bug-libunistring

[bug-libunistring] SIGSEGV on malloc() failure


From: Tim Rühsen
Subject: [bug-libunistring] SIGSEGV on malloc() failure
Date: Sat, 26 Jan 2019 18:26:16 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

Hi,

I just tested random malloc() failures and stumbled upon a SIGSEGV
(details below).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7dd1f61 in __gconv_close (cd=0x0) at gconv_close.c:34
34      gconv_close.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0x00007ffff7dd1f61 in __gconv_close (cd=0x0) at gconv_close.c:34
#1  0x00007ffff7dd185f in iconv_close (cd=<optimized out>) at iconv_close.c:35
#2  0x00007ffff7c3ddc3 in libunistring_iconveh_open () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#3  0x00007ffff7c3dfcd in libunistring_mem_iconveh () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#4  0x00007ffff7c3e2af in ?? () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#5  0x00007ffff7c3e6fb in libunistring_mem_iconveha () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#6  0x00007ffff7c46064 in u8_conv_from_encoding () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#7  0x00007ffff7c46318 in u8_strconv_from_encoding () from /usr/lib/x86_64-linux-gnu/libunistring.so.2
#8  0x00007ffff7f71413 in idn2_lookup_ul () from /usr/lib/x86_64-linux-gnu/libidn2.so.0
#9  0x0000555555555387 in main ()

$ ldd a.out
        linux-vdso.so.1 (0x00007fffe8b35000)
        libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f0fc30f4000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0fc2f33000)
        libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f0fc2daf000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0fc315b000)

This is on Debian unstable with the latest libunistring:
ii  libunistring-dev:amd64 0.9.10-1     amd64
ii  libunistring2:amd64    0.9.10-1     amd64
ii  libc6:amd64     2.28-5       amd64
ii  libidn2-0:amd64     2.0.5-1      amd64

A reproducer written in C is attached.
Compile with 'gcc crash.c -lidn2', run with ./a.out.
It sometimes doesn't crash, but very often does.

Libidn2 doesn't really matter, but it creates a certain sequence of
malloc() calls. Any other versions of libraries might need different
input and the reproducer might not work then.

I know this report is a bit obscure (generating random malloc()
failures); I just wanted to let you know about it. I couldn't find the
issue by looking at the source code (gnulib/libunistring) in the time I
had. gconv_close() crashes if given a NULL pointer, but I could not see
how that is done in iconv_close().

Ah yes, valgrind doesn't show any issue - I guess since it uses its own
malloc() functionality.

Regards, Tim

Attachment: crash.c
Description: Text Data

Attachment: signature.asc
Description: OpenPGP digital signature
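The report above injects random malloc() failures, which is why the reproducer "sometimes doesn't crash". The program below is an added example, not code from the report, from libunistring or from gnulib: it shows the deterministic form of that test, a counting allocator that fails exactly the N-th allocation, driven over every N so that each cleanup path of the function under test runs once, beside a careless and a hardened cleanup for an object that holds two descriptor-style handles. The converter object, its handle type and the CONV_INVALID sentinel are assumed stand-ins for illustration; instead of crashing, the harness counts how often a close routine is handed an invalid handle (glibc's iconv_close() rejects (iconv_t)-1 with EBADF but, as the backtrace shows, passes a NULL cd straight on to __gconv_close()).

```c
/* Added example, not code from the report or from libunistring/gnulib: a
 * deterministic malloc() fault-injection harness that fails the N-th allocation
 * for every N in turn, so each error path runs exactly once and a crash like the
 * reported one reproduces every time. Converter, handle type, CONV_INVALID: stand-ins. */
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

static long alloc_calls;  /* allocations attempted since the last reset */
static long fail_at;      /* 0 = never fail; N = fail the N-th allocation */
static long live_blocks;  /* blocks still allocated, for leak detection */
static long bad_closes;   /* handle_close() called with an invalid handle */

static void *inj_malloc(size_t n)
{
    if (++alloc_calls == fail_at) return NULL;   /* simulated ENOMEM */
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}
static void inj_free(void *p) { if (p) { live_blocks--; free(p); } }
/* Stand-in for an iconv-style descriptor: open returns a -1 sentinel like
 * iconv_open(); close must never see that sentinel or NULL (glibc's
 * iconv_close() rejects (iconv_t)-1 but dereferences NULL, as the trace shows). */
typedef struct conv_state { int unused; } *conv_handle_t;
#define CONV_INVALID ((conv_handle_t)-1)
static conv_handle_t handle_open(void)
{ conv_handle_t h = inj_malloc(sizeof *h); return h ? h : CONV_INVALID; }
static void handle_close(conv_handle_t h)
{
    if (h == CONV_INVALID || h == NULL) { bad_closes++; return; } /* real: crash */
    inj_free(h);
}
struct converter { conv_handle_t cd, cd_back; char *scratch; };
struct inj_result { long fault_points, bad_closes, leaks, successes; };
/* Careless cleanup: on failure it closes every handle field, sentinel or not. */
static struct converter *converter_open_careless(void)
{
    struct converter *c = inj_malloc(sizeof *c);
    if (!c) return NULL;
    c->cd = handle_open();
    c->cd_back = handle_open();
    c->scratch = inj_malloc(64);
    if (c->cd == CONV_INVALID || c->cd_back == CONV_INVALID || !c->scratch) {
        handle_close(c->cd);        /* bug: may be CONV_INVALID */
        handle_close(c->cd_back);   /* bug: may be CONV_INVALID */
        inj_free(c->scratch); inj_free(c);
        return NULL;
    }
    return c;
}

/* Hardened: fields start invalid; cleanup releases only what was acquired. */
static void converter_close(struct converter *c)
{
    if (!c) return;
    if (c->cd_back != CONV_INVALID) handle_close(c->cd_back);
    if (c->cd != CONV_INVALID) handle_close(c->cd);
    inj_free(c->scratch); inj_free(c);
}
static struct converter *converter_open(void)
{
    struct converter *c = inj_malloc(sizeof *c);
    if (!c) return NULL;
    c->cd = CONV_INVALID; c->cd_back = CONV_INVALID; c->scratch = NULL;
    if ((c->cd = handle_open()) == CONV_INVALID) goto fail;
    if ((c->cd_back = handle_open()) == CONV_INVALID) goto fail;
    if ((c->scratch = inj_malloc(64)) == NULL) goto fail;
    return c;
fail:
    converter_close(c);
    return NULL;
}
/* Fail each allocation in turn (plus one run with no failure); total invalid closes and leaks. */
static struct inj_result run_injection(struct converter *(*open_fn)(void))
{
    struct inj_result r = { 0, 0, 0, 0 };
    alloc_calls = 0; fail_at = 0; live_blocks = 0; bad_closes = 0;
    converter_close(open_fn());          /* dry run: count the allocations */
    long total = alloc_calls;
    for (long n = 1; n <= total + 1; n++) {
        alloc_calls = 0; fail_at = n; live_blocks = 0; bad_closes = 0;
        struct converter *c = open_fn();
        if (c) { r.successes++; converter_close(c); }
        r.fault_points++;
        r.bad_closes += bad_closes; r.leaks += live_blocks;
    }
    return r;
}

int main(void)
{
    struct inj_result a = run_injection(converter_open_careless);
    struct inj_result b = run_injection(converter_open);
    printf("careless: %ld invalid closes, %ld leaks\n", a.bad_closes, a.leaks);
    printf("hardened: %ld invalid closes, %ld leaks\n", b.bad_closes, b.leaks);
    return 0;
}
```

Compile with gcc -o inject inject.c (assumed file name) and run: the careless variant reports two invalid closes across its five fault points (one for each handle that can fail to open), the hardened one none, and neither leaks. Against a real library the same counting allocator is interposed via LD_PRELOAD or a linker --wrap=malloc, and the per-N loop replaces random failure so every fault point is hit exactly once; valgrind replaces malloc() with its own allocator, which is why it never reaches these paths.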

