[Bug 901252] [NEW] atoi segfaults if the auxiliary vector was empty
Edmund Grimley Evans
901252 at bugs.launchpad.net
Wed Dec 7 14:36:29 UTC 2011
Public bug reported:
The auxiliary vector is put onto a process's stack by the kernel and it
normally isn't empty. However, the C library is probably supposed to
cope with the auxiliary vector being empty (you might be running the
program under a different or a modified operating system). Therefore, it
is probably a bug that atoi segfaults when the auxiliary vector was
empty.
I tested this with libc6-dev_2.13-0ubuntu13_armel.deb on a Panda Board.
I haven't seen this bug on x86.
To demonstrate the bug you have to use the debugger to hide the
auxiliary vector. See the transcript below in which I:
- Build a simple statically linked binary that calls atoi().
- Find the entry point.
- Run the program under GDB and stop it at the entry point.
- Find the auxiliary vector on the stack and hide it by overwriting the first tag with 0.
- Let the program continue to run: it segfaults in strtol.
$ cat <<END > t.c
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("%d\n", atoi("123"));
return 0;
}
END
$ gcc -Wall -O2 t.c -static
$ readelf -l a.out | grep Entry
Entry point 0x8171
$ gdb a.out
...
(gdb) b *0x8170
Breakpoint 1 at 0x8170
(gdb) r
Starting program: /export/egrimley/a.out
Breakpoint 1, 0x00008170 in _start ()
(gdb) info reg
...
sp 0xbefff7d0...
...
(gdb) x/64x 0xbefff7d0
0xbefff7d0: 0x00000001 0xbefff8dc 0x00000000 0xbefff8f3
0xbefff7e0: 0xbefff903 0xbefff90e 0xbefff95e 0xbefff97e
0xbefff7f0: 0xbefff991 0xbefff99f 0xbefffe8f 0xbefffe9a
0xbefff800: 0xbefffee7 0xbefffeff 0xbeffff0e 0xbeffff1b
0xbefff810: 0xbeffff30 0xbeffff3d 0xbeffff46 0xbeffff5a
0xbefff820: 0xbeffff62 0xbeffff73 0xbeffffa3 0xbeffffc3
0xbefff830: 0x00000000 0x00000010 0x0000b8d7 0x00000006
0xbefff840: 0x00001000 0x00000011 0x00000064 0x00000003
...
(gdb) p *(int *)0xbefff834 = 0
$1 = 0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00008c1c in ____strtol_l_internal ()
** Affects: eglibc (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/901252
Title:
atoi segfaults if the auxiliary vector was empty
Status in “eglibc” package in Ubuntu:
New
Bug description:
The auxiliary vector is put onto a process's stack by the kernel and
it normally isn't empty. However, the C library is probably supposed
to cope with the auxiliary vector being empty (you might be running
the program under a different or a modified operating system).
Therefore, it is probably a bug that atoi segfaults when the auxiliary
vector was empty.
I tested this with libc6-dev_2.13-0ubuntu13_armel.deb on a Panda
Board. I haven't seen this bug on x86.
To demonstrate the bug you have to use the debugger to hide the
auxiliary vector. See the transcript below in which I:
- Build a simple statically linked binary that calls atoi().
- Find the entry point.
- Run the program under GDB and stop it at the entry point.
- Find the auxiliary vector on the stack and hide it by overwriting the first tag with 0.
- Let the program continue to run: it segfaults in strtol.
$ cat <<END > t.c
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("%d\n", atoi("123"));
return 0;
}
END
$ gcc -Wall -O2 t.c -static
$ readelf -l a.out | grep Entry
Entry point 0x8171
$ gdb a.out
...
(gdb) b *0x8170
Breakpoint 1 at 0x8170
(gdb) r
Starting program: /export/egrimley/a.out
Breakpoint 1, 0x00008170 in _start ()
(gdb) info reg
...
sp 0xbefff7d0...
...
(gdb) x/64x 0xbefff7d0
0xbefff7d0: 0x00000001 0xbefff8dc 0x00000000 0xbefff8f3
0xbefff7e0: 0xbefff903 0xbefff90e 0xbefff95e 0xbefff97e
0xbefff7f0: 0xbefff991 0xbefff99f 0xbefffe8f 0xbefffe9a
0xbefff800: 0xbefffee7 0xbefffeff 0xbeffff0e 0xbeffff1b
0xbefff810: 0xbeffff30 0xbeffff3d 0xbeffff46 0xbeffff5a
0xbefff820: 0xbeffff62 0xbeffff73 0xbeffffa3 0xbeffffc3
0xbefff830: 0x00000000 0x00000010 0x0000b8d7 0x00000006
0xbefff840: 0x00001000 0x00000011 0x00000064 0x00000003
...
(gdb) p *(int *)0xbefff834 = 0
$1 = 0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00008c1c in ____strtol_l_internal ()
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901252/+subscriptions
More information about the foundations-bugs
mailing list