Your message dated 04 Nov 2002 01:43:50 +0100
with message-id <[EMAIL PROTECTED]>
and subject line strncpy on alpha/libc broken
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Sep 2002 18:29:19 +0000
Date: Wed, 4 Sep 2002 13:33:18 -0500 (CDT)
From: Adam Heath <[EMAIL PROTECTED]>
To:  <[EMAIL PROTECTED]>
Subject: strncpy on alpha/libc broken
Message-ID: <[EMAIL PROTECTED]>

package: libc6.1
version: 2.2.5-11.1
severity: serious

On lully, I have a repeatable segfault being caused by strncpy (which calls
__stxncpy).

dpkg calls strncpy to copy data from its mmap'd buffer into a tmp var, for
moving around.  mmap on alpha aligns the end of the data segment with a page
boundary.  Depending on the alignment of the source address passed to strncpy,
a segfault will occur inside the above function.

My guess is this is due to an optimization, trying to copy ints/words around,
instead of pure bytes.

Substituting memcpy or a for loop allows the dpkg code to work.  This shows
that the addresses and the length are both valid, and don't step into unknown
memory.

I have dpkg compiled on lully, and it doesn't require root to see the
bug (--admindir is enough).  If you need help reproducing this, then just
respond.

In fact, here's a C program that shows the bug.  Compile with CFLAGS=-g (of
course).

==
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>

#define LENGTH 12       /* bytes copied per call, like dpkg's fixed-size tmp var */
#define TRAILING 2      /* keep even the last source address short of the page end */
int main(int argc, char **argv) {
        int i, fd, pagesize;
        char *data, *buf;
        pagesize = getpagesize();
        fd = open( "/dev/zero", O_RDONLY );
        if ( fd == -1 ) {
                perror( "open" );
                exit( 1 );
        }
        /* exactly one page, so the end of the data is page-aligned */
        data = mmap( NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0 );
        if ( data == MAP_FAILED ) {
                perror( "mmap" );
                exit( 1 );
        }
        buf = (char *)malloc( LENGTH );
        if ( buf == NULL ) {
                perror( "malloc" );
                exit( 1 );
        }
        /* fill the page; a NUL lands every 256 bytes, so strncpy always finds one */
        for ( i = 0; i < pagesize; i++ )
                data[ i ] = i % 256;
        /* memcpy reads exactly LENGTH bytes and completes for every offset */
        for ( i = 0; i < pagesize - LENGTH - TRAILING; i++ )
                memcpy( buf, data + i, LENGTH );
        /* strncpy segfaults once data + i is close enough to the page end */
        for ( i = 0; i < pagesize - LENGTH - TRAILING; i++ )
                strncpy( buf, data + i, LENGTH );
        return 0;
}
==

The memcpy loop completes as expected.  The strncpy loop segfaults.  Here's
the gdb session info:

==
..
Program terminated with signal 11, Segmentation fault.
..
(gdb) bt
#0  0x200000e21e0 in __stxncpy () from /lib/libc.so.6.1
#1  0x120000a78 in main (argc=1, argv=0x11ffffc88) at bug.c:36
(gdb) f 1
#1  0x120000a78 in main (argc=1, argv=0x11ffffc88) at bug.c:36
36                      strncpy( buf, data + i, LENGTH );
(gdb) p i
$1 = 8177
==
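An added example, not part of the bug report and not dpkg or glibc code: a byte-wise copy that is told how many source bytes are actually mapped, so it can never read past them however the source is aligned, plus a guard-page harness that places a non-terminated source right before a PROT_NONE page so that any over-read faults deterministically on any architecture (the names bounded_copy and guarded_copy_check are this example's own).

```c
#define _POSIX_C_SOURCE 200809L   /* mmap, mprotect, sysconf are POSIX */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

/* strncpy-like copy that never touches src beyond src_avail bytes (the bytes
 * the caller knows to be mapped). Copies one byte at a time, so no word-sized
 * read can cross into an unmapped page. Pads dst with NULs to n like strncpy
 * and returns the number of data bytes copied. */
size_t bounded_copy(char *dst, size_t n, const char *src, size_t src_avail)
{
    size_t i = 0;
    size_t limit = src_avail < n ? src_avail : n;
    while (i < limit && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    memset(dst + i, 0, n - i);   /* strncpy-style padding, no terminator if i == n */
    return i;
}

/* Constructed harness: map two pages from /dev/zero (as the report does), make
 * the second one PROT_NONE, and put a non-NUL-terminated source so its last
 * byte sits immediately before the guard page, like the tail of dpkg's mmap'd
 * buffer. A copy routine that reads even one byte too far now gets SIGSEGV
 * instead of silently working. Returns 1 if the copy is correct, 0 otherwise. */
int guarded_copy_check(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    char buf[12];
    int fd = open("/dev/zero", O_RDONLY);
    if (fd == -1)
        return 0;
    char *region = mmap(NULL, 2 * pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);                            /* the mapping keeps its own reference */
    if (region == MAP_FAILED)
        return 0;
    if (mprotect(region + pagesize, pagesize, PROT_NONE) != 0) {
        munmap(region, 2 * pagesize);
        return 0;
    }
    char *src = region + pagesize - 5;    /* "alpha" ends exactly at the page end */
    memcpy(src, "alpha", 5);
    size_t copied = bounded_copy(buf, sizeof buf, src, 5);
    int ok = copied == 5 && memcmp(buf, "alpha\0\0\0\0\0\0\0", sizeof buf) == 0;
    munmap(region, 2 * pagesize);
    return ok;
}
```

Swapping strncpy for bounded_copy inside guarded_copy_check turns the harness into a regression test for the over-read this report describes, without needing an alpha machine.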



---------------------------------------
Received: (at 159633-done) by bugs.debian.org; 4 Nov 2002 00:43:57 +0000
To: [EMAIL PROTECTED]
Subject: strncpy on alpha/libc broken
From: Falk Hueffner <[EMAIL PROTECTED]>
Date: 04 Nov 2002 01:43:50 +0100
Message-ID: <[EMAIL PROTECTED]>

This is fixed properly in glibc 2.3.

-- 
        Falk