Of course, you're right - compiling without -Wall -W was a mistake in reducing the real code to that minimal example. But correcting the sample code in the following way, so that the argument order is correct, doesn't help:
---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%2$i%3$s%4$s%5$s",
           "", 1, "", "", "");
    return 0;
}
---------------------------------------------------------------------------------
compile with: gcc -Wall -W -g -Os test.c - no warnings except unused argc/argv
tried with gcc-4.3 and gcc-4.4 - nothing helps
it doesn't matter where the references for arguments 2-5 are, even if the order is 1,2,3,4,5
changing all parameters to strings - same result
only removing at least one element works - why?
valgrind - the output looks like the one from the first report

Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report which was filed against the libc6 package:

#567116: reproducible segfault in printf / vfprintf

It has been closed by Aurelien Jarno <aurel...@aurel32.net>.

Their explanation is attached below along with your original report.

If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Aurelien Jarno <aurel...@aurel32.net> by replying to this email.

------------------------------------------------------------------------
Subject: Re: Bug#567116: reproducible segfault in printf / vfprintf
From: Aurelien Jarno <aurel...@aurel32.net>
Date: Wed, 27 Jan 2010 14:38:15 +0100
To: Manfred Benesch <manfred.bene...@inf.tu-dresden.de>, 567116-d...@bugs.debian.org

On Wed, Jan 27, 2010 at 01:28:42PM +0100, Manfred Benesch wrote:
> Subject: libc6: reproducible segfault in printf / vfprintf
> Package: libc6
> Version: 2.10.2-2
> Justification: breaks the whole system
> Severity: critical
>
> After finding a segfault problem in libc6 I have tried to construct a minimal program that produces that error. The following code produces this segfault. Changing the last %5$s to %1$s or removing one part, the segfault disappears.
> ---------------------------------------------------------------------------------
> #include <stdlib.h>
> #include <stdio.h>
>
> int main(int argc, char **argv)
> {
>     printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s",
>            "", 1, "", "", "");
>     return 0;
> }
> ---------------------------------------------------------------------------------
> compiled with gcc -g test.c (gcc-4.3.4-6)

You forgot to compile with -Wall. That will show you the problem is in your code:

| test.c: In function ‘main’:
| test.c:7: warning: format argument 2 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 3 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 4 unused before used argument 5 in $-style format

And quoting the standard:

| The format can contain either numbered argument conversion
| specifications (that is, "%n$" and "*m$"), or unnumbered argument
| conversion specifications (that is, % and * ), but not both. The only
| exception to this is that %% can be mixed with the "%n$" form. The
| results of mixing numbered and unnumbered argument specifications in a
| format string are undefined. When numbered argument specifications are
| used, specifying the Nth argument requires that all the leading
| arguments, from the first to the (N-1)th, are specified in the format
| string.

Closing the bug.

------------------------------------------------------------------------
Subject: reproducible segfault in printf / vfprintf
From: Manfred Benesch <manfred.bene...@inf.tu-dresden.de>
Date: Wed, 27 Jan 2010 13:28:42 +0100
To: sub...@bugs.debian.org

Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a minimal program that produces that error. The following code produces this segfault. Changing the last %5$s to %1$s or removing one part, the segfault disappears.
---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s",
           "", 1, "", "", "");
    return 0;
}
---------------------------------------------------------------------------------
compiled with gcc -g test.c (gcc-4.3.4-6)
---------------------------------------------------------------------------------
ldd a.out
        linux-vdso.so.1 =>  (0x00007fffccd3d000)
        libc.so.6 => /lib/libc.so.6 (0x00007f216fcfc000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f217006c000)
---------------------------------------------------------------------------------
the check with valgrind:
---------------------------------------------------------------------------------
==3488== Conditional jump or move depends on uninitialised value(s)
==3488==    at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488==    at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488==  Access not within mapped region at address 0x7EEFF9C20
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
---------------------------------------------------------------------------------
I have verified this failure on various machines - clean squeeze debootstrap chroot.

-- System Information:
Debian Release: 5.0.3
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin                      2.10.2-2   GNU C Library: Binaries
ii  libgcc1                       1:4.4.2-9  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
pn  glibc-doc                     <none>     (no description available)
ii  locales                       2.10.2-2   GNU C Library: National Language (

-- debconf information:
* glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
* glibc/restart-services: rsync cups cron
--
Dipl.-Inf. Manfred Benesch
Technische Universität Dresden
Fakultät Informatik
Institut für Angewandte Informatik
Lehrstuhl für Technische Informationssysteme
D-01062 Dresden
Visitor address: Nöthnitzer Str. 46, Room 1071
Tel. +49 351 463-42032
Fax. +49 351 463-38460
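The rule Aurelien quotes from the standard (numbered and unnumbered conversions must not be mixed, and referencing argument N requires that every argument 1..N-1 is also referenced) is easy to get wrong in translated message catalogs, where positional arguments are actually needed to reorder words. gcc's -Wformat only checks literal formats, so a runtime check is useful for formats that arrive from data. The following is an added example, not code from the bug report or from glibc: a scanner that collects the "%n$" and "*m$" indices of a format, reports the first gap or a mix of styles, and a small wrapper that refuses such formats before handing them to snprintf. MAX_POS_ARGS, the function names and the sample formats are this example's own choices.

```c
/* Added example, not from the bug report or glibc: checks a printf format
 * against the POSIX rule on "%n$" references before it is used.
 * MAX_POS_ARGS and the function names are this example's own choices. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_POS_ARGS 64

/* Conversion characters that terminate a conversion specification. */
static const char CONV_CHARS[] = "diouxXeEfFgGaAcsSCpn";

/* Parse decimal digits at *pp, advancing *pp; returns 0 if none present. */
static int read_num(const char **pp)
{
    int n = 0;
    while (**pp >= '0' && **pp <= '9')
        n = n * 10 + (*(*pp)++ - '0');
    return n;
}

/* Record positional index n, or fail if it is out of range. */
static bool note_index(int n, bool used[], int *max)
{
    if (n < 1 || n > MAX_POS_ARGS)
        return false;
    used[n] = true;
    if (n > *max)
        *max = n;
    return true;
}

/* Walk fmt, recording every "%n$" and "*m$" index.  Sets *max to the highest
 * index seen and *mixed when numbered and unnumbered conversions both occur.
 * Returns false on a malformed spec or an index outside 1..MAX_POS_ARGS. */
static bool scan_positional(const char *fmt, bool used[], int *max, bool *mixed)
{
    bool numbered = false, unnumbered = false;
    memset(used, 0, sizeof(bool) * (MAX_POS_ARGS + 1));
    *max = 0;
    for (const char *p = fmt; *p; ) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" is allowed in either style */
            p++;
            continue;
        }
        const char *q = p;
        int n = read_num(&q);
        bool spec_numbered = (q > p && *q == '$');   /* "%n$" */
        if (spec_numbered) {
            if (!note_index(n, used, max))
                return false;
            numbered = true;
            p = q + 1;
        }
        /* flags, width, precision and length modifiers up to the conversion */
        while (*p && !strchr(CONV_CHARS, *p)) {
            if (*p++ != '*')
                continue;
            q = p;
            n = read_num(&q);
            if (q > p && *q == '$') {                /* "*m$" width/precision */
                if (!note_index(n, used, max))
                    return false;
                numbered = true;
                p = q + 1;
            } else {
                unnumbered = true;                   /* bare "*" takes the next arg */
            }
        }
        if (*p == '\0')
            return false;           /* '%' without a conversion character */
        p++;
        if (!spec_numbered)
            unnumbered = true;
    }
    *mixed = numbered && unnumbered;
    return true;
}

/* Returns 0 when fmt obeys the rule, the first unreferenced index (positive)
 * when numbered arguments leave a gap, or -1 when the styles are mixed or the
 * format is malformed. */
int check_positional_format(const char *fmt)
{
    bool used[MAX_POS_ARGS + 1];
    int max;
    bool mixed;
    if (!scan_positional(fmt, used, &max, &mixed) || mixed)
        return -1;
    for (int i = 1; i <= max; i++)
        if (!used[i])
            return i;
    return 0;
}

/* Build "%1$s" repeated n times followed by tail, shaped like the report's formats. */
void build_repeated_fmt(char *out, size_t cap, int n, const char *tail)
{
    out[0] = '\0';
    for (int i = 0; i < n && strlen(out) + 4 < cap; i++)
        strcat(out, "%1$s");
    strncat(out, tail, cap - strlen(out) - 1);
}

/* What positional arguments are for: the same values rendered under different
 * word orders (an English string and a translated one).  Refuses formats the
 * checker rejects; otherwise returns snprintf's result. */
int render_summary(char *buf, size_t cap, const char *fmt,
                   const char *host, int failed, int total)
{
    if (check_positional_format(fmt) != 0)
        return -1;
    return snprintf(buf, cap, fmt, host, failed, total);
}

int main(void)
{
    char fmt[256], out[128];
    build_repeated_fmt(fmt, sizeof fmt, 33, "%5$s");
    printf("report's format: first missing index %d\n", check_positional_format(fmt));
    render_summary(out, sizeof out, "%3$d checks on %1$s, %2$d failed", "web01", 2, 9);
    puts(out);
    return 0;
}
```

Run against the report's original format (33 times "%1$s" then "%5$s") the checker returns 2, the first index gcc's -Wall warning also names; against the corrected format from the follow-up it returns 0. Any format that reaches printf from a catalog or a network message should be checked this way before use, since mixing styles or leaving a gap is undefined behaviour and, as the valgrind trace above shows, ends in reads of uninitialised memory inside vfprintf.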