public inbox for glibc-bugs@sourceware.org
* [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer
@ 2006-02-14 17:05 Petr dot Salinger at seznam dot cz
  2006-02-14 17:07 ` [Bug libc/2337] " Petr dot Salinger at seznam dot cz
                   ` (8 more replies)
  0 siblings, 9 replies; 10+ messages in thread
From: Petr dot Salinger at seznam dot cz @ 2006-02-14 17:05 UTC (permalink / raw)
  To: glibc-bugs

Hello.

Please try to run the attached source under "strace -e trace=mmap2,munmap".
At the end there will be something like:

hello.
buf = 0x8049160, fp = 0x804a008,  fp+delta = 0x804a04f
munmap(0x804a04f, 4096)                 = -1 EINVAL (Invalid argument)

On file close libio tries to free a buffer which has not been allocated by libio.
In the first case it is an internal 1-byte buffer, but it can also be a user-specified
buffer; just compile with -DUSER_BUF.  It leads to crashes.

Petr

-- 
           Summary: libio in wide mode deallocates user supplied buffer
           Product: glibc
           Version: 2.3.6
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: Petr dot Salinger at seznam dot cz
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: i486-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=2337

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


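The reporter's attachment is not reproduced on this page. The following is an added reconstruction of the scenario it describes, not the original snippet: a caller-owned buffer installed with setvbuf(), a first fwprintf() that fixes the stream's orientation to wide, then fclose(). Since ownership of the buffer never moved to libio, the caller frees it afterwards; on the affected glibc, fclose() has already released it, so that free() is a double free. The narrow-mode control path (fprintf) is included for contrast. open_sink(), close_with_user_buffer() and USER_BUF_SIZE are this example's own names.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Added example reconstructing the report's scenario; it is not the
   reporter's attachment. A caller-owned stdio buffer is installed with
   setvbuf(), the first fwprintf() reorients the stream to wide, and
   fclose() runs libio's finish path. Ownership of the buffer never
   moved, so the caller frees it afterwards. */

#define USER_BUF_SIZE 4096

/* Something to write into: /dev/null if present, otherwise a temp file. */
static FILE *open_sink(void)
{
    FILE *fp = fopen("/dev/null", "w");
    return fp != NULL ? fp : tmpfile();
}

/* One open/write/close cycle with a caller-owned buffer.
   wide != 0: the first write is fwprintf(), fixing wide orientation.
   wide == 0: fprintf() is used, the narrow-mode control case.
   Returns the orientation reported by fwide(fp, 0) after the write
   (> 0 wide, < 0 byte), or INT_MIN if the stream could not be set up. */
int close_with_user_buffer(int wide)
{
    char *buf = malloc(USER_BUF_SIZE);
    if (buf == NULL)
        return INT_MIN;

    FILE *fp = open_sink();
    if (fp == NULL) {
        free(buf);
        return INT_MIN;
    }

    /* setvbuf() hands libio a buffer it must use but must never free();
       libio records that with the _IO_USER_BUF flag. */
    if (setvbuf(fp, buf, _IOFBF, USER_BUF_SIZE) != 0) {
        fclose(fp);
        free(buf);
        return INT_MIN;
    }

    if (wide)
        fwprintf(fp, L"hello.\n");   /* first wide operation: stream is now wide */
    else
        fprintf(fp, "hello.\n");

    int orientation = fwide(fp, 0);  /* mode 0 only queries, never changes */

    /* On glibc 2.3.6 with a wide stream this is where libio spuriously
       released the caller's buffer (the bogus munmap() in the report,
       or a silent free() when the buffer came from malloc). */
    fclose(fp);

    /* The buffer is still ours. With a correct libio this is the first
       and only free(); with the buggy one it is a double free. */
    free(buf);
    return orientation;
}

int main(void)
{
    int w = close_with_user_buffer(1);
    int n = close_with_user_buffer(0);
    printf("wide stream: fwide() = %d, buffer freed once by caller\n", w);
    printf("byte stream: fwide() = %d, buffer freed once by caller\n", n);
    return (w > 0 && n < 0) ? 0 : 1;
}
```

Run it under "strace -e trace=munmap" as the reporter did to see the bogus call, or with MALLOC_CHECK_=3 in the environment so that glibc's malloc aborts on the double free rather than silently corrupting the heap. On a glibc carrying the fix the program exits 0 and both paths free the buffer exactly once.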

* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
@ 2006-02-14 17:07 ` Petr dot Salinger at seznam dot cz
  2006-03-02 14:07 ` Petr dot Salinger at seznam dot cz
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Petr dot Salinger at seznam dot cz @ 2006-02-14 17:07 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From Petr dot Salinger at seznam dot cz  2006-02-14 17:07 -------
Created an attachment (id=864)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=864&action=view)
code snippet


-- 



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
  2006-02-14 17:07 ` [Bug libc/2337] " Petr dot Salinger at seznam dot cz
@ 2006-03-02 14:07 ` Petr dot Salinger at seznam dot cz
  2006-05-03 11:30 ` Petr dot Salinger at seznam dot cz
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Petr dot Salinger at seznam dot cz @ 2006-03-02 14:07 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From Petr dot Salinger at seznam dot cz  2006-03-02 14:06 -------
Bug 2337 - libio in wide mode deallocates user supplied buffer:
same behaviour also for a post-2.3.91 CVS snapshot.

The attached code snippet compiled with -DUSER_BUF still segfaults;
it can also be used for the testsuite.

Petr

-- 



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
  2006-02-14 17:07 ` [Bug libc/2337] " Petr dot Salinger at seznam dot cz
  2006-03-02 14:07 ` Petr dot Salinger at seznam dot cz
@ 2006-05-03 11:30 ` Petr dot Salinger at seznam dot cz
  2006-10-04 16:46 ` rsa at us dot ibm dot com
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: Petr dot Salinger at seznam dot cz @ 2006-05-03 11:30 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From Petr dot Salinger at seznam dot cz  2006-05-03 11:30 -------
libio deallocates user supplied buffer: same behaviour also for the glibc-20060501
CVS snapshot.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.3.6                       |unspecified



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (2 preceding siblings ...)
  2006-05-03 11:30 ` Petr dot Salinger at seznam dot cz
@ 2006-10-04 16:46 ` rsa at us dot ibm dot com
  2006-10-04 19:55 ` rsa at us dot ibm dot com
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: rsa at us dot ibm dot com @ 2006-10-04 16:46 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From rsa at us dot ibm dot com  2006-10-04 16:46 -------
I've identified two problems with the glibc src code:

1.) The first fwprintf() invocation automatically reorients the FILE stream as
'wide' using _IO_fwide().  The user-provided buffer (_IO_FILE->_IO_buf_base) is
NOT USED as the wide character buffer (_IO_FILE->_wide_data->_IO_buf_base).  This
causes vfprintf to detect an empty buffer, and __woverflow allocates an internal
wide character buffer the size of the file system blk_size (i.e. 1024) to use
for wide character vfprintf.  This is not directly related to the spurious
deallocation of the user supplied buffer.

2.) When fclose is called _IO_new_fclose() invokes INT_USE(_IO_file_close_it())
which zeros the _IO_FILE struct _flags field:

fp->_flags = _IO_MAGIC|CLOSED_FILEBUF_FLAGS;

following which _IO_new_fclose() invokes _IO_FINISH(fp), which calls
_IO_new_file_finish() (the _IO_wfile_jumps entry for __finish), which detects an
unset _IO_USER_BUF and frees the buffer spuriously.

Possible solutions:
1.) When the stream is reoriented set _IO_FILE->_wide_data->_IO_buf_base =
_IO_FILE->_IO_buf_base; _IO_FILE->_IO_buf_base = NULL;  This will cause wide
character printf to use the user supplied buffer.
 
2a.) Reset the _IO_USER_BUF bit flag to '1' after clearing _IO_FILE->_flags if
it was set before clearing _flags in _IO_file_close_it().

2b.) Provide a wide character centric 'finish' function and adjust the
_IO_wfile_jumps jump table entry to use the new function rather than reusing the
non-wide character centric version, i.e.:

JUMP_INIT(finish, _IO_wfile_finish),

instead of what currently exists:

JUMP_INIT(finish, _IO_new_file_finish),

Then, since the FILE stream has been reoriented to 'wide' the _IO_wfile_finish()
would properly only care about the wide character allocated buffer in the manner
of _IO_wsetb().

I'll investigate the specifications to see if wide character usage is supposed
to use the user supplied buffer.

In the meantime I can provide a patch for solution 2a).  It may not be the right
decision but we'll investigate.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (3 preceding siblings ...)
  2006-10-04 16:46 ` rsa at us dot ibm dot com
@ 2006-10-04 19:55 ` rsa at us dot ibm dot com
  2006-10-06  6:00 ` rsa at us dot ibm dot com
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: rsa at us dot ibm dot com @ 2006-10-04 19:55 UTC (permalink / raw)
  To: glibc-bugs



-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|drepper at redhat dot com   |rsa at us dot ibm dot com



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (4 preceding siblings ...)
  2006-10-04 19:55 ` rsa at us dot ibm dot com
@ 2006-10-06  6:00 ` rsa at us dot ibm dot com
  2006-10-06 17:10 ` rsa at us dot ibm dot com
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 10+ messages in thread
From: rsa at us dot ibm dot com @ 2006-10-06  6:00 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From rsa at us dot ibm dot com  2006-10-06 06:00 -------
Created an attachment (id=1351)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=1351&action=view)
libio patch to prevent spurious deallocation of user supplied buffer.

Directing wide-character IO to use the user supplied buffer proved to be
problematic because the wide character operations make use of the non-wide
character buffer for write operations.

The least intrusive solution was to clean up the IO file finish path.  The wide
character jump vtable is initialized such that wide-character IO uses the
default (non-wide) _IO_file_finish() function (probably an oversight) which
invokes _IO_default_finish().  This ends up checking and clearing the non-wide
user buffer spuriously in _IO_new_fclose().

I created a wide-character oriented file finish function _IO_wfile_finish()
which calls the already existing _IO_wdefault_finish() function and I added it
to the wide IO jump table as the default IO file finish function.

This solved the problem and wide character IO now finishes in a manner
consistent with the IO orientation.

I've only tested this on PowerPC thus far.

-- 



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (5 preceding siblings ...)
  2006-10-06  6:00 ` rsa at us dot ibm dot com
@ 2006-10-06 17:10 ` rsa at us dot ibm dot com
  2006-12-13 23:18 ` drepper at redhat dot com
  2007-01-12 17:26 ` cvs-commit at gcc dot gnu dot org
  8 siblings, 0 replies; 10+ messages in thread
From: rsa at us dot ibm dot com @ 2006-10-06 17:10 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From rsa at us dot ibm dot com  2006-10-06 17:09 -------
Per this thread on libc-alpha Ulrich has suggested that this bug be left to him:

http://sources.redhat.com/ml/libc-alpha/2006-10/msg00014.html

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|rsa at us dot ibm dot com   |drepper at redhat dot com



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (6 preceding siblings ...)
  2006-10-06 17:10 ` rsa at us dot ibm dot com
@ 2006-12-13 23:18 ` drepper at redhat dot com
  2007-01-12 17:26 ` cvs-commit at gcc dot gnu dot org
  8 siblings, 0 replies; 10+ messages in thread
From: drepper at redhat dot com @ 2006-12-13 23:18 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2006-12-13 23:18 -------
Fixed in CVS.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED



* [Bug libc/2337] libio in wide mode deallocates user supplied buffer
  2006-02-14 17:05 [Bug libc/2337] New: libio in wide mode deallocates user supplied buffer Petr dot Salinger at seznam dot cz
                   ` (7 preceding siblings ...)
  2006-12-13 23:18 ` drepper at redhat dot com
@ 2007-01-12 17:26 ` cvs-commit at gcc dot gnu dot org
  8 siblings, 0 replies; 10+ messages in thread
From: cvs-commit at gcc dot gnu dot org @ 2007-01-12 17:26 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From cvs-commit at gcc dot gnu dot org  2007-01-12 17:25 -------
Subject: Bug 2337

CVSROOT:	/cvs/glibc
Module name:	libc
Branch: 	glibc-2_5-branch
Changes by:	jakub@sourceware.org	2007-01-12 17:25:39

Modified files:
	.              : ChangeLog 
	libio          : Makefile fileops.c genops.c libio.h 
	                 wfiledoalloc.c wgenops.c wmemstream.c wstrops.c 
Added files:
	libio          : tst-setvbuf1.c 

Log message:
	[BZ #2337]
	* libio/Makefile (tests): Add tst-setvbuf1.
	* libio/tst-setvbuf1.c: New file.
	
	[BZ #2337]
	* libio/genops.c (__uflow): Fix a typo.
	* libio/wfiledoalloc.c (_IO_wfile_doallocate): Don't stat
	nor set _IO_LINE_BUF bit here.  Size the wide buffer based on
	the narrow buffer size.
	
	[BZ #2337]
	* libio/libio.h (_IO_FLAGS2_USER_WBUF): Define.
	* libio/wgenops.c (_IO_wsetb, _IO_wdefault_finish): Test and set
	_IO_FLAGS2_USER_WBUF bit in _flags2 instead of _IO_USER_BUF bit
	in _flags.
	* libio/wstrops.c (_IO_wstr_overflow, enlarge_userbuf,
	_IO_wstr_finish): Likewise.
	* libio/wmemstream.c (open_wmemstream): Likewise.
	* libio/fileops.c (_IO_new_file_close_it): Call _IO_set[bgp]
	even for wide streams.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10362.2.21&r2=1.10362.2.22
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/tst-setvbuf1.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=NONE&r2=1.1.4.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/Makefile.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.86&r2=1.86.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/fileops.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.110&r2=1.110.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/genops.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.70&r2=1.70.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/libio.h.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.64&r2=1.64.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/wfiledoalloc.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.6&r2=1.6.8.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/wgenops.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.14&r2=1.14.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/wmemstream.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.3&r2=1.3.2.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/libio/wstrops.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.11&r2=1.11.2.1



-- 


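The analysis in rsa's 2006-10-04 comment and the ChangeLog above describe the same defect from two sides: ownership of the narrow buffer and of the wide buffer was recorded in one shared _IO_USER_BUF bit of _flags, _IO_new_file_close_it() skipped _IO_setb() for wide streams and then overwrote _flags, and _IO_FINISH() consulted the overwritten flags and freed whatever was still attached. The following is an added stand-alone model of that bookkeeping, not glibc code and not the committed patch; the names echo libio's so the paths can be compared, but the flag values, the struct layout, the F_WIDE stand-in for fp->_mode and the FIX_* switches are this model's own. The two halves of the committed fix (a dedicated _IO_FLAGS2_USER_WBUF bit, and calling _IO_setb() in close_it even for wide streams) can be switched on independently, which shows that either half alone still releases the caller's buffer.

```c
#include <stdlib.h>
#include <wchar.h>

/* Added model of libio's buffer-ownership bookkeeping; not glibc code.
   Flag values, struct layout and the FIX_* switches are the model's own. */

enum {
    F_USER_BUF   = 1u << 0,   /* narrow buffer caller-owned (_IO_USER_BUF in _flags) */
    F_WIDE       = 1u << 1,   /* stream wide-oriented (stand-in for fp->_mode > 0) */
    F_CLOSED     = 1u << 2,   /* stand-in for _IO_MAGIC|CLOSED_FILEBUF_FLAGS */
    F2_USER_WBUF = 1u << 0,   /* wide buffer caller-owned (_IO_FLAGS2_USER_WBUF in _flags2) */
};

/* The two independent parts of the committed fix, as model switches. */
enum {
    FIX_USER_WBUF_BIT    = 1u << 0, /* wide ownership tracked in _flags2, not _flags */
    FIX_SETB_IN_CLOSE_IT = 1u << 1, /* close_it drops the narrow buffer for wide streams too */
};

#define WBUF_LEN 1024

struct stream {
    unsigned flags, flags2;   /* _flags, _flags2 */
    char    *buf;             /* _IO_buf_base (narrow) */
    wchar_t *wbuf;            /* _wide_data->_IO_buf_base */
    char    *user_buf;        /* what setvbuf() was given; for the detector only */
    int      freed_user_buf;  /* set if the close path released the caller's buffer */
    int      freed_wbuf;      /* set if the internal wide buffer was released */
};

/* Instrumented FREE_BUF: frees libio-owned memory, but only records an
   attempt on the caller's buffer instead of corrupting the heap. */
static void release(struct stream *s, void *p)
{
    if (p == (void *) s->user_buf) { s->freed_user_buf = 1; return; }
    if (p == (void *) s->wbuf)     s->freed_wbuf = 1;
    free(p);
}

/* setvbuf(fp, buf, _IOFBF, n): libio must use buf but never free it. */
static void model_setvbuf(struct stream *s, char *buf)
{
    s->buf = s->user_buf = buf;
    s->flags |= F_USER_BUF;
}

/* First fwprintf(): __woverflow allocates an internal wide buffer. Pre-fix,
   _IO_wsetb() recorded "allocated by libio" by clearing the shared
   _IO_USER_BUF bit, overwriting the narrow buffer's ownership record. */
static void model_reorient_wide(struct stream *s, unsigned fixes)
{
    s->wbuf = malloc(WBUF_LEN * sizeof (wchar_t));
    s->flags |= F_WIDE;
    if (fixes & FIX_USER_WBUF_BIT) s->flags2 &= ~F2_USER_WBUF;
    else                           s->flags  &= ~F_USER_BUF;
}

/* _IO_setb(fp, NULL, NULL, 0): drop the narrow buffer, honouring ownership. */
static void model_setb_null(struct stream *s)
{
    if (s->buf != NULL && !(s->flags & F_USER_BUF)) release(s, s->buf);
    s->buf = NULL;
}

/* _IO_wsetb(fp, NULL, NULL, 0): same for the wide buffer. */
static void model_wsetb_null(struct stream *s, unsigned fixes)
{
    unsigned owned = (fixes & FIX_USER_WBUF_BIT) ? (s->flags2 & F2_USER_WBUF)
                                                 : (s->flags  & F_USER_BUF);
    if (s->wbuf != NULL && !owned) release(s, s->wbuf);
    s->wbuf = NULL;
}

/* _IO_new_file_close_it(): pre-fix it skipped _IO_setb() for wide streams,
   then overwrote _flags, so _IO_USER_BUF was gone before finish ran. */
static void model_close_it(struct stream *s, unsigned fixes)
{
    if ((fixes & FIX_SETB_IN_CLOSE_IT) || !(s->flags & F_WIDE)) model_setb_null(s);
    s->flags = F_CLOSED;   /* fp->_flags = _IO_MAGIC|CLOSED_FILEBUF_FLAGS */
}

/* _IO_FINISH(): default finish frees whatever buffers remain, consulting
   the (by now overwritten) flags. */
static void model_finish(struct stream *s, unsigned fixes)
{
    model_setb_null(s);
    model_wsetb_null(s, fixes);
}

static struct stream run_model(unsigned fixes)
{
    static char user_buf[4096];
    struct stream s = {0};
    model_setvbuf(&s, user_buf);
    model_reorient_wide(&s, fixes);
    model_close_it(&s, fixes);
    model_finish(&s, fixes);
    return s;
}

/* 1 if fclose() released the caller's buffer (the bug), else 0. */
int model_fclose_frees_user_buffer(unsigned fixes) { return run_model(fixes).freed_user_buf; }

/* 1 if the internal wide buffer was never freed (a leak), else 0. */
int model_fclose_leaks_wbuf(unsigned fixes) { return !run_model(fixes).freed_wbuf; }
```

With no fixes the model releases the caller's buffer; with only the _flags2 bit, close_it still resets _flags before finish looks at it; with only the setb call in close_it, the wide reorientation has already cleared the shared bit, so setb frees the caller's buffer itself. Only both together leave the caller's buffer alone while still freeing libio's own wide buffer, which is the behaviour glibc's libio/tst-setvbuf1.c from the commit above checks on a real stream.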
