Date: Tue, 19 Jun 2012 22:04:57 +0200
From: Bruno Haible <bruno@...sp.org>
To: bug-gnulib@....org
Cc: Rich Felker <dalias@...ifal.cx>, musl@...ts.openwall.com
Subject: Re: musl, printf out-of-memory test

Rich Felker wrote:
> > but once I get
> > 
> >   configure:8979: /arch/x86-linux/inst-musl/bin/musl-gcc -o conftest -g -O2 -Wall  conftest.c  >&5
> >   configure:8982: $? = 0
> >   configure:8986: $? = 139
> >   configure:9031: result: no
> > 
> > So, apparently, under memory stress, musl's printf has a probability of
> > between 10% and 50% of crashing with SIGSEGV (139 = 128 + 11).
> 
> musl's printf does not do anything with memory except using a small
> constant amount of stack space (a few hundred bytes for non-float,
> somewhere around 5-7k for floating point). This is completely
> independent of the width/padding/precision; the implementation
> actually goes to a good bit of trouble to ensure that it can print any
> amount of padding efficiently without large or unbounded stack space
> usage.
> 
> Is there any way the rlimits put in place could be preventing the
> stack from expanding beyond even one page, the current number of pages,
> etc.?

I can reduce the program and the compilation options:

=============================== conftest.c =============================
#include <stdio.h>
#include <errno.h>
int main (void)
{
  int ret;
  int err;
  /* On success the output is "1." followed by 5000000 zeros,
     i.e. 5000002 characters.  */
  ret = printf ("%.5000000f", 1.0);
  err = errno;
  fprintf (stderr, "printf's return value = %d, errno = %d\n", ret, err);
  /* Exit status 0 if printf either succeeded or failed cleanly with
     ENOMEM; anything else (a crash included) counts as a failure.  */
  return !(ret == 5000002 || (ret < 0 && err == ENOMEM));
}
========================================================================
$ musl-gcc -g -Wall  conftest.c -o conftest
$ ./conftest > /dev/null ; echo $?
printf's return value = 5000002, errno = 0
0
$ ./conftest > /dev/null ; echo $?
printf's return value = 5000002, errno = 0
0
$ ./conftest > /dev/null ; echo $?
printf's return value = 5000002, errno = 0
0
$ ./conftest > /dev/null ; echo $?
Speicherzugriffsfehler (Speicherabzug geschrieben)
139
$ ./conftest > /dev/null ; echo $?
Speicherzugriffsfehler (Speicherabzug geschrieben)
139

I couldn't get useful info from gdb.

This is on Linux, 32-bit mode on a 64-bit system. Can you reproduce this?

Bruno
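An added test harness, not part of this thread and not gnulib's or musl's own code, for the distinction the configure check above is making: whether printf under memory pressure returns the full byte count, fails cleanly with -1/ENOMEM, or dies by a signal. It runs the same "%.5000000f" format in a forked child with stdout on /dev/null and classifies the child's exit; capping RLIMIT_AS in the child is an assumption about how to provoke the out-of-memory paths (the configure log does not show which limit was set), and the 16 MiB cap is a constructed value. Unlike the conftest.c above, a crash is reported as a result rather than killing the test program.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* How the child that ran printf ended up. */
enum outcome {
    OUT_OK,       /* printf returned the full byte count */
    OUT_ENOMEM,   /* printf returned -1 with errno == ENOMEM: clean failure */
    OUT_OTHER,    /* some other return value or errno */
    OUT_SIGNAL,   /* child killed by a signal (SIGSEGV in the report above) */
    OUT_HARNESS   /* fork/waitpid failed; says nothing about printf */
};

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case OUT_OK:     return "ok";
    case OUT_ENOMEM: return "enomem";
    case OUT_OTHER:  return "other";
    case OUT_SIGNAL: return "signal";
    default:         return "harness-error";
    }
}

/* Run printf("%.*f", precision, 1.0) in a forked child whose stdout goes to
   /dev/null.  If limit_bytes > 0 the child's address space (RLIMIT_AS) is
   capped first; this is the assumed way of forcing the libc's out-of-memory
   paths.  On OUT_SIGNAL, *sig (if non-NULL) receives the signal number. */
static enum outcome run_printf_child(int precision, rlim_t limit_bytes, int *sig)
{
    long expected = (long)precision + 2;   /* "1." plus <precision> zeros */
    fflush(NULL);                          /* don't duplicate buffered output */
    pid_t pid = fork();
    if (pid < 0)
        return OUT_HARNESS;

    if (pid == 0) {
        if (freopen("/dev/null", "w", stdout) == NULL)
            _exit(2);
        if (limit_bytes > 0) {
            struct rlimit rl;
            if (getrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
            if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max < limit_bytes)
                limit_bytes = rl.rlim_max;   /* the hard limit cannot be raised */
            rl.rlim_cur = limit_bytes;       /* lower only the soft limit */
            if (setrlimit(RLIMIT_AS, &rl) != 0)
                _exit(2);
        }
        errno = 0;
        int ret = printf("%.*f", precision, 1.0);
        int err = errno;
        fflush(stdout);
        if (ret == expected)
            _exit(0);
        if (ret < 0 && err == ENOMEM)
            _exit(1);
        _exit(2);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return OUT_HARNESS;
    if (WIFSIGNALED(status)) {
        if (sig)
            *sig = WTERMSIG(status);
        return OUT_SIGNAL;
    }
    if (WIFEXITED(status)) {
        switch (WEXITSTATUS(status)) {
        case 0:  return OUT_OK;
        case 1:  return OUT_ENOMEM;
        default: return OUT_OTHER;
        }
    }
    return OUT_HARNESS;
}

int main(void)
{
    const int precision = 5000000;              /* same format as conftest.c */
    const rlim_t cap = 16UL * 1024 * 1024;      /* constructed: 16 MiB cap */
    int sig = 0;
    enum outcome o;

    o = run_printf_child(precision, 0, &sig);
    printf("no limit      : %s", outcome_name(o));
    if (o == OUT_SIGNAL) printf(" %d", sig);
    printf("\n");

    o = run_printf_child(precision, cap, &sig);
    printf("RLIMIT_AS=16M : %s", outcome_name(o));
    if (o == OUT_SIGNAL) printf(" %d", sig);
    printf("\n");
    return 0;
}
```

The capped run is the one that matters: a libc that reports "enomem" there is failing the way the configure check accepts, while "signal 11" reproduces the 139 exit status in the log. Running the capped case in a loop would also expose the intermittent behaviour Bruno observed, since the harness survives each crash.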
