FS#61091 - Memory corrupt in libc
Attached to Project: Arch Linux
Opened by Fiodor (drfaust) - Saturday, 15 December 2018, 19:24 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Sunday, 23 June 2019, 09:19 GMT
Details
Description:
Segmentation fault or stack smashing when a wide char is input by fgetwc().

Additional info:

    Linux archlinux 4.19.8-arch1-1-ARCH #1 SMP PREEMPT Sat Dec 8 13:49:11 UTC 2018 x86_64 GNU/Linux

    /lib64/libc.so.6 -v
    GNU C Library (GNU libc) stable release version 2.28.
    Copyright (C) 2018 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    Compiled by GNU CC version 8.2.1 20180831.
    libc ABIs: UNIQUE IFUNC ABSOLUTE
    For bug reporting instructions, please see:
    <https://bugs.archlinux.org/>.

Steps to reproduce:

    cat 1.c && gcc 1.c && ./a.out
    #include <locale.h>
    #include <wchar.h>
    #include <stdio.h>

    int main()
    {
        setlocale(LC_ALL, "ru_RU.UTF-8");
        getwc(stdin);
        return 0;
    }
    11111111111111111111
    *** stack smashing detected ***: <unknown> terminated
    Аварийный останов (стек памяти сброшен на диск)

    [faust@archlinux]$ cat 1.c && clang 1.c && ./a.out
    #include <locale.h>
    #include <wchar.h>
    #include <stdio.h>

    int main()
    {
        setlocale(LC_ALL, "ru_RU.UTF-8");
        getwc(stdin);
        return 0;
    }
    222222222222222222
    *** stack smashing detected ***: <unknown> terminated
    Аварийный останов (стек памяти сброшен на диск)

    [faust@archlinux]$ gdb ./a.out
    GNU gdb (GDB) 8.2
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Type "show copying" and "show warranty" for details.
    This GDB was configured as "x86_64-pc-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from ./a.out...(no debugging symbols found)...done.
    (gdb) r
    Starting program: ./a.out
    22222222222222222222222
    *** stack smashing detected ***: <unknown> terminated

    Program received signal SIGABRT, Aborted.
    0x00007ffff7de7d7f in raise () from /usr/lib/libc.so.6
    (gdb) bt
    #0  0x00007ffff7de7d7f in raise () from /usr/lib/libc.so.6
    #1  0x00007ffff7dd2672 in abort () from /usr/lib/libc.so.6
    #2  0x00007ffff7e2a878 in __libc_message () from /usr/lib/libc.so.6
    #3  0x00007ffff7ebd415 in __fortify_fail_abort () from /usr/lib/libc.so.6
    #4  0x00007ffff7ebd3c6 in __stack_chk_fail () from /usr/lib/libc.so.6
    #5  0x00007ffff7e282dc in do_length () from /usr/lib/libc.so.6
    #6  0x00007ffff7e27ca5 in _IO_wfile_sync () from /usr/lib/libc.so.6
    #7  0x00007ffff7e2ef26 in _IO_default_setbuf () from /usr/lib/libc.so.6
    #8  0x00007ffff7e2babe in __GI__IO_file_setbuf () from /usr/lib/libc.so.6
    #9  0x00007ffff7e2f9a1 in _IO_cleanup () from /usr/lib/libc.so.6
    #10 0x00007ffff7dea552 in __run_exit_handlers () from /usr/lib/libc.so.6
    #11 0x00007ffff7dea58e in exit () from /usr/lib/libc.so.6
    #12 0x00007ffff7dd422a in __libc_start_main () from /usr/lib/libc.so.6
    #13 0x000055555555507e in _start ()
    (gdb) q
    A debugging session is active.

    Inferior 1 [process 2703] will be killed.

    Quit anyway? (y or n) y
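The backtrace shows the stack protector firing inside do_length, called from _IO_wfile_sync while exit() flushes stdin. On sync, a wide-oriented stream has to map the wide characters that were decoded but never consumed back to a count of bytes in the external (multibyte) buffer, so the file position can be moved back by that amount. The following C model is added to this bug entry as an illustration; it is not glibc's libio code and not the reporter's attachment. It shows that calculation on a constructed UTF-8 sample and why the sign of the unread count matters (the attached patch below swaps read_ptr - read_end for read_end - read_ptr and makes delta a size_t). The struct and function names are assumptions, and utf8_seq_len stands in for the locale's mbrtowc so the program runs without a ru_RU.UTF-8 locale installed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <wchar.h>

/* Simplified model (an assumption for this example, not glibc's layout) of
   the wide read area of a FILE: the wide chars decoded from the external
   buffer, and how far the caller has consumed them. */
struct wide_read_area {
    const wchar_t *read_base;  /* first decoded wide char */
    const wchar_t *read_ptr;   /* next wide char getwc() would return */
    const wchar_t *read_end;   /* one past the last decoded wide char */
};

/* The expression as it stood before the patch: read_ptr - read_end.
   For a stream with unread data this is negative. */
ssize_t unread_delta_original(const struct wide_read_area *a)
{
    return a->read_ptr - a->read_end;
}

/* The expression after the patch: read_end - read_ptr, a non-negative
   count of unread wide chars. */
size_t unread_delta_fixed(const struct wide_read_area *a)
{
    return (size_t)(a->read_end - a->read_ptr);
}

/* Byte length of one UTF-8 sequence from its lead byte.  Stand-in for the
   locale's mbrtowc; assumes well-formed input. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    return 4;
}

/* How many external bytes to go back so the stream position matches
   read_ptr: re-scan the external buffer over the wide chars that were
   consumed and return the bytes left over.  Returns (size_t)-1 when the
   counts are inconsistent, e.g. an unread count larger than everything that
   was decoded, which is exactly what a negative delta reinterpreted as an
   unsigned size looks like. */
size_t bytes_to_go_back(const unsigned char *ext, size_t ext_len,
                        size_t decoded_wchars, size_t unread_wchars)
{
    if (unread_wchars > decoded_wchars)
        return (size_t)-1;
    size_t consumed = decoded_wchars - unread_wchars;
    size_t pos = 0;
    for (size_t i = 0; i < consumed; i++) {
        if (pos >= ext_len)
            return (size_t)-1;
        pos += utf8_seq_len(ext[pos]);
    }
    if (pos > ext_len)
        return (size_t)-1;
    return ext_len - pos;
}

/* Constructed sample: the six Cyrillic letters of "привет" as UTF-8
   (two bytes each, 12 bytes total) and the six wide chars decoded from them. */
static const unsigned char SAMPLE_EXT[] =
    "\xD0\xBF\xD1\x80\xD0\xB8\xD0\xB2\xD0\xB5\xD1\x82";
static const wchar_t SAMPLE_WIDE[6] =
    { 0x043F, 0x0440, 0x0438, 0x0432, 0x0435, 0x0442 };

/* Worked instance of the reporter's scenario: one getwc() consumed the first
   wide char, five remain unread, so the stream must step back 10 bytes. */
size_t demo_go_back(void)
{
    struct wide_read_area a = { SAMPLE_WIDE, SAMPLE_WIDE + 1, SAMPLE_WIDE + 6 };
    size_t unread = unread_delta_fixed(&a);                      /* 5 */
    return bytes_to_go_back(SAMPLE_EXT, sizeof SAMPLE_EXT - 1, 6, unread);
}

/* Same stream state with the count computed the old way: -5, which once
   treated as a size_t becomes an enormous value.  The bounds check rejects
   it instead of walking past the end of the external buffer. */
int demo_original_delta_is_rejected(void)
{
    struct wide_read_area a = { SAMPLE_WIDE, SAMPLE_WIDE + 1, SAMPLE_WIDE + 6 };
    ssize_t d = unread_delta_original(&a);                       /* -5 */
    size_t back = bytes_to_go_back(SAMPLE_EXT, sizeof SAMPLE_EXT - 1, 6, (size_t)d);
    return d < 0 && back == (size_t)-1;
}

int main(void)
{
    printf("bytes to go back (fixed delta): %zu\n", demo_go_back());
    printf("original delta rejected: %d\n", demo_original_delta_is_rejected());
    return 0;
}
```

Build with `gcc -Wall demo.c -o demo && ./demo`. The point of the model is the invariant the real code has to maintain: the unread count must be non-negative and no larger than the number of wide chars decoded, otherwise the walk back over the external buffer has no valid stopping point.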
Closed by Bartłomiej Piotrowski (Barthalion)
Sunday, 23 June 2019, 09:19 GMT
Reason for closing: Fixed
Additional comments about closing: glibc 2.29-3
--- glibc-2.28.old/libio/wfileops.c 2018-08-01 08:10:47.000000000 +0300
+++ glibc-2.28/libio/wfileops.c 2018-12-14 21:03:17.759346239 +0300
@@ -480,14 +480,14 @@
wint_t
_IO_wfile_sync (FILE *fp)
{
- ssize_t delta;
+ size_t delta;
wint_t retval = 0;
/* char* ptr = cur_ptr(); */
if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)
if (_IO_do_flush (fp))
return WEOF;
- delta = fp->_wide_data->_IO_read_ptr - fp->_wide_data->_IO_read_end;
+ delta = fp->_wide_data->_IO_read_end - fp->_wide_data->_IO_read_ptr;
if (delta != 0)
{
/* We have to find out how many bytes we have to go back in the
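Review bot: turning delta into an unsigned `size_t` at `+ size_t delta;` while reversing the subtraction to `read_end - read_ptr` changes the meaning of every later use of delta in this function, but the hunk header `@@ -480,14 +480,14 @@` promises 14 lines and the quoted text stops at the comment "We have to find out how many bytes we have to go back", so the remaining lines of this hunk are missing and the change cannot be reviewed as posted: any code below that tested delta against zero for sign or added delta to a pointer expecting a non-positive offset must be adjusted to match. Please attach the complete patch and note whether it corresponds to the upstream glibc fix for this crash.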