From: David Wuertele
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: NULL deref SEGV in malloc.c:unbin()
Date: Mon, 30 Dec 2013 19:17:49 +0000 (UTC)
References: <20131227190544.GF24286@brightrain.aerifal.cx> <20131227221345.GG24286@brightrain.aerifal.cx> <20131229000112.GY1685@port70.net>
To: musl@lists.openwall.com

I found the root cause of the SEGV: I was calling closedir() on the same dir pointer twice (quite some time before the SEGV).

I assume that the behavior of closedir() is undefined when used this way, so my program now makes sure not to do that. But it seems a poor implementation that a double call to closedir should result in memory corruption, and it seems a bug in malloc() that a closedir/opendir sequence can cause it to SEGV. I tried to reduce my program to just this behavior so that I could give you a test case, but the SEGV did not occur with just the opendir/closedir sequence my program calls.

Dave
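Added example, not part of the mail above or of musl itself: a close-once wrapper in C that nulls the DIR pointer after closedir(), so the second close the mail describes is rejected with EBADF instead of handing an already-freed stream back to the allocator. The names `closedir_once` and `demo` are hypothetical.

```c
#include <dirent.h>
#include <errno.h>
#include <stddef.h>

/* Close a directory stream exactly once. Takes the address of the DIR
 * pointer, clears it after a successful close, and reports any later
 * call on the same variable as EBADF rather than calling closedir()
 * on memory that was already freed (the double free behind the SEGV). */
int closedir_once(DIR **dpp)
{
    if (dpp == NULL || *dpp == NULL) {
        errno = EBADF;
        return -1;
    }
    int rc = closedir(*dpp);
    *dpp = NULL;           /* later closes see NULL, not a dangling pointer */
    return rc;
}

/* Replay the reported sequence safely: open, close, close again.
 * Returns 0 when the second close is rejected as expected,
 * -1 if the directory cannot be opened, and other negatives on
 * unexpected behaviour of the wrapper. */
int demo(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    if (closedir_once(&d) != 0)
        return -2;
    /* the second close must fail cleanly instead of corrupting the heap */
    if (closedir_once(&d) == -1 && errno == EBADF)
        return 0;
    return -3;
}
```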