
Bug#567116: reproducible segfault in printf / vfprintf


Subject: libc6: reproducible segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6, I tried to construct a minimal program that produces the error. The following code produces this segfault. Changing the last %5$s to %1$s, or removing one part, makes the segfault disappear.

---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    /* positional format: %1$s repeated, then %5$s; positions 2, 3 and 4 are never used */
    printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s",
           "", 1, "", "", "");

    return 0;
}
---------------------------------------------------------------------------------

Compiled with gcc -g test.c (gcc-4.3.4-6).
---------------------------------------------------------------------------------
ldd a.out
       linux-vdso.so.1 =>  (0x00007fffccd3d000)
       libc.so.6 => /lib/libc.so.6 (0x00007f216fcfc000)
       /lib64/ld-linux-x86-64.so.2 (0x00007f217006c000)
---------------------------------------------------------------------------------

The check with valgrind:

---------------------------------------------------------------------------------
==3488== Conditional jump or move depends on uninitialised value(s)
==3488==    at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488==    at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488==  Access not within mapped region at address 0x7EEFF9C20
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
---------------------------------------------------------------------------------

I have verified this failure on various machines - clean squeeze debootstrap chroot.


-- System Information:
Debian Release: 5.0.3
 APT prefers testing
 APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin                      2.10.2-2   GNU C Library: Binaries
ii  libgcc1                       1:4.4.2-9  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
pn  glibc-doc                     <none>     (no description available)
ii  locales                       2.10.2-2   GNU C Library: National Language (

-- debconf information:
* glibc/upgrade: true
 glibc/disable-screensaver:
 glibc/restart-failed:
* glibc/restart-services: rsync cups cron
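Editor's note and added example (not part of the reporter's message, and not glibc code): whatever glibc does on this input, the reproducer's format string is itself outside the contract of printf. POSIX and the glibc manual require that when numbered conversions ("%n$") are used, every position from 1 up to the highest one referenced must appear at least once, and that numbered and unnumbered conversions are not mixed. The reporter's format references only positions 1 and 5, so vfprintf is never told what type the arguments in positions 2, 3 and 4 have; the valgrind trace above, with an uninitialised value created by a stack allocation inside vfprintf, is consistent with those argument slots never being filled in (an interpretation, not something the report states). The checker below, written for this note, implements that contiguity rule over a format string so that such a format can be rejected before it reaches printf; the function name `check_positional_format`, the `MAX_POSITIONS` limit and `reporter_style_fmt` (a constructed string with the reporter's shape: repeated %1$s followed by %5$s) are all assumptions of the example. It does not track positional width or precision arguments such as "%2$*1$d".

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Highest positional index this checker tracks; a constructed limit for the example. */
#define MAX_POSITIONS 64

/*
 * Check the POSIX rule for numbered conversions: once any conversion uses
 * "%n$", every position from 1 up to the highest n must be consumed at least
 * once, and numbered and unnumbered conversions must not be mixed. A format
 * that skips a position (e.g. "%1$s%5$s" never uses 2, 3 or 4) never tells
 * vfprintf the type of the skipped arguments, so the call is undefined.
 *
 * Return value: the highest position used if the format is well-formed,
 * 0 if no positional conversions appear, -1 if numbered and unnumbered
 * conversions are mixed, -2 if some position in 1..max is never used
 * (the first such position is stored in *first_gap when non-NULL), and
 * -3 if a position is outside 1..MAX_POSITIONS.
 */
int check_positional_format(const char *fmt, int *first_gap)
{
    unsigned char used[MAX_POSITIONS + 1] = {0};
    int max_pos = 0, saw_positional = 0, saw_plain = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;
        if (*p == '%')              /* "%%" consumes no argument */
            continue;

        /* Digits directly followed by '$' name a position; digits followed by
           anything else are a plain field width such as "%5d". */
        const char *q = p;
        int n = 0;
        while (isdigit((unsigned char)*q))
            n = n * 10 + (*q++ - '0');
        if (q != p && *q == '$') {
            saw_positional = 1;
            if (n < 1 || n > MAX_POSITIONS)
                return -3;
            used[n] = 1;
            if (n > max_pos)
                max_pos = n;
            p = q;
        } else {
            saw_plain = 1;
        }
        /* Skip flags, width, precision and length modifiers up to the conversion letter. */
        while (*p && !isalpha((unsigned char)*p) && *p != '%')
            p++;
        if (*p == '\0')
            break;
    }

    if (saw_positional && saw_plain)
        return -1;
    if (!saw_positional)
        return 0;
    for (int i = 1; i <= max_pos; i++) {
        if (!used[i]) {
            if (first_gap)
                *first_gap = i;
            return -2;
        }
    }
    return max_pos;
}

/* Convenience wrapper: the first skipped position, or 0 if there is none. */
int first_missing_position(const char *fmt)
{
    int gap = 0;
    return check_positional_format(fmt, &gap) == -2 ? gap : 0;
}

/* Constructed format with the same shape as the reporter's: repeated %1$s, then %5$s. */
static const char reporter_style_fmt[] =
    "%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s"
    "%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s"
    "%1$s%5$s";

int main(void)
{
    const char *samples[] = {
        reporter_style_fmt,            /* skips positions 2-4: -2 */
        "%1$s%2$s%3$s%4$s%5$s",        /* contiguous: 5 */
        "%2$s %1$s",                   /* reordered but contiguous: 2 */
        "%s %5d %%",                   /* unnumbered only: 0 */
        "%1$s %d",                     /* mixed styles: -1 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int gap = 0;
        int rc = check_positional_format(samples[i], &gap);
        printf("%-28s -> %d", samples[i], rc);
        if (rc == -2)
            printf(" (position %d never used)", gap);
        putchar('\n');
    }
    return 0;
}
```

For the reporter's own program, gcc's format checking (-Wformat, enabled by -Wall) also diagnoses the skipped positions at compile time, which is the cheapest place to catch this class of mistake; the runtime check above is for formats that arrive as data (message catalogues, translations) rather than as literals.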
