Bug#548042: libc6-i386: Test program using iconv crashes on exit in __libc_freeres
Package: libc6-i386
Version: 2.7-18
Severity: normal
Compile the attached test program on lenny-amd64 with -m32 and run the
generated binary. It segfaults inside __libc_freeres:
#0 0xf7ec513f in free_derivation () from /lib32/libc.so.6
#1 0xf7e82cc0 in tdestroy () from /lib32/libc.so.6
#2 0xf7ec55a7 in free_mem () from /lib32/libc.so.6
#3 0xf7ec5c24 in __libc_freeres () from /lib32/libc.so.6
#4 0x08048472 in main ()
Removing the explicit call to __libc_freeres and running under
valgrind (which calls __libc_freeres itself) yields:
==16949== Invalid read of size 4
==16949== at 0x481D13F: free_derivation (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x47DACBF: tdestroy (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x481D5A6: free_mem (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x481DC23: __libc_freeres (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x46D9216: _vgnU_freeres (vg_preloaded.c:60)
==16949== by 0x472D274: exit (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x4715434: (below main) (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== Address 0xc is not stack'd, malloc'd or (recently) free'd
==16949==
==16949== Process terminating with default action of signal 11 (SIGSEGV)
==16949== Access not within mapped region at address 0xC
==16949== at 0x481D13F: free_derivation (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x47DACBF: tdestroy (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x481D5A6: free_mem (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x481DC23: __libc_freeres (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x46D9216: _vgnU_freeres (vg_preloaded.c:60)
==16949== by 0x472D274: exit (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== by 0x4715434: (below main) (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==
(among some other problems for which valgrind's suppressions don't
seem to be quite working.)
The problem seems to be forced by supplying an unknown encoding name
to iconv_open.
Compiling without -m32 or running the same binary inside a 32-bit
chroot makes the problem go away.
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-bpo.1-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libc6-i386 depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
libc6-i386 recommends no packages.
libc6-i386 suggests no packages.
ii valgrind 1:3.3.1-3 A memory debugger and profiler
-- no debconf information
#include <iconv.h>
extern void __libc_freeres(void);
int main()
{
iconv_t descriptor = iconv_open("UCS-4BE", "wibble");
if (descriptor != (iconv_t)-1)
iconv_close(descriptor);
__libc_freeres();
return 0;
}
Reply to: