Bug 154504 - Segmentation fault in initstate_r () from /lib/tls/libc.so.6
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: glibc
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Jakub Jelinek
QA Contact: Brian Brock
Duplicates: 154505
Reported: 2005-04-12 06:12 EDT by Mateusz Ploskon
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.3.5-1
Doc Type: Bug Fix
Last Closed: 2005-04-28 08:39:45 EDT
Description Mateusz Ploskon 2005-04-12 06:12:40 EDT

Description of problem:
/* following code compiled with
 *   gcc -g -O3 -ansi -pedantic -save-temps test.c
 * causes:
 *   Program received signal SIGSEGV, Segmentation fault.
 *   0x0040d130 in initstate_r () from /lib/tls/libc.so.6
 */

#define _GNU_SOURCE   /* strfry() is a GNU extension; without this <string.h> does not declare it */
#include <stdio.h>
#include <string.h>

int main(void)
{
  char s[255];
  sprintf(s, "%s", "ala ma kota");

  strfry(s);          /* first call seeds strfry's static random_data via initstate_r(); the crash is inside that call */
  return 0;
}
 

Version-Release number of selected component (if applicable):
libc-2.3.5.so

How reproducible:
Always

Steps to Reproduce:
1. compile the code in the description
2. run a.out

Additional info:

> gcc -v 
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs 
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man 
--infodir=/usr/share/info --enable-shared --enable-threads=posix 
--disable-checking --with-system-zlib --enable-__cxa_atexit 
--disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux 
Thread model: posix 
gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)
Comment 1 Mateusz Ploskon 2005-04-12 06:51:50 EDT
*** Bug 154505 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Jelinek 2005-04-12 10:43:36 EDT
This ought to be fixed by
http://sources.redhat.com/bugzilla/show_bug.cgi?id=710#c5
Comment 3 Marcus Sharpe 2005-04-14 08:55:56 EDT
(In reply to comment #2)
> This ought to be fixed by
> http://sources.redhat.com/bugzilla/show_bug.cgi?id=710#c5

The last patch added to that bug report (glibc-2.3.4-fix-initstate_r.patch) has
an extra check to ensure buf->state is non-NULL before saving the state. This
extra check doesn't seem to have made it into glibc 2.3.5, and so I get the
following backtrace with the above test app:

Program received signal SIGSEGV, Segmentation fault.
__initstate_r (seed=3898788, arg_state=0x3b7dc0 "", n=32, buf=0x3b7da4)
    at random_r.c:252
252         old_state[-1] = TYPE_0;
(gdb) bt
#0  __initstate_r (seed=3898788, arg_state=0x3b7dc0 "", n=32, buf=0x3b7da4)
    at random_r.c:252
#1  0x002fab5c in strfry (string=0xbffff570 "ala ma kota") at strfry.c:35
#2  0x080483a1 in main () at test.c:9
(gdb) p old_state
$1 = (int32_t *) 0x0
(gdb) p buf->state
$2 = (int32_t *) 0x0

This is with glibc-2.3.5-0.fc3.1
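Comment 3 pins the crash down: strfry() seeds its static `struct random_data` on first use, so `buf->state` is still NULL when __initstate_r() runs, and the pre-fix code wrote `old_state[-1] = TYPE_0` through that NULL pointer before the "is there an old state at all" guard existed. The program below is an added example, not the reporter's code and not glibc's own. It shows the caller-side discipline the reentrant API expects: zero the `struct random_data` so `state` is NULL before the first initstate_r() (which is exactly the input the fix has to tolerate), hand it a caller-owned 128-byte buffer (n=32 int32_t, the same size as in the backtrace above), and do the Fisher-Yates shuffle strfry() does, on top of random_r(), so the state is reentrant and reproducible. `has_previous_state()` mirrors the NULL check the fix added; `shuffler`, `shuffle_string` and `same_multiset` are names chosen here, and the input string is a constructed sample.

```c
#define _GNU_SOURCE          /* initstate_r()/random_r() are glibc extensions */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Caller-owned PRNG state for the reentrant glibc API.
 * struct random_data MUST be zeroed before the first initstate_r() call:
 * glibc treats buf->state == NULL as "no previous state to save", which is
 * the case the pre-fix __initstate_r() dereferenced. */
struct shuffler {
    struct random_data rd;
    int32_t state_buf[32];   /* 128 bytes, the same n=32 buffer size strfry() uses (assumed here) */
};

/* Mirrors the guard the fix added to __initstate_r(): the old state block
 * (old_state[-1]) may only be written when there actually is an old state.
 * Returns 1 if a previous state exists, 0 if the buffer is fresh. */
static int has_previous_state(const struct random_data *buf)
{
    return buf->state != NULL;
}

/* Zero the state (rd.state == NULL) and seed it. Returns initstate_r()'s
 * result: 0 on success, -1 on error. */
static int shuffler_init(struct shuffler *s, unsigned int seed)
{
    memset(s, 0, sizeof *s);
    return initstate_r(seed, (char *)s->state_buf, sizeof s->state_buf, &s->rd);
}

/* Fisher-Yates shuffle of a NUL-terminated string, the job strfry() does,
 * but with state the caller controls. random_r() yields 0..RAND_MAX, so the
 * modulo is on a non-negative value. Returns str. */
static char *shuffle_string(struct shuffler *s, char *str)
{
    size_t len = strlen(str);
    for (size_t i = len; i > 1; i--) {
        int32_t r = 0;
        random_r(&s->rd, &r);
        size_t j = (size_t)r % i;
        char tmp = str[i - 1];
        str[i - 1] = str[j];
        str[j] = tmp;
    }
    return str;
}

/* 1 if a is a permutation of b (same bytes with the same counts), else 0. */
static int same_multiset(const char *a, const char *b)
{
    unsigned counts[256] = {0};
    if (strlen(a) != strlen(b))
        return 0;
    for (; *a; a++)
        counts[(unsigned char)*a]++;
    for (; *b; b++)
        if (counts[(unsigned char)*b]-- == 0)
            return 0;
    return 1;
}

int main(void)
{
    struct shuffler s;
    char text[] = "ala ma kota";   /* constructed sample, the reporter's string */

    if (shuffler_init(&s, 12345) != 0) {
        perror("initstate_r");
        return 1;
    }
    printf("previous state before first use: %d\n", has_previous_state(&s.rd));
    printf("before: %s\n", text);
    shuffle_string(&s, text);
    printf("after:  %s\n", text);
    return 0;
}
```

Two properties matter for the practitioner: a freshly zeroed `struct random_data` reports no previous state (the input that crashed the old glibc), and two shufflers seeded identically produce identical permutations, which is what a caller-owned state buys you over strfry()'s process-wide static state.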
Comment 4 Jakub Jelinek 2005-04-15 14:32:25 EDT
The fix was committed to glibc CVS on Apr, 12th, so it is not in any glibc
rpm yet.
Comment 5 Jakub Jelinek 2005-04-28 08:39:45 EDT
Should be fixed in glibc-2.3.5-1 in rawhide.
