| Summary: | Probable buffer overrun in strtold() | | |
|---|---|---|---|
| Product: | glibc | Reporter: | Nix <nix> |
| Component: | libc | Assignee: | Ulrich Drepper <drepper.fsp> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | fweimer, glibc-bugs |
| Priority: | P2 | Flags: | fweimer: security+ |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Host: | i686-pc-linux-gnu | Target: | i686-pc-linux-gnu |
| Build: | i686-pc-linux-gnu | Last reconfirmed: | |
| Attachments: | One-liner reproducing the crash | | |
Description

Nix, 2008-12-04 00:49:09 UTC

Created attachment 3090: One-liner reproducing the crash
Backtrace with this one-liner, with glibc compiled with -fstack-protector-all:
Program received signal SIGABRT, Aborted.
0xb804a424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb804a424 in __kernel_vsyscall ()
#1 0x08054a4b in __stack_chk_fail () at stack_chk_fail.c:295
#2 0x0804ad96 in ____strtold_l_internal (nptr=0x80ad488 "42.", '0' <repeats 19
times>, "1", endptr=0x0, group=0, loc=0x80cb0a0) at ../stdlib/strtod_l.c:1571
#3 0x08048cb7 in strtold (nptr=0x80ad488 "42.", '0' <repeats 19 times>, "1",
endptr=0x0) at strtod.c:70
#4 0x08048255 in main (argc=1, argv=0xbfa47364) at strtold-crash.c:7
Are you compiling with -std=c99 or similar? (i.e. do you have the correct prototype?)

It's using the same compile line that glibc's 'make check' uses, which passes -std=gnu99 (IIRC: I don't have a build tree at the right point to verify this right now). The original testcase in glibc calls strtold() with many different inputs: only this one crashes under -fstack-protector-all, and the corrupted stack is not in the testing function but within glibc itself. So I don't see how e.g. pointer width differences (not applicable on x86-32 anyway as far as I can see) could cause a problem. It's not as if this is a varargs function on AIX or something.

Should be handled in git.
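The following C program is an added regression check written for this page; it is not the attachment from the report and not part of glibc's test suite. It rebuilds the input visible in the backtrace ("42." followed by 19 zeros and "1") and verifies what a libc-level check should verify after the fix: that strtold() consumes the whole string, leaves errno untouched and returns a value within tolerance of 42 + 1e-20. It then goes beyond the single reported input and sweeps fraction lengths from 0 to 200 zeros, since the corruption depended on the length of the fractional part. Function names (check_strtold_input, build_input, count_failures) are this example's own; it assumes a glibc that already carries the fix, so a failure here means a regression rather than the original crash.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse s with strtold() and verify three things: the whole string was
   consumed (endptr sits on the terminating NUL), errno was not set, and the
   result is within tol of expected. Returns 1 on success, 0 otherwise. */
int check_strtold_input(const char *s, long double expected, long double tol)
{
    char *end = NULL;
    long double v;
    long double diff;

    errno = 0;
    v = strtold(s, &end);
    if (errno != 0)
        return 0;
    if (end == NULL || *end != '\0')
        return 0;
    diff = v - expected;
    if (diff < 0)
        diff = -diff;
    return diff <= tol;
}

/* Write "42." + zeros '0' characters + "1" into buf. This is the input shape
   from the report's backtrace (19 zeros there). Returns 0 if buf is too small. */
int build_input(char *buf, size_t buflen, unsigned zeros)
{
    if (buflen < (size_t)zeros + 5)  /* "42." + zeros + "1" + NUL */
        return 0;
    memcpy(buf, "42.", 3);
    memset(buf + 3, '0', zeros);
    buf[3 + zeros] = '1';
    buf[4 + zeros] = '\0';
    return 1;
}

/* Sweep fraction lengths 0..max_zeros and count inputs that fail the check.
   The expected value is 42 + 10^-(zeros+1), computed by repeated division so
   the example does not need libm. */
unsigned count_failures(unsigned max_zeros)
{
    char buf[512];
    unsigned failures = 0;
    unsigned z;

    for (z = 0; z <= max_zeros; z++) {
        long double frac = 1.0L;
        unsigned i;

        if (!build_input(buf, sizeof buf, z)) {
            failures++;
            continue;
        }
        for (i = 0; i <= z; i++)
            frac /= 10.0L;
        if (!check_strtold_input(buf, 42.0L + frac, 1e-12L))
            failures++;
    }
    return failures;
}

int main(void)
{
    char buf[64];

    /* The exact input from the report: 19 zeros, so the value is 42 + 1e-20. */
    build_input(buf, sizeof buf, 19);
    printf("%s -> %s\n", buf,
           check_strtold_input(buf, 42.0L + 1e-20L, 1e-12L) ? "ok" : "FAIL");
    printf("failures across 0..200 zeros: %u\n", count_failures(200));
    return 0;
}
```

The tolerance is deliberately loose (1e-12) so the check passes whether long double is the 80-bit x87 format of the reporter's i686 host or IEEE quad on other targets; the point of the check is the bounds discipline of the parser, not the last bits of rounding. Building glibc or the test with -fstack-protector-all, as the reporter did, turns a silent overrun into the abort shown in the backtrace.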