Control: reassign -1 libtickit 0.4.3-1.1
Control: retitle -1 libtickit: use after free in tickit_window_destroy()
Control: tag -1 patch
On Sun, Aug 11, 2024 at 10:16:44AM +0300, Niko Tyni wrote:
> Control: reassign -1 libtickit-perl 0.73-1
>
> On Wed, Aug 07, 2024 at 04:04:59PM +0300, Niko Tyni wrote:
> > Package: libtickit-widget-scrollbox-perl
> > Version: 0.12-1
> > Severity: important
> > Tags: trixie sid
> > User: debian-p...@lists.debian.org
> > Usertags: perl-5.40-transition
> >
> > This package fails to build from source with Perl 5.40 (currently in
> > experimental.)
> >
> >   malloc_consolidate(): unaligned fastbin chunk detected
> >
> >   t/03input-mouse.t (Wstat: 6 (Signal: ABRT) Tests: 14 Failed: 0)
> >   Non-zero wait status: 6
> >
> > This seems to be almost deterministic on perl.debian.net. The build
> > succeeded once with perl_5.40.0~rc1-1 but has failed consistently 12 times
> > now with perl_5.40.0-1 while building fine on sid / Perl 5.38 every time.
>
> This is memory corruption in libtickit-perl, not specific to Perl
> 5.40. The current 5.40 build is apparently just more sensitive to
> it. There are past reports of similar issues in #1013526 and #1006658.
> I don't think they ever got fixed properly; they just stopped crashing
> by chance.
>
> It shows well on current sid / Perl 5.38 with
>
>   $ valgrind perl -MTickit -e '$w=Tickit->new()->rootwin; $w->make_sub(0,0,1,1); $w->expose'

Turns out this is a bug in the libtickit C library, which can overwrite freed memory.
It's reproducible with this:

  #include <tickit.h>

  int main(void)
  {
    Tickit *t = tickit_new_stdtty();
    TickitRect rect = { .top = 0, .left = 0, .lines = 1, .cols = 1 };
    TickitWindow *w = tickit_get_rootwin(t);
    /* a child window of the root; it is only referenced by its parent */
    TickitWindow *w2 = tickit_window_new(w, rect, 0);
    tickit_window_expose(w, &rect);
    /* drops the last reference: destroys the root window and its children */
    tickit_unref(t);
    return 0;
  }

which when run under valgrind shows

  ==3516376== Invalid write of size 8
  ==3516376==    at 0x48741CF: tickit_window_destroy (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x4872395: tickit_unref (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091F1: main (in /home/ntyni/1078154/a.out)
  ==3516376==  Address 0x4aba9c0 is 0 bytes inside a block of size 96 free'd
  ==3516376==    at 0x48451EF: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==3516376==    by 0x48741CE: tickit_window_destroy (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x4872395: tickit_unref (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091F1: main (in /home/ntyni/1078154/a.out)
  ==3516376==  Block was alloc'd at
  ==3516376==    at 0x4842808: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==3516376==    by 0x4874069: tickit_window_new (in /usr/lib/x86_64-linux-gnu/libtickit.so.3.0.0)
  ==3516376==    by 0x1091CE: main (in /home/ntyni/1078154/a.out)

Proposed patch attached.
-- 
Niko Tyni   nt...@debian.org
>From b3b6452841fc224f2fd5c3b8f63f4b33955dd6d4 Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Sun, 11 Aug 2024 10:56:07 +0100 Subject: [PATCH] Fix a use-after-free error in tickit_window_destroy() Bug-Debian: https://bugs.debian.org/1078154 --- src/window.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/window.c b/src/window.c index 89594dd..7248d2d 100644 --- a/src/window.c +++ b/src/window.c @@ -379,8 +379,8 @@ void tickit_window_destroy(TickitWindow *win) for(TickitWindow *child = win->first_child; child; /**/) { TickitWindow *next = child->next; - tickit_window_unref(child); child->parent = NULL; + tickit_window_unref(child); child = next; } -- 2.45.2
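Review bot: the reorder is the right fix, but a one-line comment above `child->parent = NULL;` stating that it must precede `tickit_window_unref(child)` because that call can free `child` would keep a later cleanup from swapping the two statements back; the valgrind trace in the report (an 8-byte write 0 bytes into the 96-byte block allocated by tickit_window_new()) is exactly that post-unref store. Also worth a look: when the unref does not free the child because another holder (the Perl binding's wrapper, say) still references it, the loop clears `child->parent` but leaves `child->next` pointing at a sibling that the same loop is about to unref, so a surviving child keeps a stale sibling pointer; clearing `child->next` alongside `child->parent` would close that, provided nothing else still walks the list after destroy.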
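The destroy-order bug the patch fixes, as an added example that is not libtickit code: a toy refcounted window tree whose destroy loop can run in the original or the patched order, plus a poisoning "quarantine" free that keeps freed blocks mapped so the write-after-free can be counted without valgrind. All names (Win, win_unref, run_scenario, qfree) are hypothetical, and putting `parent` as the first struct field is an assumption chosen to mirror the offset-0 write in the valgrind trace, not knowledge of TickitWindow's layout. The "held elsewhere" scenario goes beyond the page's reproducer to show why a binding holding an extra reference masks the bug.

```c
/* Added example, not libtickit code: refcounted tree destroy in both orders,
 * with a poison quarantine so a store into a freed block is detectable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Win Win;
struct Win {
  Win *parent;       /* assumption: first field, so a write lands at offset 0 */
  Win *first_child;
  Win *next;
  int refcount;
};

enum { POISON = 0xA5, QMAX = 16 };
static Win *quarantine[QMAX];
static size_t qlen;

/* "Free" that fills the block with POISON but does not return it to libc
 * until quarantine_release(), so a stray later store is legal and visible. */
static void qfree(Win *w) {
  memset(w, POISON, sizeof *w);
  if (qlen < QMAX) quarantine[qlen++] = w;
}

/* Number of quarantined blocks modified after they were "freed". */
static int quarantine_uaf_writes(void) {
  int bad = 0;
  for (size_t i = 0; i < qlen; i++) {
    const unsigned char *b = (const unsigned char *)quarantine[i];
    for (size_t j = 0; j < sizeof(Win); j++)
      if (b[j] != POISON) { bad++; break; }
  }
  return bad;
}

static void quarantine_release(void) {
  while (qlen) free(quarantine[--qlen]);
}

static Win *win_new(Win *parent) {
  Win *w = calloc(1, sizeof *w);
  if (!w) abort();
  w->refcount = 1;
  w->parent = parent;
  if (parent) { w->next = parent->first_child; parent->first_child = w; }
  return w;
}

static void win_destroy(Win *w, int fixed_order);

static void win_unref(Win *w, int fixed_order) {
  if (--w->refcount > 0) return;
  win_destroy(w, fixed_order);
  qfree(w);
}

/* The child loop of tickit_window_destroy(), original and patched order. */
static void win_destroy(Win *w, int fixed_order) {
  for (Win *child = w->first_child; child; /**/) {
    Win *next = child->next;
    if (fixed_order) {
      child->parent = NULL;          /* detach while child is still alive */
      win_unref(child, fixed_order);
    } else {
      win_unref(child, fixed_order); /* may free child here ... */
      child->parent = NULL;          /* ... then store through the dangling pointer */
    }
    child = next;
  }
  w->first_child = NULL;
}

typedef struct { int uaf_writes; int survivor_detached; } Result;

/* root -> child; optionally hold an extra reference on the child, as a language
 * binding keeping a wrapper object would. Destroy the root and report stores into
 * freed blocks and whether a surviving child ended up detached from its parent. */
Result run_scenario(int fixed_order, int hold_child) {
  Result r = { 0, 0 };
  Win *root = win_new(NULL);
  Win *child = win_new(root);
  if (hold_child) child->refcount++;
  win_unref(root, fixed_order);
  r.uaf_writes = quarantine_uaf_writes();
  if (hold_child) {
    r.survivor_detached = (child->parent == NULL);
    win_unref(child, fixed_order);
  }
  quarantine_release();
  return r;
}

int main(void) {
  printf("original order, child referenced only by parent: %d write(s) after free\n",
         run_scenario(0, 0).uaf_writes);
  printf("patched order,  same tree:                        %d write(s) after free\n",
         run_scenario(1, 0).uaf_writes);
  printf("original order, child also held elsewhere:        %d write(s) after free\n",
         run_scenario(0, 1).uaf_writes);
  return 0;
}
```

The third scenario is the one that hides the bug: when something else still holds a reference, the unref does not free the child, the stray store hits live memory, and nothing crashes until a build or allocator change alters the heap layout, which matches the report's observation that earlier instances "just stopped crashing by chance".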