This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/15308] New: _dl_sort_fini reads memory already freed in dl-libc.c's libc_freeres


http://sourceware.org/bugzilla/show_bug.cgi?id=15308

             Bug #: 15308
           Summary: _dl_sort_fini reads memory already freed in
                    dl-libc.c's libc_freeres
           Product: glibc
           Version: 2.12
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
        AssignedTo: unassigned@sourceware.org
        ReportedBy: dhatch@ilm.com
    Classification: Unclassified


Using current master/head from git://sourceware.org/git/glibc.git
(or installed ld.so from glibc 2.12 on rhel6.3 linux),
I was getting some sanity failures and crashes in _dl_sort_fini
in the elf/noload confidence test program during "make check".

Copy-pasting the command line that runs this program during "make check"
into the command shell, and inserting "valgrind" just before
ld.so, reveals the following error:
        ==11270== Invalid read of size 8
        ==11270==    at 0x116C19: _dl_sort_fini (dl-fini.c:222)
        ==11270==    by 0x1175EA: _dl_fini (dl-fini.c:650)
        ==11270==    by 0x504ADB1: exit (exit.c:78)
        ==11270==    by 0x5033CE3: (below main) (libc-start.c:258)
        ==11270==  Address 0x53aa620 is 0 bytes inside a block of size 72 free'd
        ==11270==    at 0x4A072BA: free (vg_replace_malloc.c:446)
        ==11270==    by 0x51550DB: free_mem (dl-glibc.c)
        ==11270==    by 0x5154BD1: __libc_freeres (set-freeres.c)
        ==11270==    by 0x504ADB1: exit (exit.c:78)
        ==11270==    by 0x5033CE3: (below main) (libc-start.c:258)

This error isn't normally encountered
since __libc_freeres isn't normally called;
however, it is called when running any program under valgrind,
and it's also called when mtrace() is being used
and the MALLOC_TRACE env var is set,
as is the case when this test is being run
during "make check".

If I put a "l->l_initfini = NULL;" after the "free (l->l_initfini)"
in free_mem() in elf/dl-libc.c, the error goes away.
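An added example (not glibc's code) modelling the sequence the report describes: free_mem() releasing l_initfini during __libc_freeres, and _dl_fini walking it afterwards. Struct, field and function names mirror the report, but the bodies and the NULL check inside the walk are assumed stand-ins.

```c
/* Added example, not glibc code: simplified model of the dangling l_initfini pointer. */
#include <stdio.h>
#include <stdlib.h>

struct link_map {
    const char *l_name;
    struct link_map **l_initfini;   /* malloc'd, NULL-terminated dependency list */
};

/* Stand-in for free_mem() in dl-libc.c (reached via __libc_freeres). Clearing the
   pointer after free() is the report's proposed fix; without it, it stays dangling. */
static void free_mem(struct link_map *l)
{
    free(l->l_initfini);
    l->l_initfini = NULL;
}

/* Stand-in for the dependency walk in _dl_sort_fini: returns dependencies visited,
   or -1 when the list is absent (this NULL check is assumed; it makes the fix safe). */
static int sort_fini(const struct link_map *l)
{
    if (l->l_initfini == NULL)
        return -1;
    int n = 0;
    for (struct link_map **p = l->l_initfini; *p != NULL; ++p)
        ++n;
    return n;
}

/* Models the exit() ordering in the valgrind trace: __libc_freeres runs before
   _dl_fini, so the walk result after free_mem is what _dl_sort_fini would see. */
static void exit_sequence(int *before_freeres, int *after_freeres)
{
    struct link_map dep = { "libdep.so", NULL };                 /* constructed */
    struct link_map main_map = { "main", calloc(2, sizeof(struct link_map *)) };
    if (main_map.l_initfini == NULL)
        abort();
    main_map.l_initfini[0] = &dep;
    main_map.l_initfini[1] = NULL;
    *before_freeres = sort_fini(&main_map);   /* 1: one dependency visited */
    free_mem(&main_map);                      /* what __libc_freeres does */
    *after_freeres = sort_fini(&main_map);    /* -1: skipped, no dangling read */
}

int main(void)
{
    int before, after;
    exit_sequence(&before, &after);
    printf("before freeres: %d, after freeres: %d\n", before, after);
    return 0;
}
```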


