Open mike2307 opened 5 years ago
The corresponding bugzilla ticket is https://bugzilla.redhat.com/show_bug.cgi?id=1761232
Most issues like this are upstream memory corruption bugs uncovered by hardened_malloc. It uncovers latent memory corruption bugs as part of mitigating exploitation. However, in this case, I see _int_free
in the backtrace which indicates that glibc malloc is being at least partially used. I think something unusual is happening here. The malloc implementation isn't being properly substituted via the mechanism you're using, perhaps due to something odd about how the software is compiled / linked. Even though glibc officially supports using linker preloading for malloc replacement, there are edge cases that aren't supported properly by them. I'm curious if you encounter a crash using jemalloc or another malloc implementation via the same replacement mechanism that you're using.
When using jemalloc, sssd works. I'm getting some SELinux errors regarding unix_chkpwd instead...
In the RPM spec file of the failing library, I see a dependency on a library called 'talloc'. See libldb.spec.txt. Maybe that's related somehow...
By the way, this is the method I'm using to replace the malloc/free calls:
# cat /etc/ld.so.preload
/usr/local/lib64/libhardened_malloc.so
The library is compiled with all settings to their defaults, using the latest version on master.
I ran the application with
LD_PRELOAD=/usr/local/lib64/libhardened_malloc.so LD_DEBUG=all sssd 2> hardened.txt
LD_PRELOAD=/usr/local/lib64/libjemalloc.so LD_DEBUG=all sssd 2> jemalloc.txt
The output is attached sssdtest.tar.gz.
The interesting part starts at hardened.txt, line 134592. From that point onwards, libhardened_malloc is not considered any more when looking up symbols.
The matching section in jemalloc.txt starts at line 138061. libjemalloc, however, is used for resolving symbols just fine afterwards...
Edit: Seems like I misaligned the two files. Actually they look quite similar. But one works; the other not. Maybe the debug output contains some hints elsewhere...
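One way to answer the question raised in this thread (does every allocator call in the process actually resolve to the preloaded library, or do some still land in glibc?) is to parse the LD_DEBUG=bindings output rather than eyeballing it. This is an added example, not code from the thread or from hardened_malloc; it assumes glibc's "binding file ... to ...: normal symbol `...'" line format, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue thread: given LD_DEBUG=bindings
# output, report which DSO each allocator symbol was bound to and flag any
# binding that still resolves into glibc's libc.so.6, i.e. a call site that
# the preloaded malloc replacement did not take over.

# Constructed sample of LD_DEBUG=bindings output (assumed glibc format; the
# PID, paths and the mix of bindings are made up, not from the attached logs).
sample_bindings() {
    cat <<'EOF'
     4242:	binding file /usr/sbin/sssd [0] to /usr/local/lib64/libhardened_malloc.so [0]: normal symbol `malloc' [GLIBC_2.2.5]
     4242:	binding file /usr/lib64/libtalloc.so.2 [0] to /usr/local/lib64/libhardened_malloc.so [0]: normal symbol `free' [GLIBC_2.2.5]
     4242:	binding file /usr/lib64/libldb.so.2 [0] to /lib64/libc.so.6 [0]: normal symbol `free' [GLIBC_2.2.5]
     4242:	binding file /usr/sbin/sssd [0] to /lib64/libc.so.6 [0]: normal symbol `strlen' [GLIBC_2.2.5]
EOF
}

# Read LD_DEBUG=bindings text on stdin; print "symbol caller provider" for
# each allocator entry point. Field layout of a binding line:
#   PID: binding file CALLER [n] to PROVIDER [n]: normal symbol `SYM' [VER]
alloc_bindings() {
    awk '$2 == "binding" && $3 == "file" && $6 == "to" {
            sym = substr($11, 2, length($11) - 2)   # strip the ` and the quote
            if (sym ~ /^(malloc|free|calloc|realloc|memalign|posix_memalign|aligned_alloc)$/)
                print sym, $4, $7
         }'
}

# Print one line per allocator binding that did not land in $1 (the expected
# replacement library); exit 1 if any such binding exists, else 0.
check_replacement() {
    alloc_bindings | awk -v want="$1" '
        $3 != want { bad++; print "NOT REPLACED: " $1 " called from " $2 " resolved to " $3 }
        END { exit (bad > 0) }'
}

# Against a real run you would feed the daemon's own LD_DEBUG output instead:
#   LD_DEBUG=bindings sssd 2>&1 | check_replacement /usr/local/lib64/libhardened_malloc.so
sample_bindings | check_replacement /usr/local/lib64/libhardened_malloc.so \
    || echo "some allocator calls bypass the preloaded malloc"
```

A `free' that resolves to libc.so.6 while `malloc' resolves to the replacement is exactly the mixed situation that would put _int_free in a backtrace.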
@mike2307 Is this still an issue?
@thestinger Yes, this issue is still valid.
@mike2307 Can you try with v6 of hardened_malloc? There have been various little fixes over time since I last asked.
@thestinger: No, sorry. The issue is still present with the latest version.
sssd on Fedora 31 reports a segmentation fault when running with libhardened_malloc.
Package version: sssd-common-2.2.2-1.fc31
Crashing function: ldb_kv_dn_list_load
Stack trace: