FS#61091 - Memory corrupt in libc

Attached to Project: Arch Linux
Opened by Fiodor (drfaust) - Saturday, 15 December 2018, 19:24 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Sunday, 23 June 2019, 09:19 GMT
Task Type Bug Report
Category System
Status Closed
Assigned To No-one
Architecture x86_64
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Segmentation fault or stack smashing when a wide char is read with fgetwc().


Additional info:
Linux archlinux 4.19.8-arch1-1-ARCH #1 SMP PREEMPT Sat Dec 8 13:49:11 UTC 2018 x86_64 GNU/Linux

/lib64/libc.so.6 -v
GNU C Library (GNU libc) stable release version 2.28.
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 8.2.1 20180831.
libc ABIs: UNIQUE IFUNC ABSOLUTE
For bug reporting instructions, please see:
<https://bugs.archlinux.org/>.

Steps to reproduce:
cat 1.c && gcc 1.c && ./a.out
#include <locale.h>
#include <wchar.h>
#include <stdio.h>

int main()
{
    setlocale(LC_ALL, "ru_RU.UTF-8");
    getwc(stdin);
    return 0;
}
11111111111111111111
*** stack smashing detected ***: <unknown> terminated
Аварийный останов (стек памяти сброшен на диск)
[faust@archlinux]$ cat 1.c && clang 1.c && ./a.out
#include <locale.h>
#include <wchar.h>
#include <stdio.h>

int main()
{
    setlocale(LC_ALL, "ru_RU.UTF-8");
    getwc(stdin);
    return 0;
}
222222222222222222
*** stack smashing detected ***: <unknown> terminated
Аварийный останов (стек памяти сброшен на диск)
[faust@archlinux]$ gdb ./a.out
GNU gdb (GDB) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./a.out...(no debugging symbols found)...done.
(gdb) r
Starting program: ./a.out
22222222222222222222222
*** stack smashing detected ***: <unknown> terminated

Program received signal SIGABRT, Aborted.
0x00007ffff7de7d7f in raise () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ffff7de7d7f in raise () from /usr/lib/libc.so.6
#1 0x00007ffff7dd2672 in abort () from /usr/lib/libc.so.6
#2 0x00007ffff7e2a878 in __libc_message () from /usr/lib/libc.so.6
#3 0x00007ffff7ebd415 in __fortify_fail_abort () from /usr/lib/libc.so.6
#4 0x00007ffff7ebd3c6 in __stack_chk_fail () from /usr/lib/libc.so.6
#5 0x00007ffff7e282dc in do_length () from /usr/lib/libc.so.6
#6 0x00007ffff7e27ca5 in _IO_wfile_sync () from /usr/lib/libc.so.6
#7 0x00007ffff7e2ef26 in _IO_default_setbuf () from /usr/lib/libc.so.6
#8 0x00007ffff7e2babe in __GI__IO_file_setbuf () from /usr/lib/libc.so.6
#9 0x00007ffff7e2f9a1 in _IO_cleanup () from /usr/lib/libc.so.6
#10 0x00007ffff7dea552 in __run_exit_handlers () from /usr/lib/libc.so.6
#11 0x00007ffff7dea58e in exit () from /usr/lib/libc.so.6
#12 0x00007ffff7dd422a in __libc_start_main () from /usr/lib/libc.so.6
#13 0x000055555555507e in _start ()
(gdb) q
A debugging session is active.

Inferior 1 [process 2703] will be killed.

Quit anyway? (y or n) y
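An added probe, not part of the report or of glibc, that runs the reporter's getwc-then-exit sequence in a forked child with the "1111..." line piped to its stdin and reports whether the child exited cleanly or was killed, so a deployed libc can be checked without crashing the calling process. It assumes the ru_RU.UTF-8 locale may be absent and falls back to C.UTF-8.

```c
#define _POSIX_C_SOURCE 200809L
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#include <wchar.h>

/* Runs the reporter's getwc-then-exit sequence in a forked child. exit()
   flushes stdin via _IO_cleanup -> _IO_wfile_sync, the frame that aborts in
   the report's backtrace. Returns 0 if the child exits cleanly (libc not
   affected), the signal number if it was killed (SIGABRT for the
   stack-smashing abort), or -1 on a harness failure. */
int probe_wfile_sync_abort(void)
{
    /* Constructed input, same shape as the line typed in the report. */
    static const char input[] = "11111111111111111111\n";
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: stdin <- read end of the pipe */
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) < 0)
            _exit(127);
        close(fds[0]);
        /* Assumption: ru_RU.UTF-8 may be missing, so fall back to C.UTF-8. */
        if (setlocale(LC_ALL, "ru_RU.UTF-8") == NULL)
            setlocale(LC_ALL, "C.UTF-8");
        getwc(stdin);
        exit(0);                    /* the flush at exit is the trigger */
    }
    close(fds[0]);
    (void)!write(fds[1], input, sizeof input - 1);
    close(fds[1]);                  /* EOF so the child's read terminates */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    int r = probe_wfile_sync_abort();   /* 0 = not affected, >0 = signal */
    printf("getwc/exit probe result: %d\n", r);
    return r == 0 ? 0 : 1;
}
```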

Closed by  Bartłomiej Piotrowski (Barthalion)
Sunday, 23 June 2019, 09:19 GMT
Reason for closing:  Fixed
Additional comments about closing:  glibc 2.29-3
Comment by Fiodor (drfaust) - Saturday, 15 December 2018, 19:29 GMT
Possible patch by "prik" - http://www.cyberforum.ru/members/158409.html


--- glibc-2.28.old/libio/wfileops.c 2018-08-01 08:10:47.000000000 +0300
+++ glibc-2.28/libio/wfileops.c 2018-12-14 21:03:17.759346239 +0300
@@ -480,14 +480,14 @@
wint_t
_IO_wfile_sync (FILE *fp)
{
- ssize_t delta;
+ size_t delta;
wint_t retval = 0;

/* char* ptr = cur_ptr(); */
if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)
if (_IO_do_flush (fp))
return WEOF;
- delta = fp->_wide_data->_IO_read_ptr - fp->_wide_data->_IO_read_end;
+ delta = fp->_wide_data->_IO_read_end - fp->_wide_data->_IO_read_ptr;
if (delta != 0)
{
/* We have to find out how many bytes we have to go back in the
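Review bot: the `ssize_t` to `size_t` change for `delta` removes the ability to notice a buffer where `_wide_data->_IO_read_ptr` has moved past `_wide_data->_IO_read_end`: with an unsigned type, `read_end - read_ptr` wraps to a huge value and `if (delta != 0)` still takes the branch, so an oversized count is passed on to whatever consumes `delta` after the trailing `/* We have to find out how many bytes we have to go back ... */` comment, which is exactly the kind of length that would explain the `__stack_chk_fail` under `do_length` in the reported backtrace. Keep `delta` signed and add an explicit `read_ptr <= read_end` check before using it, and extend the hunk to include the later uses of `delta`, since flipping both the sign and the signedness of the variable cannot be reviewed without seeing how the rest of `_IO_wfile_sync` consumes it.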
Comment by loqs (loqs) - Saturday, 15 December 2018, 21:00 GMT
Comment by Fiodor (drfaust) - Saturday, 15 December 2018, 21:51 GMT
Since 2016???
Comment by Mateusz (mati865) - Friday, 24 May 2019, 12:21 GMT
The fix has been committed by upstream for various branches including 2.29.
