grub-devel

Re: double free() with grub-probe


From: Jeroen Dekkers
Subject: Re: double free() with grub-probe
Date: Wed, 16 May 2007 22:29:17 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (Shijō) APEL/10.7 Emacs/22.0.95 (x86_64-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Wed, 16 May 2007 22:01:01 +0200,
Robert Millan wrote:
> 
> We got this bug report from Debian BTS.  It seems to be related to LVM.
> 
> The argc address in last line looks very suspicious; stack corruption?

It's possible, but it can also be a compiler optimisation that
confuses gdb.
 
> > Program received signal SIGABRT, Aborted.
> > 0xffffe410 in __kernel_vsyscall ()
> > (gdb) bt
> > #0  0xffffe410 in __kernel_vsyscall ()
> > #1  0xb7dfcd60 in raise () from /lib/i686/cmov/libc.so.6
> > #2  0xb7dfe5b1 in abort () from /lib/i686/cmov/libc.so.6
> > #3  0xb7e3308b in __libc_message () from /lib/i686/cmov/libc.so.6
> > #4  0xb7e3aeed in _int_free () from /lib/i686/cmov/libc.so.6
> > #5  0xb7e3e530 in free () from /lib/i686/cmov/libc.so.6
> > #6  0x0804bc8f in grub_disk_read (disk=0x8064078, sector=4000189, offset=0, 
> > size=194560, buf=0xb7da2008 "")
> >     at kern/disk.c:480

That's the free of tmp_buf, but I just looked at the code and as far
as I can see the only place where tmp_buf can get freed is at that
place. So I'm a bit puzzled how a double free() can happen there.

Jeroen Dekkers
