Bug 12766 - SEGV in error_at_line(3)
Summary: SEGV in error_at_line(3)
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.13
Importance: P2 critical
Target Milestone: ---
Assignee: Ulrich Drepper
Duplicates: 12767
Reported: 2011-05-16 01:48 UTC by Yaakov Selkowitz
Modified: 2014-06-13 14:42 UTC

fweimer: security-


Attachments
sample code (190 bytes, text/plain)
2011-05-16 01:48 UTC, Yaakov Selkowitz
Description Yaakov Selkowitz 2011-05-16 01:48:47 UTC
Created attachment 5725
sample code

Description of problem:
If error_one_per_line is set to a non-zero value, and error_at_line(3) is called consecutively with the same lineno, once with a NULL filename and the other non-NULL (in either order), the program SEGVs.  GDB shows the function uses strcmp(3) without checking for NULL inputs.


Version-Release number of selected component (if applicable):
Fedora 14: glibc-2.13-1.i686


How reproducible:
Always.


Steps to Reproduce:
1. gcc -Wall error-segv.c && ./a.out


Actual results:
./a.out: error_at_line with NULL filename: No such file or directory
Segmentation fault (core dumped)

Program received signal SIGSEGV, Segmentation fault.
__strcmp_ia32 () at ../sysdeps/i386/i686/strcmp.S:39
39	L(oop):	movb	(%ecx), %al
(gdb) bt
#0  __strcmp_ia32 () at ../sysdeps/i386/i686/strcmp.S:39
#1  0x0070eea6 in __error_at_line (status=0, errnum=2, 
    file_name=0x80485b9 "error-segv.c", line_number=10, message=0x8048594 "%s")
    at error.c:275
#2  0x080484bf in error_at_line () at /usr/include/bits/error.h:72
#3  main () at error-segv.c:10


Expected results:
Since NULL != __FILE__, the error_one_per_line clause should not be triggered, and output should be generated.


Additional info:
Neither http://www.gnu.org/s/libc/manual/html_node/Error-Messages.html nor http://www.kernel.org/doc/man-pages/online/pages/man3/error.3.html give any indication that filename cannot be NULL; my tests show that without setting error_one_per_line, or even set with two consecutive NULL filenames, it works fine.
Comment 1 Yaakov Selkowitz 2011-05-16 03:29:08 UTC
(In reply to comment #0)
> My tests show that without setting error_one_per_line, or even set with two consecutive NULL filenames, it works fine.

Scratch that; it also SEGVs if called twice consecutively with NULL filenames as well.
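A NULL-safe version of the comparison the description and comment 1 are about, as an added example that is neither glibc's code nor the attached error-segv.c: a small model of error_at_line(3)'s error_one_per_line bookkeeping, run over the call sequences the reporter describes (NULL then a file name, a file name then NULL, NULL twice). The variable names old_file_name and old_line_number and the function names are assumptions for the example; it prints to stderr like the real function but never calls it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added model of the error_one_per_line bookkeeping in error_at_line(3); not
   glibc's code, and the static names below are assumed.  Per the report, glibc
   2.13 compared the remembered and current file names with a bare strcmp(), so
   a NULL file name dereferenced NULL.  */
int error_one_per_line = 0;          /* models the public glibc variable */
static const char *old_file_name;    /* remembered by pointer, not copied */
static unsigned old_line_number;
static int emitted;                  /* messages actually printed */

/* NULL-safe "same location" test used instead of a bare strcmp().  */
bool same_location(const char *a, unsigned la, const char *b, unsigned lb)
{
    if (la != lb)
        return false;
    /* Equal pointers (both NULL included) match without dereferencing;
       otherwise both must be non-NULL before strcmp() may touch them.  */
    return a == b || (a != NULL && b != NULL && strcmp(a, b) == 0);
}

void model_error_at_line(const char *file_name, unsigned line_number,
                         const char *message)
{
    if (error_one_per_line) {
        if (same_location(old_file_name, old_line_number, file_name, line_number))
            return;                  /* repeat of the last location: suppress */
        old_file_name = file_name;
        old_line_number = line_number;
    }
    if (file_name != NULL)
        fprintf(stderr, "%s:%u: %s\n", file_name, line_number, message);
    else
        fprintf(stderr, "%s\n", message);
    emitted++;
}

/* The sequences from the description and comment 1, all at line 10; returns
   how many messages were printed (3: only the fourth call is a true repeat).  */
int run_report_sequences(void)
{
    error_one_per_line = 1;
    emitted = 0;
    old_file_name = NULL;
    old_line_number = 0;
    model_error_at_line(NULL, 10, "NULL filename");             /* printed */
    model_error_at_line("error-segv.c", 10, "then a filename");   /* printed */
    model_error_at_line(NULL, 10, "then NULL again");           /* printed */
    model_error_at_line(NULL, 10, "NULL twice in a row");       /* suppressed */
    return emitted;
}
```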
Comment 2 Yaakov Selkowitz 2011-05-16 03:30:14 UTC
*** Bug 12767 has been marked as a duplicate of this bug. ***
Comment 3 Yaakov Selkowitz 2011-05-16 05:36:32 UTC
Confirmed with vanilla glibc-2.13; this is not Fedora-specific.
Comment 4 Ulrich Drepper 2011-05-16 13:11:11 UTC
I checked in a patch.