Bug 85994

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
malloc crashes with SIGSEGV at -1 when calling indirect through __morecore. 
__morecore was set to (int)_IO_pos_BAD by perror using a casted stderr, when the
value of stderr was _IO_stderr_ instead of _IO_2_1_stderr_
-----stdio-common/perror.c
    {
      /* We don't have to do any special hacks regarding the file
         position.  Since the stderr stream wasn't used so far we just
         write to the descriptor.  */
      perror_internal (fp, s, errnum);
      /* Close the stream.  */
      fclose (fp); 

      ((_IO_FILE *) stderr)->_offset = _IO_pos_BAD;
    }
-----

_dl_relocate_object first set stderr to _IO_2_1_stderr_, but the value of stderr
was changed to _IO_stderr_ by _IO_check_libio, called from __libc_global_ctors,
called from init, called from _dl_init_internal.
(_IO_stdin_used was 0, so _IO_check_libio [libio/oldstdfiles.c] changed stderr.)
 This created a problem because sizeof(_IO_stderr_) is less than
sizeof(_IO_2_1_stderr_); in particular the assignment by perror [using the
casted pointer] clobbers 4 bytes beyond _IO_stderr_, and those 4 bytes happen to
be __morecore.

Anyway, how can perror be sure that stderr is _IO_2_1_stderr_, and is not
_IO_stderr_ ?

This might be related to bug81259.

Version-Release number of selected component (if applicable):
glibc-2.3.1-46

How reproducible:
Always

Steps to Reproduce:
1. Run proprietary application linked on phoebe-3 (i686 [athlon] using
/lib/tls/libc-2.3.1.so).
2.
3.
    

Actual Results:  Program received signal SIGSEGV, Segmentation fault.
0xffffffff in ?? ()
(gdb) bt
#0  0xffffffff in ?? ()
#1  0x42074112 in malloc () from /lib/tls/libc.so.6
#2  0x42029552 in qsort () from /lib/tls/libc.so.6


Expected Results:  No SIGSEGV.

Additional info: