
Bug#457337: libc6: mremap() returns invalid address



Package: libc6
Version: 2.7-4
Severity: normal

Here's a gdb transcript of a part of dlmalloc that is called from some
of my code. Observe how cp, the address returned by mremap, is invalid,
and the code segfaults on the first access to that pointer.

8< ----------------------------------------------------------------------------
Breakpoint 1, mmap_resize (m=0x2b6a5b236010, oldp=0x2b6a5bdb4000,
nb=406784) at src/gklib/dlmalloc.c:2358
2358        if (cp != CMFAIL) {
(gdb) l
2353        size_t offset = oldp->prev_foot & ~IS_MMAPPED_BIT;
2354        size_t oldmmsize = oldsize + offset + MMAP_FOOT_PAD;
2355        size_t newmmsize = mmap_align(nb + SIX_SIZE_T_SIZES + CHUNK_ALIGN_MASK);
2356        char* cp = (char*)CALL_MREMAP((char*)oldp - offset,
2357                                      oldmmsize, newmmsize, 1);
2358        if (cp != CMFAIL) {
2359          mchunkptr newp = (mchunkptr)(cp + offset);
2360          size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
2361          newp->head = (psize|CINUSE_BIT);
2362          mark_inuse_foot(m, newp, psize);
(gdb) p cp
$3 = 0x5bdb4000 <Address 0x5bdb4000 out of bounds>
(gdb) n
2359          mchunkptr newp = (mchunkptr)(cp + offset);
(gdb) 
2360          size_t psize = newmmsize - offset - MMAP_FOOT_PAD;
(gdb) 
2361          newp->head = (psize|CINUSE_BIT);
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0x00002b6a5a88849d in mmap_resize (m=0x2b6a5b236010,
oldp=0x2b6a5bdb4000, nb=406784) at src/gklib/dlmalloc.c:2361
2361          newp->head = (psize|CINUSE_BIT);
(gdb) p oldp
$4 = (mchunkptr) 0x2b6a5bdb4000
(gdb) p offset
$5 = 0
(gdb) 
8< ----------------------------------------------------------------------------

If you were wondering, CALL_MREMAP is just
8< ----------------------------------------------------------------------------
#define CALL_MREMAP(addr, osz, nsz, mv) ((void)(addr),(void)(osz), \
                                         (void)(nsz), (void)(mv),MFAIL)
8< ----------------------------------------------------------------------------
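An added diagnostic, not part of the report and not dlmalloc's own code: classify the address mremap() hands back before the allocator dereferences it. In the transcript above cp is 0x5bdb4000 while oldp (offset is 0) is 0x2b6a5bdb4000, so the returned value is exactly the low 32 bits of the address that was passed in; the check below flags that pattern, which is what a 64-bit pointer looks like after travelling through a 32-bit int, alongside the documented MAP_FAILED value and page misalignment. The function and enum names and the 4 KiB page size are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>   /* MAP_FAILED */

/* Diagnostic classification of a value returned by mremap(). */
enum remap_verdict {
    REMAP_OK,             /* plausible address of a new mapping          */
    REMAP_FAILED,         /* the documented failure value, (void *)-1    */
    REMAP_TRUNCATED_32,   /* equals the low 32 bits of the old address   */
    REMAP_MISALIGNED      /* not page aligned, so it cannot be a mapping */
};

/* oldaddr: address passed to mremap (oldp - offset in mmap_resize),
 * ret:     value it returned, pagesize: system page size. */
static enum remap_verdict check_remap_result(uintptr_t oldaddr, uintptr_t ret,
                                             size_t pagesize)
{
    if (ret == (uintptr_t)MAP_FAILED)
        return REMAP_FAILED;
    /* A 64-bit pointer that passed through a 32-bit integer (for example an
     * implicitly declared function returning int) keeps only its low 32 bits. */
    if (oldaddr > UINT32_MAX && ret == (oldaddr & 0xffffffffu))
        return REMAP_TRUNCATED_32;
    if (ret & (pagesize - 1))
        return REMAP_MISALIGNED;
    return REMAP_OK;
}

int main(void)
{
    /* Constructed from the values shown in the gdb transcript. */
    uintptr_t oldp = 0x2b6a5bdb4000ULL;
    uintptr_t cp   = 0x5bdb4000ULL;
    static const char *names[] = { "ok", "MAP_FAILED", "truncated to 32 bits",
                                   "misaligned" };
    printf("mremap(%#lx) -> %#lx: %s\n", (unsigned long)oldp,
           (unsigned long)cp, names[check_remap_result(oldp, cp, 4096)]);
    return 0;
}
```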

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.2.2-4  GCC support library

libc6 recommends no packages.

-- debconf information:
  glibc/restart-failed:
  glibc/restart-services: