GNU bug report logs - #46330
Guile-provided GMP allocators interfere with GnuTLS

Message received at 46330 <at> debbugs.gnu.org:

Received: (at 46330) by debbugs.gnu.org; 5 Feb 2021 17:13:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 05 12:13:23 2021
Received: from localhost ([127.0.0.1]:44626 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1l84fR-0007Yn-K8
	for submit <at> debbugs.gnu.org; Fri, 05 Feb 2021 12:13:23 -0500
Received: from eggs.gnu.org ([209.51.188.92]:60050)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1l84fP-0007YY-6R
 for 46330 <at> debbugs.gnu.org; Fri, 05 Feb 2021 12:13:12 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:48355)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>) id 1l84fK-00016C-1C
 for 46330 <at> debbugs.gnu.org; Fri, 05 Feb 2021 12:13:06 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=36232 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1l84fH-0004iD-Gv
 for 46330 <at> debbugs.gnu.org; Fri, 05 Feb 2021 12:13:04 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: 46330 <at> debbugs.gnu.org
Subject: Re: bug#46330: Guile-provided GMP allocators interfere with GnuTLS
References: <87v9b61md4.fsf@HIDDEN>
Date: Fri, 05 Feb 2021 18:13:02 +0100
In-Reply-To: <87v9b61md4.fsf@HIDDEN> ("Ludovic =?utf-8?Q?Court=C3=A8s=22?=
 =?utf-8?Q?'s?= message of "Fri, 05 Feb 2021 17:59:51 +0100")
Message-ID: <87im761lr5.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 46330
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s <ludo@HIDDEN> skribis:

> In a nutshell, Guile installs its own GMP memory allocation routines
> (when =E2=80=98scm_install_gmp_memory_functions=E2=80=99 is true, which i=
s the default)
> so that GMP allocates via libgc.  GnuTLS uses Nettle, which uses GMP, so
> Nettle too ends up allocating via libgc; however, since pointers to that
> memory are not scanned by libgc, they end up being reclaimed early.

One of the solutions is to set:

  scm_install_gmp_memory_functions =3D 0;

in Guile, as Andy suggested on IRC, but it incurs a performance hit on
bignum-heavy applications such as the compiler:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D964284#78

However, since Guix now uses its own =E2=80=98guile=E2=80=99 binary, we can=
 work around
the issue like so:


--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

diff --git a/gnu/packages/aux-files/guile-launcher.c b/gnu/packages/aux-fil=
es/guile-launcher.c
index 1dd5d77e66..814084e032 100644
--- a/gnu/packages/aux-files/guile-launcher.c
+++ b/gnu/packages/aux-files/guile-launcher.c
@@ -1,5 +1,5 @@
 /* GNU Guix --- Functional package management for GNU
-   Copyright 1996-1997,2000-2001,2006,2008,2011,2013,2018,2020
+   Copyright 1996-1997,2000-2001,2006,2008,2011,2013,2018,2020,2021
       Free Software Foundation, Inc.
    Copyright (C) 2020 Ludovic Court=C3=A8s <ludo@HIDDEN>
=20
@@ -82,7 +82,10 @@ main (int argc, char **argv)
   unsetenv ("GUILE_LOAD_PATH");
   unsetenv ("GUILE_LOAD_COMPILED_PATH");
=20
-  scm_install_gmp_memory_functions =3D 1;
+  /* XXX: Do not let GMP allocate via libgc as this can lead to memory
+     corruption in GnuTLS/Nettle: <https://issues.guix.gnu.org/46330>.  */
+  scm_install_gmp_memory_functions =3D 0;
+
   scm_boot_guile (argc, argv, inner_main, 0);
   return 0; /* never reached */
 }

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


The advantage of this hack is that we still get to use upstream =E2=80=98gu=
ile=E2=80=99
for compilation purposes (with no performance hit), and we use our own
=E2=80=9Csafe=E2=80=9D =E2=80=98guile=E2=80=99 executable for stuff that ma=
y use GnuTLS, in particular
=E2=80=98guix substitute=E2=80=99 and =E2=80=98guix perform-download=E2=80=
=99.

There may still be a few cases where we=E2=80=99d use stock =E2=80=98guile=
=E2=80=99 together
with GnuTLS.  The only example that comes to mind is when calling
=E2=80=98download-nar=E2=80=99 or =E2=80=98swh-download=E2=80=99 as a fallb=
ack in (guix git-download).
That=E2=80=99s quite rare though.

So I think that the above is a workaround we could deploy right away.
It should allow us to wait until we have Guile on mini-GMP.

Thoughts?

Ludo=E2=80=99.

--=-=-=--

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 5 Feb 2021 16:59:58 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 05 11:59:58 2021
Received: from localhost ([127.0.0.1]:44605 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1l84Sc-0007Bw-93
	for submit <at> debbugs.gnu.org; Fri, 05 Feb 2021 11:59:58 -0500
Received: from lists.gnu.org ([209.51.188.17]:53766)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>) id 1l84Sa-0007Bp-RA
 for submit <at> debbugs.gnu.org; Fri, 05 Feb 2021 11:59:57 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:45634)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>) id 1l84Sa-00068X-FS
 for bug-guix@HIDDEN; Fri, 05 Feb 2021 11:59:56 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:47942)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@HIDDEN>) id 1l84Sa-0003lK-6R
 for bug-guix@HIDDEN; Fri, 05 Feb 2021 11:59:56 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=36220 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@HIDDEN>) id 1l84SX-0008Bh-6o
 for bug-guix@HIDDEN; Fri, 05 Feb 2021 11:59:54 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@HIDDEN>
To: bug-guix@HIDDEN
Subject: Guile-provided GMP allocators interfere with GnuTLS
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 17 =?utf-8?Q?Pluvi=C3=B4se?= an 229 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Fri, 05 Feb 2021 17:59:51 +0100
Message-ID: <87v9b61md4.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Fellow Debian hackers identified a bug causing memory corruption in
Nettle data structures used by GnuTLS when GnuTLS is used from Guile:

  https://bugs.debian.org/964284

In a nutshell, Guile installs its own GMP memory allocation routines
(when =E2=80=98scm_install_gmp_memory_functions=E2=80=99 is true, which is =
the default)
so that GMP allocates via libgc.  GnuTLS uses Nettle, which uses GMP, so
Nettle too ends up allocating via libgc; however, since pointers to that
memory are not scanned by libgc, they end up being reclaimed early.

In practice, memory corruption is relatively rare, to the point that we
did not notice it in Guix.  In Debian, it would lead to a failure of the
=E2=80=98tests/reauth.scm=E2=80=99 test in GnuTLS.  With minor modification=
s to the
test, as noted in the thread above, I can reproduce it on Guix as well.

The thread above mentions possible workaround, but there=E2=80=99s nothing
satisfactory.

The longer-term solution is to use mini-GMP in Guile (which is also nice
as a way to reduce dependencies).

To be continued=E2=80=A6

Ludo=E2=80=99.