Bug#1078154: libtickit-widget-scrollbox-perl: FTBFS with Perl 5.40: malloc_consolidate(): unaligned fastbin chunk detected

Niko Tyni ntyni at debian.org
Sun Aug 11 11:10:21 BST 2024


Control: reassign -1 libtickit 0.4.3-1.1 
Control: retitle -1 libtickit: use after free in tickit_window_destroy()
Control: tag -1 patch

On Sun, Aug 11, 2024 at 10:16:44AM +0300, Niko Tyni wrote:
> Control: reassign -1 libtickit-perl 0.73-1
> 
> On Wed, Aug 07, 2024 at 04:04:59PM +0300, Niko Tyni wrote:
> > Package: libtickit-widget-scrollbox-perl
> > Version: 0.12-1
> > Severity: important
> > Tags: trixie sid
> > User: debian-perl at lists.debian.org
> > Usertags: perl-5.40-transition
> > 
> > This package fails to build from source with Perl 5.40 (currently in
> > experimental.)
> 
> >   malloc_consolidate(): unaligned fastbin chunk detected
> 
> >   t/03input-mouse.t         (Wstat: 6 (Signal: ABRT) Tests: 14 Failed: 0)
> >     Non-zero wait status: 6
> 
> > This seems to be almost deterministic on perl.debian.net. The build
> > succeeded once with perl_5.40.0~rc1-1 but has failed consistently 12 times
> > now with perl_5.40.0-1 while building fine on sid / Perl 5.38 every time.
> 
> This is memory corruption in libtickit-perl, not specific to Perl
> 5.40. The current 5.40 build is apparently just more sensitive to
> it. There are past reports of similar issues in #1013526 and #1006658.
> I don't think they ever got fixed properly, they just stopped crashing
> by chance.
> 
> It shows well on current sid / Perl 5.38 with
> 
>   $ valgrind perl -MTickit -e '$w=Tickit->new()->rootwin; $w->make_sub(0,0,1,1); $w->expose'

Turns out this is a bug in the libtickit C library, which can overwrite
freed memory.

It's reproducible with this:

  #include <tickit.h>

  int main(void) {
        Tickit *t = tickit_new_stdtty();
        TickitRect rect = { .top = 0, .left = 0, .lines = 1, .cols = 1 };
        TickitWindow *w = tickit_get_rootwin(t);
        /* child window is never destroyed explicitly; tickit_unref() tears it down */
        TickitWindow *w2 = tickit_window_new(w, rect, 0);
        (void)w2;
        tickit_window_expose(w, &rect);
        tickit_unref(t);   /* valgrind reports the invalid write from here */
        return 0;
  }

which when run under valgrind shows

  ==3516376== Invalid write of size 8
  ==3516376==    at 0x48741CF: tickit_window_destroy (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x4872395: tickit_unref (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091F1: main (in /home/ntyni/1078154/a.out)
  ==3516376==  Address 0x4aba9c0 is 0 bytes inside a block of size 96 free'd
  ==3516376==    at 0x48451EF: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==3516376==    by 0x48741CE: tickit_window_destroy (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x4872395: tickit_unref (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091F1: main (in /home/ntyni/1078154/a.out)
  ==3516376==  Block was alloc'd at
  ==3516376==    at 0x4842808: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==3516376==    by 0x4874069: tickit_window_new (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091CE: main (in /home/ntyni/1078154/a.out)
Proposed patch attached.
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-a-use-after-free-error-in-tickit_window_destroy.patch
Type: text/x-diff
Size: 743 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20240811/e0778c34/attachment-0001.patch>
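The valgrind trace above shows the defect class (a write of 8 bytes into a block that free() has just released, both from inside the same destroy routine). The following is an added illustration of that class on a toy window tree and is not libtickit code, the attached patch, or the reporter's reproducer: the `Win` type, `win_new`, `win_unlink`, `win_destroy` and the live-window counter are all constructed for this example. It shows the safe ordering (unlink and tear down children while the node is still allocated, free last) and notes in a comment the reversed ordering that produces exactly the "Invalid write ... inside a block ... free'd" report.

```c
#include <stdlib.h>
#include <stddef.h>

/* Toy window tree, constructed for this illustration (not libtickit's
 * TickitWindow). Each node knows its parent and sits in the parent's
 * singly linked child list. */
typedef struct Win Win;
struct Win {
    Win *parent;
    Win *first_child;
    Win *next_sibling;
};

static int live_windows; /* allocated, not yet freed windows (for checking) */

/* Allocate a window and link it at the head of parent's child list. */
Win *win_new(Win *parent)
{
    Win *w = calloc(1, sizeof *w);
    if (!w)
        return NULL;
    w->parent = parent;
    if (parent) {
        w->next_sibling = parent->first_child;
        parent->first_child = w;
    }
    live_windows++;
    return w;
}

/* Remove w from its parent's child list. This reads and writes fields of
 * w, so it must run while w is still allocated. */
static void win_unlink(Win *w)
{
    if (!w->parent)
        return;
    Win **pp = &w->parent->first_child;
    while (*pp && *pp != w)
        pp = &(*pp)->next_sibling;
    if (*pp)
        *pp = w->next_sibling;
    w->parent = NULL;
    w->next_sibling = NULL;
}

/* Safe ordering: destroy children, unlink from the parent, then free.
 * Nothing touches w after free(). The defect class in the report is the
 * reverse order, e.g.
 *     free(w);
 *     w->parent = NULL;   <- 8-byte write into the freed block
 * which valgrind flags as an invalid write 0 bytes inside a freed block,
 * with free() and the write both attributed to the destroy function. */
void win_destroy(Win *w)
{
    if (!w)
        return;
    while (w->first_child)          /* each child unlinks itself */
        win_destroy(w->first_child);
    win_unlink(w);
    free(w);
    live_windows--;
}

int win_live_count(void) { return live_windows; }

int win_child_count(const Win *w)
{
    int n = 0;
    for (const Win *c = w->first_child; c; c = c->next_sibling)
        n++;
    return n;
}

/* Mirrors the report's sequence: a root window, one sub-window, and a
 * teardown of the root that must also dispose of the child. Returns 1
 * when the child was linked and everything was freed exactly once. */
int run_demo(void)
{
    Win *root = win_new(NULL);
    Win *sub = win_new(root);
    (void)sub;
    int children_before = win_child_count(root);
    win_destroy(root);
    return children_before == 1 && win_live_count() == 0;
}
```

Building the toy with `-fsanitize=address` or running it under valgrind is the quickest way to confirm that the safe ordering is clean; swapping the two lines noted in the comment reproduces the same report shape as the trace above.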

