
Opened 6 years ago

Closed 6 months ago

#6886 closed defect (invalid)

uClibc segfault in getaddrinfo() when receiving long IPv6 DNS responses (probably stack corruption)

Reported by: jow Owned by: developers
Priority: highest Milestone: Backfire 10.03
Component: base system Version: Backfire 10.03 Beta
Keywords: uclibc getaddrinfo segfault Cc:

Description

Commands such as "nslookup ipv6.google.com", "ping ipv6.google.com" or "wget http://ipv6.google.com/" trigger a segmentation fault with uClibc 0.9.30.

Testcase:

#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
 
#ifndef   NI_MAXHOST
#define   NI_MAXHOST 1025
#endif
 
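/*
 * Minimal reproducer for the resolver crash described in this ticket.
 *
 * Usage: ./test <hostname>
 *
 * Resolves the name given on the command line with getaddrinfo(), then
 * performs an unrelated heap allocation.  In the reported failure the
 * process survives the lookup but dies inside the allocator during the
 * malloc() call (see the backtrace and valgrind log below), which is
 * what points at memory corruption happening inside the resolver rather
 * than in this program.
 *
 * Returns 0 on success, 1 on a usage or lookup error.
 */
int main(int argc, char *argv[])
{
    struct addrinfo *result;
    void *probe;
    int error;

    /* argv[1] must exist before it is handed to the resolver. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hostname>\n", argv[0]);
        return 1;
    }

    /* resolve the domain name into a list of addresses */
    error = getaddrinfo(argv[1], NULL, NULL, &result);
    if (error != 0) {
        fprintf(stderr, "error in getaddrinfo: %s\n", gai_strerror(error));
        return 1;
    }

    /*
     * Heap probe: the allocated memory is never used, only the allocator
     * activity the call causes matters.  The pointer is kept so the block
     * can be released instead of leaked.
     */
    printf("Malloc...\n");
    probe = malloc(1024 * 1024);
    printf("... there\n");

    freeaddrinfo(result);
    free(probe); /* free(NULL) is a no-op, so a failed malloc is harmless here */

    return 0;
}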

/*
root@OpenWrt:/# ./test ipv6.google.com
Malloc...
Aborted (core dumped)
*/

gdb backtrace:

Program received signal SIGSEGV, Segmentation fault.
0xb76d00b3 in __malloc_trim (pad=<value optimized out>, av=0xb76dfd20) at libc/stdlib/malloc-standard/free.c:69
69			if (released != 0) {
(gdb) bt
#0  0xb76d00b3 in __malloc_trim (pad=<value optimized out>, av=0xb76dfd20) at libc/stdlib/malloc-standard/free.c:69
#1  0x00000160 in ?? ()
#2  0x0000000b in ?? ()
#3  0x09f97060 in ?? ()
#4  0x00000030 in ?? ()
#5  0xb76b6c9a in _stdio_fopen (fname_or_mode=-1217758623, mode=<value optimized out>, stream=0x280, filedes=-1) at libc/stdio/_fopen.c:124
#6  0xb76b5568 in fgetpos (stream=0x0, pos=0xb76daff4) at libc/stdio/fgetpos.c:23
#7  0x00000003 in ?? ()
#8  0xb76dea80 in h.5065 () from /home/jow/devel/openwrt/trunk/scripts/../staging_dir/target-i386_uClibc-0.9.30.1/root-x86/lib/libc.so.0
#9  0xb76ccfcd in __read_etc_hosts_r (fp=0x0, name=0xbf8ea822 "2a00:1450:8006::69", type=10, action=GET_HOSTS_BYADDR, result_buf=0xb76dec58, 
    buf=0xb76d9640 "/etc/hosts", buflen=3077438772, result=0xbf8ea920, h_errnop=0xb76df170) at libc/inet/resolv.c:1625
#10 0xb76cd28c in __read_etc_hosts_r (fp=0x36303038, name=0x39363a3a <Address 0x39363a3a out of bounds>, type=-1081168896, action=3077271425, 
    result_buf=0xbf8ea8d4, buf=0xbf8ea822 "2a00:1450:8006::69", buflen=<value optimized out>, result=0xb76daff4, h_errnop=0x10) at libc/inet/resolv.c:1760
#11 0x3a303534 in ?? ()
#12 0x36303038 in ?? ()
#13 0x39363a3a in ?? ()
#14 0xbf8eac00 in ?? ()
#15 0xb76b6f81 in _stdio_init () at libc/stdio/_stdio.c:254
#16 0xb76cdfe4 in *__GI_gethostbyaddr_r (addr=0x313a3030, len=1, type=0, result_buf=0xb76daff4, buf=0x1c <Address 0x1c out of bounds>, buflen=3213798628, 
    result=0x804b488, h_errnop=0xb76ccec3) at libc/inet/resolv.c:2415
#17 0x00000000 in ?? ()
(gdb) bt full
#0  0xb76d00b3 in __malloc_trim (pad=<value optimized out>, av=0xb76dfd20) at libc/stdlib/malloc-standard/free.c:69
	top_size = 167342656
	extra = 167342656
	released = 808476978
	pagesz = <value optimized out>
#1  0x00000160 in ?? ()
No symbol table info available.
#2  0x0000000b in ?? ()
No symbol table info available.
#3  0x09f97060 in ?? ()
No symbol table info available.
#4  0x00000030 in ?? ()
No symbol table info available.
#5  0xb76b6c9a in _stdio_fopen (fname_or_mode=-1217758623, mode=<value optimized out>, stream=0x280, filedes=-1) at libc/stdio/_fopen.c:124
	open_mode = <value optimized out>
	i = -1217528524
#6  0xb76b5568 in fgetpos (stream=0x0, pos=0xb76daff4) at libc/stdio/fgetpos.c:23
	__infunc_pthread_cleanup_buffer = {__routine = 0xffffffff, __arg = 0x0, __canceltype = -1081169988, __prev = 0x8}
	retval = <value optimized out>
	__infunc_user_locking = 0
#7  0x00000003 in ?? ()
No symbol table info available.
#8  0xb76dea80 in h.5065 () from /home/jow/devel/openwrt/trunk/scripts/../staging_dir/target-i386_uClibc-0.9.30.1/root-x86/lib/libc.so.0
No symbol table info available.
#9  0xb76ccfcd in __read_etc_hosts_r (fp=0x0, name=0xbf8ea822 "2a00:1450:8006::69", type=10, action=GET_HOSTS_BYADDR, result_buf=0xb76dec58, 
    buf=0xb76d9640 "/etc/hosts", buflen=3077438772, result=0xbf8ea920, h_errnop=0xb76df170) at libc/inet/resolv.c:1625
	in = <value optimized out>
	addr_list = <value optimized out>
	in6 = <value optimized out>
	addr_list6 = <value optimized out>
	cp = <value optimized out>
	aliases = <value optimized out>
	i = -1217528524
	ret = <value optimized out>
#10 0xb76cd28c in __read_etc_hosts_r (fp=0x36303038, name=0x39363a3a <Address 0x39363a3a out of bounds>, type=-1081168896, action=3077271425, 
    result_buf=0xbf8ea8d4, buf=0xbf8ea822 "2a00:1450:8006::69", buflen=<value optimized out>, result=0xb76daff4, h_errnop=0x10) at libc/inet/resolv.c:1760
	in = (struct in_addr *) 0x2
	addr_list = (struct in_addr **) 0xb76dec58
	in6 = (struct in6_addr *) 0xb76dea80
	addr_list6 = (struct in6_addr **) 0x1d8
	cp = <value optimized out>
	aliases = 134526088
	i = <value optimized out>
	ret = -1081169632
#11 0x3a303534 in ?? ()
No symbol table info available.
#12 0x36303038 in ?? ()
No symbol table info available.
#13 0x39363a3a in ?? ()
No symbol table info available.
#14 0xbf8eac00 in ?? ()

valgrind log:

root@OpenWrt:/tmp/etc# valgrind ping ipv6.google.com
==1402== Memcheck, a memory error detector.
==1402== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==1402== Using LibVEX rev 1854, a library for dynamic binary translation.
==1402== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==1402== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==1402== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==1402== For more details, rerun with: -v
==1402== 
==1402== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==1402==    at 0x4040352: __socketcall (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406B70E: getifaddrs (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406A1B2: __check_pf (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406AF91: getaddrinfo (in /lib/libuClibc-0.9.30.1.so)
==1402==  Address 0xbebe2a11 is on thread 1's stack
==1402== 
==1402== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==1402==    at 0x4040352: __socketcall (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406B726: getifaddrs (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406A1B2: __check_pf (in /lib/libuClibc-0.9.30.1.so)
==1402==    by 0x406AF91: getaddrinfo (in /lib/libuClibc-0.9.30.1.so)
==1402==  Address 0xbebe2a11 is on thread 1's stack
PING ipv6.google.com (2a00:1450:8001::67): 56 data bytes
==1402== 
==1402== Invalid read of size 4
==1402==    at 0x40710B3: __malloc_consolidate (in /lib/libuClibc-0.9.30.1.so)
==1402==  Address 0x3030613a is not stack'd, malloc'd or (recently) free'd
==1402== 
==1402== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==1402==  Access not within mapped region at address 0x3030613A
==1402==    at 0x40710B3: __malloc_consolidate (in /lib/libuClibc-0.9.30.1.so)
==1402== 
==1402== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
==1402== malloc/free: in use at exit: 0 bytes in 0 blocks.
==1402== malloc/free: 0 allocs, 0 frees, 0 bytes allocated.
==1402== For counts of detected errors, rerun with: -v
==1402== All heap blocks were freed -- no leaks are possible.
Segmentation fault

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by thepeople

  • Milestone changed from Kamikaze to Backfire 10.03

comment:2 Changed 6 years ago by juhosg

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r20384.

comment:3 Changed 6 months ago by anonymous

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed 6 months ago by anonymous

Why reopen? Please provide logs, or at least some information on why this bug has been reopened.

comment:5 Changed 6 months ago by jow

  • Resolution set to invalid
  • Status changed from reopened to closed
