Crash in gconv_db.c

Abhidnya Joshi abhidnyachirmule@gmail.com
Fri Dec 20 15:05:00 GMT 2019


Hi Florian,

Good News! We are able to reproduce it using continuous readdirs.
(Where the reply involved encoding to UTF-16.)
The stack is exactly the same as shared earlier. It did overflow the counter.

Do you have any suggestion on the fix? We can test the fix using our test.

Thanks and Regards
Abhidnya Joshi

On Thu, Dec 12, 2019 at 9:28 PM Florian Weimer <fweimer@redhat.com> wrote:
>
> * Abhidnya Joshi:
>
> > In increment_counter function, do we have to handle integer overflow like this?
> >
> >
> > if (step->__counter == INT_MAX)
> > {
> > step->__counter = 1;
> > }
> > if (step->__counter++ == 0)
> > { ....
> > }
> >
> > I do not understand what will be impact of this on different "steps".
> > If step->__counter gets set to 0 and step->__modname is NULL
> > then we see the segfault as mentioned earlier.
>
> The steps array has reference counts in the array *elements*, which is
> wrong.  We ran into this a couple of months ago when we tried to fix a
> memory leak.  This is the reason why I have limited confidence in the
> correctness of the reference counting.
>
> I looked at what it would take to reproduce the overflow with repeated
> iconv_open calls, and I estimate that 1.2 TiB of RAM are required, so I
> have not reproduced that yet.
>
> But there could be more subtle ways to trigger counter overflow, like
> uselocale followed by pthread_exit.  Without a reproducer, we are in the
> dark here unfortunately.
>
> Thanks,
> Florian
>
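An added illustration of the overflow hazard discussed in this thread, written here for this archive page; it is not glibc's code and not code from either correspondent. It uses a hypothetical `struct toy_step` standing in for a gconv step (a reference count plus a module name that is only set while the count is non-zero), contrasts the unchecked `counter++` with a checked increment that refuses to take a reference at INT_MAX, and shows how a wrapped counter can pass back through 0 and make a still-referenced step look unreferenced.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for a gconv step (not glibc's struct __gconv_step):
   a reference count and a module name that is loaded on the 0 -> 1
   transition and dropped on the 1 -> 0 transition. */
struct toy_step {
    int counter;
    const char *modname;   /* NULL while the module is not loaded */
};

/* Unchecked increment: the pattern the thread is worried about. After
   INT_MAX references the count wraps to INT_MIN, and INT_MAX increments
   later it passes through 0 again while holders still exist. The add is
   done in unsigned arithmetic so the wrap is well-defined in this demo;
   the real signed ++ is undefined behaviour at INT_MAX and in practice
   wraps the same way on two's-complement targets. */
static void naive_increment(struct toy_step *step)
{
    int old = step->counter;
    step->counter = (int)((unsigned)old + 1u);
    if (old == 0)
        step->modname = "loaded";   /* "load" the module on first use */
}

/* Checked increment: refuse to hand out a reference once the count is
   saturated, so the caller can fail the open instead of corrupting the
   count. Returns false when the reference was not taken. */
static bool checked_increment(struct toy_step *step)
{
    if (step->counter == INT_MAX)
        return false;
    if (step->counter++ == 0)
        step->modname = "loaded";
    return true;
}

/* Drop a reference; the module is "unloaded" when the count hits 0. */
static void release(struct toy_step *step)
{
    if (--step->counter == 0)
        step->modname = NULL;
}

/* A step that already wrapped once and is about to cross 0 again: the
   next two unchecked increments make it look freshly unreferenced and
   then trigger a second "load" although the original holders never
   released. Returns true if that double load is observed. */
static bool wrapped_count_reloads(void)
{
    struct toy_step s = { -1, "loaded" };
    naive_increment(&s);                 /* -1 -> 0: looks unreferenced */
    if (s.counter != 0)
        return false;
    s.modname = NULL;                    /* what a release at "0" would leave */
    naive_increment(&s);                 /* 0 -> 1: loads again, stale holders */
    return s.counter == 1 && s.modname != NULL;
}
```

The checked variant is the shape of the guard proposed in the quoted message, but it fails the acquire instead of silently resetting the count: resetting to 1 would also leave the existing holders unaccounted for, which is the same class of problem as the wrap.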
