Date: Tue, 19 Jun 2012 21:52:49 -0400
From: Rich Felker <dalias@...ifal.cx>
To: Bruno Haible <bruno@...sp.org>
Cc: bug-gnulib@....org, musl@...ts.openwall.com
Subject: Re: musl, printf out-of-memory test

On Tue, Jun 19, 2012 at 11:17:33PM +0200, Bruno Haible wrote:
> [...]
> The SIGSEGV occurs because d = 0x218b40 but the address ranges are these:
> 08048000-08049000 r-xp 00000000 08:05 26174991                           /data/bruno/tmp/testdir3/conftest
> 08049000-0804b000 rwxp 00000000 08:05 26174991                           /data/bruno/tmp/testdir3/conftest
> f7f84000-f7ff8000 r-xp 00000000 08:05 26168372                           /data/arch/x86-linux/inst-musl/lib/libc.so
> f7ff8000-f7ffa000 rwxp 00073000 08:05 26168372                           /data/arch/x86-linux/inst-musl/lib/libc.so
> f7ffa000-f7ffe000 rwxp 00000000 00:00 0 
> fffdc000-ffffe000 rwxp 00000000 00:00 0                                  [stack]
> ffffe000-fffff000 r-xp 00000000 00:00 0                                  [vdso]
> 
> > What if you run it under strace?
> 
> Yes. When it succeeds, the strace output looks normal. When it fails,
> it's this:
> 
> $ strace ./conftest
> execve("./conftest", ["./conftest"], [/* 133 vars */]) = 0
> [ Process PID=2858 runs in 32 bit mode. ]
> --- {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xe7664} (Segmentation fault) ---
> +++ killed by SIGSEGV (core dumped) +++
> Speicherzugriffsfehler (Speicherabzug geschrieben)
> 
> Hope this helps.

Yes, it helped a lot. Thanks! The problem was an obscure
pointer-arithmetic overflow that could only happen in 32-bit binaries
running on a 64-bit kernel where the stack pointer is near the 4GB
boundary. This is why I couldn't reproduce it: I'm on a 32-bit
kernel where the stack is at 3GB and there's no way an offset bounded
by INT_MAX/9 could reach past 4GB. That's my excuse for why it was
never noticed before, but it still doesn't justify the bug, which is a
nasty instance of UB (pointer arithmetic outside array bounds).

Anyway, it's fixed now.

Rich


P.S. I just realized - I meant to credit you for finding it in the
commit message but somehow I forgot to. Sorry about that!
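The failure mode Rich describes above (an offset bounded by INT_MAX/9 added to a pointer that already sits just under the 4GB boundary, so the sum wraps and an in-bounds check passes) is easy to reproduce in a small model. The following is an added example written for this archive page; it is not musl code, not the actual printf fix, and the page does not show the original expression, so the two check functions are a constructed, generic instance of the pattern. Addresses are modelled as 32-bit unsigned integers rather than real pointers, so the wraparound is well defined here and can be observed, whereas on real pointers it is the undefined behaviour the mail refers to. The stack addresses are taken from the map Bruno posted (the region `fffdc000-ffffe000`), and the 3GB case stands in for Rich's 32-bit kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Largest offset the caller can ask for, as stated in the mail: INT_MAX/9. */
#define MAX_OFFSET ((uint32_t)(INT_MAX / 9))

/* Naive bounds check (constructed for this example): forms pos + n first and
 * only then compares it with the end of the buffer. In 32-bit address
 * arithmetic the sum wraps modulo 2^32, so when pos is close to 4GB a huge n
 * produces a small "address" that looks as if it were inside the buffer. */
bool naive_fits(uint32_t pos, uint32_t end, uint32_t n)
{
    uint32_t candidate = pos + n;   /* may wrap past 0xffffffff */
    return candidate <= end;
}

/* Correct check: compare n against the space that actually remains. end - pos
 * cannot overflow because end >= pos, and no out-of-range address is ever
 * formed, which is what keeps the real-pointer version free of UB. */
bool safe_fits(uint32_t pos, uint32_t end, uint32_t n)
{
    return n <= end - pos;
}

/* Returns true when the naive check accepts an offset the safe check rejects,
 * i.e. when this (pos, end, n) triple would have triggered the bug. */
bool naive_check_is_fooled(uint32_t pos, uint32_t end, uint32_t n)
{
    return naive_fits(pos, end, n) && !safe_fits(pos, end, n);
}

int main(void)
{
    /* 64-bit kernel, 32-bit binary: stack mapped at fffdc000-ffffe000 (from the
     * /proc/PID/maps excerpt in the thread). A 4KB window near the top. */
    uint32_t hi_pos = 0xffffd000u, hi_end = 0xffffe000u;
    /* 32-bit kernel: the same 4KB window, but with the stack down at 3GB. */
    uint32_t lo_pos = 0xbfffd000u, lo_end = 0xbfffe000u;

    printf("stack near 4GB: naive=%d safe=%d fooled=%d\n",
           naive_fits(hi_pos, hi_end, MAX_OFFSET),
           safe_fits(hi_pos, hi_end, MAX_OFFSET),
           naive_check_is_fooled(hi_pos, hi_end, MAX_OFFSET));
    printf("stack at 3GB:   naive=%d safe=%d fooled=%d\n",
           naive_fits(lo_pos, lo_end, MAX_OFFSET),
           safe_fits(lo_pos, lo_end, MAX_OFFSET),
           naive_check_is_fooled(lo_pos, lo_end, MAX_OFFSET));
    return 0;
}
```

With the stack at 3GB, `pos + n` stays below 4GB, both checks agree, and the naive version never misbehaves, which matches Rich's account of why the bug could not be reproduced on a 32-bit kernel. Move the same window up to the `fffdc000-ffffe000` region and the naive sum wraps to a small value, passes the comparison, and the subsequent write lands on an unmapped page, giving exactly the `SEGV_MAPERR` that strace reported.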
