Red Hat Bugzilla – Bug 470831
[RHEL5] low-memory snprintf provokes internal segfault
Last modified: 2016-11-24 07:06:53 EST
Description of problem: libc6: low-memory snprintf provokes internal segfault
Note that the misbehavior is exhibited only when MALLOC_PERTURB_ is set to a nonzero value.
Version-Release number of selected component (if applicable):
How reproducible: every time
$ cat snprintf-test-debbug.c
main(int argc, char **argv)
char *fmt = argv;
if (argc < 2)
int n = snprintf (buf, sizeof buf, fmt, 1);
$ gcc snprintf-test-debbug.c
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=0 ./a.out %$[5*2**22]d'
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
zsh: segmentation fault zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
[Exit 139 (SEGV)]
$ dmesg |tail -1
a.out: segfault at 0000000000000000 rip 00000037fff75010 rsp 00007fffce9c1788 error 6
Steps to Reproduce: see above
Actual results: see above
Expected results: no segfault from a.out
Probably this upstream patch from 2007-12-11:
retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- malloc/malloc.c 2 Oct 2007 03:52:03 -0000 1.181
+++ malloc/malloc.c 11 Dec 2007 23:46:31 -0000 1.182
@@ -4475,7 +4475,7 @@
We require that av->top always exists (i.e., has size >=
MINSIZE) after initialization, so if it would otherwise be
- exhuasted by current request, it is replenished. (The main
+ exhausted by current request, it is replenished. (The main
reason for ensuring it exists is that we may need MINSIZE space
to put in fenceposts in sysmalloc.)
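Review bot: comment-only spelling fix (exhuasted to exhausted) with no code change, so nothing to object to; note only that bundling it with the NULL-check fix in the same revision means anyone backporting the functional change has to carry or drop this unrelated hunk.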
@@ -4515,7 +4515,7 @@
void *p = sYSMALLOc(nb, av);
- if (__builtin_expect (perturb_byte, 0))
+ if (p != NULL && __builtin_expect (perturb_byte, 0))
alloc_perturb (p, bytes);
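Review bot: the `p != NULL &&` guard is the entire fix and it lines up with the crash in the report: sYSMALLOc returns NULL when the RLIMIT_AS-limited process cannot map the work buffer for a 20971520-wide conversion, and the old line then handed that NULL to alloc_perturb (p, bytes), which is the write fault at address 0 (`segfault at 0000000000000000 ... error 6`) in the dmesg line. It also explains why the bug needs MALLOC_PERTURB_ set: with perturb_byte zero the NULL from sYSMALLOc was simply returned to the caller. Since only this call site is touched, it is worth confirming that no other alloc_perturb caller can be reached with a pointer from a failed allocation.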
I can't reproduce this with glibc-2.5-34 on x86_64 RHEL5.3; additionally, the above-mentioned patch has been in RHEL5 glibc for quite some time (since glibc-2.5-20).
Oh! the system on which I ran the above had this:
$ rpm -q glibc
I confirmed that on newer RHEL5, it's fixed.
Sorry I used an out of date system and didn't mention the version number.
Not 2.5-11? RHEL5 GA shipped 2.5-12, RHEL4 2.3.*; 2.4 was only in some Fedora version. Anyway, closing as ERRATA.
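As an added example (not code from the bug report, from the reporter, or from glibc), the C program below turns the shell reproducer into a self-contained regression check and shows the fixed shape of the perturb step. It forks a child, lowers the soft RLIMIT_AS the way `ulimit -v 5000` does, calls snprintf with the same 5*2**22 field width as the report, and classifies the outcome: a normal return (the full would-be length, or -1 with errno ENOMEM) versus death by signal, which is what the original `Exit 139 (SEGV)` was. The helper names `perturbed_malloc` and `snprintf_survives_low_memory` and the 32-byte destination are my own choices; the `p != NULL` guard mirrors the second hunk of the patch, and the fill value `perturb_byte ^ 0xff` is the one glibc's alloc_perturb uses.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed shape of the perturb step from the patch's second hunk: the block is
 * only scribbled over when the allocation actually succeeded.  Before the fix
 * a NULL from a failed allocation went straight into the memset, which is the
 * write fault at address 0 in the report.  Helper name is ours; the fill value
 * perturb_byte ^ 0xff is the one glibc's alloc_perturb uses. */
static void *perturbed_malloc(size_t bytes, unsigned char perturb_byte)
{
    void *p = malloc(bytes);
    if (p != NULL && perturb_byte)
        memset(p, perturb_byte ^ 0xff, bytes);
    return p;
}

/* Re-run the report's reproducer in a child process under a soft RLIMIT_AS of
 * limit_kb KiB (what `ulimit -v 5000` does in the shell) and classify how the
 * child ended.  Returns 1 when snprintf came back normally (the full would-be
 * length, or -1 with errno == ENOMEM), 0 when the child was killed by a signal
 * (the SIGSEGV / exit 139 of the original report), -1 when the check could not
 * be run or produced an unexpected return value. */
static int snprintf_survives_low_memory(long limit_kb, int width)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0)
            _exit(100);
        rlim_t want = (rlim_t)limit_kb * 1024;
        if (rl.rlim_max != RLIM_INFINITY && want > rl.rlim_max)
            want = rl.rlim_max;          /* cannot raise the hard limit */
        rl.rlim_cur = want;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(101);

        /* "%*d" with width 20971520 is the same conversion as the report's
         * %$[5*2**22]d; the 32-byte destination forces truncation, and the
         * huge width is what makes vfprintf want a large internal buffer. */
        char buf[32];
        errno = 0;
        int n = snprintf(buf, sizeof buf, "%*d", width, 1);
        if (n == width)                  /* full length reported, nothing crashed */
            _exit(0);
        if (n < 0 && errno == ENOMEM)    /* graceful failure under the limit */
            _exit(0);
        _exit(1);                        /* some other result: flag it */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 0;                        /* killed, e.g. by SIGSEGV: the bug */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : -1;
}

int main(void)
{
    unsigned char *p = (unsigned char *)perturbed_malloc(64, 9);
    printf("MALLOC_PERTURB_=9 style fill byte: 0x%02x\n", p ? p[0] : 0);
    free(p);
    printf("absurd request gives %s\n",
           perturbed_malloc(SIZE_MAX / 2, 9) ? "a block" : "NULL (no crash)");

    int r = snprintf_survives_low_memory(5000, 5 * (1 << 22));
    printf("snprintf under ulimit -v 5000: %s\n",
           r == 1 ? "returned normally" : r == 0 ? "KILLED BY SIGNAL" : "inconclusive");
    return r == 1 ? 0 : 1;
}
```

Build with plain `gcc`; the process exits 0 when the child returns normally and 1 when it is killed, so the program can be dropped into a test suite as a regression check for this bug. Running the reproducer in a forked child is what makes the check safe to automate: a libc with the old code takes only the child down, and the parent reads the signal out of the wait status instead of dying itself.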