This service will be undergoing maintenance at 20:00 UTC, 2017-04-03. It is expected to last about 30 minutes
Bug 85994 - SIGSEGV in malloc: __morecore clobbered by perror conflict with _IO_check_libio
SIGSEGV in malloc: __morecore clobbered by perror conflict with _IO_check_libio
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
9
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-03-11 17:36 EST by John Reiser
Modified: 2016-11-24 10:01 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-17 00:01:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Reiser 2003-03-11 17:36:18 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
malloc crashes with SIGSEGV at -1 when calling indirect through __morecore. 
__morecore was set to (int)_IO_pos_BAD by perror using a casted stderr, when the
value of stderr was _IO_stderr_ instead of _IO_2_1_stderr_
-----stdio-common/perror.c
    {
      /* We don't have to do any special hacks regarding the file
         position.  Since the stderr stream wasn't used so far we just
         write to the descriptor.  */
      perror_internal (fp, s, errnum);
      /* Close the stream.  */
      fclose (fp); 

      ((_IO_FILE *) stderr)->_offset = _IO_pos_BAD;
    }
-----

_dl_relocate_object first set stderr to _IO_2_1_stderr_, but the value of stderr
was changed to _IO_stderr_ by _IO_check_libio, called from __libc_global_ctors,
called from init, called from _dl_init_internal.
(_IO_stdin_used was 0, so _IO_check_libio [libio/oldstdfiles.c] changed stderr.)
 This created a problem because sizeof(_IO_stderr_) is less than
sizeof(_IO_2_1_stderr_); in particular the assignment by perror [using the
casted pointer] clobbers 4 bytes beyond _IO_stderr_, and those 4 bytes happen to
be __morecore.

Anyway, how can perror be sure that stderr is _IO_2_1_stderr_, and is not
_IO_stderr_ ?

This might be related to bug81259.

Version-Release number of selected component (if applicable):
glibc-2.3.1-46

How reproducible:
Always

Steps to Reproduce:
1. Run proprietary application linked on phoebe-3 (i686 [athlon] using
/lib/tls/libc-2.3.1.so).
2.
3.
    

Actual Results:  Program received signal SIGSEGV, Segmentation fault.
0xffffffff in ?? ()
(gdb) bt
#0  0xffffffff in ?? ()
#1  0x42074112 in malloc () from /lib/tls/libc.so.6
#2  0x42029552 in qsort () from /lib/tls/libc.so.6


Expected Results:  No SIGSEGV.

Additional info:
Comment 1 Ulrich Drepper 2003-04-17 00:01:12 EDT
Should be fixed in the CVS glibc version.
Comment 2 Ulrich Drepper 2003-11-04 16:33:31 EST
Should be fixed in RHL9 errata, test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/           
                                                                    

Note You need to log in before you can comment on or make changes to this bug.