Bug 14716

Summary: memmem crash
Product: glibc
Reporter: Jan Kratochvil <jan>
Component: libc
Assignee: Maxim Kuvyrkov <maxim.kuvyrkov>
Status: RESOLVED FIXED
Severity: normal
CC: allan, drepper.fsp, eblake, hjl.tools, jan, law, maxim.kuvyrkov, ppluzhnikov
Priority: P2
Flags: fweimer: security-
Version: 2.17
Target Milestone: 2.17
Bug Depends on: 14602
Attachments: GDB debug output
.tar.xz of core file, gdb binary, rpm -qa (Fedora Rawhide 2012-10-12)
.c crash reproducer.

Description Jan Kratochvil 2012-10-13 18:47:01 UTC
Created attachment 6683 [details]
GDB debug output

+++ This bug was initially created as a clone of Bug #14602 +++

glibc-2.16.90-24.fc19.x86_64
https://koji.fedoraproject.org/koji/buildinfo?buildID=359617

Core was generated by `/unsafe/home/jkratoch/hammock/20121013Build-gdbcvs-rawhide/fedora-rawhide-x86_6'.
Program terminated with signal 11, Segmentation fault.
#0  two_way_short_needle (needle_len=<optimized out>, needle=<optimized out>, haystack_len=<optimized out>, haystack=<optimized out>) at str-two-way.h:309
309                   != (haystack_char = CANON_ELEMENT (*phaystack++)))

Detailed debug dump attached.

I do not have it reproducible by hand; it happened during nightly builds.

Regression by:
glibc-2.16.90-23.fc19.x86_64 -> glibc-2.16.90-24.fc19.x86_64
Comment 1 Jan Kratochvil 2012-10-13 18:58:13 UTC
Created attachment 6684 [details]
.tar.xz of core file, gdb binary, rpm -qa (Fedora Rawhide 2012-10-12)
Comment 2 Jan Kratochvil 2012-10-13 19:06:07 UTC
Reproduced it with FSF GDB HEAD:
cd gdb/testsuite; while runtest gdb.base/find.exp;do :;done

According to the logs, gdb.python/py-inferior.exp also crashes.
Comment 3 H.J. Lu 2012-10-13 21:08:34 UTC
Can you provide the GDB command line option to trigger this?
Comment 4 H.J. Lu 2012-10-13 21:47:25 UTC
You can use a memmem wrapper to extract a testcase:

1. Copy simple_memmem from string/test-memmem.c in glibc.
2. Write a function to dump the memmem input into C source code, including
   address values.
3. Call simple_memmem to get the correct result.
4. Compare the result from memmem against simple_memmem.  If it fails,
   call the dumper to generate the testcase.
5. Link GDB against the memmem wrapper.

You can generate a testcase by:

1. The dumper being called on a wrong result from memmem.
2. Running the dumper by hand inside GDB when GDB segfaults.
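The wrapper described in the comment above, written out in C as an added example; this is not code from the bug, from GDB or from glibc. The oracle is written from scratch in the spirit of simple_memmem rather than copied, checked_memmem, dump_testcase, memmem_mismatches and sample_hs are assumed names, and the sample input is constructed.

```c
#define _GNU_SOURCE 1                      /* memmem() is a GNU extension */
#include <stdio.h>
#include <string.h>
/* Explicit prototype in case <string.h> was already included before the macro took effect. */
extern void *memmem(const void *, size_t, const void *, size_t);

unsigned long memmem_mismatches;   /* bumped whenever libc disagrees with the oracle */

/* Step 1: a naive oracle in the spirit of simple_memmem from glibc's
   string/test-memmem.c (rewritten here, not copied from glibc). */
void *simple_memmem(const void *hs, size_t hs_len, const void *ne, size_t ne_len)
{
    const unsigned char *h = hs;
    if (ne_len == 0)
        return (void *)hs;                 /* empty needle matches at offset 0 */
    for (size_t i = 0; ne_len <= hs_len && i <= hs_len - ne_len; i++)
        if (memcmp(h + i, ne, ne_len) == 0)
            return (void *)(h + i);
    return NULL;
}

/* Step 2: write both inputs, address values included, as C source a reproducer can replay. */
void dump_testcase(FILE *out, const void *hs, size_t hs_len, const void *ne, size_t ne_len)
{
    const unsigned char *bufs[2] = { hs, ne };
    size_t lens[2] = { hs_len, ne_len };
    fprintf(out, "/* haystack=%p needle=%p */\n", hs, ne);
    for (int b = 0; b < 2; b++) {
        fprintf(out, "static const unsigned char %s[%zu] = {", b ? "ne" : "hs", lens[b]);
        for (size_t i = 0; i < lens[b]; i++)
            fprintf(out, "%s0x%02x", i ? "," : "", bufs[b][i]);
        fprintf(out, "};\n");
    }
}

/* Steps 3-4: cross-check every call against the oracle and dump a disagreement
   on the spot, before a wrong result (or a crash further on) loses the input. */
void *checked_memmem(const void *hs, size_t hs_len, const void *ne, size_t ne_len)
{
    void *got = memmem(hs, hs_len, ne, ne_len);
    if (got != simple_memmem(hs, hs_len, ne, ne_len)) {
        memmem_mismatches++;
        dump_testcase(stderr, hs, hs_len, ne, ne_len);
    }
    return got;
}

/* Constructed sample input; periodic needles such as "ababc" drive the two-way
   matcher (str-two-way.h) named in the backtrace above. */
const char sample_hs[] = "abababcabababc xyz";
```

Step 5 of the recipe is then a matter of having GDB's calls resolve to checked_memmem instead of memmem.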
Comment 5 Jan Kratochvil 2012-10-14 06:21:54 UTC
Created attachment 6685 [details]
.c crash reproducer.
Comment 6 Maxim Kuvyrkov 2012-10-16 00:25:00 UTC
Fixed in e9f372520618161d7d73e028ca23818e83b88bbc.