On Sun, 13 Apr 2014 15:48:23 +0200 Suvayu Ali <fatkasuvayu +linux@xxxxxxxxx> wrote: > On Sun, Apr 13, 2014 at 08:38:11AM -0500, Ranjan Maitra wrote: > > On Sun, 13 Apr 2014 09:15:04 -0400 Rahul Sundaram <metherid@xxxxxxxxx> > > wrote: > > > > > Hi > > > > > > > > > On Sun, Apr 13, 2014 at 6:23 AM, Timothy Murphy wrote: > > > > > > > Roger wrote: > > > > > > > > > It happened. It was known for years. > > > > > > > > Everything I have seen says it has been known for about 1 week. > > > > > > > > Incidentally, I am no programmer but I would have thought > > > > it would be relatively simple to set up a test > > > > to see if a "malloc"-ed space could be transgressed. > > > > > > > > > > Not in this case. openssl uses a custom malloc > > > > > > > So, a valgrind -tool=memcheck --leak-check=yes --show-reachable=yes > > --track-fds=yes --track-origins=yes would not have helped? > > AFAIU this is not a memory leak; it is a buffer overflow: lack of bounds > checking. I do not think valgrind (or any other tool) can help with > that. Feel free to correct me if I am wrong. Actually, in my experience, valgrind has picked up everything pretty much, including (amazingly!) logically incorrect statements (even when there was no memory leak). In other words, it reports no leaks possible but some errors. And if you go look with the -v option (on a -g compiled executable) one gets the line number and finds errors from there. Of course, I understand that this is no guarantee. Here is an example (on F20): /* file: testrealloc.c (note the access in the last element) */ #include <stdio.h> #include <stdlib.h> int main(void) { int n = 50; double *a, *p; a = malloc(n * sizeof( *a)); for (int i = 0; i < n; i++) a[i] = i; p = realloc(a, (n - 2) * sizeof( *p)); for (int i = (n - 4); i < (n - 1); i++) printf("%f ", p[i]); free(p); return EXIT_SUCCESS; } /* compile with: gcc -o testrealloc testrealloc.c -std=c99 -Wall -pedantic run valgrind: valgrind --tool=memcheck --leak-check=yes --show-reachable=yes --track-fds=yes --track-origins=yes -v ./testrealloc Here are the results: ......snipped.... --12324-- REDIR: 0x35bd018380 (index) redirected to 0x4a08f60 (index) --12324-- REDIR: 0x35bd018400 (strcmp) redirected to 0x4a0a040 (strcmp) --12324-- Reading syms from /usr/lib64/libc-2.18.so --12324-- REDIR: 0x35bd489b90 (strcasecmp) redirected to 0x4801716 (_vgnU_ifunc_wrapper) --12324-- REDIR: 0x35bd48be80 (strncasecmp) redirected to 0x4801716 (_vgnU_ifunc_wrapper) --12324-- REDIR: 0x35bd489360 (memcpy@GLIBC_2.2.5) redirected to 0x4801716 (_vgnU_ifunc_wrapper) --12324-- REDIR: 0x35bd488340 (__GI_strrchr) redirected to 0x4a08d80 (__GI_strrchr) --12324-- REDIR: 0x35bd47ff10 (malloc) redirected to 0x4a063d6 (malloc) --12324-- REDIR: 0x35bd480410 (realloc) redirected to 0x4a082e0 (realloc) --12324-- REDIR: 0x35bd48fe40 (strchrnul) redirected to 0x4a0bd30 (strchrnul) --12324-- REDIR: 0x35bd4865f0 (strlen) redirected to 0x4a092f0 (strlen) ==12324== Invalid read of size 8 ==12324== at 0x4006A8: main (in /tmp/testrealloc) ==12324== Address 0x4c2a390 is 0 bytes after a block of size 384 alloc'd ==12324== at 0x4A083AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==12324== by 0x400684: main (in /tmp/testrealloc) ==12324== --12324-- REDIR: 0x35bd480330 (free) redirected to 0x4a074f0 (free) 46.000000 47.000000 0.000000 ==12324== ==12324== FILE DESCRIPTORS: 3 open at exit. ==12324== Open file descriptor 2: /dev/pts/8 ==12324== <inherited from parent> ==12324== ==12324== Open file descriptor 1: /dev/pts/8 ==12324== <inherited from parent> ==12324== ==12324== Open file descriptor 0: /dev/pts/8 ==12324== <inherited from parent> ==12324== ==12324== ==12324== HEAP SUMMARY: ==12324== in use at exit: 0 bytes in 0 blocks ==12324== total heap usage: 2 allocs, 2 frees, 784 bytes allocated ==12324== ==12324== All heap blocks were freed -- no leaks are possible ==12324== ==12324== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2) ==12324== ==12324== 1 errors in context 1 of 1: ==12324== Invalid read of size 8 ==12324== at 0x4006A8: main (in /tmp/testrealloc) ==12324== Address 0x4c2a390 is 0 bytes after a block of size 384 alloc'd ==12324== at 0x4A083AA: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==12324== by 0x400684: main (in /tmp/testrealloc) ==12324== --12324-- --12324-- used_suppression: 2 glibc-2.5.x-on-SUSE-10.2-(PPC)-2a /usr/lib64/valgrind/default.supp:1286 ==12324== ==12324== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2) */ Btw, there are always 2 suppressed errors (from the compiled standard library, I guess). I wish that someone could look into these). I have become a great fan of valgrind. Of course, that in itself may be a problem if it lulls one to a false sense of complacency. Best wishes, Ranjan ____________________________________________________________ FREE 3D MARINE AQUARIUM SCREENSAVER - Watch dolphins, sharks & orcas on your desktop! Check it out at http://www.inbox.com/marineaquarium -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org