Bug#548042: libc6-i386: Test program using iconv crashes on exit in __libc_freeres

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#548042: libc6-i386: Test program using iconv crashes on exit in __libc_freeres
From: Mike Crowe <mac@mcrowe.com>
Date: Wed, 23 Sep 2009 13:20:28 +0100
Message-id: <[🔎] 20090923122028.16833.65971.reportbug@lander.roku>
Reply-to: Mike Crowe <mac@mcrowe.com>, 548042@bugs.debian.org

Package: libc6-i386
Version: 2.7-18
Severity: normal


Compile the attached test program on lenny-amd64 with -m32 and run the
generated binary. It segfaults inside __libc_freeres:

#0  0xf7ec513f in free_derivation () from /lib32/libc.so.6
#1  0xf7e82cc0 in tdestroy () from /lib32/libc.so.6
#2  0xf7ec55a7 in free_mem () from /lib32/libc.so.6
#3  0xf7ec5c24 in __libc_freeres () from /lib32/libc.so.6
#4  0x08048472 in main ()

Removing the explicit call to __libc_freeres and running under
valgrind (which calls __libc_freeres itself) yields:

==16949== Invalid read of size 4
==16949==    at 0x481D13F: free_derivation (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x47DACBF: tdestroy (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x481D5A6: free_mem (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x481DC23: __libc_freeres (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x46D9216: _vgnU_freeres (vg_preloaded.c:60)
==16949==    by 0x472D274: exit (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x4715434: (below main) (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==16949== 
==16949== Process terminating with default action of signal 11 (SIGSEGV)
==16949==  Access not within mapped region at address 0xC
==16949==    at 0x481D13F: free_derivation (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x47DACBF: tdestroy (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x481D5A6: free_mem (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x481DC23: __libc_freeres (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x46D9216: _vgnU_freeres (vg_preloaded.c:60)
==16949==    by 0x472D274: exit (in /emul/ia32-linux/lib/libc-2.7.so)
==16949==    by 0x4715434: (below main) (in /emul/ia32-linux/lib/libc-2.7.so)
==16949== 

(among some other problems for which valgrind's suppressions don't
seem to be quite working.)

The problem seems to be forced by supplying an unknown encoding name
to iconv_open.

Compiling without -m32 or running the same binary inside a 32-bit
chroot makes the problem go away.


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-bpo.1-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6-i386 depends on:
ii  libc6                         2.7-18     GNU C Library: Shared libraries

libc6-i386 recommends no packages.

libc6-i386 suggests no packages.

ii  valgrind                      1:3.3.1-3 A memory debugger and profiler

-- no debconf information

#include <iconv.h>
extern void __libc_freeres(void);

int main()
{
    iconv_t descriptor = iconv_open("UCS-4BE", "wibble");
    if (descriptor != (iconv_t)-1)
	iconv_close(descriptor);

    __libc_freeres();

    return 0;
}

Reply to:

Prev by Date: Arm Cross compiling problem
Next by Date: Processed: retitle 474479 to thousands_sep null in pt_BR locale
Previous by thread: Arm Cross compiling problem
Next by thread: Processed: retitle 474479 to thousands_sep null in pt_BR locale
Index(es):
- Date
- Thread