
Bug#159633: marked as done (strncpy on alpha/libc broken)



Your message dated 04 Nov 2002 01:43:50 +0100
with message-id <874raytb95.fsf@student.uni-tuebingen.de>
and subject line strncpy on alpha/libc broken
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Sep 2002 18:29:19 +0000
>From doogie@brainfood.com Wed Sep 04 13:29:19 2002
Return-path: <doogie@brainfood.com>
Received: from boof.brainfood.com (gradall.private.brainfood.com) [65.125.64.189] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17metz-0003gn-00; Wed, 04 Sep 2002 13:29:19 -0500
Received: from localhost ([127.0.0.1])
	by gradall.private.brainfood.com with esmtp (Exim 3.35 #1 (Debian))
	id 17mexr-00074I-00
	for <submit@bugs.debian.org>; Wed, 04 Sep 2002 13:33:19 -0500
Date: Wed, 4 Sep 2002 13:33:18 -0500 (CDT)
From: Adam Heath <doogie@debian.org>
X-X-Sender:  <adam@gradall.private.brainfood.com>
To:  <submit@bugs.debian.org>
Subject: strncpy on alpha/libc broken
Message-ID: <Pine.LNX.4.33.0209041250060.6356-100000@gradall.private.brainfood.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: submit@bugs.debian.org

package: libc6.1
version: 2.2.5-11.1
severity: serious

On lully, I have a repeatable segfault being caused by strncpy (which calls
__stxncpy).

dpkg calls strncpy to copy data from its mmap'd buffer, into a tmp var, for
moving around.  mmap on alpha aligns the end of the data segment with a page
boundary.  Depending on the alignment of the source address passed to strncpy,
a segfault will occur inside the above function.

My guess is this is due to an optimization, trying to copy ints/words around,
instead of pure bytes.

Substituting memcpy or a for loop, allows the dpkg code to work.  This shows
that the addresses and the length are both valid, and don't step into unknown
memory.

I have dpkg compiled on lully, and it doesn't require root to see the
bug (--admindir is enough).  If you need help reproducing this, then just
respond.

In fact, here's a c program that shows the bug.  Compile with CFLAGS=-g (of
course).

==
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>

#define LENGTH 12
#define TRAILING 2
int main(int argc, char **argv) {
        int i, fd, pagesize;
        char *data, *buf;
        pagesize = getpagesize();
        fd = open( "/dev/zero", O_RDONLY );
        if ( fd == -1 ) {
                perror( "open" );
                exit( 1 );
        }
        data = mmap( NULL, pagesize, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0 );
        if ( data == MAP_FAILED ) {
                perror( "mmap" );
                exit( 1 );
        }
        buf = (char *)malloc( LENGTH );
        if ( buf == NULL ) {
                perror( "malloc" );
                exit( 1 );
        }
        for ( i = 0; i < pagesize; i++ )
                data[ i ] = i % 256;
        for ( i = 0; i < pagesize - LENGTH - TRAILING; i++ )
                memcpy( buf, data + i, LENGTH );
        for ( i = 0; i < pagesize - LENGTH - TRAILING; i++ )
                strncpy( buf, data + i, LENGTH );
        return 0;
}
==

The memcpy loop completes as expected.  The strncpy loop segfaults.  Here's
the gdb session info:

==
..
Program terminated with signal 11, Segmentation fault.
..
(gdb) bt
#0  0x200000e21e0 in __stxncpy () from /lib/libc.so.6.1
#1  0x120000a78 in main (argc=1, argv=0x11ffffc88) at bug.c:36
(gdb) f 1
#1  0x120000a78 in main (argc=1, argv=0x11ffffc88) at bug.c:36
36                      strncpy( buf, data + i, LENGTH );
(gdb) p i
$1 = 8177
==
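The property Adam's reproducer depends on is that a bounded copy must never read beyond the n bytes it was given: on alpha the mmap'd data ends exactly at a page boundary and the next page is unmapped, so a word-at-a-time implementation that peeks past the end faults. The program below is an added example, not part of the bug report or of glibc. It replays the report's loop with a byte-wise copy (the for-loop workaround mentioned above) against a PROT_NONE guard page, so that any over-read on the final offsets would fault instead of passing silently. The names `bytewise_strncpy`, `map_with_guard_page`, `copy_up_to_page_end` and `strncpy_contract_holds` are chosen here, and the page contents are constructed input.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Byte-wise bounded copy with strncpy semantics: copy at most n bytes, stop
 * at the first NUL, pad the rest of dst with NULs. It only ever touches
 * src[0..n-1], which is exactly the property a word-at-a-time copy can lack. */
char *bytewise_strncpy(char *dst, const char *src, size_t n)
{
    size_t i = 0;
    for (; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    for (; i < n; i++)
        dst[i] = '\0';
    return dst;
}

/* Map one readable page followed by one PROT_NONE guard page, so that any
 * read past the end of the data page faults instead of silently succeeding.
 * Returns the start of the two-page region, or NULL on failure. */
static char *map_with_guard_page(size_t pagesize)
{
    char *region = mmap(NULL, 2 * pagesize, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return NULL;
    if (mprotect(region + pagesize, pagesize, PROT_NONE) != 0) {
        munmap(region, 2 * pagesize);
        return NULL;
    }
    return region;
}

/* Replay the report's loop against the guard page: copy len bytes from every
 * offset of the data page, the last copy ending flush against the guard page.
 * The page is filled with non-NUL bytes (constructed input), so the copy has
 * to read exactly len bytes each time. Returns the number of copies whose
 * result matched the source, or -1 if setup failed. */
long copy_up_to_page_end(size_t len)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 0 || len > pagesize)
        return -1;
    char *data = map_with_guard_page(pagesize);
    if (data == NULL)
        return -1;
    for (size_t i = 0; i < pagesize; i++)
        data[i] = (char)(1 + i % 255);   /* never 0: no early NUL stop */
    char *buf = malloc(len);
    if (buf == NULL) {
        munmap(data, 2 * pagesize);
        return -1;
    }
    long matched = 0;
    for (size_t off = 0; off + len <= pagesize; off++) {
        bytewise_strncpy(buf, data + off, len);
        if (memcmp(buf, data + off, len) == 0)
            matched++;
    }
    free(buf);
    munmap(data, 2 * pagesize);
    return matched;
}

/* Check the strncpy contract the byte-wise copy must keep: truncation without
 * a terminator when the source is too long, NUL padding when it is short.
 * Returns 1 if both hold, 0 otherwise. */
int strncpy_contract_holds(void)
{
    char out[8];
    memset(out, 'x', sizeof out);
    bytewise_strncpy(out, "abcdefghij", 8);        /* too long: no NUL written */
    if (memcmp(out, "abcdefgh", 8) != 0)
        return 0;
    bytewise_strncpy(out, "ab", 8);                /* short: padded with NULs */
    if (out[0] != 'a' || out[1] != 'b' || out[2] != '\0' || out[7] != '\0')
        return 0;
    return 1;
}

int main(void)
{
    long pagesize = sysconf(_SC_PAGESIZE);
    long expected = pagesize - 12 + 1;             /* one copy per valid offset */
    long n = copy_up_to_page_end(12);
    int ok = strncpy_contract_holds();
    printf("%ld of %ld copies matched, contract %s\n", n, expected,
           ok ? "ok" : "broken");
    return (n == expected && ok) ? 0 : 1;
}
```

The same harness is how one would regression-test a library strncpy on a new port: swap `bytewise_strncpy` for the implementation under test, and an over-read shows up as a SIGSEGV on the last few offsets rather than going unnoticed until some caller happens to place its data at the end of a mapping.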



---------------------------------------
Received: (at 159633-done) by bugs.debian.org; 4 Nov 2002 00:43:57 +0000
>From falk.hueffner@student.uni-tuebingen.de Sun Nov 03 18:43:57 2002
Return-path: <falk.hueffner@student.uni-tuebingen.de>
Received: from mailout03.sul.t-online.com [194.25.134.81] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 188VLQ-0005Mb-00; Sun, 03 Nov 2002 18:43:56 -0600
Received: from fwd00.sul.t-online.de 
	by mailout03.sul.t-online.com with smtp 
	id 188VLP-0005WC-00; Mon, 04 Nov 2002 01:43:55 +0100
Received: from juist (520046482682-0001@[217.230.27.63]) by fmrl00.sul.t-online.com
	with esmtp id 188VLP-059WpUC; Mon, 4 Nov 2002 01:43:55 +0100
Received: from falk by juist with local (Exim 3.36 #1 (Debian))
	id 188VLL-0006Iv-00
	for <159633-done@bugs.debian.org>; Mon, 04 Nov 2002 01:43:51 +0100
X-Face: "iUeUu$b*W_"w?tV83Y3*r:`rh&dRv}$YnZ3,LVeCZSYVuf[Gpo*5%_=/\_!gc_,SS}[~xZ
 wY77I-M)xHIx:2f56g%/`SOw"Dx%4Xq0&f\Tj~>|QR|vGlU}TBYhiG(K:2<T^
To: 159633-done@bugs.debian.org
Subject: strncpy on alpha/libc broken
From: Falk Hueffner <falk.hueffner@student.uni-tuebingen.de>
Date: 04 Nov 2002 01:43:50 +0100
Message-ID: <874raytb95.fsf@student.uni-tuebingen.de>
Lines: 4
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.5 (broccoli)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Sender: 520046482682-0001@t-dialin.net
Delivered-To: 159633-done@bugs.debian.org
X-Spam-Status: No, hits=-3.1 required=5.0
	tests=SIGNATURE_SHORT_DENSE,SPAM_PHRASE_00_01,USER_AGENT
	version=2.41
X-Spam-Level: 

This is fixed properly in glibc 2.3.

-- 
	Falk


