This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug stdio/22415] New: setvbuf can lead to invalid free/segfault
- From: "pekarekdaniel at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 09 Nov 2017 17:51:32 +0000
- Subject: [Bug stdio/22415] New: setvbuf can lead to invalid free/segfault
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22415
Bug ID: 22415
Summary: setvbuf can lead to invalid free/segfault
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: stdio
Assignee: unassigned at sourceware dot org
Reporter: pekarekdaniel at gmail dot com
Target Milestone: ---
In some cases IO functions incorrectly free the buffer passed to setvbuf.
Steps to reproduce:
#include <stdio.h>

char buf[BUFSIZ];

int main(void)
{
    FILE* f = tmpfile(); // alternatively: fopen("tmp", "w+b")
    setvbuf(f, buf, _IOFBF, BUFSIZ);
    ungetc('x', f);
    fseek(f, 0L, SEEK_SET);
    fputc('1', f); // this calls free(buf)  (setvbuf.c:11 in the valgrind traces below)
    fclose(f);
    return 0;
}
Result:
*** Error in `./setvbuf': free(): invalid pointer: 0x000055d102391080 ***
[1] 27592 abort (core dumped) ./setvbuf
valgrind output:
==22318== Invalid free() / delete / delete[] / realloc()
==22318==    at 0x4C2E14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22318==    by 0x4EB434B: _IO_free_backup_area (in /usr/lib/libc-2.26.so)
==22318==    by 0x4EB397E: _IO_file_overflow@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22318==    by 0x10881F: main (setvbuf.c:11)
==22318==  Address 0x309080 is 0 bytes inside data symbol "buf"
If the buffer is allocated with malloc, it also crashes:
==22713== Invalid write of size 1
==22713==    at 0x4EB3805: _IO_file_overflow@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x10886A: main (setvbuf.c:11)
==22713==  Address 0x51f0040 is 0 bytes inside a block of size 8,192 free'd
==22713==    at 0x4C2E14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22713==    by 0x4EB434B: _IO_free_backup_area (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB397E: _IO_file_overflow@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x10886A: main (setvbuf.c:11)
==22713==  Block was alloc'd at
==22713==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22713==    by 0x10880B: main (setvbuf.c:6)
==22713==
==22713== Syscall param write(buf) points to unaddressable byte(s)
==22713==    at 0x4F208D4: write (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB22CC: _IO_file_write@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB15AE: new_do_write (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB34C8: _IO_do_write@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB2CDF: _IO_file_close_it@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EA5E7E: fclose@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x108876: main (setvbuf.c:12)
==22713==  Address 0x51f0040 is 0 bytes inside a block of size 8,192 free'd
==22713==    at 0x4C2E14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22713==    by 0x4EB434B: _IO_free_backup_area (in /usr/lib/libc-2.26.so)
==22713==    by 0x4EB397E: _IO_file_overflow@@GLIBC_2.2.5 (in /usr/lib/libc-2.26.so)
==22713==    by 0x10886A: main (setvbuf.c:11)
==22713==  Block was alloc'd at
==22713==    at 0x4C2CE5F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22713==    by 0x10880B: main (setvbuf.c:6)
If the buf argument of setvbuf is NULL, the result is the same as if malloc was used.
It looks like this problem only occurs if the file was opened in "w+b" mode.
--
You are receiving this mail because:
You are on the CC list for the bug.
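The reproducer in the report aborts the whole process on an affected glibc, which makes it awkward to use as a check inside a larger test suite. The following is an added example, not part of the bug report or of glibc: it runs the same ungetc/fseek/fputc sequence against a static setvbuf buffer in a forked child, silences the child's stderr, and classifies the wait status. A child that dies by signal (glibc's "free(): invalid pointer" abort, or a segfault) means the libc frees the user buffer; a clean exit means the sequence completed. The function names and the scratch-file fallback are this example's own assumptions.

```c
/* Added example (not glibc code): probe whether the running libc frees a
   user-supplied setvbuf() buffer after ungetc() + fseek() + fputc().
   Function and file names below are this example's own choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

/* Static buffer: on an affected libc, free(probe_buf) is an invalid free,
   which glibc's allocator detects and turns into abort() (SIGABRT). */
static char probe_buf[BUFSIZ];

/* The report's sequence, executed in the child.  Exits 0 when the sequence
   completes, 2 when no scratch file could be opened.  Uses _exit so the
   child never flushes or closes streams inherited from the parent. */
static void run_reproducer(void)
{
    FILE *f = tmpfile();
    if (f == NULL) {
        /* Fallback (assumed acceptable): scratch file in cwd, unlinked at once. */
        f = fopen("setvbuf_probe.tmp", "w+b");
        unlink("setvbuf_probe.tmp");
    }
    if (f == NULL || setvbuf(f, probe_buf, _IOFBF, BUFSIZ) != 0)
        _exit(2);
    ungetc('x', f);           /* read-side pushback on a user-buffered stream */
    fseek(f, 0L, SEEK_SET);
    fputc('1', f);            /* affected glibc: the overflow path free()s probe_buf */
    fclose(f);
    _exit(0);
}

/* Returns 1 if the child died by signal (buffer was freed), 0 if the
   sequence completed normally, -1 if the probe itself could not run. */
int setvbuf_ungetc_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Hide the "*** Error in ...: free(): invalid pointer ***" message. */
        int nul = open("/dev/null", O_WRONLY);
        if (nul >= 0) {
            dup2(nul, STDERR_FILENO);
            close(nul);
        }
        run_reproducer();
        _exit(3); /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

/* Human-readable verdict for the probe result. */
const char *setvbuf_probe_verdict(int r)
{
    if (r == 1)
        return "affected";
    if (r == 0)
        return "not affected";
    return "probe failed";
}

int main(void)
{
    int r = setvbuf_ungetc_probe();
    printf("setvbuf/ungetc probe: %s\n", setvbuf_probe_verdict(r));
    return r == 1 ? 1 : 0;
}
```

The probe only covers the static-buffer variant from the report, because that is the one glibc reliably turns into an abort; the malloc'd-buffer variant is a use-after-free that may run to completion without a visible failure, so it needs valgrind or a sanitizer rather than a wait-status check.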