Bug#567116: reproducible segfault in printf / vfprintf

2010-01-27 Thread Manfred Benesch

Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a 
minimal program that produces that error.
The following code produces this segfault. Changing the last %5$s to 
%1$s or removing one part makes the segfault disappear.


-
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
   printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
          ,"",1, "", "", "");

   return 0;
}
-

compiled with gcc -g test.c (gcc-4.3.4-6)
-
ldd a.out
   linux-vdso.so.1 =>  (0x7fffccd3d000)
   libc.so.6 => /lib/libc.so.6 (0x7f216fcfc000)
   /lib64/ld-linux-x86-64.so.2 (0x7f217006c000)
-

The check with valgrind:

-
==3488== Conditional jump or move depends on uninitialised value(s)
==3488==    at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488==    at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488==  Access not within mapped region at address 0x7EEFF9C20
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
-

I have verified that failure on various machines - clean squeeze 
debootstrap chroot.



-- System Information:
Debian Release: 5.0.3
 APT prefers testing
 APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin  2.10.2-2   GNU C Library: Binaries
ii  libgcc1   1:4.4.2-9  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0] 1.5.24 Debian configuration management sy
pn  glibc-doc none (no description available)
ii  locales   2.10.2-2   GNU C Library: National Language (


-- debconf information:
* glibc/upgrade: true
 glibc/disable-screensaver:
 glibc/restart-failed:
* glibc/restart-services: rsync cups cron




Bug#567116: closed by Aurelien Jarno aurel...@aurel32.net (Re: Bug#567116: reproducible segfault in printf / vfprintf)

2010-01-27 Thread Manfred Benesch

Of course,

you're right - compiling without -Wall -W was a mistake when reducing the 
real code to that minimal example. But correcting the sample code in the 
following way, so that the argument order is correct, doesn't help:


-

#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{ 
printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%2$i%3$s%4$s%5$s"
       ,"",1, "", "", "");
return 0;
}

-
compile with: gcc -Wall -W -g -Os test.c - no warnings except unused argc/argv
tried with gcc-4.3 and gcc-4.4 - nothing helps
it doesn't matter where the references for arguments 2-5 are, even if the order 
is 1,2,3,4,5
changing all parameters to strings - same result
only removing at least one element works - why?
valgrind output looks like the one from the first report



Debian Bug Tracking System wrote:

This is an automatic notification regarding your Bug report
which was filed against the libc6 package:

#567116: reproducible segfault in printf / vfprintf

It has been closed by Aurelien Jarno aurel...@aurel32.net.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Aurelien Jarno 
aurel...@aurel32.net by
replying to this email.





Subject:
Re: Bug#567116: reproducible segfault in printf / vfprintf
From:
Aurelien Jarno aurel...@aurel32.net
Date:
Wed, 27 Jan 2010 14:38:15 +0100
To:
Manfred Benesch manfred.bene...@inf.tu-dresden.de, 
567116-d...@bugs.debian.org



On Wed, Jan 27, 2010 at 01:28:42PM +0100, Manfred Benesch wrote:

Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a  
minimal program that produces that error.
The following code produces this segfault. Changing the last %5$s to  
%1$s or removing one part makes the segfault disappear.


-
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
   printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
          ,"",1, "", "", "");

   return 0;
}
-

compiled with gcc -g test.c (gcc-4.3.4-6)


You forgot to compile with -Wall. That will show you the problem is in
your code:

| test.c: In function ‘main’:
| test.c:7: warning: format argument 2 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 3 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 4 unused before used argument 5 in $-style format

And quoting the standard:

| The format can contain either numbered argument conversion
| specifications (that is, %n$ and *m$), or unnumbered argument
| conversion specifications (that is, % and * ), but not both. The only
| exception to this is that %% can be mixed with the %n$ form. The
| results of mixing numbered and unnumbered argument specifications in a
| format string are undefined. When numbered argument specifications are
| used, specifying the Nth argument requires that all the leading
| arguments, from the first to the (N-1)th, are specified in the format
| string.

Closing the bug.




Subject:
reproducible segfault in printf / vfprintf
From:
Manfred Benesch manfred.bene...@inf.tu-dresden.de
Date:
Wed, 27 Jan 2010 13:28:42 +0100
To:
sub...@bugs.debian.org


Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a 
minimal program that produces that error.
The following code produces this segfault. Changing the last %5$s to 
%1$s or removing one part makes the segfault disappear.


- 
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
       ,"",1, "", "", "");

return 0;
}
- 



compiled with gcc -g test.c (gcc-4.3.4-6)
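The rule Aurelien quotes from the standard (a format uses either %n$ or plain % specs, never both, and referencing argument N requires that arguments 1..N-1 are referenced somewhere in the same format) is cheap to check mechanically before a format string ever reaches vfprintf. The C program below is an added example; it is not code from the bug report, from Debian or from glibc. The checker, its verdict names and the MAX_POS limit are assumptions made for this example, and the sample formats are constructed to mirror the shapes of the two formats in the thread (the number of repeated %1$s does not change the verdict). It classifies the first report's format as having a gap and the corrected sample as conforming; it says nothing about the crash the reporter still sees with the corrected sample, which the thread leaves open.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts returned by check_positional_format(). */
enum fmt_verdict {
    FMT_OK = 0,     /* no numbered specs, or arguments 1..N all referenced */
    FMT_GAP = 1,    /* %N$ is used but some lower-numbered argument never is */
    FMT_MIXED = 2,  /* numbered (%n$) and unnumbered (%) specs in one format */
    FMT_BAD = 3     /* malformed: trailing '%', index 0, or index above MAX_POS */
};

#define MAX_POS 64  /* highest %n$ index tracked; a limit chosen for this example */

/* Conversion letters that end a spec (C99 set plus glibc's C, S and m). */
static const char CONVERSIONS[] = "diouxXeEfFgGaAcspnCSm";

/* If *pp points at "digits$", store the index, advance past the '$' and return 1.
   Otherwise leave *pp alone and return 0. An out-of-range index is stored as -1. */
static int parse_dollar_index(const char **pp, int *idx)
{
    const char *q = *pp;
    long n = 0;
    while (*q >= '0' && *q <= '9')
        n = n * 10 + (*q++ - '0');
    if (q == *pp || *q != '$')
        return 0;
    *idx = (n < 1 || n > MAX_POS) ? -1 : (int)n;
    *pp = q + 1;
    return 1;
}

/* Apply the rule quoted from the standard in the thread. Position in the string
   does not matter, which matches the reporter's observation about arguments 2-5.
   *highest_out (may be NULL) receives the largest %n$ index seen, 0 when none. */
enum fmt_verdict check_positional_format(const char *fmt, int *highest_out)
{
    unsigned char used[MAX_POS + 1] = {0};
    int numbered = 0, unnumbered = 0, highest = 0, idx;
    const char *p = fmt;

    if (highest_out)
        *highest_out = 0;

    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" may appear with either style */
            p++;
            continue;
        }
        if (*p == '\0')
            return FMT_BAD;

        /* the conversion's own index: %n$ */
        if (parse_dollar_index(&p, &idx)) {
            if (idx < 0) return FMT_BAD;
            used[idx] = 1; numbered = 1;
            if (idx > highest) highest = idx;
        } else {
            unnumbered = 1;
        }

        /* flags, width, precision and length modifiers up to the conversion letter;
           a '*' width or precision is itself an argument, either *m$ or unnumbered */
        while (*p && !strchr(CONVERSIONS, *p)) {
            if (*p++ == '*') {
                if (parse_dollar_index(&p, &idx)) {
                    if (idx < 0) return FMT_BAD;
                    used[idx] = 1; numbered = 1;
                    if (idx > highest) highest = idx;
                } else {
                    unnumbered = 1;
                }
            }
        }
        if (*p == '\0')
            return FMT_BAD;
        p++;                        /* consume the conversion letter */
    }

    if (highest_out)
        *highest_out = highest;
    if (numbered && unnumbered)
        return FMT_MIXED;
    for (int i = 1; i <= highest; i++)
        if (!used[i])
            return FMT_GAP;
    return FMT_OK;
}

/* Convenience wrapper: the highest %n$ index a format references. */
int highest_positional_index(const char *fmt)
{
    int hi = 0;
    check_positional_format(fmt, &hi);
    return hi;
}

int main(void)
{
    /* Constructed inputs shaped like the two formats in the thread. */
    static const char *const samples[] = {
        "%1$s%1$s%1$s%5$s",          /* first report: 2, 3 and 4 never referenced */
        "%1$s%1$s%2$i%3$s%4$s%5$s",  /* corrected sample: 1..5 all referenced */
        "%1$s %d",                   /* numbered and unnumbered mixed */
        "%2$*1$d %%",                /* numbered width argument, %% allowed */
    };
    static const char *const names[] = { "ok", "gap", "mixed", "malformed" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int hi = 0;
        enum fmt_verdict v = check_positional_format(samples[i], &hi);
        printf("%-28s -> %-9s (highest %%n$ index %d)\n", samples[i], names[v], hi);
    }
    return 0;
}
```

For string literals gcc's -Wformat performs the same classification at compile time, which is exactly what the three warnings in the reply report. A runtime check of this kind is what remains when formats are loaded from configuration files or translation catalogues, the usual place where a %n$ format with a skipped argument slips past review.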