Bug#457337: libc6: mremap() returns invalid address
Package: libc6
Version: 2.7-4
Severity: normal
Here's a gdb transcript of a part of dlmalloc that is called from some
of my code. Observe how cp, the address returned by mremap, is invalid,
and the code segfaults on the first access to that pointer.
8< ----------------------------------------------------------------------------
Breakpoint 1, mmap_resize (m=0x2b6a5b236010, oldp=0x2b6a5bdb4000,
nb=406784) at src/gklib/dlmalloc.c:2358
2358 if (cp != CMFAIL) {
(gdb) l
2353 size_t offset = oldp->prev_foot & ~IS_MMAPPED_BIT;
2354 size_t oldmmsize = oldsize + offset + MMAP_FOOT_PAD;
2355 size_t newmmsize = mmap_align(nb + SIX_SIZE_T_SIZES +
CHUNK_ALIGN_MASK);
2356 char* cp = (char*)CALL_MREMAP((char*)oldp - offset,
2357 oldmmsize, newmmsize, 1);
2358 if (cp != CMFAIL) {
2359 mchunkptr newp = (mchunkptr)(cp + offset);
2360 size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
2361 newp->head = (psize|CINUSE_BIT);
2362 mark_inuse_foot(m, newp, psize);
(gdb) p cp
$3 = 0x5bdb4000 <Address 0x5bdb4000 out of bounds>
(gdb) n
2359 mchunkptr newp = (mchunkptr)(cp + offset);
(gdb)
2360 size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
(gdb)
2361 newp->head = (psize|CINUSE_BIT);
(gdb)
Program received signal SIGSEGV, Segmentation fault.
0x00002b6a5a88849d in mmap_resize (m=0x2b6a5b236010,
oldp=0x2b6a5bdb4000, nb=406784) at src/gklib/dlmalloc.c:2361
2361 newp->head = (psize|CINUSE_BIT);
(gdb) p oldp
$4 = (mchunkptr) 0x2b6a5bdb4000
(gdb) p offset
$5 = 0
(gdb)
8< ----------------------------------------------------------------------------
If you were wondering, CALL_MREMAP is just
8< ----------------------------------------------------------------------------
#define CALL_MREMAP(addr, osz, nsz, mv) ((void)(addr),(void)(osz), \
(void)(nsz), (void)(mv),MFAIL)
8< ----------------------------------------------------------------------------
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.23 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6 depends on:
ii libgcc1 1:4.2.2-4 GCC support library
libc6 recommends no packages.
-- debconf information:
glibc/restart-failed:
glibc/restart-services:
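Two things in the transcript are worth noting for anyone reading this report: the failure sentinel that mmap_resize tests against is CMFAIL, i.e. (char*)-1, not NULL, and the value gdb prints for cp (0x5bdb4000) is exactly the low 32 bits of oldp (0x2b6a5bdb4000, with offset 0). The program below is an added illustration, not code from the report or from dlmalloc: it grows an anonymous mapping with mremap() called through its proper prototype, checks the result against MAP_FAILED, verifies the old contents survived the move, and models (as an assumption only, not as the established cause of this bug) what a 64-bit address looks like after it has been passed through a 32-bit int return value. It assumes a Linux/glibc host; the fallback defines for MAP_ANONYMOUS and MREMAP_MAYMOVE use the Linux x86 values.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Redeclare mremap with its real prototype (compatible with glibc's own),
   so this file compiles even under a strict -std= that hides the GNU
   declaration. Calling it without a prototype would make the compiler
   treat the return value as int. */
void *mremap(void *addr, size_t old_len, size_t new_len, int flags, ...);

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* Linux x86 value, assumed */
#endif
#ifndef MREMAP_MAYMOVE
#define MREMAP_MAYMOVE 1        /* Linux value, assumed */
#endif

/* Resize a private anonymous mapping, letting the kernel move it.
   Failure is signalled by MAP_FAILED ((void *)-1), never by NULL, so that
   is the only value to compare against; a NULL test would let -1 through. */
static void *resize_mapping(void *old, size_t oldsz, size_t newsz)
{
    void *p = mremap(old, oldsz, newsz, MREMAP_MAYMOVE);
    if (p == MAP_FAILED) {
        perror("mremap");
        return NULL;
    }
    return p;
}

/* Hypothetical model: what a 64-bit address becomes if it travels through a
   32-bit int return value (upper half lost, then sign-extended back). */
uintptr_t through_int_return(uintptr_t addr)
{
    return (uintptr_t)(intptr_t)(int32_t)(uint32_t)addr;
}

/* Map 64 KiB, fill it with a pattern, grow it to 512 KiB, and confirm the
   pattern survived the move and the new tail is writable.
   Returns 1 on success, 0 on any failure. */
int demo_grow(void)
{
    const size_t oldsz = 64 * 1024, newsz = 512 * 1024;
    unsigned char *base = mmap(NULL, oldsz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return 0;
    memset(base, 0xA5, oldsz);

    unsigned char *grown = resize_mapping(base, oldsz, newsz);
    if (grown == NULL) {
        munmap(base, oldsz);
        return 0;
    }
    int ok = grown[0] == 0xA5 && grown[oldsz - 1] == 0xA5;
    grown[newsz - 1] = 0x5A;            /* the added tail must be writable */
    ok = ok && grown[newsz - 1] == 0x5A;
    munmap(grown, newsz);
    return ok;
}

int main(void)
{
    printf("grow: %s\n", demo_grow() ? "ok" : "failed");
    /* The report's oldp, pushed through the 32-bit model above. */
    printf("0x%lx -> 0x%lx\n", 0x2b6a5bdb4000UL,
           (unsigned long)through_int_return(0x2b6a5bdb4000UL));
    return 0;
}
```

Run it on the same amd64 host and compare the second line with the cp value in the transcript; the point of the first half is simply that a correct caller can only tell success from failure by testing for MAP_FAILED and by having the prototype in scope when the call is compiled.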