This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nscd/16185] New: nscd/pwdcache.c (cache_addpw): Possible allocate DATASET outside of the stack if it's too large


https://sourceware.org/bugzilla/show_bug.cgi?id=16185

            Bug ID: 16185
           Summary: nscd/pwdcache.c (cache_addpw): Possible allocate
                    DATASET outside of the stack if it's too large
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: nbthang_bk at yahoo dot com
                CC: drepper.fsp at gmail dot com

Sometimes, the nscd application crashes and generates a coredump. After analyzing
the coredump, it seems that the issue is caused by allocating a buffer outside of
the stack.

#0  0x00007f6e4d250b35 in *__GI_raise (sig=<optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f6e4d252111 in *__GI_abort () at abort.c:92
#2  0x00007f6e4d28edef in __libc_message (do_abort=1, fmt=0x7f6e4d3597d4 "%s")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00007f6e4d28eece in *__GI___libc_fatal (
    message=0x7f6e4d35b488 "*** %n in writable segment detected ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#4  0x00007f6e4d26685f in _IO_vfprintf_internal (s=0x7f6e42629ef0, 
    format=0x7f6e4e02cc90 "%d%c%n%s", ap=0x7f6e4262a060) at vfprintf.c:1973
#5  0x00007f6e4d30b899 in ___vsnprintf_chk (s=0x7f6e4262a160 "1019", 
    maxlen=<optimized out>, flags=1, slen=<optimized out>, 
    format=0x7f6e4e02cc90 "%d%c%n%s", args=0x7f6e4262a060)
    at vsnprintf_chk.c:65
#6  0x00007f6e4d30b7db in ___snprintf_chk (
    s=0x5466 <Address 0x5466 out of bounds>, maxlen=8063, flags=6, 
    slen=18446744073709551615, 
    format=0x626174697277206e <Address 0x626174697277206e out of bounds>)
    at snprintf_chk.c:36
#7  0x00007f6e4e01ca7f in snprintf (__fmt=<optimized out>, 
    __n=<optimized out>, __s=<optimized out>) at ../libio/bits/stdio2.h:65
#8  cache_addpw (db=0x7f6e4e2310a0, fd=12, req=0x7f6e4262bde0, 
    key=0x7f6e4262b890, pwd=0x7f6e4262a7c0, owner=4294967295, he=0x0, dh=0x0, 
    errval=0) at pwdcache.c:184

A similar issue was encountered in the past and fixed in following commit:

https://sourceware.org/ml/libc-alpha/2012-06/txt00010.txt

I think that we need to apply the same fix for alloca in nscd/pwdcache.c.

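Added example (not glibc code, and not from the reporter) of the bounded-alloca pattern the report asks for: the scratch buffer size is computed from the caller-supplied field lengths first, and only small requests go on the stack, so an oversized passwd entry is served from the heap instead of being placed below the thread's stack. The record layout, the 16 KiB limit, and the sample entry are assumptions for this example.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed bound for stack scratch buffers (value assumed for this example);
   what matters is that it is bounded, unlike a bare alloca(total). */
#define STACK_ALLOC_LIMIT (16u * 1024u)

/* Stand-in for the passwd fields cache_addpw serialises into its dataset. */
struct pw_rec { const char *name, *passwd, *gecos, *dir, *shell; unsigned uid, gid; };

/* Only small requests may use alloca; everything else comes from the heap. */
static int use_alloca(size_t total) { return total <= STACK_ALLOC_LIMIT; }

/* Bytes for "name:passwd:uid:gid:gecos:dir:shell" plus NUL, computed from the
   caller-supplied field lengths before anything is allocated. */
static size_t record_size(const struct pw_rec *pw) {
    return strlen(pw->name) + strlen(pw->passwd) + strlen(pw->gecos)
         + strlen(pw->dir) + strlen(pw->shell) + 2 * 10 + 6 + 1;
}

/* Serialise PW via a scratch buffer sized by record_size(), copy it to OUT and
   return its length (-1 on failure).  Large entries are malloc'ed, not alloca'ed. */
static int serialise_record(const struct pw_rec *pw, char *out, size_t outlen) {
    size_t total = record_size(pw);
    int on_stack = use_alloca(total);
    char *buf = on_stack ? alloca(total) : malloc(total);
    if (buf == NULL) return -1;
    int n = snprintf(buf, total, "%s:%s:%u:%u:%s:%s:%s", pw->name, pw->passwd,
                     pw->uid, pw->gid, pw->gecos, pw->dir, pw->shell);
    int rc = (n >= 0 && (size_t) n < total && (size_t) n < outlen) ? n : -1;
    if (rc >= 0) memcpy(out, buf, (size_t) n + 1);
    if (!on_stack) free(buf);   /* alloca memory is released on return */
    return rc;
}

/* Constructed sample entry whose gecos field is GECOS_LEN bytes of 'A';
   returns the serialised length, or -1 on failure. */
int demo_record(size_t gecos_len) {
    char *gecos = malloc(gecos_len + 1);
    if (gecos == NULL) return -1;
    memset(gecos, 'A', gecos_len); gecos[gecos_len] = '\0';
    struct pw_rec pw = { "alice", "x", gecos, "/home/alice", "/bin/sh", 1000, 1000 };
    char *out = malloc(record_size(&pw));
    int n = out ? serialise_record(&pw, out, record_size(&pw)) : -1;
    free(out); free(gecos);
    return n;
}
```

With a 5-byte gecos the record fits the stack bound; with a 64 KiB gecos the same call path takes the heap branch and still returns the correct length.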

