From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-locales-return-6935-listarch-libc-locales=sources.redhat.com@sourceware.org>
Received: (qmail 55504 invoked by alias); 20 Dec 2019 15:05:10 -0000
Mailing-List: contact libc-locales-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-locales.sourceware.org>
List-Subscribe: <mailto:libc-locales-subscribe@sourceware.org>
List-Post: <mailto:libc-locales@sourceware.org>
List-Help: <mailto:libc-locales-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: libc-locales-owner@sourceware.org
Received: (qmail 55494 invoked by uid 89); 20 Dec 2019 15:05:09 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.1 spammy=News, our
X-HELO: mail-io1-f53.google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=8N9eJYUnscypUXQBZsbnyfYZv9oCUQALl1XJgdCiA5E=;
        b=l3XGZid+yfqJkRF7+rMbJcR1OnGdDUyytnHKmM8cAfXrKGTLHW/GYYDwoBQjrrH4yQ
         A0e3yo9PsvO1FX/U3o3UU6BWJfGsAG6n8dgS5eUxRnxOP4HrwMlK2csKgHPmqWrmxxYP
         2D0FKvwBgUyVXNTJrtEE9l6ndED7hjpunZSSlCE8LP2BhUSygiwBExJcHzRajOiwwrgi
         3p8zl/rQXx6Vhv4ymXP5YvmrM3sbZbZR07jCsRKLJ+2vxA1zWtKzerfUo8+EMUFJt/at
         CoR0NB4J7B5RCi/Ev2kbzAJaP32FdBHLtfgIvNmGu0p8nwtiIE+12MMopNRAM9zbgyZt
         cZUA==
MIME-Version: 1.0
References: <CALmqtCWYWMUm51HhL0VM3YgBJagyC8T3uCGxiUCjXA0KBB-h8w@mail.gmail.com>
 <87bltiv10t.fsf@oldenburg2.str.redhat.com> <CALmqtCWfnPZ=B2=_VM=uqAgMWqh3FbGjxXLcbg466Tgct+dUVw@mail.gmail.com>
 <CALmqtCVBCb2vJ+XNb6WZa1csNZaisLmqoG5nTn-QUU0MO=UbPw@mail.gmail.com>
 <877e42cqfo.fsf@oldenburg2.str.redhat.com> <CALmqtCVKqf53j7=SbUA-k8jHu4AydsoFfN6SZVX8Hv=iYVBLuQ@mail.gmail.com>
 <CALmqtCU6KB6qu1c7R4ngZh=0v+jvqOVjUT431zJoVsKhiNQdbw@mail.gmail.com> <875ziledsy.fsf@oldenburg2.str.redhat.com>
In-Reply-To: <875ziledsy.fsf@oldenburg2.str.redhat.com>
From: Abhidnya Joshi <abhidnyachirmule@gmail.com>
Date: Fri, 20 Dec 2019 15:05:00 -0000
Message-ID: <CALmqtCXvsdTWQindGNsgVVtMdsWW0dNW+FAttrogeH4uenk_iw@mail.gmail.com>
Subject: Re: Crash in gconv_db.c
To: Florian Weimer <fweimer@redhat.com>
Cc: libc-locales@sourceware.org
Content-Type: text/plain; charset="UTF-8"
X-SW-Source: 2019-q4/txt/msg00094.txt.bz2

Hi Florian,

Good News! We are able to reproduce it using continuous readdirs.
(Where reply involved encoding to UTF-16)
The stack is exactly same as shared earlier. It did overflowed counter.

Do you have any suggestion on the fix? We can test the fix using our test.

Thanks and Regards
Abhidnya Joshi

On Thu, Dec 12, 2019 at 9:28 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Abhidnya Joshi:
>
> > In increment_counter function, do we have to handle integer overflow like this?
> >
> >
> > if (step->__counter == INT_MAX)
> > {
> > step->__counter = 1
> > }
> > if (step->__counter++ == 0)
> > { ....
> > }
> >
> > I do not understand what will be impact of this on different "steps".
> > If step->__counter gets set to 0 and step->__modname is NULL
> > then we see the segfault as mentioned earlier.
>
> The steps array has reference counts in the array *elements*, which is
> wrong.  We ran into this a couple of months ago when we tried to fix a
> memory leak.  This is the reason why I have limited confidence in the
> correctness of the reference counting.
>
> I looked at what it would take to reproduce the overflow with repeated
> iconv_open calls, and I estimate that 1.2 TiB of RAM are required, so I
> have not reproduced that yet.
>
> But there could be more subtle ways to trigger counter overflow, like
> uselocale followed by pthread_exit.  Without a reproducer, we are in the
> dark here unfortunately.
>
> Thanks,
> Florian
>