Bug 85994 - SIGSEGV in malloc: __morecore clobbered by perror conflict with _IO_check_libio
Summary: SIGSEGV in malloc: __morecore clobbered by perror conflict with _IO_check_libio
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-03-11 22:36 UTC by John Reiser
Modified: 2016-11-24 15:01 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-04-17 04:01:12 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:325 0 normal SHIPPED_LIVE : Updated glibc packages provide security and bug fixes 2003-11-12 05:00:00 UTC

Description John Reiser 2003-03-11 22:36:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
malloc crashes with SIGSEGV at -1 when calling indirect through __morecore. 
__morecore was set to (int)_IO_pos_BAD by perror using a casted stderr, when the
value of stderr was _IO_stderr_ instead of _IO_2_1_stderr_
-----stdio-common/perror.c
    {
      /* We don't have to do any special hacks regarding the file
         position.  Since the stderr stream wasn't used so far we just
         write to the descriptor.  */
      perror_internal (fp, s, errnum);
      /* Close the stream.  */
      fclose (fp); 

      ((_IO_FILE *) stderr)->_offset = _IO_pos_BAD;
    }
-----

_dl_relocate_object first set stderr to _IO_2_1_stderr_, but the value of stderr
was changed to _IO_stderr_ by _IO_check_libio, called from __libc_global_ctors,
called from init, called from _dl_init_internal.
(_IO_stdin_used was 0, so _IO_check_libio [libio/oldstdfiles.c] changed stderr.)
 This created a problem because sizeof(_IO_stderr_) is less than
sizeof(_IO_2_1_stderr_); in particular the assignment by perror [using the
casted pointer] clobbers 4 bytes beyond _IO_stderr_, and those 4 bytes happen to
be __morecore.

Anyway, how can perror be sure that stderr is _IO_2_1_stderr_, and is not
_IO_stderr_ ?

This might be related to bug81259.

Version-Release number of selected component (if applicable):
glibc-2.3.1-46

How reproducible:
Always

Steps to Reproduce:
1. Run proprietary application linked on phoebe-3 (i686 [athlon] using
/lib/tls/libc-2.3.1.so).
2.
3.
    

Actual Results:  Program received signal SIGSEGV, Segmentation fault.
0xffffffff in ?? ()
(gdb) bt
#0  0xffffffff in ?? ()
#1  0x42074112 in malloc () from /lib/tls/libc.so.6
#2  0x42029552 in qsort () from /lib/tls/libc.so.6


Expected Results:  No SIGSEGV.

Additional info:

Comment 1 Ulrich Drepper 2003-04-17 04:01:12 UTC
Should be fixed in the CVS glibc version.

Comment 2 Ulrich Drepper 2003-11-04 21:33:31 UTC
Should be fixed in RHL9 errata, test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/           
                                                                    



Note You need to log in before you can comment on or make changes to this bug.