public inbox for glibc-bugs@sourceware.org
* [Bug malloc/28256] New: Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
From: rjones at redhat dot com @ 2021-08-21 13:47 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28256
Bug ID: 28256
Summary: Conditional jump or move depends on uninitialised
value(s) in __GI___tunables_init
Product: glibc
Version: 2.34
Status: NEW
Severity: normal
Priority: P2
Component: malloc
Assignee: unassigned at sourceware dot org
Reporter: rjones at redhat dot com
Target Milestone: ---
glibc-2.34-1.fc35.x86_64
I'm getting this when I run any program under valgrind with glibc tunables:
$ LD_PRELOAD=/usr/lib64/libc_malloc_debug.so.0 GLIBC_TUNABLES=glibc.malloc.check=1 valgrind ls
==2958662== Memcheck, a memory error detector
==2958662== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2958662== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==2958662== Command: ls
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662== at 0x4019615: parse_tunables (dl-tunables.c:211)
==2958662== by 0x4019615: __GI___tunables_init (dl-tunables.c:296)
==2958662== by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662== by 0x400209E: _dl_start_final (rtld.c:490)
==2958662== by 0x400209E: _dl_start (rtld.c:583)
==2958662== by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662== at 0x4019602: parse_tunables (dl-tunables.c:211)
==2958662== by 0x4019602: __GI___tunables_init (dl-tunables.c:296)
==2958662== by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662== by 0x400209E: _dl_start_final (rtld.c:490)
==2958662== by 0x400209E: _dl_start (rtld.c:583)
==2958662== by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662== at 0x401966C: parse_tunables (dl-tunables.c:255)
==2958662== by 0x401966C: __GI___tunables_init (dl-tunables.c:296)
==2958662== by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662== by 0x400209E: _dl_start_final (rtld.c:490)
==2958662== by 0x400209E: _dl_start (rtld.c:583)
==2958662== by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662== at 0x40194D2: parse_tunables (dl-tunables.c:185)
==2958662== by 0x40194D2: __GI___tunables_init (dl-tunables.c:296)
==2958662== by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662== by 0x400209E: _dl_start_final (rtld.c:490)
==2958662== by 0x400209E: _dl_start (rtld.c:583)
==2958662== by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
==2958662== Conditional jump or move depends on uninitialised value(s)
==2958662== at 0x40194DA: parse_tunables (dl-tunables.c:185)
==2958662== by 0x40194DA: __GI___tunables_init (dl-tunables.c:296)
==2958662== by 0x401D3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2958662== by 0x400209E: _dl_start_final (rtld.c:490)
==2958662== by 0x400209E: _dl_start (rtld.c:583)
==2958662== by 0x4001097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2958662==
aclocal.m4 config.log include missing server
autom4te.cache config.status install-sh nbdkit stamp-h1
bash config.sub libtool nbdkit-wrapper.o test-driver
BENCHMARKING configure LICENSE OTHER_PLUGINS tests
common configure.ac localconfigure plugins TODO
common-rules.mk depcomp ltmain.sh podwrapper.pl TODOTODO
compile docs m4 podwrapper.pl.in valgrind
config.guess filters Makefile README wrapper.c
config.h fuzzing Makefile.am scripts
config.h.in html Makefile.in SECURITY
==2958662==
==2958662== HEAP SUMMARY:
==2958662== in use at exit: 25,538 bytes in 55 blocks
==2958662== total heap usage: 90 allocs, 35 frees, 63,479 bytes allocated
==2958662==
==2958662== LEAK SUMMARY:
==2958662== definitely lost: 0 bytes in 0 blocks
==2958662== indirectly lost: 0 bytes in 0 blocks
==2958662== possibly lost: 0 bytes in 0 blocks
==2958662== still reachable: 25,538 bytes in 55 blocks
==2958662== suppressed: 0 bytes in 0 blocks
==2958662== Rerun with --leak-check=full to see details of leaked memory
==2958662==
==2958662== Use --track-origins=yes to see where uninitialised values come from
==2958662== For lists of detected and suppressed errors, rerun with: -s
==2958662== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)
In a slightly different test that I can't easily make a reproducer for
I also saw this which is slightly different and might indicate a
similar-but-different bug:
==2944389== Conditional jump or move depends on uninitialised value(s)
==2944389== at 0x8147602: __GI___tunables_init (dl-tunables.c:211)
==2944389== by 0x814B3B1: _dl_sysdep_start (dl-sysdep.c:232)
==2944389== by 0x813009E: _dl_start (rtld.c:490)
==2944389== by 0x812F097: ??? (in /usr/lib64/ld-linux-x86-64.so.2)
==2944389== by 0x1: ???
==2944389== by 0x1FFEFFBF5A: ???
==2944389== by 0x1FFEFFBF7E: ???
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug malloc/28256] Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
From: rjones at redhat dot com @ 2021-08-22 13:08 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28256
--- Comment #1 from Richard Jones <rjones at redhat dot com> ---
https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/dl-tunables.c;h=8009e54ee5db32beb228e69b05352e80c809c42c;hb=HEAD#l205
Looking at the code it seems like you're adding the length
to the p pointer (line 205) and then referencing p[len] (line 211)
which is obviously going to reference far beyond the end
of the string in memory.
I don't think this is exploitable though - GLIBC_TUNABLES
is removed in setuid processes.
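The scan described in comment #1 (advance p by len, then index p[len]) is the kind of off-the-end read that an explicit length bound removes. The following is an added example, not glibc's parse_tunables and not the fix linked in comment #2: a bounded scanner for the name=value:name=value layout that GLIBC_TUNABLES uses (glibc.malloc.check=1 in the report above). Every index is compared against a remaining-length bound rather than relying on a terminator being present, so a buffer that is not NUL-terminated cannot be read past. The function names and the second tunable name in the sample input are constructed for the example.

```c
/* Added example, not glibc's code.  A bounded scanner for the
   "name=value:name=value" layout of GLIBC_TUNABLES.  Every index is
   checked against an explicit remaining length, so the scan can never run
   past the buffer the way a scan that relies on finding a terminator
   after "p += len" can.  */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct tunable_pair {
    const char *name;  size_t name_len;
    const char *value; size_t value_len;
};

/* Scan TUNESTR (TOTAL_LEN bytes, not required to be NUL-terminated) and
   record up to MAX_OUT name=value pairs in OUT.  A name with no '=' before
   the next ':' or the end of the buffer is skipped; an empty name is
   skipped too.  Returns the number of pairs recorded.  */
size_t parse_tunables_bounded(const char *tunestr, size_t total_len,
                              struct tunable_pair *out, size_t max_out)
{
    size_t n = 0, pos = 0;
    while (pos < total_len && n < max_out) {
        size_t name_start = pos;
        /* The name runs until '=', ':' or the end of the buffer; the bound
           is pos < total_len, never the presence of a NUL byte.  */
        while (pos < total_len && tunestr[pos] != '=' && tunestr[pos] != ':')
            pos++;
        if (pos >= total_len)
            break;                      /* buffer ended inside a name */
        if (tunestr[pos] == ':') {      /* name without a value */
            pos++;
            continue;
        }
        size_t name_len = pos - name_start;
        pos++;                          /* step over '=' */
        size_t value_start = pos;
        while (pos < total_len && tunestr[pos] != ':')
            pos++;
        if (name_len > 0) {
            out[n].name = tunestr + name_start;
            out[n].name_len = name_len;
            out[n].value = tunestr + value_start;
            out[n].value_len = pos - value_start;
            n++;
        }
        if (pos < total_len)
            pos++;                      /* step over ':' */
    }
    return n;
}

/* Number of pairs in TUNESTR; convenience wrapper for checks.  */
size_t count_tunables(const char *tunestr, size_t total_len)
{
    struct tunable_pair pairs[16];
    return parse_tunables_bounded(tunestr, total_len, pairs, 16);
}

/* Copy the value of NAME into BUF as a NUL-terminated string.  Returns the
   value length, or -1 when NAME is absent or BUF is too small.  */
long tunable_lookup(const char *tunestr, size_t total_len, const char *name,
                    char *buf, size_t bufsz)
{
    struct tunable_pair pairs[16];
    size_t n = parse_tunables_bounded(tunestr, total_len, pairs, 16);
    size_t want = strlen(name);
    for (size_t i = 0; i < n; i++) {
        if (pairs[i].name_len != want || memcmp(pairs[i].name, name, want) != 0)
            continue;
        if (pairs[i].value_len + 1 > bufsz)
            return -1;
        memcpy(buf, pairs[i].value, pairs[i].value_len);
        buf[pairs[i].value_len] = '\0';
        return (long)pairs[i].value_len;
    }
    return -1;
}

/* Self-check on a constructed buffer whose scanned range has no NUL
   terminator: the scanner must stop at TOTAL_LEN and never see the bytes
   beyond it.  Returns 1 when every expectation holds.  */
int demo_bounded_scan(void)
{
    /* Constructed input: two pairs, a value-less name, then bytes that lie
       past the length handed to the scanner.  */
    static const char raw[] =
        "glibc.malloc.check=1:glibc.malloc.tcache_count=0:nodefault:junk=ignored";
    size_t scanned = strlen("glibc.malloc.check=1:glibc.malloc.tcache_count=0:nodefault");
    char buf[32];

    if (count_tunables(raw, scanned) != 2)
        return 0;
    if (tunable_lookup(raw, scanned, "glibc.malloc.check", buf, sizeof buf) != 1
        || strcmp(buf, "1") != 0)
        return 0;
    if (tunable_lookup(raw, scanned, "glibc.malloc.tcache_count", buf, sizeof buf) != 1
        || strcmp(buf, "0") != 0)
        return 0;
    if (tunable_lookup(raw, scanned, "junk", buf, sizeof buf) != -1)
        return 0;                       /* past the bound: must not be found */
    if (tunable_lookup(raw, scanned, "glibc.malloc.check", buf, 1) != -1)
        return 0;                       /* 1 byte cannot hold "1" plus NUL */
    return 1;
}

int main(void)
{
    int ok = demo_bounded_scan();
    printf("bounded scan %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Running the block under valgrind with the same Memcheck settings as the report is a useful check: because every read is gated on the length, no "Conditional jump or move depends on uninitialised value(s)" is reported even when the scanned range stops short of a terminator.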
* [Bug malloc/28256] Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
From: fweimer at redhat dot com @ 2021-08-23 8:58 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28256
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |security-
CC| |fweimer at redhat dot com
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Patch: https://sourceware.org/pipermail/libc-alpha/2021-August/130392.html
* [Bug malloc/28256] Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
From: schwab@linux-m68k.org @ 2021-08-23 13:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28256
Andreas Schwab <schwab@linux-m68k.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.35
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed in 2.35.
* [Bug malloc/28256] Conditional jump or move depends on uninitialised value(s) in __GI___tunables_init
From: mark at klomp dot org @ 2023-08-30 16:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=28256
Mark Wielaard <mark at klomp dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mark at klomp dot org