Bug#550625: libc6: Realloc sometimes fails to copy all memory correctly
On Sun, 11 Oct 2009, Peter Palfrader wrote:
> On Sun, 11 Oct 2009, Sebastian Hahn wrote:
>
> > I'm not sure why the test programs referenced don't trigger the bug on Lenny
> > for me, but when patching the Tor source to manually compare the last few bytes
> > of a buffer before it is realloc'ed to afterwards exhibits the issue.
>
> It triggers for me on an 8-way amd64 system. Not always immediately, but
> still:
>
> | weasel@thelma:~/glibc$ for i in `seq 1 20`; do time ./a.out; done
> | a.out: corruption.c:17: MyThread: Assertion `array[i] == i % 256' failed.
> | zsh: abort ./a.out
> | ./a.out 108.72s user 54.81s system 625% cpu 26.156 total
So, I rebuilt glibc on that box with the linked patch and that
corruption.c test seems to no longer fail assertions.
diff -u glibc-2.7/debian/changelog glibc-2.7/debian/changelog
--- glibc-2.7/debian/changelog
+++ glibc-2.7/debian/changelog
@@ -1,3 +1,10 @@
+glibc (2.7-18aaa.weasel.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add 486bdb886330a250af76cbb12af55d2c67ec0981.
+
+ -- Peter Palfrader <weasel@came.sbg.ac.at> Sun, 11 Oct 2009 19:50:05 +0200
+
glibc (2.7-18) unstable; urgency=low
* patches/localedata/mt_MT_euro.diff, patches/localedata/el_CY_euro.diff:
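Review bot: the new changelog entry (`+ * Add 486bdb886330a250af76cbb12af55d2c67ec0981.`) identifies the fix only by upstream commit hash and does not reference this bug; for a non-maintainer upload the entry should say what the patch fixes and close the report, e.g. `* Add 486bdb886330a250af76cbb12af55d2c67ec0981: public_rEALLOc copied SIZE_SZ bytes too few when moving a block to a new arena (Closes: #550625).` The version string `2.7-18aaa.weasel.2` reads as a local test build; an NMU would use the usual `2.7-18.1` form before this goes anywhere but the test box.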
diff -u glibc-2.7/debian/patches/series glibc-2.7/debian/patches/series
--- glibc-2.7/debian/patches/series
+++ glibc-2.7/debian/patches/series
@@ -233,0 +234,2 @@
+
+any/486bdb886330a250af76cbb12af55d2c67ec0981.diff -p1
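Review bot: the hunk adds an empty line (`+`) to debian/patches/series ahead of `+any/486bdb886330a250af76cbb12af55d2c67ec0981.diff -p1`; a stray blank line in the series file is noise at best, so drop it and keep only the patch entry. The `-p1` strip level matches the `a/malloc/malloc.c` / `b/malloc/malloc.c` paths in the new patch file, so that part is right.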
only in patch2:
unchanged:
--- glibc-2.7.orig/debian/patches/any/486bdb886330a250af76cbb12af55d2c67ec0981.diff
+++ glibc-2.7/debian/patches/any/486bdb886330a250af76cbb12af55d2c67ec0981.diff
@@ -0,0 +1,22 @@
+2008-11-02 Ulrich Drepper <drepper@redhat.com>
+
+ * malloc/malloc.c (public_rEALLOc): When new arena is used, copy
+ really all bytes. Patch by Denys Vlasenko <dvlasenk@redhat.com>.
+
+http://repo.or.cz/w/glibc.git?a=commitdiff_plain;h=486bdb886330a250af76cbb12af55d2c67ec0981
+
+Only the malloc/mallo.c hunk - the sunrpc/rpc_main.c is already included.
+
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index feca2cb..d6102a4 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3717,7 +3717,7 @@ public_rEALLOc(Void_t* oldmem, size_t bytes)
+ newp = public_mALLOc(bytes);
+ if (newp != NULL)
+ {
+- MALLOC_COPY (newp, oldmem, oldsize - 2 * SIZE_SZ);
++ MALLOC_COPY (newp, oldmem, oldsize - SIZE_SZ);
+ #if THREAD_STATS
+ if(!mutex_trylock(&ar_ptr->mutex))
+ ++(ar_ptr->stat_lock_direct);
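Review bot: the header comment `+Only the malloc/mallo.c hunk - the sunrpc/rpc_main.c is already included.` misspells malloc.c as `mallo.c`; fix it, since that line is what the next person reads to learn which part of the upstream commit was dropped. The change itself, `MALLOC_COPY (newp, oldmem, oldsize - SIZE_SZ)` replacing `oldsize - 2 * SIZE_SZ`, copies SIZE_SZ more bytes when realloc has to move the block to a different arena, which is consistent with the ChangeLog line "copy really all bytes" and with the report's corruption of the last few bytes after realloc; the inner hunk keeps its three trailing context lines (`#if THREAD_STATS` onward), so it is complete as pasted.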
[the interdiff also lists a couple of debian/control.in/* files]
--
Peter Palfrader | http://www.palfrader.org/
Debian GNU/Linux - The universal Operating System | http://www.debian.org/
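A tail-check wrapper in the spirit of the approach Sebastian describes above (snapshot the last bytes of a buffer before it is realloc'ed and compare them afterwards), written as an added example for this thread; it is not code from the bug report, from Tor or from glibc. `sized_realloc_fn`, `checked_realloc`, `stress_realloc` and the `TAIL_CHECK` size are assumptions of this example, and `short_copy_realloc` is a constructed stand-in for the pre-fix behaviour (one machine word too few copied when the block moves), not glibc's realloc. The fill pattern `i % 256` is the one corruption.c asserts on in the quoted run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of trailing bytes snapshotted around each realloc (assumed value). */
#define TAIL_CHECK 32

/* realloc-like call that is also told the old size, so a constructed
   broken implementation can be plugged in beside the real one. */
typedef void *(*sized_realloc_fn)(void *old, size_t old_size, size_t new_size);

/* Real libc realloc; the old size is not needed. */
static void *libc_realloc(void *old, size_t old_size, size_t new_size)
{
    (void)old_size;
    return realloc(old, new_size);
}

/* Constructed stand-in for the pre-fix behaviour described in the report:
   the block is moved but sizeof(size_t) bytes too few are copied, like
   'oldsize - 2 * SIZE_SZ' versus 'oldsize - SIZE_SZ'. The missing bytes are
   filled with a fixed marker here so the result is deterministic; in the real
   bug they hold whatever the new chunk happened to contain. Not glibc code. */
static void *short_copy_realloc(void *old, size_t old_size, size_t new_size)
{
    unsigned char *p = malloc(new_size);
    if (!p)
        return NULL;
    size_t keep = old_size < new_size ? old_size : new_size;
    size_t copied = keep > sizeof(size_t) ? keep - sizeof(size_t) : 0;
    memcpy(p, old, copied);
    memset(p + copied, 0xA5, keep - copied);
    free(old);
    return p;
}

/* Snapshot the tail of the region that must survive, realloc, compare.
   *ok is set to 1 if the tail survived, 0 otherwise (also 0 on failure). */
static void *checked_realloc(sized_realloc_fn impl, void *old, size_t old_size,
                             size_t new_size, int *ok)
{
    unsigned char tail[TAIL_CHECK];
    size_t keep = old_size < new_size ? old_size : new_size;
    size_t n = keep < TAIL_CHECK ? keep : TAIL_CHECK;

    memcpy(tail, (unsigned char *)old + keep - n, n);
    unsigned char *p = impl(old, old_size, new_size);
    if (!p) {
        *ok = 0;            /* old block is still valid per realloc semantics */
        return NULL;
    }
    *ok = memcmp(p + keep - n, tail, n) == 0;
    return p;
}

/* Fill a buffer with i % 256, grow it through `impl` for `rounds` rounds and
   verify after each step that the old contents survived. Returns 1 if every
   check passed, 0 if any corruption was detected, -1 on allocation failure. */
static int stress_realloc(sized_realloc_fn impl, size_t start, size_t grow, int rounds)
{
    size_t size = start;
    unsigned char *buf = malloc(size);
    if (!buf)
        return -1;
    for (size_t i = 0; i < size; i++)
        buf[i] = (unsigned char)(i % 256);

    int all_ok = 1;
    for (int r = 0; r < rounds; r++) {
        int ok;
        size_t new_size = size + grow;
        unsigned char *p = checked_realloc(impl, buf, size, new_size, &ok);
        if (!p) {
            free(buf);
            return -1;
        }
        buf = p;
        if (!ok)
            all_ok = 0;
        /* Full scan of the old region as well, the same check corruption.c makes. */
        for (size_t i = 0; i < size; i++) {
            if (buf[i] != (unsigned char)(i % 256)) {
                all_ok = 0;
                break;
            }
        }
        for (size_t i = size; i < new_size; i++)
            buf[i] = (unsigned char)(i % 256);
        size = new_size;
    }
    free(buf);
    return all_ok;
}

int main(void)
{
    printf("libc realloc:       %s\n",
           stress_realloc(libc_realloc, 4096, 1024, 8) == 1 ? "ok" : "CORRUPTION");
    printf("short-copy realloc: %s\n",
           stress_realloc(short_copy_realloc, 4096, 1024, 8) == 1 ? "ok" : "CORRUPTION");
    return 0;
}
```

The wrapper only snapshots the tail because that is the cheap check that fits inside a hot path like Tor's; the full-region scan in `stress_realloc` is the slower, more thorough form. Either one turns silent truncation of the copy into an immediate, reproducible failure instead of corruption noticed much later.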