
Bug#570047: group_member() uses uninitialized data



Package: libc6
Version: 2.7-18lenny2

valgrind reports a problem in the group_member() function.
I think it is a real bug.

% cat tst.c
#include <stdio.h>

#define __USE_GNU
#include <unistd.h>

int main(int argc, char *argv[])
{
  group_member(0);
  return 0;
}
% gcc -Wall tst.c
% valgrind ./a.out
==23982== Memcheck, a memory error detector.
==23982== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==23982== Using LibVEX rev 1854, a library for dynamic binary translation.
==23982== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==23982== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework.
==23982== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==23982== For more details, rerun with: -v
==23982==
==23982== Conditional jump or move depends on uninitialised value(s)
==23982==    at 0x40BD00F: group_member (group_member.c:45)
==23982==    by 0x80483C0: main (in /tmp/a/a.out)
==23982==
==23982== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 13 from 1)
==23982== malloc/free: in use at exit: 0 bytes in 0 blocks.
==23982== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.
==23982== For counts of detected errors, rerun with: -v
==23982== All heap blocks were freed -- no leaks are possible.

I think the function is defined in glibc-2.7/posix/group_member.c.

    29  int
    30  __group_member (gid)
    31       gid_t gid;
    32  {
    33    int n, size;
    34    gid_t *groups;
    35
    36    size = NGROUPS_MAX;
    37    do
    38      {
    39        groups = __alloca (size * sizeof *groups);
    40        n = __getgroups (size, groups);
    41        size *= 2;
    42      } while (n == size / 2);
    43
    44    while (n >= 0)
    45      if (groups[n--] == gid)
    46        return 1;
    47
    48    return 0;
    49  }
    50  weak_alias (__group_member, group_member)

Line 45 has groups[n--].
It accesses groups[n] at the beginning of the loop.
Since n is the number of supplementary group IDs returned by __getgroups(),
__getgroups() sets groups[0] through groups[n-1].
So groups[n] is not defined and it should not be used.

% dpkg -l|grep libc6
ii  libc6       2.7-18lenny2  GNU C Library: Shared libraries
ii  libc6-dbg   2.7-18lenny2  GNU C Library: Libraries with debugging symbols
ii  libc6-dev   2.7-18lenny2  GNU C Library: Development Libraries and Header Files
ii  libc6-i686  2.7-18lenny2  GNU C Library: Shared libraries [i686 optimized]
-- 
Tanaka Akira
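The off-by-one in the line-45 loop, isolated as an added example that is not part of the bug report or of glibc: the loop shape from group_member.c is copied next to a corrected loop, and both run over a constructed group array whose slot past the last valid entry holds a stale value (standing in for whatever alloca() left there), so the false positive the uninitialised read can produce is visible without valgrind. The names buggy_group_member, fixed_group_member, STALE_GID and buf are assumptions of this example.

```c
#include <sys/types.h>

/* Constructed stale value for the slot __getgroups() never wrote.
   Chosen equal to the gid we query so the bug shows up as a false positive. */
#define STALE_GID 1234

/* Same loop shape as glibc 2.7 group_member.c lines 44-45: the first
   iteration reads groups[n], one past the last entry getgroups() filled. */
static int buggy_group_member(const gid_t *groups, int n, gid_t gid)
{
    while (n >= 0)
        if (groups[n--] == gid)
            return 1;
    return 0;
}

/* Corrected loop: only groups[0 .. n-1] are valid, so the first index
   examined is n-1. A negative n (getgroups() failure) skips the loop. */
static int fixed_group_member(const gid_t *groups, int n, gid_t gid)
{
    while (n-- > 0)
        if (groups[n] == gid)
            return 1;
    return 0;
}

/* Constructed input: getgroups() "returned" n = 3 and filled buf[0..2];
   buf[3] is the untouched slot at index n. */
static gid_t buf[4] = { 4, 20, 100, STALE_GID };

/* Buggy loop reads buf[3] first and matches the stale value: returns 1. */
int demo_buggy_false_positive(void)
{
    return buggy_group_member(buf, 3, STALE_GID);
}

/* Fixed loop never looks at buf[3]: returns 0 for the stale value. */
int demo_fixed_no_false_positive(void)
{
    return fixed_group_member(buf, 3, STALE_GID);
}

/* Both loops agree on a gid that really is in the list: returns 1. */
int demo_fixed_real_member(void)
{
    return fixed_group_member(buf, 3, 20);
}
```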