Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value

To: Ygrex <bi@hl.ru>, 593558@bugs.debian.org, Debian Bug Tracking System <control@bugs.debian.org>
Subject: Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
From: Matthias Klose <doko@debian.org>
Date: Mon, 23 Aug 2010 20:53:53 +0200
Message-id: <[🔎] 4C72C3C1.10402@debian.org>
Reply-to: Matthias Klose <doko@debian.org>, 593558@bugs.debian.org
In-reply-to: <[🔎] 20100819084841.4093.71749.reportbug@admin.hl.ru>
References: <[🔎] 20100819084841.4093.71749.reportbug@admin.hl.ru>

tag 593558 + moreinfo
thanks

On 19.08.2010 10:48, Ygrex wrote:

Package: libffi-dev
Version: 3.0.9-2
Severity: important

The test C-code is attached:
gcc-4.4 -lffi -lunistring -o test test.c

It can be compiled without libunistring as well (see notes, please):
1. comment out rows #7 and #8
2. uncomment #9
3. gcc-4.4 -lffi -o test test.c

What the code does:
1. creates a new ffi_type to emulate size_t;
2. allocates array of types of function arguments: (char *) and (size_t);
3. prepare CIF to call the size_t function with two arguments;
4. allocates array of pointers to two arguments: char *b and size_t a;
5. runs ffi_call and segfaults;


unable to reproduce on i386 unstable (without the library):

$ valgrind --track-origins=yes -q ./a.out
just before...
==13621== Conditional jump or move depends on uninitialised value(s)
==13621==    at 0x48DC040: strnlen (mc_replace_strmem.c:263)
==13621==    by 0x48FB54E: ffi_call_SYSV (in /usr/lib/libffi.so.5.0.10)
==13621==    by 0x48FB38D: ffi_call (in /usr/lib/libffi.so.5.0.10)
==13621==    by 0x80488FC: main (test.c:71)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
right after!
==13621== Use of uninitialised value of size 4
==13621==    at 0x49390FE: _itoa_word (_itoa.c:195)
==13621==    by 0x493C8EF: vfprintf (vfprintf.c:1613)
==13621==    by 0x4943FAF: printf (printf.c:35)
==13621==    by 0x804891F: main (test.c:80)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
==13621== Conditional jump or move depends on uninitialised value(s)
==13621==    at 0x4939106: _itoa_word (_itoa.c:195)
==13621==    by 0x493C8EF: vfprintf (vfprintf.c:1613)
==13621==    by 0x4943FAF: printf (printf.c:35)
==13621==    by 0x804891F: main (test.c:80)
==13621==  Uninitialised value was created by a heap allocation
==13621==    at 0x48DAF50: malloc (vg_replace_malloc.c:236)
==13621==    by 0x8048842: main (test.c:55)
==13621==
ret value: 0

Reply to:

Follow-Ups:
- Processed: Re: Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
  - From: Igor Bogomazov <bi@hl.ru>

References:
- Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
  - From: Ygrex <bi@hl.ru>

Prev by Date: Processed: bug 519006 is forwarded to http://gcc.gnu.org/bugzilla/show_bug.cgi?id=45387
Next by Date: Processed: Re: Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
Previous by thread: Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
Next by thread: Processed: Re: Bug#593558: libffi-dev: ffi_call segfault: read beyond the heap, allocated for return value
Index(es):
- Date
- Thread