segv in free() called from getgrgid()

John David Anglin <dave@xxxxxxxxxxxxxxxxxx> · Sun, 10 May 2009 13:21:51 -0400

I had another segv this morning.  This one was on my c3750 running
64-bit 2.6.30-rc4.

Core was generated by `ls --color=auto -l'.
Program terminated with signal 11, Segmentation fault.
[New process 26322]
#0  0x405b7080 in free () from /lib/libc.so.6
(gdb) bt
#0  0x405b7080 in free () from /lib/libc.so.6
#1  0x405db534 in getgrgid () from /lib/libc.so.6
#2  0x0001cb34 in ?? ()
#3  0x00013854 in ?? ()
#4  0x00016e38 in ()
#5  0x000185c0 in main ()
(gdb) disass
Dump of assembler code for function free:
0x405b7024 <free+0>:	stw rp,-14(sp)
0x405b7028 <free+4>:	ldo 80(sp),sp
0x405b702c <free+8>:	addil L%1800,r19,r1
0x405b7030 <free+12>:	ldw 184(r1),ret0
0x405b7034 <free+16>:	stw r3,-6c(sp)
0x405b7038 <free+20>:	copy rp,r25
0x405b703c <free+24>:	stw r5,-74(sp)
0x405b7040 <free+28>:	stw r4,-70(sp)
0x405b7044 <free+32>:	stw r19,-20(sp)
0x405b7048 <free+36>:	ldw 0(ret0),r22
0x405b704c <free+40>:	cmpib,= 0,r22,0x405b7078 <free+84>
0x405b7050 <free+44>:	copy r26,r3
0x405b7054 <free+48>:	depwi 0,31,2,r25
0x405b7058 <free+52>:	b,l 0x405c2a74,r31
0x405b705c <free+56>:	copy r31,rp
0x405b7060 <free+60>:	ldw -94(sp),rp
0x405b7064 <free+64>:	ldw -74(sp),r5
0x405b7068 <free+68>:	ldw -70(sp),r4
0x405b706c <free+72>:	ldw -6c(sp),r3
0x405b7070 <free+76>:	bv r0(rp)
0x405b7074 <free+80>:	ldo -80(sp),sp
0x405b7078 <free+84>:	cmpib,= 0,r26,0x405b7060 <free+60>
0x405b707c <free+88>:	ldo -8(r26),r26
0x405b7080 <free+92>:	ldw 4(r26),r20
(gdb) p/x $r3
$2 = 0x40859008
(gdb) p/x $r26
$3 = 0x40859000

405b5000-405b8000 rwxp 0007a000 08:13 81660                              /lib/libm-2.7.so
40785000-40795000 r-xp 00000000 08:13 81661                              /lib/libpthread-0.10.so
40795000-40797000 rwxp 0000f000 08:13 81661                              /lib/libpthread-0.10.so
40797000-40859000 rwxp 00000000 00:00 0 
40942000-40a81000 r-xp 00000000 08:13 81635                              /lib/libc-2.7.so

Looking at getgrgid, it seems that the only time it calls free is when
the preceeding call to realloc fails.

  while (buffer != NULL
	 && (INTERNAL (REENTRANT_NAME) (ADD_VARIABLES, &resbuf, buffer,
					buffer_size, &result H_ERRNO_VAR)
	     == ERANGE)
#ifdef NEED_H_ERRNO
	 && h_errno_tmp == NETDB_INTERNAL
#endif
	)
    {
      char *new_buf;
      buffer_size *= 2;
      new_buf = (char *) realloc (buffer, buffer_size);
      if (new_buf == NULL)
	{
	  /* We are out of memory.  Free the current buffer so that the
	     process gets a chance for a normal termination.  */
	  free (buffer);
	   __set_errno (ENOMEM);
	}
      buffer = new_buf;
    }

The /proc/maps seems to indicate buffer is close to a region boundary.

0x405db510 <getgrgid+168>:	depw,z r25,30,31,r25
0x405db514 <getgrgid+172>:	ldw 0(r6),r26
0x405db518 <getgrgid+176>:	b,l 0x405c2b70,rp
0x405db51c <getgrgid+180>:	stw r25,0(r5)
0x405db520 <getgrgid+184>:	movb,<> ret0,r24,0x405db4e4 <getgrgid+124>
0x405db524 <getgrgid+188>:	copy r4,r19
0x405db528 <getgrgid+192>:	copy r19,r4
0x405db52c <getgrgid+196>:	b,l 0x405c2914,rp
0x405db530 <getgrgid+200>:	ldw 0(r6),r26
0x405db534 <getgrgid+204>:	stw r0,0(r6)

(gdb) p/x $r6
$4 = 0x406883cc
(gdb) x/x 0x406883cc
0x406883cc <buffer>:	0x40859008
(gdb) p/x $r5
$5 = 0x40689130
(gdb) x/x 0x40689130
0x40689130 <buffer_size.9811>:	0x00000000

  if (buffer == NULL)
    {
      buffer_size = BUFLEN;
      buffer = (char *) malloc (buffer_size);
    }

For some reason, I don't see the address of buffer or buffer_size in
the /proc/maps.  If buffer was corrupt in memory, then buffer_size would
be 0 as above.  I have to think there is a problem with vm regions.

Dave
-- 
J. David Anglin                                  dave.anglin@xxxxxxxxxxxxxx
National Research Council of Canada              (613) 990-0752 (FAX: 952-6602)
--
To unsubscribe from this list: send the line "unsubscribe linux-parisc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html