Package: libc6.1
Version: 2.9-6
Severity: important
This is another one from the clamav test suite, but this time the bug is easily
reproducible in isolation (therefore important, severity might be upgraded as
well as it breaks unrelated software).
The following simple snippet causes a segfault when run with electric-fence
preloaded:
#include <string.h>
int main() {
char * bla;
bla = strdup("aBaaaaaaaaaaax");
return 0!=strstr(bla, "B1x");
}
The string is somewhat special, it seems the following aspects must hold to
crash strstr (or actually memchr when called from within strstr):
- The char* must be allocated on the heap.
- The number of characters between the B and the final x must not be smaller
than shown here.
- There must be a chance of a match (that is, the string must contain a the
initial character of the string to be found).
Reproducing that is simple:
(sid)mt@albeniz:~/clamav-0.95+dfsg/unit_tests$ cat test.c
#include <string.h>
int main() {
char * bla;
bla = strdup("aBaaaaaaaaaaax");
return 0!=strstr(bla, "B1x");
}
(sid)mt@albeniz:~/clamav-0.95+dfsg/unit_tests$ gcc test.c ; LD_PRELOAD=/usr/lib/libefence.so ./a.out
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
Segmentation fault
And gdb says:
(gdb) where
#0 0x00000200000d9470 in memchr () from /lib/libc.so.6.1
#1 0x00000200000d90c4 in *__GI_strstr (haystack_start=<value optimized out>, needle_start=<value optimized out>) at str-two-way.h:269
#2 0x00000001200005fc in main ()
There is one problem left: I'm not sure whether this is really libc's memchr or
a gcc builtin (in which case this might be a gcc bug).
Best,
Michael
Attachment:
pgpUQ3dX9YlSz.pgp
Description: PGP signature