From: Rich Felker
Newsgroups: gmane.comp.lib.gnulib.bugs, gmane.linux.lib.musl.general
Subject: Re: musl, printf out-of-memory test
Date: Tue, 19 Jun 2012 21:52:49 -0400
Message-ID: <20120620015249.GT163@brightrain.aerifal.cx>
References: <20120609230541.47eac2de@newbook> <1959429.eYcVRAGVSA@linuix> <20120619200847.GR163@brightrain.aerifal.cx> <4210755.aMrNX6YhFs@linuix>
In-Reply-To: <4210755.aMrNX6YhFs@linuix>
To: Bruno Haible
Cc: musl@lists.openwall.com, bug-gnulib@gnu.org

On Tue, Jun 19, 2012 at 11:17:33PM +0200, Bruno Haible wrote:
> [...]
> The SIGSEGV occurs because d = 0x218b40 but the address ranges are these:
> 08048000-08049000 r-xp 00000000 08:05 26174991 /data/bruno/tmp/testdir3/conftest
> 08049000-0804b000 rwxp 00000000 08:05 26174991 /data/bruno/tmp/testdir3/conftest
> f7f84000-f7ff8000 r-xp 00000000 08:05 26168372 /data/arch/x86-linux/inst-musl/lib/libc.so
> f7ff8000-f7ffa000 rwxp 00073000 08:05 26168372 /data/arch/x86-linux/inst-musl/lib/libc.so
> f7ffa000-f7ffe000 rwxp 00000000 00:00 0
> fffdc000-ffffe000 rwxp 00000000 00:00 0 [stack]
> ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
>
> > What if you run it under strace?
>
> Yes. When it succeeds, the strace output looks normal. When it fails,
> it's this:
>
> $ strace ./conftest
> execve("./conftest", ["./conftest"], [/* 133 vars */]) = 0
> [ Process PID=2858 runs in 32 bit mode. ]
> --- {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xe7664} (Segmentation fault) ---
> +++ killed by SIGSEGV (core dumped) +++
> Speicherzugriffsfehler (Speicherabzug geschrieben)
>
> Hope this helps.

Yes, it helped a lot. Thanks!
The problem was an obscure pointer-arithmetic overflow that could only happen in 32-bit binaries running on a 64-bit kernel where the stack pointer is near the 4GB boundary. This is why I couldn't reproduce it: I'm on a 32-bit kernel where the stack is at 3GB and there's no way an offset bounded by INT_MAX/9 could reach past 4GB.

That's my excuse for why it was never noticed before, but it still doesn't justify the bug, which is a nasty instance of UB (pointer arithmetic outside array bounds). Anyway, it's fixed now.

Rich

P.S. I just realized - I meant to credit you for finding it in the commit message but somehow I forgot to. Sorry about that!
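Added illustration of the failure mode described above (constructed example, not musl's printf code or the actual fix): a bounds check written as `base + offset <= end` forms a sum that can wrap past 4GB when the buffer sits at the top of a 32-bit address space, so an offset that is in fact far out of range compares as "in bounds". Writing the check as `offset <= end - base` never forms the sum and cannot wrap. The addresses are modelled as uint32_t so the wrap reproduces on any host; the buffer bounds 0xfffdc000-0xffffe000 mirror the [stack] mapping in the quoted /proc maps output, and the function names (fits_by_sum, fits_by_remaining, fits_ptr, ptr_demo) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: "pointers" are plain 32-bit integers so the wrap-around
 * that a 32-bit process near the 4GB boundary would see is reproducible
 * anywhere. On real pointers the same sum is undefined behaviour, which is
 * what the mail above calls out. */

/* Buggy form: computes base+off first. With 32-bit addresses the sum wraps
 * when base+off >= 2^32 and the comparison then wrongly succeeds. */
int fits_by_sum(uint32_t base, uint32_t end, uint32_t off)
{
    return (uint32_t)(base + off) <= end;
}

/* Correct form: compare the offset against the space that remains. No sum
 * involving the address is formed, so there is nothing that can wrap. */
int fits_by_remaining(uint32_t base, uint32_t end, uint32_t off)
{
    return base <= end && off <= end - base;
}

/* The same pattern on real pointers: end - p is well defined as long as both
 * point into (or one past) the same object, and size_t n cannot push p past
 * the end without the check noticing. */
int fits_ptr(const char *p, const char *end, size_t n)
{
    return p <= end && n <= (size_t)(end - p);
}

/* Constructed 64-byte buffer used to exercise fits_ptr. */
static char sample[64];

int ptr_demo(size_t n)
{
    return fits_ptr(sample, sample + sizeof sample, n);
}

int main(void)
{
    /* Constructed: a region just under the 4GB boundary, like the stack
     * mapped at fffdc000-ffffe000 in the quoted 32-bit process. */
    uint32_t base = 0xfffdc000u, end = 0xffffe000u;
    /* 0xe00000 is well under INT_MAX/9 yet still reaches past 4GB from here. */
    uint32_t off = 0x00e00000u;

    printf("sum check:       %d  (1 = accepted; wrong, the sum wrapped)\n",
           fits_by_sum(base, end, off));
    printf("remaining check: %d  (0 = rejected; correct)\n",
           fits_by_remaining(base, end, off));
    printf("small offset:    sum=%d remaining=%d (both accept)\n",
           fits_by_sum(base, end, 0x1000u), fits_by_remaining(base, end, 0x1000u));
    printf("ptr check, 100 bytes into 64: %d\n", ptr_demo(100));
    return 0;
}
```

The sum-based check is the one that only misbehaves when the mapping happens to sit near the top of the address space, which is exactly why a 32-bit kernel with the stack at 3GB never triggered it; the remaining-space form behaves identically regardless of where the buffer lives.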