This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/18292] New: Invalid pointer dereference in nsswitch.c:nss_new_service()
- From: "jf at ownco dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 22 Apr 2015 06:05:01 +0000
- Subject: [Bug libc/18292] New: Invalid pointer dereference in nsswitch.c:nss_new_service()
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18292
Bug ID: 18292
Summary: Invalid pointer dereference in nsswitch.c:nss_new_service()
Product: glibc
Version: 2.21
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: jf at ownco dot net
CC: drepper.fsp at gmail dot com
While making local modifications to the allocator, specifically one that
modifies the prev_size member for fastbin chunks, and debugging the
modifications, I noted that nss_new_service() increments a pointer to a pointer
incorrectly, which ends up causing the pointer to utilize a member of the
malloc_chunk structure, specifically the prev_size member (why I am doing this
to the allocator will be the subject of another bug report later).
It appears that because this occurs in a loop that is bounded by NULL, this is
usually a non-issue; however, when it's a non-NULL value, it causes a
dereference of that value.
Specifically the loop in question is:
800 while (*currentp != NULL)
801 {
802 if (strcmp ((*currentp)->name, name) == 0)
803 return *currentp;
804 currentp = &(*currentp)->next;
805 }
With the errant line occurring on line 804.
804 currentp = &(*currentp)->next;
(gdb) x/i $rip
=> 0x45c160 <__nss_lookup_function+480>: mov rax,QWORD PTR [rbx+0x10]
(gdb) x/x $rbx
0x6f9ce0: 0x006f9c20
(gdb) x/x $rbx+0x10
0x6f9cf0: 0x00000001
(gdb) x/x *($rbx)+0x10
0x6f9c30: 0x00000000
(gdb) p *(mchunkptr)0x6f9cf0
$43 = {prev_size = 1, size = 49, fd = 0x6f9d70, bk = 0x0, fd_nextsize = 0x0, bk_nextsize = 0x322e6f732e75}
(gdb) n
800 while (*currentp != NULL)
(gdb)
802 if (strcmp ((*currentp)->name, name) == 0)
(gdb) x/i $rip
=> 0x45c170 <__nss_lookup_function+496>: mov rsi,QWORD PTR [rbp-0x40]
(gdb)
0x45c174 <__nss_lookup_function+500>: mov rdi,QWORD PTR [rbx]
(gdb) stepi
0x000000000045c174 802 if (strcmp ((*currentp)->name, name) == 0)
(gdb) x/i $rip
=> 0x45c174 <__nss_lookup_function+500>: mov rdi,QWORD PTR [rbx]
(gdb) x/x $rbx
0x1: Cannot access memory at address 0x1
(gdb) stepi
Program received signal SIGSEGV, Segmentation fault.
0x000000000045c174 in nss_new_service (name=0x6f9c60 "giles",
database=<optimized out>) at nsswitch.c:802
802 if (strcmp ((*currentp)->name, name) == 0)
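The lookup loop quoted above, rebuilt as a stand-alone program so the pointer-to-pointer traversal and the crash pattern in the gdb session can be stepped through outside glibc. This is an added example and not glibc's code: the struct is a two-field stand-in for glibc's service_library (assumed to carry only the fields the loop touches), the list contents ("files", "dns", "compat") are constructed, and find_service_checked() is an illustrative validating variant, not anything nsswitch.c contains. The corruption it simulates is the same shape as the session shows, a `next` slot holding the non-pointer value 0x1, which the plain loop dereferences and the checked variant refuses.

```c
/* Added example (not glibc code): model of the nss_new_service() lookup loop
   quoted in the report, over a constructed list, plus a checked variant that
   validates each node pointer before dereferencing it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Minimal stand-in for glibc's struct service_library (assumption: only the
   two fields the quoted loop uses). */
typedef struct service_library {
    const char *name;
    struct service_library *next;
} service_library;

/* Same traversal as nsswitch.c lines 800-805: currentp always points at a
   `struct service_library *` slot, first the caller's head variable, then
   each node's own `next` field. The walk ends only when a slot holds NULL. */
static service_library *find_service(service_library **currentp, const char *name)
{
    while (*currentp != NULL) {
        if (strcmp((*currentp)->name, name) == 0)
            return *currentp;
        currentp = &(*currentp)->next;
    }
    return NULL;
}

/* Illustrative defensive variant (not in glibc): before dereferencing
   *currentp, require it to be one of the nodes the caller knows it allocated.
   An unknown value in a `next` slot sets *corrupt and stops the walk instead
   of faulting on it. */
static service_library *find_service_checked(service_library **currentp, const char *name,
                                             service_library *const *known, size_t nknown,
                                             int *corrupt)
{
    *corrupt = 0;
    while (*currentp != NULL) {
        size_t i;
        int ok = 0;
        for (i = 0; i < nknown; i++)
            if (known[i] == *currentp) { ok = 1; break; }
        if (!ok) { *corrupt = 1; return NULL; }
        if (strcmp((*currentp)->name, name) == 0)
            return *currentp;
        currentp = &(*currentp)->next;
    }
    return NULL;
}

/* Build a constructed three-entry list and exercise both lookups.
   Returns 0 when every expectation holds, otherwise the number of the
   expectation that failed. */
static int run_demo(void)
{
    service_library files  = { "files", NULL };
    service_library dns    = { "dns", NULL };
    service_library compat = { "compat", NULL };
    service_library *head = &files;
    service_library *known[3];
    service_library **slot;
    int corrupt;

    files.next = &dns;
    dns.next = &compat;
    known[0] = &files; known[1] = &dns; known[2] = &compat;

    /* Normal traversal visits files, dns, compat in order. */
    if (find_service(&head, "dns") != &dns) return 1;
    /* "giles" is the name from the report; it is not in the constructed list. */
    if (find_service(&head, "giles") != NULL) return 2;

    /* The slot currentp advances to is the current node's own `next` field. */
    slot = &(*(&head))->next;
    if (slot != &files.next) return 3;

    /* Simulate the state in the gdb session: a `next` slot holding 0x1.
       find_service() would load (*currentp)->name from address 1 and fault;
       the checked variant reports corruption without touching it. */
    compat.next = (service_library *)(uintptr_t)1;
    if (find_service_checked(&head, "giles", known, 3, &corrupt) != NULL) return 4;
    if (!corrupt) return 5;

    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Running it under gdb and breaking in find_service() reproduces the addressing in the session: after the first iteration `currentp` equals `&files.next`, and `*currentp` is the node that the next `strcmp` will dereference, so whatever value sits in that slot, pointer or not, is what gets loaded.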