public inbox for glibc-bugs@sourceware.org
From: "leo at yuriev dot ru" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/29444] New: gmon memory corruption due wrong calculation of required buffer size
Date: Wed, 03 Aug 2022 17:30:56 +0000
Message-ID: <bug-29444-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=29444

            Bug ID: 29444
           Summary: gmon memory corruption due wrong calculation of required buffer size
           Product: glibc
           Version: 2.38
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: leo at yuriev dot ru
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The `__monstartup()` allocates a buffer used to store all the data accumulated by the monitor.

The size of this buffer depends on the size of the internal structures used and the address range for which the monitor is activated, as well as on the maximum density of call instructions and/or callable functions that could potentially be on a segment of executable code.

In particular, a hash table of arcs is placed at the end of this buffer. The size of this hash table is calculated in bytes as `p->fromssize = p->textsize / HASHFRACTION`, but actually should be `p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms))`.

This results in writing beyond the end of the allocated buffer when an added arc corresponds to a call near the end of the monitored address range, since `_mcount()` checks the incoming caller address against the monitored range but not the intermediate hash-like index that it uses to write into the table.

It should be noted that when the results are output to `gmon.out`, the table is read up to the last element calculated from the allocated size in bytes, so the arcs stored outside the buffer boundary did not reach `gprof` for analysis. Thus this "feature" helped me find this bug while working on Bug 29438.

Another minor error seems to be a related typo in the calculation of `kcountsize`.
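An added example (not glibc's code and not part of the report) that models the sizing mismatch described above: the table size computed with and without ROUNDUP, beside the slot index `_mcount()` derives from a caller offset, so the out-of-bounds store can be checked for any textsize. The constants HASHFRACTION = 2, an 8-byte ARCINDEX, textsize being a multiple of 4, and `_mcount()` accepting a caller only when its offset is below textsize are assumptions of the demo; the real values are per-architecture.

```c
/* Added example, not glibc code: a model of the gmon table-sizing bug in
   this report.  Assumed for the demo (real values are per-architecture):
   HASHFRACTION = 2, an 8-byte ARCINDEX, textsize already a multiple of 4,
   and _mcount accepting a caller only when its offset is < textsize. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define HASHFRACTION 2
typedef uint64_t ARCINDEX;   /* element type of p->froms (assumed) */
#define ROUNDUP(x, y) ((((x) + (y) - 1) / (y)) * (y))

/* Table size in bytes as currently computed (the bug). */
static size_t fromssize_buggy(size_t textsize) {
  return textsize / HASHFRACTION;
}

/* Table size in bytes as the report says it should be computed. */
static size_t fromssize_fixed(size_t textsize) {
  return ROUNDUP(textsize / HASHFRACTION, sizeof(ARCINDEX));
}

/* Slot index _mcount derives from a caller offset (frompc - lowpc). */
static size_t froms_index(size_t offset) {
  return offset / (HASHFRACTION * sizeof(ARCINDEX));
}

/* 1 if the highest in-range caller offset stores its ARCINDEX past the
   end of a fromssize-byte table, i.e. past the allocated buffer. */
static int table_overflows(size_t textsize, size_t fromssize) {
  size_t end = (froms_index(textsize - 1) + 1) * sizeof(ARCINDEX);
  return end > fromssize;
}

/* Number of textsizes (multiples of 4, up to max) whose table overflows. */
static size_t count_overflows(size_t max, size_t (*sizer)(size_t)) {
  size_t n = 0;
  for (size_t t = 4; t <= max; t += 4)
    n += table_overflows(t, sizer(t));
  return n;
}

int main(void) {
  size_t t = 20;   /* constructed monitored range size */
  printf("textsize %zu: buggy %zu bytes overflow=%d, fixed %zu bytes overflow=%d\n",
         t, fromssize_buggy(t), table_overflows(t, fromssize_buggy(t)),
         fromssize_fixed(t), table_overflows(t, fromssize_fixed(t)));
  printf("overflowing textsizes <= 4096: buggy %zu, fixed %zu\n",
         count_overflows(4096, fromssize_buggy), count_overflows(4096, fromssize_fixed));
  return 0;
}
```

With these parameters the current formula leaves a partial slot at the end of the table whenever textsize is not a multiple of 16, and the last in-range caller writes a whole ARCINDEX into it; rounding the size up to whole elements removes every such case.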