From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 83E1938582A4; Wed, 3 Aug 2022 17:30:56 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 83E1938582A4 From: "leo at yuriev dot ru" To: glibc-bugs@sourceware.org Subject: [Bug libc/29444] New: gmon memory corruption due wrong calculation of required buffer size Date: Wed, 03 Aug 2022 17:30:56 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.38 X-Bugzilla-Keywords: X-Bugzilla-Severity: critical X-Bugzilla-Who: leo at yuriev dot ru X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: glibc-bugs@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Glibc-bugs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Aug 2022 17:30:56 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D29444 Bug ID: 29444 Summary: gmon memory corruption due wrong calculation of required buffer size Product: glibc Version: 2.38 Status: UNCONFIRMED Severity: critical Priority: P2 Component: libc Assignee: unassigned at sourceware dot org Reporter: leo at yuriev dot ru CC: drepper.fsp at gmail dot com Target Milestone: --- The `__monstartup()` allocates a buffer used to store all the data accumula= ted by the monitor. The size of this buffer depends on the size of the internal structures used= and the address range for which the monitor is activated, as well as on the max= imum density of call instuctions and/or callable functions that could be potenti= ally on a segment of executable code. In particular a hash table of arcs is placed at the end of this buffer. The size of this hash table is calculated in bytes as `p->fromssize =3D p->text= size / HASHFRACTION`, but actually should be `p->fromssize =3D ROUNDUP(p->textsize= / HASHFRACTION, sizeof(*p->froms))`. This results in writing beyond the end of the allocated buffer when an added arc corresponds to a call near from the end of the monitored address range, since `_mcount()` check the incoming caller address for monitored range but= not the intermediate result hash-like index that uses to write into the table. It should be noted that when the results are output to `gmon.out`, the tabl= e is read to the last element calculated from the allocated size in bytes, so the arcs stored outside the buffer boundary did not fall into `gprof` for analy= sis. Thus this "feature" help me to found this bug during working with Bug 2943= 8. Another minor error seems a related typo in the calculation of `kcountsize`. --=20 You are receiving this mail because: You are on the CC list for the bug.=