
Bug#567116: marked as done (reproducable segfault in printf / vfprintf)



Your message dated Wed, 27 Jan 2010 14:38:15 +0100
with message-id <20100127133815.GA21302@hall.aurel32.net>
and subject line Re: Bug#567116: reproducable segfault in printf / vfprintf
has caused the Debian Bug report #567116,
regarding reproducable segfault in printf / vfprintf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
567116: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567116
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Subject: libc6: reproducable segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a minimal program that produces that error. The following code produces this segfault. Changing the last %5$s to %1$s, or removing one part, makes the segfault disappear.

---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
       ,"",1, "", "", "");

   return 0;
}
---------------------------------------------------------------------------------

compiled with gcc -g test.c (gcc-4.3.4-6)
---------------------------------------------------------------------------------
ldd a.out
       linux-vdso.so.1 =>  (0x00007fffccd3d000)
       libc.so.6 => /lib/libc.so.6 (0x00007f216fcfc000)
       /lib64/ld-linux-x86-64.so.2 (0x00007f217006c000)
---------------------------------------------------------------------------------

the check with valgrind :

---------------------------------------------------------------------------------
==3488== Conditional jump or move depends on uninitialised value(s)
==3488==    at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488==    at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Uninitialised value was created by a stack allocation
==3488==    at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
==3488==  Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488==  Access not within mapped region at address 0x7EEFF9C20
==3488==    at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488==    by 0x4E72599: printf (printf.c:35)
==3488==    by 0x400524: main (test.c:89)
---------------------------------------------------------------------------------

I have verified that failure on various machines (clean squeeze debootstrap chroot).


-- System Information:
Debian Release: 5.0.3
 APT prefers testing
 APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libc-bin                      2.10.2-2   GNU C Library: Binaries
ii  libgcc1                       1:4.4.2-9  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]         1.5.24     Debian configuration management sy
pn  glibc-doc                     <none>     (no description available)
ii  locales                       2.10.2-2   GNU C Library: National Language (

-- debconf information:
* glibc/upgrade: true
 glibc/disable-screensaver:
 glibc/restart-failed:
* glibc/restart-services: rsync cups cron



--- End Message ---
--- Begin Message ---
On Wed, Jan 27, 2010 at 01:28:42PM +0100, Manfred Benesch wrote:
> Subject: libc6: reproducable segfault in printf / vfprintf
> Package: libc6
> Version: 2.10.2-2
> Justification: breaks the whole system
> Severity: critical
>
> After finding a segfault problem in libc6 I have tried to construct a
> minimal program that produces that error.
> The following code produces this segfault. Changing the last %5$s to
> %1$s, or removing one part, makes the segfault disappear.
>
> ---------------------------------------------------------------------------------
> #include <stdlib.h>
> #include <stdio.h>
> int main(int argc, char **argv)
> {
>     
> printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
>        ,"",1, "", "", "");
>
>    return 0;
> }
> ---------------------------------------------------------------------------------
>
> compiled with gcc -g test.c (gcc-4.3.4-6)

You forgot to compile with -Wall. That will show you the problem is in
your code:

| test.c: In function ‘main’:
| test.c:7: warning: format argument 2 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 3 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 4 unused before used argument 5 in $-style format

And quoting the standard:

| The format can contain either numbered argument conversion
| specifications (that is, "%n$" and "*m$"), or unnumbered argument
| conversion specifications (that is, % and * ), but not both. The only
| exception to this is that %% can be mixed with the "%n$" form. The
| results of mixing numbered and unnumbered argument specifications in a
| format string are undefined. When numbered argument specifications are
| used, specifying the Nth argument requires that all the leading
| arguments, from the first to the (N-1)th, are specified in the format
| string.

Closing the bug.

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net


--- End Message ---
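The rule quoted in the reply, that a format may use either numbered ("%n$") or unnumbered conversions but not both, and that using argument N requires arguments 1..N-1 to be used too, can be checked mechanically before a format reaches vfprintf. The C block below is an added example, not code from the bug report, from glibc or from gcc: check_positional_format() walks a format string the way gcc's -Wformat does for the "$-style" warning above and reports the lowest unused argument number (2 for the reporter's format), and format_item_count() shows the legitimate use of numbered arguments, reordering the same values as a translated message might, with every argument from 1 to N referenced. The function names, the MAX_ARGS cap and the sample formats are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 64   /* constructed cap for this checker; the real NL_ARGMAX may differ */

/* If an argument number followed by '$' starts at *pp (as in "%2$d" or "*1$"),
   record it, advance *pp past the '$' and return 1; otherwise return 0. */
static int take_arg_number(const char **pp, unsigned char used[], int *max_pos) {
    const char *q = *pp;
    int n = 0;
    while (isdigit((unsigned char)*q)) { n = n * 10 + (*q - '0'); q++; }
    if (q == *pp || *q != '$' || n < 1 || n > MAX_ARGS) return 0;
    used[n - 1] = 1;
    if (n > *max_pos) *max_pos = n;
    *pp = q + 1;
    return 1;
}

/* Check a printf-style format against the rule quoted in the bug reply.
   Returns 0 when the format is fine, -1 when numbered and unnumbered
   conversions are mixed, and otherwise the lowest argument number that is
   skipped (the same number gcc names in "format argument N unused"). */
int check_positional_format(const char *fmt) {
    unsigned char used[MAX_ARGS] = {0};
    int max_pos = 0, numbered = 0, unnumbered = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }          /* "%%" is a literal percent, allowed in both styles */
        if (take_arg_number(&p, used, &max_pos)) numbered = 1; else unnumbered = 1;
        /* walk flags, width, precision and length modifiers up to the conversion character */
        while (*p && !isalpha((unsigned char)*p)) {
            if (*p == '*') {                       /* "*m$" pulls a width or precision from argument m */
                p++;
                if (take_arg_number(&p, used, &max_pos)) numbered = 1; else unnumbered = 1;
                continue;
            }
            p++;
        }
        if (*p) p++;                               /* step over the conversion character itself */
    }
    if (numbered && unnumbered) return -1;
    for (int i = 0; i < max_pos; i++)
        if (!used[i]) return i + 1;                /* first gap in 1..max_pos */
    return 0;
}

/* Correct use of numbered arguments: the same two values rendered in either
   order, as a translation may require. Both formats use arguments 1 and 2,
   so neither violates the rule. Returns what snprintf returns. */
int format_item_count(char *out, size_t out_len, const char *name, int count, int name_first) {
    const char *fmt = name_first ? "%1$s: %2$d items" : "%2$d items for %1$s";
    return snprintf(out, out_len, fmt, name, count);
}

int main(void) {
    /* constructed short variant of the reporter's format: argument 5 used, 2..4 skipped */
    const char *bad = "%1$s%1$s%1$s%1$s%1$s%5$s";
    char buf[64];
    printf("check(bad) = %d\n", check_positional_format(bad));           /* 2 */
    printf("check(reordered) = %d\n", check_positional_format("%2$d items for %1$s")); /* 0 */
    printf("check(mixed) = %d\n", check_positional_format("%1$s %d"));   /* -1 */
    format_item_count(buf, sizeof buf, "alice", 3, 0);
    puts(buf);                                                           /* 3 items for alice */
    return 0;
}
```

A check like this is the kind of thing to run over format strings loaded from message catalogues or configuration at start-up, where -Wall cannot see them; a non-zero result means the format would hand vfprintf an argument list it was never given, which is exactly the uninitialised-stack read valgrind reported above.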
