Bug#691487: column: segfaults with a certain data and column -ets,
On Wed, 2016-03-09 at 16:30 +0100, Michael Meskes wrote:
> I guess we can close it for now then. Should it re-appear feel free
> to re-open or open a new one.

Ok. The invalid reads/writes are concerning though; if you want to try finding crashes, the afl fuzzer is probably worth a try.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#691487: column: segfaults with a certain data and column -ets,
On Wed, 2016-03-09 at 11:09 +0100, Michael Meskes wrote:
> Do you still see this segfault with the latest version? I cannot reproduce it at
> all and hope you don't see it either.

I can't reproduce it any longer, not sure why, but valgrind still reports a bunch of invalid reads and invalid writes.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#691487: column: segfaults with a certain data and column -ets,
Do you still see this segfault with the latest version? I cannot reproduce it at all and hope you don't see it either.

Michael

-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL
Bug#691487: column: segfaults with a certain data and column -ets,
On Fri, Oct 26, 2012 at 04:56:56PM +0800, Paul Wise wrote:
> Sorry for the noise, this only happens when I turn on malloc checks:

Do you still see the problem?

> valgrind also reports a problem:

On my up-to-date Sid system valgrind reports no problems whatsoever:

...
==31376== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 4 from 4)

Michael
Bug#691487: column: segfaults with a certain data and column -ets,
I still have the same problem on my wheezy system, the only difference to sid is that I have libc6 2.13-37 instead of 2.13-38 and an older version of valgrind. After upgrading libc6 the crash remains with the MALLOC_* variables set. The invalid read is there with both new and old valgrinds and with the MALLOC_* variables set and unset.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
Bug#691487: column: segfaults with a certain data and column -ets,
On Thu, Jan 03, 2013 at 08:41:59PM +0800, Paul Wise wrote:
> I still have the same problem on my wheezy system, the only difference to
> sid is that I have libc6 2.13-37 instead of 2.13-38 and an older version
> of valgrind. After upgrading libc6 the crash remains with the MALLOC_*
> variables set.

Like this?

michael@feivel:~$ export MALLOC_CHECK_=2
michael@feivel:~$ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
michael@feivel:~$ column -ets, foo bar
column: line too long

No segfault whatsoever.

BTW the line too long message disappears if I add a final CR but still no segfault. I also tried on a Wheezy i386 system without getting it to segfault.

What kernel do you run on? The original report talked about 3.5. I'm on our Wheezy 3.2 kernel. Maybe that makes a difference.

Michael
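The reproduction recipe used in this thread, wrapped as an added shell helper written for this page (it is not from the bug report or from bsdmainutils, and the function names and the script name triage.sh are this page's own). malloc_check_run sets MALLOC_CHECK_=2 and a random MALLOC_PERTURB_ exactly as above and classifies the outcome by exit status, so a signal death (139 for SIGSEGV) is told apart from an ordinary non-zero exit; valgrind_run uses valgrind's --error-exitcode so a non-zero ERROR SUMMARY becomes a failing exit code instead of something to read by eye. One caveat the thread predates: since glibc 2.34 MALLOC_CHECK_ only takes effect when libc_malloc_debug.so is preloaded (LD_PRELOAD=libc_malloc_debug.so.0); on the glibc 2.13 discussed here the environment variable alone is enough.

```shell
#!/bin/sh
# Added triage helper (not from the bug thread or bsdmainutils).

# Run a command with glibc's malloc consistency checks, as the thread did.
# MALLOC_CHECK_=2 makes glibc abort when it detects heap corruption;
# MALLOC_PERTURB_=<1..255> fills freshly allocated and freed memory with a
# byte pattern, so a read of uninitialised or freed memory misbehaves
# reliably instead of only when the stale contents happen to be harmful.
# Return value: 0 = exited 0, 1 = non-zero exit, 2 = killed by a signal.
malloc_check_run() {
    # $RANDOM is a bash/ksh extension; fall back to the PID under plain sh.
    _perturb=$(( ${RANDOM:-$$} % 255 + 1 ))
    MALLOC_CHECK_=2 MALLOC_PERTURB_="$_perturb" "$@"
    _status=$?
    if [ "$_status" -eq 0 ]; then
        echo "ok: '$1' exited 0 (MALLOC_PERTURB_=$_perturb)"
        return 0
    elif [ "$_status" -ge 128 ]; then
        # Shells report "killed by signal N" as 128+N; SIGSEGV is 11 -> 139.
        echo "signal $(( _status - 128 )) from '$1' (MALLOC_PERTURB_=$_perturb)"
        return 2
    else
        echo "exit $_status from '$1'"
        return 1
    fi
}

# Run a command under valgrind's memcheck and turn its error summary into an
# exit status: --error-exitcode makes valgrind exit 99 if it reported any
# error (invalid read/write, use of uninitialised values), so "ERROR SUMMARY:
# 7 errors" above would fail a script instead of scrolling past.
# Return value: 0 = clean, 1 = program failed on its own,
#               2 = valgrind reported errors, 3 = valgrind not installed.
valgrind_run() {
    if ! command -v valgrind >/dev/null 2>&1; then
        echo "valgrind not installed"
        return 3
    fi
    valgrind -q --error-exitcode=99 "$@"
    _status=$?
    if [ "$_status" -eq 99 ]; then
        echo "valgrind reported memory errors in '$1'"
        return 2
    elif [ "$_status" -ne 0 ]; then
        echo "'$1' exited $_status under valgrind"
        return 1
    fi
    echo "valgrind: no errors in '$1'"
    return 0
}

# Usage (assumed file name): ./triage.sh column -ets, < data.txt
if [ "$#" -gt 0 ]; then
    malloc_check_run "$@"
    valgrind_run "$@"
fi
```

The two helpers are independent on purpose: the MALLOC_* variables catch the crash the reporter saw, while valgrind catches the invalid reads that remained after the crash stopped reproducing, and a CI job should fail on either.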
Bug#691487: column: segfaults with a certain data and column -ets,
On Thu, 2013-01-03 at 14:05 +0100, Michael Meskes wrote:
> Like this?
>
> michael@feivel:~$ export MALLOC_CHECK_=2
> michael@feivel:~$ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
> michael@feivel:~$ column -ets, foo bar
> column: line too long

Correct.

> No segfault whatsoever.

H.

> BTW the line too long message disappears if I add a final CR but still
> no segfault. I also tried on a Wheezy i386 system without getting it to
> segfault.

If I add a final LF the message disappears but the segfault does not. If I add a CR instead then neither disappears. I'm using amd64.

> What kernel do you run on? The original report talked about 3.5. I'm on
> our Wheezy 3.2 kernel. Maybe that makes a difference.

Currently using 3.7 from experimental. Just now I rebooted into 3.2 and got the segfault too.

After recompiling bsdmainutils with noopt nostrip, I got more info from valgrind and gdb, maybe that helps debug this, see below.

BTW: I suggest that you should use these instead of what you have:

CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
CFLAGS += $(shell dpkg-buildflags --get CPPFLAGS)
LDFLAGS = $(shell dpkg-buildflags --get LDFLAGS)

pabs@chianamo ~ $ valgrind column -ets, foo bar
==29803== Memcheck, a memory error detector
==29803== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==29803== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==29803== Command: column -ets,
==29803== 
column: line too long
==29803== Invalid read of size 8
==29803==    at 0x401909: maketbl (column.c:314)
==29803==    by 0x40119C: main (column.c:155)
==29803==  Address 0x51be750 is 0 bytes after a block of size 0 alloc'd
==29803==    at 0x4C272B8: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29803==    by 0x4016D1: maketbl (column.c:299)
==29803==    by 0x40119C: main (column.c:155)
==29803== 
==29803== 
==29803== HEAP SUMMARY:
==29803==     in use at exit: 13,752 bytes in 95 blocks
==29803==   total heap usage: 126 allocs, 31 frees, 17,823 bytes allocated
==29803== 
==29803== LEAK SUMMARY:
==29803==    definitely lost: 1,020 bytes in 3 blocks
==29803==    indirectly lost: 828 bytes in 60 blocks
==29803==      possibly lost: 0 bytes in 0 blocks
==29803==    still reachable: 11,904 bytes in 32 blocks
==29803==         suppressed: 0 bytes in 0 blocks
==29803== Rerun with --leak-check=full to see details of leaked memory
==29803== 
==29803== For counts of detected and suppressed errors, rerun with: -v
==29803== ERROR SUMMARY: 7 errors from 1 contexts (suppressed: 4 from 4)

pabs@chianamo ~ $ column -ets, foo bar
column: line too long
Segmentation fault (core dumped)

pabs@chianamo ~ $ gdb --core /var/cache/corefiles/core-31490-1000-1000-11-1357222585-chianamo-column `which column`
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/column...done.
[New LWP 31490]

warning: Can't read pathname for load map: Input/output error.
Core was generated by `column -ets,'.
Program terminated with signal 11, Segmentation fault.
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
30	wcslen.c: No such file or directory.
(gdb) bt
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
#1  0x7f002b4946fe in _IO_vfwprintf (s=0x7f002b7be7a0, format=0x401ec0 L"%ls\n", ap=0x7fff68030fa0) at vfprintf.c:1623
#2  0x7f002b4abefa in __wprintf (format=0x401ec8 L"s\n") at wprintf.c:34
#3  0x00401941 in maketbl () at column.c:314
#4  0x0040119d in main (argc=0, argv=0x7fff68031238) at column.c:155
(gdb) thread apply all bt full

Thread 1 (LWP 31490):
#0  __wcslen (s=0x78 <Address 0x78 out of bounds>) at wcslen.c:30
        len = <optimized out>
#1  0x7f002b4946fe in _IO_vfwprintf (s=0x7f002b7be7a0, format=0x401ec0 L"%ls\n", ap=0x7fff68030fa0) at vfprintf.c:1623
        len = <optimized out>
        string_malloced = 1745030784
        step0_jumps = {0, -13820, -13738, -13656, -13565, -13484, -13387, -13143, -12171, -12911, -12833, -12279, -11658, -1750, -2980, -1599, -1630, -1614, -10376, -9645, -1338, -11567, -7057, -2820, -2756, -1021, -7338, -1932, -1841, -13225}
        space = 0
        is_short = 0
        use_outdigits = 0
        step1_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, -12911, -12833, -12279, -11658, -1750, -2980, -1599, -1630, -1614, -10376, -9645, -1338, -11567, -7057, -2820, -2756, -1021, -7338, -1932, -1841, 0}
        group = 0
        prec = <optimized out>
        step2_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -12833, -12279, -11658, -1750, -2980, -1599, -1630, -1614, -10376, -9645, -1338,
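The valgrind and gdb output above describe one pattern: calloc at column.c:299 returned a block of size 0, column.c:314 read one 8-byte pointer from just past it, and that pointer (0x78) went into wprintf's %ls, where wcslen faulted. The following is an added example written for this page, not code from bsdmainutils or column.c: a small table builder that splits lines the way column -s/-t does and represents an empty input line as a row with zero fields and no field array at all, so neither a zero-sized allocation nor a read of its element 0 can happen. It assumes that -e means "do not ignore empty lines" (the thread never says); split_line, table_build, table_render, table_free and the sample input are all constructed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not column.c: an empty input line becomes a row with
 * ncols == 0 and no field array. That is the invariant the trace above shows broken:
 * column.c:299 calloc'd a size-0 block and column.c:314 read one pointer from it. */

typedef struct { size_t ncols; char **fields; } row_t;   /* fields == NULL iff ncols == 0 */
typedef struct { size_t nrows; row_t *rows; size_t ncols; size_t *width; } table_t;

static void *xrealloc(void *p, size_t n)   /* realloc that aborts on failure */
{
    void *q = realloc(p, n);
    if (q == NULL) { perror("realloc"); exit(1); }
    return q;
}

/* Split line[0..len) on any byte in seps (runs collapse, as column -t does). Returns
 * the field count; *out stays NULL when the count is 0, so nothing of size 0 exists. */
static size_t split_line(const char *line, size_t len, const char *seps, char ***out)
{
    size_t n = 0, cap = 0, i = 0;
    char **fields = NULL;
    while (i < len) {
        while (i < len && strchr(seps, line[i]) != NULL) i++;   /* skip separators */
        if (i >= len) break;
        size_t start = i;
        while (i < len && strchr(seps, line[i]) == NULL) i++;   /* scan one field */
        if (n == cap) fields = xrealloc(fields, (cap = cap ? cap * 2 : 4) * sizeof *fields);
        fields[n] = xrealloc(NULL, i - start + 1);
        memcpy(fields[n], line + start, i - start);
        fields[n][i - start] = '\0';
        n++;
    }
    *out = fields;
    return n;
}

/* Build rows from text, one per '\n'-terminated line (a final line without a newline
 * still counts). keep_empty keeps zero-field rows; assumed to be what -e means. */
static table_t *table_build(const char *text, const char *seps, int keep_empty)
{
    table_t *t = xrealloc(NULL, sizeof *t);
    size_t cap = 0;
    t->nrows = 0; t->rows = NULL; t->ncols = 0; t->width = NULL;
    for (const char *p = text; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char **fields;
        size_t n = split_line(p, len, seps, &fields);
        if (n > 0 || keep_empty) {
            if (t->nrows == cap) t->rows = xrealloc(t->rows, (cap = cap ? cap * 2 : 8) * sizeof *t->rows);
            t->rows[t->nrows].ncols = n;
            t->rows[t->nrows].fields = fields;   /* NULL when n == 0: nothing to over-read */
            t->nrows++;
            if (n > t->ncols) t->ncols = n;
        }
        p += len + (nl ? 1 : 0);
    }
    if (t->ncols > 0) {   /* never calloc(0, ...): a zero-sized block is exactly what was over-read */
        t->width = calloc(t->ncols, sizeof *t->width);
        if (t->width == NULL) { perror("calloc"); exit(1); }
        for (size_t r = 0; r < t->nrows; r++)
            for (size_t c = 0; c < t->rows[r].ncols; c++)
                if (strlen(t->rows[r].fields[c]) > t->width[c]) t->width[c] = strlen(t->rows[r].fields[c]);
    }
    return t;
}

/* snprintf-style cursor: write s left-justified in width w at offset len, never past
 * outsz - 1; returns the new logical length even when the output was truncated. */
static size_t put(char *out, size_t outsz, size_t len, const char *s, int w)
{
    size_t at = len < outsz ? len : outsz - 1;
    return len + (size_t)snprintf(out + at, outsz - at, "%-*s", w, s);
}

/* Render like column -t into out (outsz > 0; always NUL-terminated, truncated if
 * needed). Each field but the row's last is padded to its column width plus two
 * spaces. The loop bound is row->ncols, so an empty row yields an empty line without
 * ever touching fields[0]. Returns the full untruncated length. */
static size_t table_render(const table_t *t, char *out, size_t outsz)
{
    size_t len = 0;
    out[0] = '\0';
    for (size_t r = 0; r < t->nrows; r++) {
        const row_t *row = &t->rows[r];
        for (size_t c = 0; c < row->ncols; c++)
            len = put(out, outsz, len, row->fields[c], c + 1 < row->ncols ? (int)t->width[c] + 2 : 0);
        len = put(out, outsz, len, "\n", 0);
    }
    return len;
}

static void table_free(table_t *t)
{
    for (size_t r = 0; r < t->nrows; r++) {
        for (size_t c = 0; c < t->rows[r].ncols; c++) free(t->rows[r].fields[c]);
        free(t->rows[r].fields);   /* free(NULL) is a no-op for an empty row */
    }
    free(t->rows); free(t->width); free(t);
}
```

The point is the representation, not the formatting: once "no columns" is stored as ncols == 0 with a NULL array rather than as a zero-element heap block, every consumer loop is bounded by the same count and the over-read that valgrind flagged has no place to occur. Running this under the MALLOC_* variables and valgrind from the thread on an input with an empty line (`table_build("a,bb,c\n\ndddd,e\n", ",", 1)`) stays clean.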
Bug#691487: column: segfaults with a certain data and column -ets,
Package: bsdmainutils
Version: 9.0.3
Severity: normal
File: /usr/bin/column

The attached text file and this command segfaults column:

column -ets, foo bar

I note however that this command or different data does not:

column -ts, foo bar

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bsdmainutils depends on:
ii  bsdutils     1:2.20.1-5.2
ii  debianutils  4.3.2
ii  libc6        2.13-35
ii  libncurses5  5.9-10
ii  libtinfo5    5.9-10

Versions of packages bsdmainutils suggests:
ii  cpp                   4:4.7.1-1
ii  miscfiles [wordlist]  1.4.2.dfsg.1-9
pn  vacation              <none>
ii  wamerican [wordlist]  7.1-1
ii  whois                 5.0.18
ii  wspanish [wordlist]   1.0.26

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Attached text file:

pos[0], -size[1]+pos[1], pos[2]
pos[0], pos[1], pos[2]
-size[0]+pos[0], pos[1], pos[2]
pos[0], -size[1]+pos[1], pos[2]
-size[0]+pos[0], pos[1], pos[2]
-size[0]+pos[0], -size[1]+pos[1], pos[2]
size[0]+pos[0], -size[1]+pos[1], pos[2]
size[0]+pos[0], pos[1], pos[2]
pos[0], pos[1], pos[2]
size[0]+pos[0], -size[1]+pos[1], pos[2]
pos[0], pos[1], pos[2]
pos[0], -size[1]+pos[1], pos[2]
size[0]+pos[0], pos[1], pos[2]
size[0]+pos[0], size[1]+pos[1]+0.1, pos[2]
pos[0], size[1]+pos[1]+0.1, pos[2]
size[0]+pos[0], pos[1], pos[2]
pos[0], size[1]+pos[1]+0.1, pos[2]
pos[0], pos[1], pos[2]
pos[0], pos[1], pos[2]
pos[0], size[1]+pos[1]+0.1, pos[2]
-size[0]+pos[0], size[1]+pos[1]+0.1, pos[2]
pos[0], pos[1], pos[2]
-size[0]+pos[0], size[1]+pos[1]+0.1, pos[2]
-size[0]+pos[0], pos[1], pos[2]
Bug#691487: column: segfaults with a certain data and column -ets,
usertags 691487 + malloc
retitle 691487 column: memory allocation issue with a certain data and column -ets,
thanks

> The attached text file and this command segfaults column:
>
> column -ets, foo bar

Sorry for the noise, this only happens when I turn on malloc checks:

export MALLOC_CHECK_=2
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))

valgrind also reports a problem:

==15631== Invalid read of size 8
==15631==    at 0x401704: ??? (in /usr/bin/column)
==15631==    by 0x401004: ??? (in /usr/bin/column)
==15631==    by 0x4E4DEAC: (below main) (libc-start.c:228)
==15631==  Address 0x51bb310 is 0 bytes after a block of size 0 alloc'd
==15631==    at 0x4C272B8: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15631==    by 0x4015AC: ??? (in /usr/bin/column)
==15631==    by 0x401004: ??? (in /usr/bin/column)
==15631==    by 0x4E4DEAC: (below main) (libc-start.c:228)

-- 
bye,
pabs

http://wiki.debian.org/PaulWise