Bug 107506
Summary: | iconv stuff seem to access freed memory | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Frediano Ziglio <freddyz77> | ||||||||
Component: | ElectricFence | Assignee: | Jakub Jelinek <jakub> | ||||||||
Status: | CLOSED RAWHIDE | QA Contact: | David Lawrence <dkl> | ||||||||
Severity: | medium | Docs Contact: | |||||||||
Priority: | medium | ||||||||||
Version: | 9 | ||||||||||
Target Milestone: | --- | ||||||||||
Target Release: | --- | ||||||||||
Hardware: | i686 | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2004-10-16 17:20:32 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Frediano Ziglio
2003-10-19 17:33:08 UTC
This is no glibc problem, there is something wrong with ElectricFence. Not surprising actually, a lot of the functionality it implements is fragile at best. What happens is that it somehow gets confused about the blocks it allocated. This is an excerpt from the strace run: mmap2(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf45b000 mprotect(0xbf45c000, 1044480, PROT_NONE) = 0 mprotect(0xbf45b000, 4096, PROT_READ|PROT_WRITE) = 0 mprotect(0xbf45c000, 4096, PROT_READ|PROT_WRITE) = 0 munmap(0xbf45d000, 4096) = 0 mprotect(0xbf45b000, 4096, PROT_NONE) = 0 The 0xbf45c000 allocation seems to be done in response to the malloc(100) call. The page at 0xbf45b000 seems to be some kind of administrative patch. Next comes this: mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xbf45d000 This is a mmap call made directly by libc, not EF. It's the allocation of the buffer for stdout. Not that it directly follows the already allocated block. Before the code crashes this can be seen: write(1, "line 34\n", 8) = 8 mprotect(0xbf45b000, 4096, PROT_READ|PROT_WRITE) = 0 munmap(0xbf45c000, 8192) = 0 mprotect(0xbf45b000, 4096, PROT_NONE) = 0 The munmap call is made in response to the free() call. Then the program crashes since the buffer for stdout at address 0xbf45d000 has also been freed. Incorrectly so. The problem seems to be that initial munmap() call above. Why did EF create this 4096 byte hole in mapping? It's probably meant to be some kind of protection for the block allocate just below and maybe this should actually be a mprotect() call. Anyway, reassigning to EF. Created attachment 95507 [details]
Output of libSegfault.so attached
The failing access is using %ecx
Created attachment 95508 [details]
Output of strace
Output of strace for the very same run. The end of the strace output shows
libSegFault at work.
I used
strace -o STRACE-OUT -E EF_PROTECT_FREE=1 -E LD_PRELOAD=debug/libSegFault.so
./i
Created attachment 95575 [details]
Updated ElectricFence package to fix free bug
I updated RawHide version.
freddy77
Should be fixed in ElectricFence-2.2.2-19 in rawhide. I actually took a different approach, calling Page_Delete for the guard pages (and in free) always, not just when EF_PROTECT_FREE and changing Page_Delete, so that it does Page_DenyAccess (== mprotect PROT_NONE) and madvise MADV_DONTNEED. |