Bug 470831 - [RHEL5] low-memory snprintf provokes internal segfault
Summary: [RHEL5] low-memory snprintf provokes internal segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: glibc
Version: 5.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jakub Jelinek
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-10 15:12 UTC by Jim Meyering
Modified: 2016-11-24 12:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-07 19:10:54 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Jim Meyering 2008-11-10 15:12:06 UTC 
Description of problem: libc6: low-memory snprintf provokes internal segfault
Note that the misbehavior is exhibited only when MALLOC_PERTURB_ is set to a nonzero value.

Version-Release number of selected component (if applicable):


How reproducible: every time
$ cat snprintf-test-debbug.c 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int
main(int argc, char **argv)
{
  char buf[200];
  char *fmt = argv[1];
  if (argc < 2)
    abort ();
  int n = snprintf (buf, sizeof buf, fmt, 1);
  return 0;
}
$ gcc snprintf-test-debbug.c
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=0 ./a.out %$[5*2**22]d'
$ zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
zsh: segmentation fault  zsh -f -c 'ulimit -v 5000; MALLOC_PERTURB_=9 ./a.out %$[5*2**22]d'
[Exit 139 (SEGV)]
$ dmesg |tail -1
a.out[28841]: segfault at 0000000000000000 rip 00000037fff75010 rsp 00007fffce9c1788 error 6
$ 


Steps to Reproduce: see above
1.
2.
3.
  
Actual results: see above


Expected results: no segfault from a.out


Additional info:
Comment 1 Ulrich Drepper 2008-11-15 14:39:55 UTC 
Probably this upstream patch from 2007-12-11:

retrieving revision 1.181
retrieving revision 1.182
diff -u -r1.181 -r1.182
--- malloc/malloc.c     2 Oct 2007 03:52:03 -0000       1.181
+++ malloc/malloc.c     11 Dec 2007 23:46:31 -0000      1.182
@@ -4475,7 +4475,7 @@
 
       We require that av->top always exists (i.e., has size >=
       MINSIZE) after initialization, so if it would otherwise be
-      exhuasted by current request, it is replenished. (The main
+      exhausted by current request, it is replenished. (The main
       reason for ensuring it exists is that we may need MINSIZE space
       to put in fenceposts in sysmalloc.)
     */
@@ -4515,7 +4515,7 @@
     */
     else {
       void *p = sYSMALLOc(nb, av);
-      if (__builtin_expect (perturb_byte, 0))
+      if (p != NULL && __builtin_expect (perturb_byte, 0))
        alloc_perturb (p, bytes);
       return p;
     }
Comment 2 Jakub Jelinek 2009-05-07 18:12:16 UTC 
I can't reproduce this with glibc-2.5-34 on x86_64 RHEL5.3, additionally the above mentioned patch is in RHEL5 glibc for quite some time (since glibc-2.5-20).
Comment 3 Jim Meyering 2009-05-07 18:56:18 UTC 
Oh!  the system on which I ran the above had this:

$ rpm -q glibc
glibc-2.4-11

I confirmed that on newer RHEL5, it's fixed.
Sorry I used an out of date system and didn't mention the version number.
Comment 4 Jakub Jelinek 2009-05-07 19:10:54 UTC 
Not 2.5-11?  RHEL5 GA shipped 2.5-12, RHEL4 2.3.*, 2.4 was only in some Fedora version.  Anyway, closing as ERRATA.
Note You need to log in before you can comment on or make changes to this bug.