii lua5.2 5.2.4-1.1+b1
ii lvm2 2.02.164-1
-- Configuration Files:
/etc/lxc/default.conf changed [not included]
-- no debconf information