← Back to team overview

kernel-packages team mailing list archive

[Bug 1008600] Re: segfault in namehint API (valgrind aplay -L prints scary warnings)

 

This bug was fixed in the package alsa-lib - 1.0.27.2-3ubuntu2

---------------
alsa-lib (1.0.27.2-3ubuntu2) trusty; urgency=low

  * Fix-access-of-freed-memory-in-namehints.patch:
    Some applications using the namehints API might
    occasionally crash (LP: #1008600)
 -- David Henningsson <david.henningsson@xxxxxxxxxxxxx>   Fri, 07 Feb 2014 08:33:55 +0100

** Changed in: alsa-lib (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to alsa-lib in Ubuntu.
https://bugs.launchpad.net/bugs/1008600

Title:
  segfault in namehint API (valgrind aplay -L prints scary warnings)

Status in “alsa-lib” package in Ubuntu:
  Fix Released

Bug description:
  valgrind reports a lot of scary errors when run on aplay -L , it looks
  like the alsa snd_device_name_hint function is doing some dangerous
  stuff:

  ==30818== Memcheck, a memory error detector
  ==30818== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
  ==30818== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
  ==30818== Command: aplay -L
  ==30818== 
  ==30818== Invalid read of size 8
  ==30818==    at 0x50653F0: snd_config_iterator_next (conf.c:3885)
  ==30818==    by 0x5070732: snd_device_name_hint (namehint.c:506)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c8f8 is 40 bytes inside a block of size 72 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E94: snd_config_delete (conf.c:1850)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  ==30818== Invalid read of size 8
  ==30818==    at 0x506470E: snd_config_get_id (conf.c:1578)
  ==30818==    by 0x50706F7: snd_device_name_hint (namehint.c:508)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c8d0 is 0 bytes inside a block of size 72 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E94: snd_config_delete (conf.c:1850)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  ==30818== Invalid read of size 1
  ==30818==    at 0x558DDBA: vfprintf (vfprintf.c:1624)
  ==30818==    by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
  ==30818==    by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
  ==30818==    by 0x506F50F: try_config (stdio2.h:34)
  ==30818==    by 0x5070722: snd_device_name_hint (namehint.c:512)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E8C: snd_config_delete (conf.c:1849)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  ==30818== Invalid read of size 1
  ==30818==    at 0x55BFB98: _IO_default_xsputn (genops.c:480)
  ==30818==    by 0x558DBED: vfprintf (vfprintf.c:1624)
  ==30818==    by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
  ==30818==    by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
  ==30818==    by 0x506F50F: try_config (stdio2.h:34)
  ==30818==    by 0x5070722: snd_device_name_hint (namehint.c:512)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E8C: snd_config_delete (conf.c:1849)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  ==30818== Invalid read of size 1
  ==30818==    at 0x55BFBA7: _IO_default_xsputn (genops.c:479)
  ==30818==    by 0x558DBED: vfprintf (vfprintf.c:1624)
  ==30818==    by 0x564B403: __vsprintf_chk (vsprintf_chk.c:86)
  ==30818==    by 0x564B34C: __sprintf_chk (sprintf_chk.c:33)
  ==30818==    by 0x506F50F: try_config (stdio2.h:34)
  ==30818==    by 0x5070722: snd_device_name_hint (namehint.c:512)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c822 is 2 bytes inside a block of size 8 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E8C: snd_config_delete (conf.c:1849)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  ==30818== Invalid read of size 1
  ==30818==    at 0x4C2E439: __strcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x506F6BF: try_config (string3.h:105)
  ==30818==    by 0x5070722: snd_device_name_hint (namehint.c:512)
  ==30818==    by 0x403DE8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x4094A8: ??? (in /usr/bin/aplay)
  ==30818==    by 0x556576C: (below main) (libc-start.c:226)
  ==30818==  Address 0x5e0c820 is 0 bytes inside a block of size 8 free'd
  ==30818==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==30818==    by 0x5065E8C: snd_config_delete (conf.c:1849)
  ==30818==    by 0x5066425: parse_defs (conf.c:1200)
  ==30818==    by 0x50667E5: snd_config_load1 (conf.c:1661)
  ==30818==    by 0x5066A0C: config_file_open (conf.c:3403)
  ==30818==    by 0x506827D: snd_config_hook_load (conf.c:3528)
  ==30818==    by 0x64C8ACC: ???
  ==30818==    by 0x5068EBC: snd_config_hooks.constprop.26 (conf.c:3326)
  ==30818==    by 0x50694C3: snd_config_searcha_hooks (conf.c:3127)
  ==30818==    by 0x5069599: snd_config_searchva_hooks (conf.c:3164)
  ==30818==    by 0x5069675: snd1_config_search_alias_hooks (conf.c:3194)
  ==30818==    by 0x50687A1: snd_config_search_definition (conf.c:4782)
  ==30818== 
  default
      Playback/recording through the PulseAudio sound server
  null
      Discard all samples (playback) or generate zero samples (capture)
  pulse
      PulseAudio Sound Server
  default
      Playback/recording through the PulseAudio sound server
  sysdefault:CARD=I82801AAICH
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Default Audio Device
  front:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Front speakers
  surround40:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      4.0 Surround output to Front and Rear speakers
  surround41:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      4.1 Surround output to Front, Rear and Subwoofer speakers
  surround50:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      5.0 Surround output to Front, Center and Rear speakers
  surround51:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      5.1 Surround output to Front, Center, Rear and Subwoofer speakers
  iec958:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      IEC958 (S/PDIF) Digital Audio Output
  dmix:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Direct sample mixing device
  dsnoop:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Direct sample snooping device
  hw:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Direct hardware device without any conversions
  plughw:CARD=I82801AAICH,DEV=0
      Intel 82801AA-ICH, Intel 82801AA-ICH
      Hardware device with all software conversions
  ==30818== 
  ==30818== HEAP SUMMARY:
  ==30818==     in use at exit: 32,284 bytes in 94 blocks
  ==30818==   total heap usage: 16,469 allocs, 16,375 frees, 719,816 bytes allocated
  ==30818== 
  ==30818== LEAK SUMMARY:
  ==30818==    definitely lost: 0 bytes in 0 blocks
  ==30818==    indirectly lost: 0 bytes in 0 blocks
  ==30818==      possibly lost: 0 bytes in 0 blocks
  ==30818==    still reachable: 32,284 bytes in 94 blocks
  ==30818==         suppressed: 0 bytes in 0 blocks
  ==30818== Rerun with --leak-check=full to see details of leaked memory
  ==30818== 
  ==30818== For counts of detected and suppressed errors, rerun with: -v
  ==30818== ERROR SUMMARY: 25 errors from 6 contexts (suppressed: 2 from 2)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-lib/+bug/1008600/+subscriptions