Bug 14716 - memmem crash
Summary: memmem crash
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.17
Importance: P2 normal
Target Milestone: 2.17
Assignee: Maxim Kuvyrkov
Depends on: 14602
Reported: 2012-10-13 18:47 UTC by Jan Kratochvil
Modified: 2014-06-14 12:55 UTC
CC: 8 users

See Also:
Last reconfirmed:
fweimer: security-

GDB debug output (7.95 KB, text/plain)
2012-10-13 18:47 UTC, Jan Kratochvil
.tar.xz of core file, gdb binary, rpm -qa (Fedora Rawhide 2012-10-12) (9.44 MB, application/octet-stream)
2012-10-13 18:58 UTC, Jan Kratochvil
.c crash reproducer. (416 bytes, text/plain)
2012-10-14 06:21 UTC, Jan Kratochvil

Description Jan Kratochvil 2012-10-13 18:47:01 UTC
Created attachment 6683
GDB debug output

+++ This bug was initially created as a clone of Bug #14602 +++


Core was generated by `/unsafe/home/jkratoch/hammock/20121013Build-gdbcvs-rawhide/fedora-rawhide-x86_6'.
Program terminated with signal 11, Segmentation fault.
#0  two_way_short_needle (needle_len=<optimized out>, needle=<optimized out>, haystack_len=<optimized out>, haystack=<optimized out>) at str-two-way.h:309
309                   != (haystack_char = CANON_ELEMENT (*phaystack++)))

Detailed debug dump attached.

I do not have it reproducible by hand, it happened during nightly builds.

Regression by:
glibc-2.16.90-23.fc19.x86_64 -> glibc-2.16.90-24.fc19.x86_64
Comment 1 Jan Kratochvil 2012-10-13 18:58:13 UTC
Created attachment 6684
.tar.xz of core file, gdb binary, rpm -qa (Fedora Rawhide 2012-10-12)
Comment 2 Jan Kratochvil 2012-10-13 19:06:07 UTC
Reproduced it with FSF GDB HEAD:
cd gdb/testsuite; while runtest gdb.base/find.exp;do :;done

According to logs crashes also: gdb.python/py-inferior.exp
Comment 3 H.J. Lu 2012-10-13 21:08:34 UTC
Can you provide a GDB command line option to trigger this?
Comment 4 H.J. Lu 2012-10-13 21:47:25 UTC
You can use a memmem wrapper to extract a testcase:

1. Copy simple_memmem from string/test-memmem.c in glibc.
2. Write a function to dump memmem input into a C source code, including
   address values.
3. Call simple_memmem to get correct result.
4. Compare result from memmem against simple_memmem.  If it fails,
   call the dumper to generate the testcase.
5. Link GDB against the memmem wrapper.

You can generate a testcase by

1. Dumper called on wrong result from memmem.
2. Run dumper by hand inside GDB when GDB segfaults
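The wrapper approach described in this comment, as an added example written for this page (it is not glibc's string/test-memmem.c and not the reproducer attached below): a naive reference memmem is used as the oracle, every call to the wrapper is cross-checked against the libc memmem, and on a mismatch the inputs are dumped as compilable C together with their original addresses, since the alignment of the buffers is often what makes a str-two-way.h bug reproduce. The names simple_memmem, dump_testcase, checked_memmem, run_self_check and find_offset are chosen here, and the inputs in run_self_check are constructed; a program under test would call checked_memmem where it currently calls memmem.

```c
/* Added example: differential check of libc memmem against a naive reference,
   dumping a C testcase (with addresses) whenever the two disagree.
   Not glibc code; simple_memmem is a hypothetical re-implementation. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* glibc only declares memmem under _GNU_SOURCE; a compatible prototype is
   repeated so the file builds even if feature macros were fixed earlier. */
void *memmem(const void *haystack, size_t haystack_len,
             const void *needle, size_t needle_len);

/* Reference implementation: plain O(n*m) scan, used as the oracle. */
static void *simple_memmem(const void *haystack, size_t hl,
                           const void *needle, size_t nl)
{
    const unsigned char *h = haystack;
    if (nl == 0)
        return (void *)h;           /* empty needle matches at the start */
    if (nl > hl)
        return NULL;
    for (size_t i = 0; i + nl <= hl; i++)
        if (memcmp(h + i, needle, nl) == 0)
            return (void *)(h + i);
    return NULL;
}

/* Emit the inputs as C source, recording the original addresses and their
   alignment so the case can be rebuilt at the same offsets. */
static void dump_testcase(FILE *out, const void *haystack, size_t hl,
                          const void *needle, size_t nl,
                          const void *got, const void *want)
{
    const unsigned char *h = haystack, *n = needle;
    fprintf(out, "/* memmem mismatch: haystack=%p (mod16=%zu) needle=%p (mod16=%zu)"
                 " got=%p want=%p */\n",
            (void *)haystack, (size_t)((uintptr_t)haystack % 16),
            (void *)needle, (size_t)((uintptr_t)needle % 16),
            (void *)got, (void *)want);
    fprintf(out, "static const unsigned char haystack[%zu] = {", hl);
    for (size_t i = 0; i < hl; i++)
        fprintf(out, "%s0x%02x", i ? "," : "", h[i]);
    fprintf(out, "};\nstatic const unsigned char needle[%zu] = {", nl ? nl : 1);
    for (size_t i = 0; i < nl; i++)
        fprintf(out, "%s0x%02x", i ? "," : "", n[i]);
    fprintf(out, "%s};\n", nl ? "" : "0");
}

/* Drop-in wrapper: counts and dumps mismatches, then returns the reference
   answer so the caller keeps running and more cases can be collected. */
static unsigned long memmem_mismatches;

static void *checked_memmem(const void *haystack, size_t hl,
                            const void *needle, size_t nl)
{
    void *want = simple_memmem(haystack, hl, needle, nl);
    void *got = memmem(haystack, hl, needle, nl);
    if (got != want) {
        memmem_mismatches++;
        dump_testcase(stderr, haystack, hl, needle, nl, got, want);
    }
    return want;
}

/* Offset of needle in haystack through the checked wrapper, or -1 if absent. */
static long find_offset(const char *haystack, const char *needle)
{
    const char *p = checked_memmem(haystack, strlen(haystack),
                                   needle, strlen(needle));
    return p ? (long)(p - haystack) : -1;
}

/* Constructed inputs: a periodic pattern placed at every offset 0..15 of a
   buffer, which exercises the alignment-dependent paths of the two-way search.
   Returns the number of mismatches found during this sweep (0 on a sane libc). */
static unsigned long run_self_check(void)
{
    static const char pattern[] = "abcabcabdabcabcabcabdabx";
    unsigned char buf[64];
    unsigned long before = memmem_mismatches;
    for (size_t off = 0; off < 16; off++) {
        memset(buf, 'z', sizeof buf);
        memcpy(buf + off, pattern, sizeof pattern - 1);
        checked_memmem(buf + off, sizeof pattern - 1, "abdabx", 6);    /* at end */
        checked_memmem(buf + off, sizeof pattern - 1, "abcabcabd", 9); /* periodic */
        checked_memmem(buf + off, sizeof pattern - 1, "zzzz", 4);      /* absent */
        checked_memmem(buf + off, sizeof pattern - 1, "", 0);          /* empty */
    }
    return memmem_mismatches - before;
}

int main(void)
{
    unsigned long bad = run_self_check();
    printf("memmem self-check: %lu mismatching calls\n", bad);
    return bad ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Linking a program against an object file that defines memmem as this wrapper (renamed, with the libc symbol reached via dlsym or a second name) is the last step of the recipe; the dumped C arrays plus the recorded alignment are enough to rebuild a standalone reproducer at the same buffer offsets.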
Comment 5 Jan Kratochvil 2012-10-14 06:21:54 UTC
Created attachment 6685
.c crash reproducer.
Comment 6 Maxim Kuvyrkov 2012-10-16 00:25:00 UTC
Fixed in e9f372520618161d7d73e028ca23818e83b88bbc.