
Bug#207545: malloc bug in the most recent libc6?



Package: libc6
Version: 2.3.2-3
Severity: important

I'm using Debian unstable, customized kernel 2.4.21-ac1, libc6 2.3.2-3.
The error occurs with Citrix ICAClient 6.30. It starts then stops with a
segmentation fault. The reason I think this is a fault in libc6 is that
a) it did not happen before 
b) if I run ICAClient with LD_PRELOAD=/usr/lib/libefence.so then the code runs
   without any problem. 
This leads me to believe that there is a problem with malloc in libc6.

I have appended more info below.

Thanks,
--Laci

LD_PRELOAD'ing /usr/lib/debug/libc.so.6 and running the code in gdb gives the
following backtrace:

(gdb) bt
#0  0x40071551 in _IO_seekpos_unlocked (fp=0x81f3fb0, pos=366, mode=3)
    at ioseekpos.c:46
#1  0x40077b46 in _IO_old_fsetpos (fp=0x81f3fb0, posp=0x0) at oldiofsetpos.c:42
#2  0x0808f2e1 in _start ()
#3  0x081f3fb0 in ?? ()
#4  0xbffff444 in ?? ()
#5  0x00000018 in ?? ()
#6  0x4012b09c in main_arena () from /usr/lib/debug/libc.so.6
#7  0x081f4020 in ?? ()
#8  0x081f4020 in ?? ()
#9  0xbffff5b4 in ?? ()
#10 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#11 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#12 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#13 0xbffff488 in ?? ()
#14 0x00000001 in ?? ()
#15 0x00000017 in ?? ()
#16 0x0000016e in ?? ()
#17 0x4b32575b in ?? ()
#18 0x72655320 in ?? ()
#19 0x20726576 in ?? ()
#20 0x34323031 in ?? ()
#21 0x38363778 in ?? ()
#22 0x4000005d in ?? ()
#23 0x4012b09c in main_arena () from /usr/lib/debug/libc.so.6
#24 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#25 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#26 0x081f4060 in ?? ()
#27 0x00000001 in ?? ()
#28 0x00000208 in ?? ()
#29 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#30 0x4012a5d0 in __DTOR_END__ () from /usr/lib/debug/libc.so.6
#31 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#32 0x4012b040 in __libc_tsd_MALLOC_data () from /usr/lib/debug/libc.so.6
#33 0xbffff4b8 in ?? ()
#34 0x4007ecbe in __libc_malloc (bytes=136265832) at malloc.c:3292
#35 0x0808f425 in _start ()
#36 0x081f4068 in ?? ()
#37 0xbffff5b4 in ?? ()
#38 0x00000200 in ?? ()
#39 0x40084ccb in *__GI___strcasecmp (
    s1=0xbffff5b4 "?\037\bApplicationServers", s2=0x81f4020 "")
    at ../sysdeps/generic/strcasecmp.c:55
#40 0x0808f537 in _start ()
#41 0xbffff5b4 in ?? ()
#42 0x081f4020 in ?? ()
#43 0x081ee778 in ?? ()
#44 0x401c281c in widgetClassRec () from /usr/X11R6/lib/libXt.so.6
#45 0xbffff8a0 in ?? ()
#46 0x00000001 in ?? ()
#47 0x0804f400 in ?? ()
#48 0x00000001 in ?? ()
#49 0x401c47b0 in ?? () from /usr/X11R6/lib/libXt.so.6
#50 0x081f3fb0 in ?? ()
#51 0x6c707041 in ?? ()
#52 0x74616369 in ?? ()
#53 0x536e6f69 in ?? ()
#54 0x65767265 in ?? ()
#55 0x00007372 in ?? ()
#56 0x2a2a0000 in ?? ()
#57 0x2a2a2a2a in ?? ()
#58 0x2a2a2a2a in ?? ()
#59 0x2a2a2a2a in ?? ()
#60 0x2a2a2a2a in ?? ()
#61 0x2a2a2a2a in ?? ()
#62 0x2a2a2a2a in ?? ()
#63 0x2a2a2a2a in ?? ()
#64 0x2a2a2a2a in ?? ()
#65 0x2a2a2a2a in ?? ()
#66 0x2a2a2a2a in ?? ()
#67 0x2a2a2a2a in ?? ()
#68 0x2a2a2a2a in ?? ()
#69 0x2a2a2a2a in ?? ()
#70 0x002a2a2a in ?? ()
#71 0x401dcc00 in ?? () from /usr/X11R6/lib/libX11.so.6
#72 0x03709994 in ?? ()
#73 0x401d9e3c in ?? () from /usr/X11R6/lib/libX11.so.6
#74 0xbffff688 in ?? ()
#75 0x40012f88 in ?? ()
#76 0x0000000a in ?? ()
#77 0x00000001 in ?? ()
(gdb) 

The value of *fp at the time of the crash is:

(gdb) p *fp
$2 = {_flags = -72539000, 
  _IO_read_ptr = 0x4029002c "WinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProtocol=UDP\nEncryptionLevelSession=Basic\nCompre"..., 
  _IO_read_end = 0x402901d7 "tCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProtocol=UDP\nEncryptionLevelSession=Basic\nCompress=On\nTransportReconnectDefault=True\nProxyType=None\nProxyUseDefault=Off\nAudioBandwi"..., 
  _IO_read_base = 0x40290000 "W2K Server 1024x768=\n\n[W2K Server 1024x768]\nWinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProt"..., 
  _IO_write_base = 0x40290000 "W2K Server 1024x768=\n\n[W2K Server 1024x768]\nWinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProt"..., 
  _IO_write_ptr = 0x40290000 "W2K Server 1024x768=\n\n[W2K Server 1024x768]\nWinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProt"..., 
  _IO_write_end = 0x40290000 "W2K Server 1024x768=\n\n[W2K Server 1024x768]\nWinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProt"..., 
  _IO_buf_base = 0x40290000 "W2K Server 1024x768=\n\n[W2K Server 1024x768]\nWinStationDriver=ICA 3.0\nTransportDriver=TCP/IP\nDisableCtrlAltDel=On\nDoNotUseDefaultCSL=On\nLocTcpBrowserAddress=ica.watson.ibm.com\nSSLEnable=Off\nBrowserProt"...,
  _IO_buf_end = 0x40291000 <Address 0x40291000 out of bounds>,
  _IO_save_base = 0x0, _IO_backup_base = 0x0, _IO_save_end = 0x0, 
  _markers = 0x0, _chain = 0x81a3570, _fileno = 10, _flags2 = 0, 
  _old_offset = 815, _cur_column = 0, _vtable_offset = -72 '', 
  _shortbuf = "", _lock = 0x81f4000, _offset = 72057590817911104, 
  _codecvt = 0x0, _wide_data = 0x0, _mode = 1, 
  _unused2 = "\000\000\000\000\000\000\000\000\000!\000\000\000\000\000\000\000@@\037\b \000\000\000h@\037\b\000\000\000\000\000\002\000\000\000)\000\000\000Appl"}
(gdb) 
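
Added example (not part of the original report): a Python triage helper that reads the unresolved `?? ()` frame addresses of a gdb backtrace as 32-bit little-endian words (i386 assumed) and reports runs that spell ASCII text, a sign that the unwinder is reading string data off the stack instead of return addresses. The sample is constructed from frames #17 to #22 and #51 to #56 above; `decode_word` and `ascii_runs` are hypothetical names.

```python
import re

# Constructed sample: frames #17-#22 and #51-#56 copied from the backtrace above.
SAMPLE_BT = """\
#17 0x4b32575b in ?? ()
#18 0x72655320 in ?? ()
#19 0x20726576 in ?? ()
#20 0x34323031 in ?? ()
#21 0x38363778 in ?? ()
#22 0x4000005d in ?? ()
#51 0x6c707041 in ?? ()
#52 0x74616369 in ?? ()
#53 0x536e6f69 in ?? ()
#54 0x65767265 in ?? ()
#55 0x00007372 in ?? ()
#56 0x2a2a0000 in ?? ()
"""
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]{8}) in \?\? \(\)", re.M)

def decode_word(addr):
    """Return (text, terminated) for a little-endian word, or None if not text."""
    text = ""
    for b in addr.to_bytes(4, "little"):
        if b == 0 and text:           # NUL after some text: string terminator
            return text, True
        if not 0x20 <= b < 0x7f:      # non-printable byte: not string data
            return None
        text += chr(b)
    return text, False

def ascii_runs(backtrace, min_len=6):
    """Return [(first_frame, last_frame, text)] for consecutive ASCII frames."""
    runs, cur = [], None              # cur = [first_frame, last_frame, text]
    def flush():
        nonlocal cur
        if cur and len(cur[2]) >= min_len:
            runs.append(tuple(cur))
        cur = None
    for m in FRAME_RE.finditer(backtrace):
        frame, word = int(m.group(1)), decode_word(int(m.group(2), 16))
        if word is None or (cur and frame != cur[1] + 1):
            flush()                   # gap in frame numbers or a non-text word
        if word is None:
            continue
        cur = [cur[0] if cur else frame, frame, (cur[2] if cur else "") + word[0]]
        if word[1]:                   # terminator seen: the string ends here
            flush()
    flush()
    return runs
```

On the sample, the two runs decode to `[W2K Server 1024x768]` and `ApplicationServers`, the same strings that appear in the `*fp` buffer contents and in the `strcasecmp` argument shown in the gdb output.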




