public inbox for glibc-bugs@sourceware.org
* [Bug nis/10692] New: NIS: getgrent() *** glibc detected *** double free or corruption (!prev)
@ 2009-09-24  2:43 jlanders at vmware dot com
  2009-09-24  2:44 ` [Bug nis/10692] " jlanders at vmware dot com
  2009-10-30  3:01 ` drepper at redhat dot com
  0 siblings, 2 replies; 3+ messages in thread
From: jlanders at vmware dot com @ 2009-09-24  2:43 UTC (permalink / raw)
  To: glibc-bugs

The following program will cause glibc to report a double free or corruption
when the length of a group returned from NIS is the maximum 1024 bytes.

#include <sys/types.h>
#include <grp.h>
#include <stdio.h>

int main(void)
{
   struct group *gp;

   /* Enumerate every group entry; with NIS configured each one goes through nss_nis. */
   while ((gp = getgrent()) != NULL) {
     printf("%s %u\n", gp->gr_name, (unsigned int) gp->gr_gid);
   }
   endgrent();
   return 0;
}

For batch reads, the internal_nis_getgrent_r function in nis/nss_nis/nis-grp.c
sets the "result" variable to the start of the group string and uses strlen() to
compute its length.

When the length of a NIS group entry is the maximum 1024 bytes, the test on the
string length + 1 against the supplied buflen near line 205 fails. Consequently,
the code tries to free() the result buffer. Unfortunately, the result buffer is
not at the start of the block allocated by _nis_saveit(). This causes free() to
fail with a double free or corruption error.

*** glibc detected *** getgrent: double free or corruption (!prev): 0x0000000000605340 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaaab2ed42]
/lib64/libc.so.6(cfree+0x8c)[0x2aaaaab3298c]
/lib64/libnss_nis.so.2(_nss_nis_getgrent_r+0x2b0)[0x2aaaab033880]
/lib64/libc.so.6[0x2aaaaaba12ae]
/lib64/libc.so.6(getgrent_r+0x9c)[0x2aaaaab5425c]
/lib64/libc.so.6[0x2aaaaaba0f2b]
/lib64/libc.so.6(getgrent+0x52)[0x2aaaaab53b62]
/root/pr472113[0x400514]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2aaaaaada974]
/getgrent[0x400439]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:21 287491                            /root/pr472113
00600000-00601000 rw-p 00000000 08:21 287491                            /root/pr472113
00601000-00622000 rw-p 00601000 00:00 0                                  [heap]
339ec00000-339ec1c000 r-xp 00000000 08:21 239687                        /lib64/ld-2.5.so
339ee1b000-339ee1c000 r--p 0001b000 08:21 239687                        /lib64/ld-2.5.so
339ee1c000-339ee1d000 rw-p 0001c000 08:21 239687                        /lib64/ld-2.5.so
33a0c00000-33a0c15000 r-xp 00000000 08:21 246879                        /lib64/libnsl-2.5.so
33a0c15000-33a0e14000 ---p 00015000 08:21 246879                        /lib64/libnsl-2.5.so
33a0e14000-33a0e15000 r--p 00014000 08:21 246879                        /lib64/libnsl-2.5.so
33a0e15000-33a0e16000 rw-p 00015000 08:21 246879                        /lib64/libnsl-2.5.so
33a0e16000-33a0e18000 rw-p 33a0e16000 00:00 0
33a1400000-33a140d000 r-xp 00000000 08:21 246907                        /lib64/libgcc_s-4.1.2-20080102.so.1
33a140d000-33a160d000 ---p 0000d000 08:21 246907                        /lib64/libgcc_s-4.1.2-20080102.so.1
33a160d000-33a160e000 rw-p 0000d000 08:21 246907                        /lib64/libgcc_s-4.1.2-20080102.so.1
2aaaaaaab000-2aaaaaaae000 rw-p 2aaaaaaab000 00:00 0
2aaaaaabc000-2aaaaaabd000 rw-p 2aaaaaabc000 00:00 0
2aaaaaabd000-2aaaaac09000 r-xp 00000000 08:21 256376                    /lib64/libc-2.5.so
2aaaaac09000-2aaaaae09000 ---p 0014c000 08:21 256376                    /lib64/libc-2.5.so
2aaaaae09000-2aaaaae0d000 r--p 0014c000 08:21 256376                    /lib64/libc-2.5.so
2aaaaae0d000-2aaaaae0e000 rw-p 00150000 08:21 256376                    /lib64/libc-2.5.so
2aaaaae0e000-2aaaaae14000 rw-p 2aaaaae0e000 00:00 0
2aaaaae14000-2aaaaae1e000 r-xp 00000000 08:21 243606                    /lib64/libnss_files-2.5.so
2aaaaae1e000-2aaaab01d000 ---p 0000a000 08:21 243606                    /lib64/libnss_files-2.5.so
2aaaab01d000-2aaaab01e000 r--p 00009000 08:21 243606                    /lib64/libnss_files-2.5.so
2aaaab01e000-2aaaab01f000 rw-p 0000a000 08:21 243606                    /lib64/libnss_files-2.5.so
2aaaab02f000-2aaaab038000 r-xp 00000000 08:21 246925                    /lib64/libnss_nis.so.2
2aaaab038000-2aaaab238000 ---p 00009000 08:21 246925                    /lib64/libnss_nis.so.2
2aaaab238000-2aaaab239000 r--p 00009000 08:21 246925                    /lib64/libnss_nis.so.2
2aaaab239000-2aaaab23a000 rw-p 0000a000 08:21 246925                    /lib64/libnss_nis.so.2
2aaaac000000-2aaaac021000 rw-p 2aaaac000000 00:00 0
2aaaac021000-2aaab0000000 ---p 2aaaac021000 00:00 0
7ffffffea000-7ffffffff000 rw-p 7ffffffea000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]
Aborted (core dumped)

This issue exists in other releases prior to glibc-2.10, including glibc-2.5 on
RHEL 5.3.

The easiest fix is to skip the call to free() on batch reads.

--- a/nis/nss_nis/nis-grp.c     2006-05-01 15:22:09.000000000 -0700
+++ b/nis/nss_nis/nis-grp.c     2009-09-23 18:44:07.000000000 -0700
@@ -204,7 +204,8 @@
 
       if (__builtin_expect ((size_t) (len + 1) > buflen, 0))
         {
-          free (result);
+          if (!batch_read)
+             free (result);
           *errnop = ERANGE;
           return NSS_STATUS_TRYAGAIN;
         }
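Review bot: the new `if (!batch_read)` branch returns NSS_STATUS_TRYAGAIN without releasing the block that `result` points into, and nothing in the hunk says who now owns that block; the change is only safe if the enumeration state that `_nis_saveit` filled keeps the block until the retry with a larger buffer (and frees it once, via its real start) rather than leaking it on every ERANGE. A one-line comment above the `if` stating that the batch state owns the buffer, and that `result` is an interior pointer so it must never be passed to free(), would make the intent reviewable. Style nit: `free (result);` under the new `if` is indented three spaces instead of the two used elsewhere in this file.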

Thanks,

Joe

-- 
           Summary: NIS: getgrent() *** glibc detected *** double free or
                    corruption (!prev)
           Product: glibc
           Version: 2.10
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nis
        AssignedTo: kukuk at suse dot de
        ReportedBy: jlanders at vmware dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: x86_64-linuxnptl
  GCC host triplet: x86_64-linuxnptl
GCC target triplet: x86_64-linuxnptl


http://sourceware.org/bugzilla/show_bug.cgi?id=10692

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
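As an added illustration (not code from the bug report or from glibc), the following C model reproduces the ownership problem described in the report above: entry text stored inside a larger heap block, an interior pointer named result as in nis-grp.c, the len + 1 > buflen check, and the ERANGE retry loop that only works when the batch owner keeps the block alive across the failed call. The struct saved_entry layout and the save_entry, copy_entry, is_interior_pointer and demo_retry names are assumptions of this model, not glibc's internals.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the fault pattern in bug 10692; not glibc's code.
 * One heap block carries a small header followed by the entry text, so a
 * pointer to the text (the "result" variable in nis-grp.c) is an interior
 * pointer. Handing it to free() is what the allocator check aborted on. */
struct saved_entry {
    size_t len;   /* bytes of text, excluding the terminator */
    char text[];  /* entry text lives inside the same block */
};

/* Who releases the block: the copying routine (one-shot lookup) or the
 * enumeration state (batch read), mirroring the patch's batch_read test. */
enum ownership { OWNED_BY_CALLEE, OWNED_BY_BATCH };

/* Allocate header + text as one block (stands in for _nis_saveit; assumed layout). */
struct saved_entry *save_entry(const char *s)
{
    size_t len = strlen(s);
    struct saved_entry *e = malloc(sizeof *e + len + 1);
    if (e == NULL)
        return NULL;
    e->len = len;
    memcpy(e->text, s, len + 1);
    return e;
}

/* Non-zero when p is not the start of block e: a pointer free() must never see. */
int is_interior_pointer(const struct saved_entry *e, const char *p)
{
    return p != (const char *)e;
}

/* Copy the entry text into buf. Returns 0 on success, ERANGE when buf is too
 * small (the len + 1 > buflen test from nis-grp.c). Hardened shape: release
 * the block only when this routine owns it, and always through the block
 * start, never through the interior text pointer. */
int copy_entry(struct saved_entry *e, enum ownership who, char *buf, size_t buflen)
{
    const char *result = e->text;   /* interior pointer, as in the report */
    size_t len = e->len;

    if (len + 1 > buflen) {
        if (who == OWNED_BY_CALLEE)
            free(e);                /* block start, not result */
        return ERANGE;
    }
    memcpy(buf, result, len + 1);
    if (who == OWNED_BY_CALLEE)
        free(e);
    return 0;
}

/* Build a constructed entry of entry_len bytes, then fetch it getgrent_r-style:
 * start at initial_buflen and double the buffer on every ERANGE. Returns the
 * buffer size that finally succeeded, or 0 if the copy did not come back intact. */
size_t demo_retry(size_t entry_len, size_t initial_buflen)
{
    char *text = malloc(entry_len + 1);
    if (text == NULL)
        return 0;
    memset(text, 'x', entry_len);    /* constructed entry content */
    text[entry_len] = '\0';

    struct saved_entry *e = save_entry(text);
    size_t buflen = initial_buflen;
    char *buf = NULL;
    size_t ok = 0;

    while (e != NULL) {              /* ends on success or allocation failure */
        char *nb = realloc(buf, buflen);
        if (nb == NULL)
            break;
        buf = nb;
        if (copy_entry(e, OWNED_BY_BATCH, buf, buflen) == 0) {
            ok = strcmp(buf, text) == 0 ? buflen : 0;
            break;
        }
        buflen *= 2;                 /* entry still alive, so the retry works */
    }
    free(buf);
    free(e);                         /* batch owner frees the block start once */
    free(text);
    return ok;
}

int main(void)
{
    /* 1024 bytes is the length the report names; a 1024-byte buffer is one short. */
    printf("1024-byte entry needed buflen %zu\n", demo_retry(1024, 1024));
    return 0;
}
```

demo_retry(1024, 1024) shows the boundary from the report: a 1024-byte entry fails the len + 1 check against a 1024-byte buffer and succeeds on the 2048-byte retry, which is only possible because the batch owner did not free the entry on the first ERANGE.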



* [Bug nis/10692] NIS: getgrent() *** glibc detected *** double free or corruption (!prev)
From: jlanders at vmware dot com @ 2009-09-24  2:44 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From jlanders at vmware dot com  2009-09-24 02:43 -------
Created an attachment (id=4226)
 --> (http://sourceware.org/bugzilla/attachment.cgi?id=4226&action=view)
Proposed patch

Attached proposed patch.

-- 





* [Bug nis/10692] NIS: getgrent() *** glibc detected *** double free or corruption (!prev)
From: drepper at redhat dot com @ 2009-10-30  3:01 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2009-10-30 03:00 -------
I've applied the patch.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




