Download http://www.kernel.org/pub/linux/libs/klibc/ version 185 and try to build it. make ash will fail with a segfault in /bin/sh, 100% reproducible. Stock Fedora Core 2, up to date. I upgraded to glibc-2.3.3-53 from FC3 and the fault is still there.

#0  0x00aac3bd in __gconv_transform_utf8_internal () from /lib/tls/libc.so.6
#1  0x00afec2c in mbrtowc () from /lib/tls/libc.so.6
#2  0x0807aebc in word_list_remove_quoted_nulls ()
#3  0x0807b4c6 in word_list_remove_quoted_nulls ()
#4  0x0807daf9 in pat_subst ()
#5  0x0807e73e in pat_subst ()
#6  0x0807ebac in pat_subst ()
#7  0x0807ec9f in pat_subst ()
#8  0x0807fb3e in expand_words_shellexp ()
#9  0x00000000 in ?? ()

sh mknodes.sh nodetypes nodes.c.pat .
ln -sf bltin/test.c test.c
sh mkinit.sh arith.c arith_lex.c builtins.c cd.c echo.c error.c eval.c exec.c expand.c input.c jobs.c main.c memalloc.c miscbltin.c mystring.c nodes.c options.c parser.c redir.c show.c syntax.c trap.c output.c var.c test.c
make[1]: *** [init.c] Segmentation fault
make[1]: Leaving directory `/home/dri/klibc-0.185/ash'
make: *** [all] Error 2
[jonsmirl@smirl klibc-0.185]$
I can't reproduce this. So, I need at least:

1) what locale you are using ($LANG and $LC_* env vars you have set)
2) run the /bin/sh that dies under ltrace; I need the exact routine that is called immediately before the segfault (my guess is mbrtowc, but I need to know what arguments have been passed to it)
3) run it under strace to see what iconv modules have been loaded, what files were statted, etc.
Created attachment 105375: strace

Created attachment 105376: environment
ltrace has been running half an hour and the output is over 1GB. It still hasn't hit the segfault. It's getting millions of errors:

<unfinished ...>
malloc(112Error: call nesting too deep!
<unfinished ...>
strlen("["Error: call nesting too deep!
<unfinished ...>
__ctype_get_mb_cur_max(0x80e1198, 0xbfffd870, 0x80e7459, 0, 0xbfffd874Error: call nesting too deep!
<unfinished ...>
mbrtowc(0, 0x80e1198, 1, 0xbfffd8c8, 0xbfffd874Error: call nesting too deep!
<unfinished ...>
malloc(2Error: call nesting too deep!
ltrace still hadn't finished after 2GB of output. It was getting slower and slower, so I killed it.

Fault is on movzbl (%edx),%esi. edx is wrong at 0x80fD000; it was loaded from a structure at +197. Here's a disassembly:

Program received signal SIGSEGV, Segmentation fault.
0x422f43cd in __gconv_transform_utf8_internal () from /lib/tls/libc.so.6
(gdb) disas __gconv_transform_utf8_internal
Dump of assembler code for function __gconv_transform_utf8_internal:
0x422f42d0 <__gconv_transform_utf8_internal+0>:    push %ebp
0x422f42d1 <__gconv_transform_utf8_internal+1>:    mov %esp,%ebp
0x422f42d3 <__gconv_transform_utf8_internal+3>:    push %edi
0x422f42d4 <__gconv_transform_utf8_internal+4>:    push %esi
0x422f42d5 <__gconv_transform_utf8_internal+5>:    push %ebx
0x422f42d6 <__gconv_transform_utf8_internal+6>:    sub $0xe4,%esp
0x422f42dc <__gconv_transform_utf8_internal+12>:   mov 0xc(%ebp),%edx
0x422f42df <__gconv_transform_utf8_internal+15>:   movl $0x0,0xffffffc8(%ebp)
0x422f42e6 <__gconv_transform_utf8_internal+22>:   mov 0x8(%ebp),%eax
0x422f42e9 <__gconv_transform_utf8_internal+25>:   call 0x422ee901 <__i686.get_pc_thunk.bx>
0x422f42ee <__gconv_transform_utf8_internal+30>:   add $0x105d0e,%ebx
0x422f42f4 <__gconv_transform_utf8_internal+36>:   mov 0xc(%ebp),%edi
0x422f42f7 <__gconv_transform_utf8_internal+39>:   mov 0x8(%edx),%ecx
0x422f42fa <__gconv_transform_utf8_internal+42>:   add $0x3c,%eax
0x422f42fd <__gconv_transform_utf8_internal+45>:   mov %eax,0xffffffd0(%ebp)
0x422f4300 <__gconv_transform_utf8_internal+48>:   add $0x24,%edi
0x422f4303 <__gconv_transform_utf8_internal+51>:   mov 0x20(%ebp),%esi
0x422f4306 <__gconv_transform_utf8_internal+54>:   mov %edi,0xffffffcc(%ebp)
0x422f4309 <__gconv_transform_utf8_internal+57>:   test $0x1,%cl
0x422f430c <__gconv_transform_utf8_internal+60>:   mov %ecx,0xffffff68(%ebp)
0x422f4312 <__gconv_transform_utf8_internal+66>:   jne 0x422f431a <__gconv_transform_utf8_internal+74>
0x422f4314 <__gconv_transform_utf8_internal+68>:   mov 0x14(%eax),%eax
0x422f4317 <__gconv_transform_utf8_internal+71>:   mov %eax,0xffffffc8(%ebp)
0x422f431a <__gconv_transform_utf8_internal+74>:   test %esi,%esi
0x422f431c <__gconv_transform_utf8_internal+76>:   jne 0x422f4856 <__gconv_transform_utf8_internal+1414>
0x422f4322 <__gconv_transform_utf8_internal+82>:   mov 0x18(%ebp),%ecx
0x422f4325 <__gconv_transform_utf8_internal+85>:   mov 0x10(%ebp),%edx
0x422f4328 <__gconv_transform_utf8_internal+88>:   test %ecx,%ecx
0x422f432a <__gconv_transform_utf8_internal+90>:   mov (%edx),%edi
0x422f432c <__gconv_transform_utf8_internal+92>:   jne 0x422f48bb <__gconv_transform_utf8_internal+1515>
0x422f4332 <__gconv_transform_utf8_internal+98>:   mov 0xc(%ebp),%eax
0x422f4335 <__gconv_transform_utf8_internal+101>:  mov (%eax),%esi
0x422f4337 <__gconv_transform_utf8_internal+103>:  mov %esi,0xffffffc0(%ebp)
0x422f433a <__gconv_transform_utf8_internal+106>:  movl $0x0,0xffffffb4(%ebp)
0x422f4341 <__gconv_transform_utf8_internal+113>:  mov 0xc(%ebp),%eax
0x422f4344 <__gconv_transform_utf8_internal+116>:  mov 0xffffffc0(%ebp),%ecx
0x422f4347 <__gconv_transform_utf8_internal+119>:  movl $0x0,0xffffffe0(%ebp)
0x422f434e <__gconv_transform_utf8_internal+126>:  mov 0x1c(%ebp),%edx
0x422f4351 <__gconv_transform_utf8_internal+129>:  mov 0x4(%eax),%esi
0x422f4354 <__gconv_transform_utf8_internal+132>:  mov %ecx,0xffffff4c(%ebp)
0x422f435a <__gconv_transform_utf8_internal+138>:  lea 0xffffffdc(%ebp),%eax
0x422f435d <__gconv_transform_utf8_internal+141>:  test %edx,%edx
0x422f435f <__gconv_transform_utf8_internal+143>:  mov %ecx,0xffffffdc(%ebp)
0x422f4362 <__gconv_transform_utf8_internal+146>:  lea 0xffffffe0(%ebp),%ecx
0x422f4365 <__gconv_transform_utf8_internal+149>:  cmove 0xffffffb4(%ebp),%ecx
0x422f4369 <__gconv_transform_utf8_internal+153>:  mov %esi,0xffffffbc(%ebp)
0x422f436c <__gconv_transform_utf8_internal+156>:  mov 0x24(%ebp),%esi
0x422f436f <__gconv_transform_utf8_internal+159>:  mov %eax,0xffffff60(%ebp)
0x422f4375 <__gconv_transform_utf8_internal+165>:  mov %ecx,0xffffffb4(%ebp)
0x422f4378 <__gconv_transform_utf8_internal+168>:  test %esi,%esi
0x422f437a <__gconv_transform_utf8_internal+170>:  jne 0x422f44ec <__gconv_transform_utf8_internal+540>
0x422f4380 <__gconv_transform_utf8_internal+176>:  mov %edi,0xffffffc4(%ebp)
0x422f4383 <__gconv_transform_utf8_internal+179>:  mov 0x14(%ebp),%eax
0x422f4386 <__gconv_transform_utf8_internal+182>:  mov 0xffffff4c(%ebp),%edx
0x422f438c <__gconv_transform_utf8_internal+188>:  movl $0x4,0xffffff94(%ebp)
0x422f4393 <__gconv_transform_utf8_internal+195>:  cmp %eax,%edi
0x422f4395 <__gconv_transform_utf8_internal+197>:  mov %edx,0xffffffb8(%ebp)
0x422f4398 <__gconv_transform_utf8_internal+200>:  mov %edi,0xffffff30(%ebp)
0x422f439e <__gconv_transform_utf8_internal+206>:  mov %edx,0xffffff90(%ebp)
0x422f43a1 <__gconv_transform_utf8_internal+209>:  je 0x422f4400 <__gconv_transform_utf8_internal+304>
0x422f43a3 <__gconv_transform_utf8_internal+211>:  lea 0x0(%esi),%esi
0x422f43a9 <__gconv_transform_utf8_internal+217>:  lea 0x0(%edi),%edi
0x422f43b0 <__gconv_transform_utf8_internal+224>:  mov 0xffffff90(%ebp),%edi
0x422f43b3 <__gconv_transform_utf8_internal+227>:  mov 0xffffffbc(%ebp),%esi
0x422f43b6 <__gconv_transform_utf8_internal+230>:  add $0x4,%edi
0x422f43b9 <__gconv_transform_utf8_internal+233>:  mov %edi,0xffffff50(%ebp)
0x422f43bf <__gconv_transform_utf8_internal+239>:  cmp %esi,%edi
0x422f43c1 <__gconv_transform_utf8_internal+241>:  ja 0x422f480b <__gconv_transform_utf8_internal+1339>
0x422f43c7 <__gconv_transform_utf8_internal+247>:  mov 0xffffff30(%ebp),%edx
0x422f43cd <__gconv_transform_utf8_internal+253>:  movzbl (%edx),%esi
0x422f43d0 <__gconv_transform_utf8_internal+256>:  cmp $0x7f,%esi
0x422f43d3 <__gconv_transform_utf8_internal+259>:  ja 0x422f4646 <__gconv_transform_utf8_internal+886>
0x422f43d9 <__gconv_transform_utf8_internal+265>:  inc %edx
0x422f43da <__gconv_transform_utf8_internal+266>:  mov %edx,0xffffff30(%ebp)
0x422f43e0 <__gconv_transform_utf8_internal+272>:  mov 0xffffff90(%ebp),%ecx
0x422f43e3 <__gconv_transform_utf8_internal+275>:  mov %esi,(%ecx)
0x422f43e5 <__gconv_transform_utf8_internal+277>:  mov 0xffffff50(%ebp),%esi
0x422f43eb <__gconv_transform_utf8_internal+283>:  mov %esi,0xffffff90(%ebp)
0x422f43ee <__gconv_transform_utf8_internal+286>:  mov 0x14(%ebp),%eax
0x422f43f1 <__gconv_transform_utf8_internal+289>:  cmp %eax,0xffffff30(%ebp)
0x422f43f7 <__gconv_transform_utf8_internal+295>:  jne 0x422f43b0 <__gconv_transform_utf8_internal+224>
0x422f43f9 <__gconv_transform_utf8_internal+297>:  lea 0x0(%esi),%esi
0x422f4400 <__gconv_transform_utf8_internal+304>:  mov 0xffffff60(%ebp),%edi
0x422f4406 <__gconv_transform_utf8_internal+310>:  mov 0xffffff30(%ebp),%eax
0x422f440c <__gconv_transform_utf8_internal+316>:  mov 0x10(%ebp),%ecx
0x422f440f <__gconv_transform_utf8_internal+319>:  mov 0xffffff90(%ebp),%esi
0x422f4412 <__gconv_transform_utf8_internal+322>:  mov %eax,(%ecx)
0x422f4414 <__gconv_transform_utf8_internal+324>:  mov %esi,(%edi)
0x422f4416 <__gconv_transform_utf8_internal+326>:  mov 0xffffff94(%ebp),%edi
0x422f4419 <__gconv_transform_utf8_internal+329>:  mov 0x18(%ebp),%edx
0x422f441c <__gconv_transform_utf8_internal+332>:  test %edx,%edx
0x422f441e <__gconv_transform_utf8_internal+334>:  jne 0x422f4784 <__gconv_transform_utf8_internal+1204>
0x422f4424 <__gconv_transform_utf8_internal+340>:  mov 0xc(%ebp),%ecx
0x422f4427 <__gconv_transform_utf8_internal+343>:  mov 0x20(%ecx),%esi
0x422f442a <__gconv_transform_utf8_internal+346>:  test %esi,%esi
0x422f442c <__gconv_transform_utf8_internal+348>:  je 0x422f4442 <__gconv_transform_utf8_internal+370>
0x422f442e <__gconv_transform_utf8_internal+350>:  mov %esi,%esi
0x422f4430 <__gconv_transform_utf8_internal+352>:  mov 0x4(%esi),%eax
0x422f4433 <__gconv_transform_utf8_internal+355>:  test %eax,%eax
0x422f4435 <__gconv_transform_utf8_internal+357>:  jne 0x422f47d1 <__gconv_transform_utf8_internal+1281>
0x422f443b <__gconv_transform_utf8_internal+363>:  mov 0x10(%esi),%esi
0x422f443e <__gconv_transform_utf8_internal+366>:  test %esi,%esi
0x422f4440 <__gconv_transform_utf8_internal+368>:  jne 0x422f4430 <__gconv_transform_utf8_internal+352>
0x422f4442 <__gconv_transform_utf8_internal+370>:  mov 0xc(%ebp),%eax
0x422f4445 <__gconv_transform_utf8_internal+373>:  incl 0xc(%eax)
0x422f4448 <__gconv_transform_utf8_internal+376>:  testb $0x1,0x8(%eax)
0x422f444c <__gconv_transform_utf8_internal+380>:  jne 0x422f4970 <__gconv_transform_utf8_internal+1696>
0x422f4452 <__gconv_transform_utf8_internal+386>:  mov 0xffffff4c(%ebp),%esi
0x422f4458 <__gconv_transform_utf8_internal+392>:  cmp %esi,0xffffffdc(%ebp)
0x422f445b <__gconv_transform_utf8_internal+395>:  jbe 0x422f44c3 <__gconv_transform_utf8_internal+499>
0x422f445d <__gconv_transform_utf8_internal+397>:  mov (%eax),%edx
0x422f445f <__gconv_transform_utf8_internal+399>:  mov 0xffffffc8(%ebp),%eax
0x422f4462 <__gconv_transform_utf8_internal+402>:  mov %edx,0xffffffd4(%ebp)
0x422f4465 <__gconv_transform_utf8_internal+405>:  mov %eax,(%esp)
0x422f4468 <__gconv_transform_utf8_internal+408>:  call 0x423d19a0 <_dl_mcount_wrapper_check>
0x422f446d <__gconv_transform_utf8_internal+413>:  mov 0x24(%ebp),%esi
0x422f4470 <__gconv_transform_utf8_internal+416>:  xor %eax,%eax
0x422f4472 <__gconv_transform_utf8_internal+418>:  xor %ecx,%ecx
0x422f4474 <__gconv_transform_utf8_internal+420>:  mov %eax,0x10(%esp)
0x422f4478 <__gconv_transform_utf8_internal+424>:  mov 0x1c(%ebp),%edx
0x422f447b <__gconv_transform_utf8_internal+427>:  mov 0xffffffd0(%ebp),%eax
0x422f447e <__gconv_transform_utf8_internal+430>:  mov %esi,0x1c(%esp)
0x422f4482 <__gconv_transform_utf8_internal+434>:  mov 0xffffffdc(%ebp),%esi
0x422f4485 <__gconv_transform_utf8_internal+437>:  mov %edx,0x14(%esp)
0x422f4489 <__gconv_transform_utf8_internal+441>:  mov 0xffffffcc(%ebp),%edx
0x422f448c <__gconv_transform_utf8_internal+444>:  mov %ecx,0x18(%esp)
0x422f4490 <__gconv_transform_utf8_internal+448>:  lea 0xffffffd4(%ebp),%ecx
0x422f4493 <__gconv_transform_utf8_internal+451>:  mov %esi,0xc(%esp)
0x422f4497 <__gconv_transform_utf8_internal+455>:  mov %ecx,0x8(%esp)
0x422f449b <__gconv_transform_utf8_internal+459>:  mov %edx,0x4(%esp)
0x422f449f <__gconv_transform_utf8_internal+463>:  mov %eax,(%esp)
0x422f44a2 <__gconv_transform_utf8_internal+466>:  call *0xffffffc8(%ebp)
0x422f44a5 <__gconv_transform_utf8_internal+469>:  mov %eax,0xffffff88(%ebp)
0x422f44a8 <__gconv_transform_utf8_internal+472>:  cmp $0x4,%eax
0x422f44ab <__gconv_transform_utf8_internal+475>:  je 0x422f4817 <__gconv_transform_utf8_internal+1351>
0x422f44b1 <__gconv_transform_utf8_internal+481>:  mov 0xffffffd4(%ebp),%edi
0x422f44b4 <__gconv_transform_utf8_internal+484>:  cmp 0xffffffdc(%ebp),%edi
0x422f44b7 <__gconv_transform_utf8_internal+487>:  mov %edi,0xffffff84(%ebp)
0x422f44ba <__gconv_transform_utf8_internal+490>:  jne 0x422f48c8 <__gconv_transform_utf8_internal+1528>
0x422f44c0 <__gconv_transform_utf8_internal+496>:  mov 0xffffff88(%ebp),%edi
0x422f44c3 <__gconv_transform_utf8_internal+499>:  test %edi,%edi
0x422f44c5 <__gconv_transform_utf8_internal+501>:  jne 0x422f4980 <__gconv_transform_utf8_internal+1712>
0x422f44cb <__gconv_transform_utf8_internal+507>:  mov 0xc(%ebp),%edi
0x422f44ce <__gconv_transform_utf8_internal+510>:  mov 0x10(%ebp),%ecx
0x422f44d1 <__gconv_transform_utf8_internal+513>:  mov (%edi),%eax
0x422f44d3 <__gconv_transform_utf8_internal+515>:  mov 0x8(%edi),%edx
0x422f44d6 <__gconv_transform_utf8_internal+518>:  mov %eax,0xffffffdc(%ebp)
0x422f44d9 <__gconv_transform_utf8_internal+521>:  mov (%ecx),%edi
0x422f44db <__gconv_transform_utf8_internal+523>:  mov %eax,0xffffff4c(%ebp)
0x422f44e1 <__gconv_transform_utf8_internal+529>:  mov %edx,0xffffff68(%ebp)
0x422f44e7 <__gconv_transform_utf8_internal+535>:  jmp 0x422f4380 <__gconv_transform_utf8_internal+176>
0x422f44ec <__gconv_transform_utf8_internal+540>:  mov 0xc(%ebp),%esi
0x422f44ef <__gconv_transform_utf8_internal+543>:  mov 0x14(%esi),%edx
0x422f44f2 <__gconv_transform_utf8_internal+546>:  mov (%edx),%eax
0x422f44f4 <__gconv_transform_utf8_internal+548>:  mov %edx,0xffffffb0(%ebp)
0x422f44f7 <__gconv_transform_utf8_internal+551>:  test $0x7,%al
0x422f44f9 <__gconv_transform_utf8_internal+553>:  je 0x422f4380 <__gconv_transform_utf8_internal+176>
0x422f44ff <__gconv_transform_utf8_internal+559>:  movl $0x0,0xffffffa4(%ebp)
0x422f4506 <__gconv_transform_utf8_internal+566>:  mov 0xffffff4c(%ebp),%edx
0x422f450c <__gconv_transform_utf8_internal+572>:  movzbl %al,%esi
0x422f450f <__gconv_transform_utf8_internal+575>:  mov %edi,0xffffffd8(%ebp)
0x422f4512 <__gconv_transform_utf8_internal+578>:  mov 0xffffffb0(%ebp),%ecx
0x422f4515 <__gconv_transform_utf8_internal+581>:  mov %edx,0xffffffa0(%ebp)
0x422f4518 <__gconv_transform_utf8_internal+584>:  mov 0x4(%ecx),%edx
0x422f451b <__gconv_transform_utf8_internal+587>:  mov %eax,%ecx
0x422f451d <__gconv_transform_utf8_internal+589>:  sar $0x8,%ecx
0x422f4520 <__gconv_transform_utf8_internal+592>:  movzbl 0xfffe1017(%ebx,%ecx,1),%eax
0x422f4528 <__gconv_transform_utf8_internal+600>:  mov %al,0xffffffe4(%ebp)
0x422f452b <__gconv_transform_utf8_internal+603>:  dec %ecx
0x422f452c <__gconv_transform_utf8_internal+604>:  cmp %esi,%ecx
0x422f452e <__gconv_transform_utf8_internal+606>:  jae 0x422f453a <__gconv_transform_utf8_internal+618>
0x422f4530 <__gconv_transform_utf8_internal+608>:  mov %dl,%al
0x422f4532 <__gconv_transform_utf8_internal+610>:  and $0x3f,%al
0x422f4534 <__gconv_transform_utf8_internal+612>:  or $0x80,%al
0x422f4536 <__gconv_transform_utf8_internal+614>:  mov %al,0xffffffe4(%ebp,%ecx,1)
0x422f453a <__gconv_transform_utf8_internal+618>:  shr $0x6,%edx
0x422f453d <__gconv_transform_utf8_internal+621>:  cmp $0x1,%ecx
0x422f4540 <__gconv_transform_utf8_internal+624>:  ja 0x422f452b <__gconv_transform_utf8_internal+603>
0x422f4542 <__gconv_transform_utf8_internal+626>:  or 0xffffffe4(%ebp),%dl
0x422f4545 <__gconv_transform_utf8_internal+629>:  mov 0xffffffd8(%ebp),%ecx
0x422f4548 <__gconv_transform_utf8_internal+632>:  mov %ecx,%eax
0x422f454a <__gconv_transform_utf8_internal+634>:  mov %dl,0xffffffe4(%ebp)
0x422f454d <__gconv_transform_utf8_internal+637>:  sub %esi,%eax
0x422f454f <__gconv_transform_utf8_internal+639>:  inc %eax
0x422f4550 <__gconv_transform_utf8_internal+640>:  cmp 0x14(%ebp),%eax
0x422f4553 <__gconv_transform_utf8_internal+643>:  ja 0x422f4c4d <__gconv_transform_utf8_internal+2429>
0x422f4559 <__gconv_transform_utf8_internal+649>:  mov 0xffffffc0(%ebp),%eax
0x422f455c <__gconv_transform_utf8_internal+652>:  mov 0xffffffbc(%ebp),%edx
0x422f455f <__gconv_transform_utf8_internal+655>:  add $0x4,%eax
0x422f4562 <__gconv_transform_utf8_internal+658>:  mov %eax,0xffffff48(%ebp)
0x422f4568 <__gconv_transform_utf8_internal+664>:  mov $0x5,%eax
0x422f456d <__gconv_transform_utf8_internal+669>:  cmp %edx,0xffffff48(%ebp)
0x422f4573 <__gconv_transform_utf8_internal+675>:  ja 0x422f461f <__gconv_transform_utf8_internal+847>
The instruction in question is ch = *inptr in:

    /* Next input byte.  */                                                  \
    ch = *inptr;                                                             \
                                                                             \
    if (ch < 0x80)                                                           \
      {                                                                      \
        /* One byte sequence.  */                                            \
        cnt = 1;                                                             \
        ++inptr;                                                             \
      }                                                                      \
    else ...

Can you, as soon as it segfaults, on another console cat /proc/<PID>/maps and verify that there is a valid memory area right before %edx and that %edx is the start of a not-mapped page? If yes, then it is likely the fault of the caller, which hasn't specified the length of the source string properly. So, the arguments passed to mbrtowc plus the /proc/<PID>/maps content at the time of the crash are the information that is needed.

It is very likely it is the shell passing wrong arguments to mbrtowc (mbrtowc simply takes the address of the pointer passed to it and s + n and passes that to __gconv_transform_utf8_internal, so it is very unlikely there is a bug there), in which case this would be a shell bug, not a glibc bug (but you should in that case verify first whether it hasn't been fixed in sh already).
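The /proc/<PID>/maps check requested above, as an added example that is not part of this bug thread: it parses the maps text and reports whether a faulting address lies inside a mapping, is the first byte past the end of a mapping (the length-overrun pattern suspected here), or is unrelated to any mapping. The maps text and the /bin/sh layout in it are constructed for the example; only the %edx value 0x80fd000 comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* How a faulting address relates to the process's /proc/<PID>/maps. */
enum fault_kind {
    FAULT_MAPPED,          /* inside a mapping: not a simple read past a buffer end */
    FAULT_PAST_END,        /* first byte after a mapping: valid area right before it */
    FAULT_UNMAPPED_OTHER   /* unmapped and not adjacent to any mapping: wild pointer */
};

/* maps: text of /proc/<PID>/maps, one "start-end perms offset dev inode path" line
 * per mapping (32-bit x86 layout as in the report).  addr: %edx at the crash. */
enum fault_kind classify_fault(const char *maps, unsigned long addr)
{
    enum fault_kind kind = FAULT_UNMAPPED_OTHER;
    const char *line = maps;

    while (*line != '\0') {
        unsigned long start, end;
        const char *nl;

        /* Only the address range matters; permissions and path are ignored. */
        if (sscanf(line, "%lx-%lx", &start, &end) == 2) {
            if (addr >= start && addr < end)
                return FAULT_MAPPED;
            if (addr == end)            /* a valid area ends exactly at addr */
                kind = FAULT_PAST_END;
        }
        nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return kind;
}

/* Constructed sample maps (not from the thread): the heap ends exactly at the
 * reported %edx value 0x80fd000, so the classification can be checked offline. */
static const char sample_maps[] =
    "08048000-080c1000 r-xp 00000000 03:02 12345      /bin/sh\n"
    "080c1000-080c3000 rw-p 00078000 03:02 12345      /bin/sh\n"
    "080c3000-080fd000 rw-p 00000000 00:00 0          [heap]\n"
    "42000000-42130000 r-xp 00000000 03:02 67890      /lib/tls/libc.so.6\n";

int main(void)
{
    static const char *names[] = {
        "mapped", "first byte past a mapping", "unmapped, not adjacent"
    };
    unsigned long edx = 0x080fd000UL;   /* value from the gdb session above */

    printf("0x%08lx: %s\n", edx, names[classify_fault(sample_maps, edx)]);
    return 0;
}
```

On a live process, read /proc/<PID>/maps into a buffer and pass it to classify_fault with the register value from gdb; a FAULT_PAST_END result is what points at the caller's length argument rather than at the converter.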
It's a bug in bash that has been fixed.

Broken in FC2 - bash-2.05b-38
Fixed in FC3 - bash-3.0-16