Memory corruption (using memory after freeing) in GNU Make

Bug #1348150 reported by Andris
Affects                 Status      Importance   Assigned to   Milestone
make-dfsg (Fedora)      New         Undecided    Unassigned
make-dfsg (Ubuntu)      Invalid     Undecided    Unassigned
  Precise               Won't Fix   Undecided    Unassigned
  Trusty                Confirmed   Undecided    Unassigned
  Utopic                Invalid     Undecided    Unassigned

Bug Description

I'm getting memory corruption (accessing memory after freeing) in GNU Make on a trivial Makefile

#---------------------------------------------------------------
release: CXXFLAGS ?= -O2 -mfpmath=sse
debug: CXXFLAGS ?= -g
CXXFLAGS ?= -O2 -g

release debug all:
        @echo $(CXXFLAGS)
        @echo $(CXX)
#---------------------------------------------------------------

when providing the value of CXXFLAGS on the command line. For example:

make CXXFLAGS=-O2

Reproduced on:

Ubuntu 14.04 LTS x86_64
Ubuntu 12.04.4 LTS i686 (really chroot)

Also reproduced with GNU Make 3.82 from ftp.gnu.org compiled from sources. Did not happen with GNU Make 4.0 from ftp.gnu.org.

Valgrind error messages (package installed on Ubuntu 14.04 LTS x86_64):
==4354== Memcheck, a memory error detector
==4354== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4354== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==4354== Command: make CXXFLAGS=-O3
==4354==
==4354== Invalid read of size 1
==4354== at 0x4C2E0E2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x4EC066D: strdup (strdup.c:41)
==4354== by 0x4122B8: ??? (in /usr/bin/make)
==4354== by 0x416070: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354== Address 0x520e880 is 0 bytes inside a block of size 4 free'd
==4354== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x416067: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354==
==4354== Invalid read of size 1
==4354== at 0x4C2E0F4: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x4EC066D: strdup (strdup.c:41)
==4354== by 0x4122B8: ??? (in /usr/bin/make)
==4354== by 0x416070: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354== Address 0x520e881 is 1 bytes inside a block of size 4 free'd
==4354== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x416067: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354==
==4354== Invalid read of size 2
==4354== at 0x4C2FDC0: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x4122B8: ??? (in /usr/bin/make)
==4354== by 0x416070: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354== Address 0x520e880 is 0 bytes inside a block of size 4 free'd
==4354== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4354== by 0x416067: ??? (in /usr/bin/make)
==4354== by 0x416BA3: ??? (in /usr/bin/make)
==4354== by 0x416F73: ??? (in /usr/bin/make)
==4354== by 0x403216: ??? (in /usr/bin/make)
==4354== by 0x4E58EC4: (below main) (libc-start.c:287)
==4354==

From a similar test with make-3.82 I'm getting:

==24068== Memcheck, a memory error detector
==24068== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==24068== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==24068== Command: make-3.82 CXXFLAGS=-O3
==24068==
==24068== Invalid read of size 1
==24068== at 0x4C2E0E2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x4EC066D: strdup (strdup.c:41)
==24068== by 0x412E88: xstrdup (misc.c:413)
==24068== by 0x416B8B: eval (read.c:1818)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068== Address 0x521c650 is 0 bytes inside a block of size 4 free'd
==24068== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x416B82: eval (read.c:1817)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068==
==24068== Invalid read of size 1
==24068== at 0x4C2E0F4: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x4EC066D: strdup (strdup.c:41)
==24068== by 0x412E88: xstrdup (misc.c:413)
==24068== by 0x416B8B: eval (read.c:1818)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068== Address 0x521c651 is 1 bytes inside a block of size 4 free'd
==24068== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x416B82: eval (read.c:1817)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068==
==24068== Invalid read of size 2
==24068== at 0x4C2FDC0: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x412E88: xstrdup (misc.c:413)
==24068== by 0x416B8B: eval (read.c:1818)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068== Address 0x521c650 is 0 bytes inside a block of size 4 free'd
==24068== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068== by 0x416B82: eval (read.c:1817)
==24068== by 0x417469: eval_makefile (read.c:423)
==24068== by 0x417823: read_all_makefiles (read.c:257)
==24068== by 0x403410: main (main.c:1659)
==24068==

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: make 3.81-8.2ubuntu3
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jul 24 14:35:00 2014
Dependencies:
 gcc-4.9-base 4.9.1-1 [origin: unknown]
 libc6 2.19-0ubuntu6
 libgcc1 1:4.9.1-1 [origin: unknown]
 multiarch-support 2.19-0ubuntu6
InstallationDate: Installed on 2014-07-07 (17 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
SourcePackage: make-dfsg
UpgradeStatus: No upgrade log present (probably fresh install)
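
Both traces above point at the same pair of sites (a free, then a strdup of the freed value). When a memcheck log for a larger build contains many repeated hits of the same bug, a small triage parser that groups errors by (free site, access site) makes that pattern obvious. The following is an added example, not code from the report or from GNU Make; the sample log is an abridged copy of the make-3.82 trace above, and the tool-frame markers are an assumption.

```python
import re

# Abridged memcheck output, constructed from the make-3.82 trace in this report.
SAMPLE = """\
==24068== Invalid read of size 1
==24068==    at 0x4C2E0E2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068==    by 0x4EC066D: strdup (strdup.c:41)
==24068==    by 0x412E88: xstrdup (misc.c:413)
==24068==    by 0x416B8B: eval (read.c:1818)
==24068==  Address 0x521c650 is 0 bytes inside a block of size 4 free'd
==24068==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068==    by 0x416B82: eval (read.c:1817)
==24068==
==24068== Invalid read of size 2
==24068==    at 0x4C2FDC0: __GI_memcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068==    by 0x412E88: xstrdup (misc.c:413)
==24068==    by 0x416B8B: eval (read.c:1818)
==24068==  Address 0x521c651 is 1 bytes inside a block of size 4 free'd
==24068==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24068==    by 0x416B82: eval (read.c:1817)
==24068==
"""
ERROR = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FREED = re.compile(r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is (\d+) bytes inside a block of size (\d+) free'd$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
# Assumed markers for frames that belong to valgrind/libc rather than to the program under test.
TOOL_MARKERS = ("vgpreload_memcheck", "strdup.c", "libc-start.c")

def first_own_frame(frames):
    """First frame outside valgrind/libc, e.g. 'eval (read.c:1817)'."""
    for func, loc in frames:
        if not any(t in loc for t in TOOL_MARKERS):
            return f"{func} ({loc})"
    return frames[0][0] if frames else "?"

def parse_memcheck(text):
    """One record per error on free'd memory: access kind/size, access stack, free stack, block offset/size."""
    errors, cur, stack = [], None, None
    for line in text.splitlines():
        if (m := ERROR.match(line)):
            cur = {"kind": m[1], "size": int(m[2]), "access": [], "free": [], "block": None}
            errors.append(cur)
            stack = cur["access"]
        elif cur and (m := FREED.match(line)):
            cur["block"] = (int(m[1]), int(m[2]))
            stack = cur["free"]  # frames that follow describe where the block was freed
        elif cur and (m := FRAME.match(line)):
            stack.append((m[1], m[2]))
        elif line.rstrip().endswith("=="):  # a bare '==pid==' line terminates the current error
            cur = stack = None
    return [e for e in errors if e["block"] is not None]  # keep only use-after-free reports

def summarize(text):
    """Group use-after-free errors by (free site, access site) so repeated hits of one bug collapse."""
    groups = {}
    for e in parse_memcheck(text):
        key = (first_own_frame(e["free"]), first_own_frame(e["access"]))
        groups[key] = groups.get(key, 0) + 1
    return groups
```

Running `summarize(SAMPLE)` yields a single group, freed at `eval (read.c:1817)` and read again via `xstrdup (misc.c:413)`, which is the free-then-duplicate ordering the report describes.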

Revision history for this message
Andris (andris-pavenis) wrote :

This fixes the problem with make-3.82 from the GNU Make Git repo (git://git.savannah.gnu.org/make.git).

Tested on Fedora 20 x86_64.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-Fix-memory-corruption-use-after-free.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Andris (andris-pavenis) wrote :

Tested the patch also against the Ubuntu 14.04 source package of make. It fixes the memory corruption.
Additionally also tested on the "real world" build where I initially detected the bug. No problems there either.

Changed in make-dfsg (Ubuntu Utopic):
status: New → Invalid
Changed in make-dfsg (Ubuntu Trusty):
status: New → Confirmed
Changed in make-dfsg (Ubuntu Precise):
status: New → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in make-dfsg (Ubuntu Precise):
status: Confirmed → Won't Fix