Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical
After finding a segfault problem in libc6, I tried to construct a minimal program that produces the error. The following code produces this segfault. Changing the last %5$s to %1$s, or removing one part, makes the segfault disappear.
---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    /* The format names only arguments 1 and 5; arguments 2, 3 and 4
       (the int 1 and two empty strings) are never referenced. */
    printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s",
           "", 1, "", "", "");
    return 0;
}
---------------------------------------------------------------------------------
compiled with gcc -g test.c (gcc-4.3.4-6)
---------------------------------------------------------------------------------
ldd a.out
	linux-vdso.so.1 =>  (0x00007fffccd3d000)
	libc.so.6 => /lib/libc.so.6 (0x00007f216fcfc000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f217006c000)
---------------------------------------------------------------------------------
the check with valgrind:
---------------------------------------------------------------------------------
==3488== Conditional jump or move depends on uninitialised value(s)
==3488==    at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488==    at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488==  Access not within mapped region at address 0x7EEFF9C20
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
---------------------------------------------------------------------------------
I have verified this failure on various machines, including a clean squeeze debootstrap chroot.
-- System Information:
Debian Release: 5.0.3
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin   2.10.2-2   GNU C Library: Binaries
ii  libgcc1    1:4.4.2-9  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.24    Debian configuration management sy
pn  glibc-doc              <none>    (no description available)
ii  locales                2.10.2-2  GNU C Library: National Language (

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: rsync cups cron
smime.p7s
Description: S/MIME Cryptographic Signature
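Added example, not part of the bug report and not glibc code: a small C checker for the pattern the reproducer relies on. POSIX requires that when a format uses numbered "%n$" conversions, every argument from 1 up to the largest n is referenced somewhere in the format; the reproducer references only 1 and 5, which is undefined behaviour regardless of which libc runs it. The function name first_positional_gap, the MAX_POS limit and the sample formats are assumptions of this example. It does not reproduce the crash; it flags such formats before they reach vfprintf, which is the check a reviewer would want on any format string assembled from several pieces.

```c
/* Added example (not from the bug report or glibc): flag printf formats
 * that use numbered "%n$" conversions but skip some argument numbers.
 * POSIX says a format that references argument N must also reference
 * every argument 1..N-1; the report's format references only 1 and 5. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_POS 64   /* largest argument number tracked (assumption) */

/* Return the smallest positional argument number that the format skips,
 * or 0 when there is no gap (also when no "%n$" form is used at all).
 * Handles "%%", "%n$", and "*n$" width/precision references. */
int first_positional_gap(const char *fmt)
{
    unsigned char used[MAX_POS + 1] = {0};
    int max = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;             /* dangling '%' at end of string */
        if (*p == '%')
            continue;          /* "%%" is a literal percent sign */

        /* Walk the conversion specification up to its first letter
         * (conversion or length modifier), recording every "<digits>$"
         * run: the "%n$" argument index and any "*n$" width/precision. */
        while (*p && !isalpha((unsigned char)*p)) {
            if (isdigit((unsigned char)*p)) {
                int n = 0;
                while (isdigit((unsigned char)*p)) {
                    if (n <= MAX_POS)      /* stop growing once out of range */
                        n = n * 10 + (*p - '0');
                    p++;
                }
                if (*p == '$') {
                    if (n >= 1 && n <= MAX_POS) {
                        used[n] = 1;
                        if (n > max)
                            max = n;
                    }
                    p++;
                }
                continue;      /* p already advanced past the digits */
            }
            p++;
        }
        if (*p == '\0')
            break;
    }

    for (int i = 1; i <= max; i++)
        if (!used[i])
            return i;
    return 0;
}

/* Constructed sample with the same shape as the report's format: a run of
 * "%1$s" references followed by "%5$s" (the exact count does not matter). */
#define R1 "%1$s"
#define R4 R1 R1 R1 R1
#define R16 R4 R4 R4 R4
static const char reporter_fmt[] = R16 R16 R1 "%5$s";

int main(void)
{
    const char *samples[] = {
        reporter_fmt,            /* skips 2, 3 and 4 -> gap 2 */
        "%1$s%2$s%3$s%4$s%5$s",  /* every argument referenced -> 0 */
        "%s %d %%",              /* no numbered arguments -> 0 */
        "%3$d %1$d",             /* skips 2 -> gap 2 */
        "%1$*2$d",               /* width taken from argument 2 -> 0 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int gap = first_positional_gap(samples[i]);
        if (gap)
            printf("UNSAFE: argument %d is never referenced\n", gap);
        else
            printf("ok\n");
    }
    return 0;
}
```

The walk stops at the first letter after '%' because length modifiers and conversion letters never carry a '$'; anything recorded before that point is a genuine argument reference. Formats that mix numbered and unnumbered conversions are also undefined per POSIX, and this checker does not catch that case.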