
Bug#567116: closed by Aurelien Jarno <aurelien@aurel32.net> (Re: Bug#567116: reproducable segfault in printf / vfprintf)



Of course,

you're right - compiling without -Wall -W was a mistake when reducing the real code to that minimal example. But correcting the sample code in the following way, so that the argument order is correct, doesn't help:

---------------------------------------------------------------------------------

#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{ printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%2$i%3$s%4$s%5$s"
,"",1, "", "", "");
return 0;
}

---------------------------------------------------------------------------------
compile with: gcc -Wall -W -g -Os test.c - no warnings except unused argc/argv
tried with gcc-4.3 and gcc-4.4 - nothing helps
it doesn't matter where the references for arguments 2-5 are, even if the order is 1,2,3,4,5
changing all parameters to strings - same result
only removing at least one element works - why?
valgrind output looks like the one from the first report



Debian Bug Tracking System wrote:
This is an automatic notification regarding your Bug report
which was filed against the libc6 package:

#567116: reproducable segfault in printf / vfprintf

It has been closed by Aurelien Jarno <aurelien@aurel32.net>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Aurelien Jarno <aurelien@aurel32.net> by
replying to this email.



------------------------------------------------------------------------

Subject:
Re: Bug#567116: reproducable segfault in printf / vfprintf
From:
Aurelien Jarno <aurelien@aurel32.net>
Date:
Wed, 27 Jan 2010 14:38:15 +0100
To:
Manfred Benesch <manfred.benesch@inf.tu-dresden.de>, 567116-done@bugs.debian.org


On Wed, Jan 27, 2010 at 01:28:42PM +0100, Manfred Benesch wrote:
> Subject: libc6: reproducable segfault in printf / vfprintf
> Package: libc6
> Version: 2.10.2-2
> Justification: breaks the whole system
> Severity: critical
> 
> After finding a segfault problem in libc6 I have tried to construct a minimal program that produces that error. The following code produces this segfault. Changing the last %5$s to %1$s or removing one part, the segfault disappears.
> 
> ---------------------------------------------------------------------------------
> #include <stdlib.h>
> #include <stdio.h>
> int main(int argc, char **argv)
> {
> printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
>        ,"",1, "", "", "");
> 
>    return 0;
> }
> ---------------------------------------------------------------------------------
> 
> compiled with gcc -g test.c (gcc-4.3.4-6)

You forgot to compile with -Wall. That will show you the problem is in
your code:

| test.c: In function ‘main’:
| test.c:7: warning: format argument 2 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 3 unused before used argument 5 in $-style format
| test.c:7: warning: format argument 4 unused before used argument 5 in $-style format

And quoting the standard:

| The format can contain either numbered argument conversion
| specifications (that is, "%n$" and "*m$"), or unnumbered argument
| conversion specifications (that is, % and * ), but not both. The only
| exception to this is that %% can be mixed with the "%n$" form. The
| results of mixing numbered and unnumbered argument specifications in a
| format string are undefined. When numbered argument specifications are
| used, specifying the Nth argument requires that all the leading
| arguments, from the first to the (N-1)th, are specified in the format
| string.

Closing the bug.
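The two rules quoted from the standard above (numbered `%n$` and unnumbered `%` specifications may not be mixed, and using `%N$` requires every argument from 1 to N-1 to be referenced somewhere in the string) can be checked mechanically before a format string ever reaches printf, which is what a compiler warning does and what a review of format strings that are built or selected at run time needs. The following C program is an added example, not code from the bug report or from glibc: the function names, the `MAX_POS` cap and the sample strings are this example's own choices. The sample strings are modelled on the two programs in this thread (the number of repeated `%1$s` is constructed and does not matter for the result); on the original report's pattern the checker reports the gap (arguments 2 to 4 never referenced), and on the follow-up's pattern it reports no violation.

```c
/*
 * Added example (not from the bug report or from glibc): a checker for the
 * two positional-argument rules quoted from the standard.  Function names,
 * the MAX_POS cap and the sample strings are this example's own choices.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum fmt_check {
    FMT_OK = 0,
    FMT_MIXED = 1,    /* numbered (%n$) and unnumbered (%) specs in one string */
    FMT_GAP = 2,      /* %N$ used but some argument 1..N-1 is never referenced */
    FMT_TOO_MANY = 3  /* position exceeds this checker's MAX_POS cap */
};

#define MAX_POS 64    /* assumed cap for this checker; not glibc's NL_ARGMAX */

/* Parse a run of decimal digits at *p, advancing *p; returns 0 if none. */
static int scan_number(const char **p)
{
    int n = 0;
    while (isdigit((unsigned char)**p)) {
        n = n * 10 + (**p - '0');
        (*p)++;
    }
    return n;
}

/*
 * Scan fmt for conversion specs and '*' width/precision arguments.  Every
 * "%n$" or "*m$" marks argument n/m as referenced; a bare "%" or "*" marks
 * the string as using unnumbered arguments.  Returns an enum fmt_check
 * value; *max_out (if non-NULL) receives the highest position referenced.
 */
int check_positional_format(const char *fmt, int *max_out)
{
    unsigned char seen[MAX_POS + 1];
    int numbered = 0, unnumbered = 0, max = 0;
    const char *p = fmt;

    memset(seen, 0, sizeof seen);
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" may be mixed with either form */
            p++;
            continue;
        }
        const char *save = p;
        int n = scan_number(&p);
        if (n > 0 && *p == '$') {   /* "%n$": numbered conversion */
            p++;
            if (n > MAX_POS)
                return FMT_TOO_MANY;
            seen[n] = 1;
            if (n > max)
                max = n;
            numbered = 1;
        } else {                    /* digits (if any) were a field width */
            p = save;
            unnumbered = 1;
        }
        /* flags, width and precision up to the conversion letter */
        while (*p && !isalpha((unsigned char)*p)) {
            if (*p++ != '*')
                continue;
            save = p;
            n = scan_number(&p);
            if (n > 0 && *p == '$') {   /* "*m$": numbered width/precision */
                p++;
                if (n > MAX_POS)
                    return FMT_TOO_MANY;
                seen[n] = 1;
                if (n > max)
                    max = n;
                numbered = 1;
            } else {                    /* bare "*": unnumbered argument */
                p = save;
                unnumbered = 1;
            }
        }
        if (*p)
            p++;                        /* skip the conversion letter */
    }
    if (max_out)
        *max_out = max;
    if (numbered && unnumbered)
        return FMT_MIXED;
    for (int i = 1; i <= max; i++)
        if (!seen[i])
            return FMT_GAP;
    return FMT_OK;
}

/* Highest argument position referenced in fmt (0 if none). */
int max_position(const char *fmt)
{
    int max = 0;
    check_positional_format(fmt, &max);
    return max;
}

/* Constructed samples modelled on the two programs in this thread. */
#define S10 "%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s"
static const char ORIGINAL_FMT[] = S10 S10 S10 "%5$s";            /* skips 2..4 */
static const char FOLLOWUP_FMT[] = S10 S10 S10 "%2$i%3$s%4$s%5$s";

int main(void)
{
    static const char *names[] = { "ok", "mixed numbered/unnumbered",
                                   "gap in numbered arguments", "too many" };
    printf("original: %s\n", names[check_positional_format(ORIGINAL_FMT, NULL)]);
    printf("followup: %s\n", names[check_positional_format(FOLLOWUP_FMT, NULL)]);
    return 0;
}
```

The checker deliberately says nothing about how many arguments glibc can handle or why the follow-up program still crashes; it only tells you whether a string is well-formed under the quoted rule, which is the precondition for the call being defined at all.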


------------------------------------------------------------------------

Subject:
reproducable segfault in printf / vfprintf
From:
Manfred Benesch <manfred.benesch@inf.tu-dresden.de>
Date:
Wed, 27 Jan 2010 13:28:42 +0100
To:
submit@bugs.debian.org


Subject: libc6: reproducable segfault in printf / vfprintf
Package: libc6
Version: 2.10.2-2
Justification: breaks the whole system
Severity: critical

After finding a segfault problem in libc6 I have tried to construct a minimal program that produces that error. The following code produces this segfault. Changing the last %5$s to %1$s or removing one part, the segfault disappears.

---------------------------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv)
{
printf("%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%1$s%5$s"
,"",1, "", "", "");

return 0;
}
---------------------------------------------------------------------------------

compiled with gcc -g test.c (gcc-4.3.4-6)
---------------------------------------------------------------------------------
ldd a.out
linux-vdso.so.1 => (0x00007fffccd3d000)
libc.so.6 => /lib/libc.so.6 (0x00007f216fcfc000)
/lib64/ld-linux-x86-64.so.2 (0x00007f217006c000)
---------------------------------------------------------------------------------

the check with valgrind:

---------------------------------------------------------------------------------
==3488== Conditional jump or move depends on uninitialised value(s)
==3488== at 0x4E68595: vfprintf (vfprintf.c:1938)
==3488== by 0x4E72599: printf (printf.c:35)
==3488== by 0x400524: main (test.c:89)
==3488== Uninitialised value was created by a stack allocation
==3488== at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Use of uninitialised value of size 8
==3488== at 0x4E6BBDE: vfprintf (vfprintf.c:1938)
==3488== by 0x4E72599: printf (printf.c:35)
==3488== by 0x400524: main (test.c:89)
==3488== Uninitialised value was created by a stack allocation
==3488== at 0x4E68B9E: vfprintf (vfprintf.c:1710)
==3488==
==3488== Invalid read of size 4
==3488== at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488== by 0x4E72599: printf (printf.c:35)
==3488== by 0x400524: main (test.c:89)
==3488== Address 0x7eeff9c20 is not stack'd, malloc'd or (recently) free'd
==3488==
==3488==
==3488== Process terminating with default action of signal 11 (SIGSEGV)
==3488== Access not within mapped region at address 0x7EEFF9C20
==3488== at 0x4E6844D: vfprintf (vfprintf.c:1871)
==3488== by 0x4E72599: printf (printf.c:35)
==3488== by 0x400524: main (test.c:89)
---------------------------------------------------------------------------------

I have verified that failure on various machines - clean squeeze debootstrap chroot.


-- System Information:
Debian Release: 5.0.3
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.5-thinkpad (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii libc-bin 2.10.2-2 GNU C Library: Binaries
ii libgcc1 1:4.4.2-9 GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
pn glibc-doc <none> (no description available)
ii locales 2.10.2-2 GNU C Library: National Language (

-- debconf information:
* glibc/upgrade: true
glibc/disable-screensaver:
glibc/restart-failed:
* glibc/restart-services: rsync cups cron


--
Dipl.-Inf. Manfred Benesch

Technische Universität Dresden
Fakultät Informatik
Institut für Angewandte Informatik
Lehrstuhl für Technische Informationssysteme
D-01062 Dresden

Visitor address: Nöthnitzer Str. 46, Room 1071

Tel. +49 351 463-42032
Fax. +49 351 463-38460


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

