[Bug libc/18502] New: mksquashfs occasionally triggering a segmentation fault

[Bug libc/18502] New: mksquashfs occasionally triggering a segmentation fault

[mgorman at suse dot de]

https://sourceware.org/bugzilla/show_bug.cgi?id=18502

            Bug ID: 18502
           Summary: mksquashfs occasionally triggering a segmentation
                    fault
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: mgorman at suse dot de
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

mksquashfs triggered segmentation faults in a fork of glibc that includes the
patch "malloc: Consistently apply trim_threshold to all heaps [BZ #17195]". The
core dump shows the crash is within _int_malloc

#0  _int_malloc (av=0x7fff84000020, bytes=131152) at malloc.c:3768
#1  0x00007ffff715692e in __GI___libc_malloc (bytes=131152) at malloc.c:2894
#2  0x00000000004178e1 in cache_alloc (cache=0x7ffff7ea6010) at
caches-queues-lists.c:378
....

The top of the area is pointing into unmapped space.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18502] mksquashfs occasionally triggering a segmentation fault

[mgorman at suse dot de]

https://sourceware.org/bugzilla/show_bug.cgi?id=18502

Mel Gorman <mgorman at suse dot de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at sourceware dot org   |mgorman at suse dot de

--- Comment #1 from Mel Gorman <mgorman at suse dot de> ---
Created attachment 8352
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8352&action=edit
[v2] malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE
[BZ #18502]

Candidate fix for review v2

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18502] mksquashfs occasionally triggering a segmentation fault

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18502

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18502] mksquashfs occasionally triggering a segmentation fault

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18502

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.22

--- Comment #2 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed for 2.22.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug libc/18502] mksquashfs occasionally triggering a segmentation fault

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18502

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  f8ef472c0ff4644445ec716036d31430b4fa4bab (commit)
      from  a2057c984e4314c3740f04cf54e36c824e4c8f32 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f8ef472c0ff4644445ec716036d31430b4fa4bab

commit f8ef472c0ff4644445ec716036d31430b4fa4bab
Author: Mel Gorman <mgorman@suse.de>
Date:   Mon Jun 8 13:36:13 2015 +0100

    malloc: Do not corrupt the top of a threaded heap if top chunk is MINSIZE
[BZ #18502]

    mksquashfs was reported in openSUSE to be causing segmentation faults when
    creating installation images. Testing showed that mksquashfs sometimes
    failed and could be reproduced within 10 attempts. The core dump looked
    like the heap top was corrupted and was pointing to an unmapped area. In
    other cases, this has been due to an application corrupting glibc
structures
    but mksquashfs appears to be fine in this regard.

    The problem is that heap_trim is "growing" the top into unmapped space.
    If the top chunk == MINSIZE then top_area is -1 and this check does not
    behave as expected due to a signed/unsigned comparison

      if (top_area <= pad)
        return 0;

    The next calculation extra = ALIGN_DOWN(top_area - pad, pagesz) calculates
    extra as a negative number which also is unnoticed due to a signed/unsigned
    comparison. We then call shrink_heap(heap, negative_number) which crashes
    later. This patch adds a simple check against MINSIZE to make sure extra
    does not become negative. It adds a cast to hint to the reader that this
    is a signed vs unsigned issue.

    Without the patch, mksquash fails within 10 attempts. With it applied, it
    completed 1000 times without error. The standard test suite "make check"
    showed no changes in the summary of test results.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog      |    6 ++++++
 NEWS           |    8 ++++----
 malloc/arena.c |    2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.