[GH-ISSUE #3662] free(): invalid pointer with --ip=dhcp #2306

Open
opened 2026-05-05 08:59:44 -06:00 by gitea-mirror · 3 comments

Originally created by @kris7t on GitHub (Oct 10, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3662

Originally assigned to: @kris7t on GitHub.

Bug and expected behavior
When running Firejail with --ip=dhcp, it dumps core after the jailed application exits normally (here /usr/bin/true is used as a program that exits immediately):

$ firejail --net=br-untrusted --ip=dhcp --noprofile /usr/bin/true
Parent pid 2198151, child pid 2198153

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP

Child process initialized in 627.41 ms
free(): invalid pointer
[1]    2198151 abort (core dumped)  firejail --net=br-untrusted --ip=dhcp --noprofile /usr/bin/true

The core dump is caused by line 3088 of firejail/main.c:

$ coredumpctl gdb
           PID: 2198151 (firejail)
           UID: 1000 (kris)
           GID: 1000 (kris)
        Signal: 6 (ABRT)
     Timestamp: Sat 2020-10-10 21:06:07 CEST (2s ago)
  Command Line: firejail --net=br-untrusted --ip=dhcp --noprofile /usr/bin/true
    Executable: /usr/bin/firejail
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (kris)
       Boot ID: <REDACTED>
    Machine ID: <REDACTED>
      Hostname: blushweaver.marussy.com
       Storage: /var/lib/systemd/coredump/core.firejail.1000.28030ec480a04a598419e379fbeb7cc7.2198151.1602356767000000.zst
       Message: Process 2198151 (firejail) of user 1000 dumped core.

                Stack trace of thread 2198151:
                #0  0x00007fc5f9472615 raise (libc.so.6 + 0x3d615)
                #1  0x00007fc5f945b862 abort (libc.so.6 + 0x26862)
                #2  0x00007fc5f94b45e8 __libc_message (libc.so.6 + 0x7f5e8)
                #3  0x00007fc5f94bc27a malloc_printerr (libc.so.6 + 0x8727a)
                #4  0x00007fc5f94bd64c _int_free (libc.so.6 + 0x8864c)
                #5  0x0000564cce1be0fe main (firejail + 0xd0fe)
                #6  0x00007fc5f945d152 __libc_start_main (libc.so.6 + 0x28152)
                #7  0x0000564cce1c487e _start (firejail + 0x1387e)

GNU gdb (GDB) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/firejail...
[New LWP 2198151]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `firejail --net=br-untrusted --ip=dhcp --noprofile /usr/bin/true'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007fc5f9472615 in raise () from /usr/lib/libc.so.6
(gdb) ba
#0  0x00007fc5f9472615 in raise () from /usr/lib/libc.so.6
#1  0x00007fc5f945b862 in abort () from /usr/lib/libc.so.6
#2  0x00007fc5f94b45e8 in __libc_message () from /usr/lib/libc.so.6
#3  0x00007fc5f94bc27a in malloc_printerr () from /usr/lib/libc.so.6
#4  0x00007fc5f94bd64c in _int_free () from /usr/lib/libc.so.6
#5  0x0000564cce1be0fe in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at main.c:3088

Seems like we're trying to free a profile line that was already freed:

https://github.com/netblue30/firejail/blob/7fb7e4227ee756387f3f038ec2bbc8b844664a60/src/firejail/main.c#L3083-L3093

Oddly enough, I don't have the same crash with --ip6=dhcp (i.e. use ARP scanning to determine the IPv4 address, but use dhcpcd for IPv6).

According to git bisect, the commit that introduced the crash is 81b2c7aa07e5a0657398a7a34a4dc01e87eeb6ac.

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail with --ip=dhcp.
  2. Let the jailed program exit.
  3. See the core being dumped.

Environment

  • Arch Linux Linux 5.8.13-arch1-1 #1 SMP PREEMPT Thu, 01 Oct 2020 20:40:35 +0000 x86_64 GNU/Linux
  • On firejail git commit 9bf6e0ead189b924e5fca099b35d88be091bd009
gitea-mirror added the networking label 2026-05-05 08:59:44 -06:00

@kris7t commented on GitHub (Oct 11, 2020):

@netblue30 I have a bit of a hard time understanding this:

https://github.com/netblue30/firejail/blob/f373fe14e591ee988dcf3fc857554c965c057290/src/firejail/main.c#L1050-L1057

  1. Doesn't profile_add take ownership of its argument? Maybe we'd need something like profile_add_dup, which first calls strdup on its argument and then passes it to profile_add (lest we try to free a string literal later when the profile entries are freed).
  2. Do we need to noblacklist /sbin before parsing the rest of the arguments? I am on Arch where /sbin and /usr/sbin are just symlinks to /usr/bin, so I can't really test this.
  3. Would we also want to do the same thing for --ip6=dhcp? What about ip dhcp and ip6 dhcp in profiles?

@rusty-snake commented on GitHub (Oct 12, 2020):

  2. blacklist follows symlinks. Test with firejail --noprofile --blacklist=/sbin ls -ld /usr/sbin.

@netblue30 commented on GitHub (Oct 13, 2020):

The profile free code is 6 years old, the original intent was long lost. We put it in to keep tools like valgrind quiet, but on the way valgrind got broken. I commented it out for now, it doesn't make sense in this moment since the sandbox is already closed.
