From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: dynlink.c: bug in reclaim_gaps leading to segfault in __libc_exit_fini
Date: Tue, 16 Feb 2016 19:21:24 -0500 [thread overview]
Message-ID: <20160217002123.GB9349@brightrain.aerifal.cx> (raw)
In-Reply-To: <CA+bHwpqFD-AEhEP4xQfKXsp=dTO4nrnAEOd+3=LoHyuWyvDivg@mail.gmail.com>
On Tue, Feb 16, 2016 at 07:05:27PM -0500, Hugues Bruant wrote:
> > > ==59== Invalid free() / delete / delete[] / realloc()
> > > ==59== at 0x4C92B0E: free (vg_replace_malloc.c:530)
> > > ==59== by 0x4056F68: reclaim_gaps (dynlink.c:488)
> > > ==59== by 0x405743D: map_library (dynlink.c:708)
> > > ==59== by 0x4057EF3: load_library (dynlink.c:1014)
> > > ==59== by 0x4058CA8: load_preload (dynlink.c:1112)
> > > ==59== by 0x4058CA8: __dls3 (dynlink.c:1581)
> > > ==59== by 0x405856A: __dls2 (dynlink.c:1383)
> > > ==59== by 0x405655E: ??? (in /lib/ld-musl-x86_64.so.1)
> > > ==59== by 0x3: ???
> > > ==59== by 0xFFF000E3A: ???
> > > ==59== by 0xFFF000E3E: ???
> > > ==59== by 0xFFF000E44: ???
> > > ==59== by 0xFFF000E86: ???
> > >
> > > Afterwards, the program proceeds with no issue, until it exists, at which
> > > point a segfault is triggered when cleaning up shared libraries:
> > >
> >
> > this is not a bug.
>
> How confident of that are you?
>
> Something is reliably overwriting 32 bytes of a dso struct. Valgrind
> supposedly catches out-of-bounds writes to heap-allocated arrays so
> unless I'm mistaken, the absence of any other errors until the segfault
> suggests that there is no out-of-bounds write and the logical conclusion
> is that an allocation overlaps with the corrupted dso struct.
>
> The program is not using any threads so if I understand correctly it sohuld
> not be negatively affected by the small default stack size. In any case, I
> enabled -fstack-protector-all and -fstack-check and this did not reveal any
> issue so at this point I'm ruling out stack overflow as the source of the
> corruption.
>
> Quite frankly I'm hoping that the root cause is in libdmg-hfsplus because
> it would be much easier to fix than musl but the evidence does not point
> in that direction.
>
> Any suggestions for further investigation would be appreciated.
Szabolcs Nagy has been trying to reproduce your crash but it doesn't
seem possible without valid input data for it to process. Could you
provide data that can be used to reproduce the crash?
Rich
next prev parent reply other threads:[~2016-02-17 0:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-16 21:30 Hugues Bruant
2016-02-16 21:55 ` Szabolcs Nagy
2016-02-16 22:02 ` Rich Felker
2016-02-17 0:05 ` Hugues Bruant
2016-02-17 0:21 ` Rich Felker [this message]
2016-02-17 6:16 ` Hugues Bruant
2016-02-17 6:27 ` Hugues Bruant
2016-02-17 7:03 ` Timo Teras
2016-02-17 9:15 ` Hugues Bruant
2016-02-17 15:25 ` Rich Felker
2016-02-17 17:34 ` Hugues Bruant
2016-02-17 18:14 ` Szabolcs Nagy
2016-02-17 18:46 ` Isaac Dunham
2016-02-17 10:19 ` Szabolcs Nagy
2016-02-18 18:05 ` Szabolcs Nagy
2016-02-18 18:33 ` Rich Felker
2016-02-17 15:17 ` Markus Wichmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160217002123.GB9349@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).