Bug 470831 - [RHEL5] low-memory snprintf provokes internal segfault
[RHEL5] low-memory snprintf provokes internal segfault
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jakub Jelinek
Depends On:
  Show dependency treegraph
Reported: 2008-11-10 10:12 EST by Jim Meyering
Modified: 2016-11-24 07:06 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-07 15:10:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jim Meyering 2008-11-10 10:12:06 EST
Description of problem: libc6: low-memory snprintf provokes internal segfault
Note that the misbehavior is exhibited only when MALLOC_PERTURB_ is set to a nonzero value.

Version-Release number of selected component (if applicable):

How reproducible: every time
$ cat snprintf-test-debbug.c 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
main(int argc, char **argv)
  char buf[200];
  char *fmt = argv[1];
  if (argc < 2)
    abort ();
  int n = snprintf (buf, sizeof buf, fmt, 1);
  return 0;
$ gcc snprintf-test-debbug.c
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=0 ./a.out %$[5*2**22]d'
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
zsh: segmentation fault  zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
[Exit 139 (SEGV)]
$ dmesg |tail -1
a.out[28841]: segfault at 0000000000000000 rip 00000037fff75010 rsp 00007fffce9c1788 error 6

Steps to Reproduce: see above
Actual results: see above

Expected results: no segfault from a.out

Additional info:
Comment 1 Ulrich Drepper 2008-11-15 09:39:55 EST
Probably this upstream patch from 2007-12-11:

retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- malloc/malloc.c     2 Oct 2007 03:52:03 -0000       1.181
+++ malloc/malloc.c     11 Dec 2007 23:46:31 -0000      1.182
@@ -4475,7 +4475,7 @@
       We require that av->top always exists (i.e., has size >=
       MINSIZE) after initialization, so if it would otherwise be
-      exhuasted by current request, it is replenished. (The main
+      exhausted by current request, it is replenished. (The main
       reason for ensuring it exists is that we may need MINSIZE space
       to put in fenceposts in sysmalloc.)
@@ -4515,7 +4515,7 @@
     else {
       void *p = sYSMALLOc(nb, av);
-      if (__builtin_expect (perturb_byte, 0))
+      if (p != NULL && __builtin_expect (perturb_byte, 0))
        alloc_perturb (p, bytes);
       return p;
Comment 2 Jakub Jelinek 2009-05-07 14:12:16 EDT
I can't reproduce this with glibc-2.5-34 on x86_64 RHEL5.3, additionally the above mentioned patch is in RHEL5 glibc for quite some time (since glibc-2.5-20).
Comment 3 Jim Meyering 2009-05-07 14:56:18 EDT
Oh!  the system on which I ran the above had this:

$ rpm -q glibc

I confirmed that on newer RHEL5, it's fixed.
Sorry I used an out of date system and didn't mention the version number.
Comment 4 Jakub Jelinek 2009-05-07 15:10:54 EDT
Not 2.5-11?  RHEL5 GA shipped 2.5-12, RHEL4 2.3.*, 2.4 was only in some Fedora version.  Anyway, closing as ERRATA.

Note You need to log in before you can comment on or make changes to this bug.