Use-after-free in test-perror2, test-strerror_r
From: Florian Weimer
Subject: Use-after-free in test-perror2, test-strerror_r
Date: Thu, 27 Aug 2020 09:41:34 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

The problem is visible with glibc 2.32 under valgrind:
==20== Invalid read of size 1
==20== at 0x483DAB4: strcmp (vg_replace_strmem.c:847)
==20== by 0x109414: main (test-perror2.c:84)
==20== Address 0x4a1a3d0 is 0 bytes inside a block of size 17 free'd
==20== at 0x483A9F5: free (vg_replace_malloc.c:538)
==20== by 0x48E2134: strerror_l (in /usr/lib64/libc-2.32.so)
==20== by 0x109328: main (test-perror2.c:72)
==20== Block was alloc'd at
==20== at 0x4839809: malloc (vg_replace_malloc.c:307)
==20== by 0x48CA03F: __vasprintf_internal (in /usr/lib64/libc-2.32.so)
==20== by 0x48A46F9: asprintf (in /usr/lib64/libc-2.32.so)
==20== by 0x48E2184: strerror_l (in /usr/lib64/libc-2.32.so)
==20== by 0x1092E2: main (test-perror2.c:67)
==20==
==20== Invalid read of size 1
==20== at 0x483DAC8: strcmp (vg_replace_strmem.c:847)
==20== by 0x109414: main (test-perror2.c:84)
==20== Address 0x4a1a3d1 is 1 bytes inside a block of size 17 free'd
==20== at 0x483A9F5: free (vg_replace_malloc.c:538)
==20== by 0x48E2134: strerror_l (in /usr/lib64/libc-2.32.so)
==20== by 0x109328: main (test-perror2.c:72)
==20== Block was alloc'd at
==20== at 0x4839809: malloc (vg_replace_malloc.c:307)
==20== by 0x48CA03F: __vasprintf_internal (in /usr/lib64/libc-2.32.so)
==20== by 0x48A46F9: asprintf (in /usr/lib64/libc-2.32.so)
==20== by 0x48E2184: strerror_l (in /usr/lib64/libc-2.32.so)
==20== by 0x1092E2: main (test-perror2.c:67)

I think it's the test that's invalid.

This was reported as an actual grep test failure (without valgrind) on
32-bit Arm, where glibc malloc happens to return a different buffer
address for the internal allocation (so that msg3 != msg4).

test-strerror_r has the same issue.

Thanks,
Florian
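
Added example, not part of the original message or of the tests it discusses: the valgrind trace shows strerror_l freeing the buffer an earlier call had allocated with asprintf, so a test that wants to compare messages across calls has to copy each result before calling strerror again. The helper names and the sample error numbers below are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a heap copy of strerror(errnum); the caller owns and frees it.
   The pointer strerror() itself returns may be overwritten or freed by
   the next strerror()/strerror_l() call, so it must not be kept. */
char *strerror_copy(int errnum)
{
    const char *msg = strerror(errnum);
    if (msg == NULL)
        msg = "";
    size_t n = strlen(msg) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, msg, n);
    return copy;
}

/* Check that the message for errnum reads the same before and after
   strerror() has been called for other error numbers. Only owned copies
   are compared; no pointer from an earlier call is dereferenced.
   Returns 1 if stable, 0 if not, -1 on allocation failure. */
int message_is_stable(int errnum, const int *others, size_t n_others)
{
    char *before = strerror_copy(errnum);
    if (before == NULL)
        return -1;
    for (size_t i = 0; i < n_others; i++)
        (void) strerror(others[i]);   /* may invalidate earlier results */
    char *after = strerror_copy(errnum);
    int result = (after == NULL) ? -1 : (strcmp(before, after) == 0);
    free(before);
    free(after);
    return result;
}

/* Constructed sample: -3, -5 and 1729 are assumed to be error numbers the
   C library does not know, which is the case that allocates a message. */
int check_samples(void)
{
    const int others[] = { EACCES, -5, 1729 };
    return message_is_stable(-3, others, sizeof others / sizeof others[0]);
}

int main(void)
{
    printf("message for -3 stable: %d\n", check_samples());
    return check_samples() == 1 ? 0 : 1;
}
```

Run under valgrind, this reports no invalid reads, because every comparison uses memory the caller owns.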