From: CM Graff
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: printf family handling of INT_MAX +1 tested on aarch64
Date: Wed, 7 Nov 2018 20:47:37 -0600
References: <20181107203121.GT5150@brightrain.aerifal.cx> <20181108020445.GZ5150@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com
In-Reply-To: <20181108020445.GZ5150@brightrain.aerifal.cx>

Rich,

Ah you are right. Sorry about that. My test is off by one.

Graff

On 11/7/18, Rich Felker wrote:
> On Wed, Nov 07, 2018 at 02:54:02PM -0600, CM Graff wrote:
>> Rich,
>> It just produces a segfault on debian aarch64 in my test case, whereas
>> INTMAX + 2 does not. So I thought it worth reporting.
>>
>> graff@hlib-debian-arm:~/hlibc-test/tests-emperical/musl$ ../usr/bin/musl-gcc ../printf_overflow.c
>> graff@hlib-debian-arm:~/hlibc-test/tests-emperical/musl$ ../usr/bin/musl-gcc -static ../printf_overflow.c
>> graff@hlib-debian-arm:~/hlibc-test/tests-emperical/musl$ ./a.out > logfile
>> Segmentation fault
>> graff@hlib-debian-arm:~/hlibc-test/tests-emperical/musl$ uname -a
>> Linux hlib-debian-arm 4.9.0-8-arm64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) aarch64 GNU/Linux
>> graff@hlib-debian-arm:~/hlibc-test/tests-emperical/musl$
>>
>> I can supply access to the 96 core 124 GB RAM aarch64 debian test box
>> if it would help reproduce the segfault. Just email me a public key if
>> you want access.
>
> The failure has nothing to do with printf. You're calling malloc(i)
> then writing to s[i], which is one past the end of the allocated
> buffer. I failed to notice this because you're only writing i-1 A's to
> the buffer, and there already happens to be a nul byte at s[i-1] to
> terminate them.
>
> Actually the crash has nothing to do with aarch64 vs x86_64 but rather
> static vs dynamic linking. With dynamic linking, full malloc is used
> and there happens to be padding space at the end of the allocation
> because there was a header at the beginning and it has to be rounded
> up to whole pages. But with static linking, simple_malloc (a bump
> allocator) was used, and there are exactly i bytes in the allocation.
>
> Fix the s[i]=0 to be s[i-1]=0 instead and the test works as expected.
> And please, when reporting crashes like this, at least try to identify
> where the crash is occurring (e.g. with gdb or even just some trivial
> printf debugging).
>
> Rich
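The off-by-one Rich describes, shown as an added example that is not the printf_overflow.c from the thread: the buggy pattern (malloc(i), i-1 bytes of 'A', terminator written at s[i]) next to the corrected one (terminator at s[i-1]), plus a small bounds predicate that makes the arithmetic explicit. The function names and the buffer size used in main() are assumptions for illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An allocation of alloc_size bytes holds indices 0..alloc_size-1.
 * Index alloc_size is one past the end, whatever the allocator did. */
int index_in_bounds(size_t alloc_size, size_t idx)
{
    return idx < alloc_size;
}

/* Assumed shape of the reported test (hypothetical reconstruction, not the
 * original file): i bytes allocated, i-1 filled with 'A', then s[i] = 0.
 * The terminator lands one byte past the allocation. With musl's dynamic
 * malloc that byte is usually slack; with simple_malloc in a static link
 * it is not, hence the segfault. Deliberately left buggy and NOT called
 * from main() or the test. */
char *fill_bugged(size_t i)
{
    char *s = malloc(i);
    if (!s) return NULL;
    memset(s, 'A', i - 1);
    s[i] = 0;           /* BUG: heap overflow by one byte */
    return s;
}

/* Corrected version: the terminator goes in the last byte actually owned. */
char *fill_fixed(size_t i)
{
    if (i == 0) return NULL;          /* no room for a terminator at all */
    char *s = malloc(i);
    if (!s) return NULL;
    memset(s, 'A', i - 1);
    s[i - 1] = 0;                     /* in bounds: i-1 < i */
    return s;
}

int main(void)
{
    size_t n = 16;                    /* small stand-in for INT_MAX+1 */
    char *s = fill_fixed(n);
    if (!s) return 1;
    printf("strlen=%zu (expected %zu)\n", strlen(s), n - 1);
    printf("s[%zu] in bounds: %d, s[%zu] in bounds: %d\n",
           n - 1, index_in_bounds(n, n - 1), n, index_in_bounds(n, n));
    free(s);
    return 0;
}
```

Building the buggy variant with -fsanitize=address (gcc or clang) reports the one-byte heap-buffer-overflow at the s[i] store regardless of which malloc backs the process, which is the kind of localisation Rich asks for before a crash is reported as a libc bug.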