[Bug 901252] Re: atoi segfaults if the auxiliary vector was empty
Edmund Grimley Evans
901252 at bugs.launchpad.net
Sun Feb 10 11:07:17 UTC 2013
Perhaps I should mention the keyword "locale" here. It seems pretty
clear that the segfault is caused by ____strtol_l_internal receiving a
null pointer as its locale argument. So the C library start-up code,
when presented with an empty auxiliary vector, is silently failing to
initialise the locale. Perhaps this is a simple oversight, or perhaps
there's a good reason why it's hard to set up a locale without certain
information from the auxiliary vector. (AT_PHDR, perhaps?)
https://bugs.launchpad.net/bugs/901252
Title:
atoi segfaults if the auxiliary vector was empty
Status in “eglibc” package in Ubuntu:
Invalid
Bug description:
The auxiliary vector is put onto a process's stack by the kernel and
it normally isn't empty. However, the C library is probably supposed
to cope with the auxiliary vector being empty (you might be running
the program under a different or a modified operating system).
Therefore, it is probably a bug that atoi segfaults when the auxiliary
vector was empty.
I tested this with libc6-dev_2.13-0ubuntu13_armel.deb on a Panda
Board. I haven't seen this bug on x86.
To demonstrate the bug you have to use the debugger to hide the
auxiliary vector. See the transcript below in which I:
- Build a simple statically linked binary that calls atoi().
- Find the entry point.
- Run the program under GDB and stop it at the entry point.
- Find the auxiliary vector on the stack and hide it by overwriting the first tag with 0.
- Let the program continue to run: it segfaults in strtol.
$ cat <<END > t.c
#include <stdio.h>
#include <stdlib.h>
int main()
{
printf("%d\n", atoi("123"));
return 0;
}
END
$ gcc -Wall -O2 t.c -static
$ readelf -l a.out | grep Entry
Entry point 0x8171
$ gdb a.out
...
(gdb) b *0x8170
Breakpoint 1 at 0x8170
(gdb) r
Starting program: /export/egrimley/a.out
Breakpoint 1, 0x00008170 in _start ()
(gdb) info reg
...
sp 0xbefff7d0...
...
(gdb) x/64x 0xbefff7d0
0xbefff7d0: 0x00000001 0xbefff8dc 0x00000000 0xbefff8f3
0xbefff7e0: 0xbefff903 0xbefff90e 0xbefff95e 0xbefff97e
0xbefff7f0: 0xbefff991 0xbefff99f 0xbefffe8f 0xbefffe9a
0xbefff800: 0xbefffee7 0xbefffeff 0xbeffff0e 0xbeffff1b
0xbefff810: 0xbeffff30 0xbeffff3d 0xbeffff46 0xbeffff5a
0xbefff820: 0xbeffff62 0xbeffff73 0xbeffffa3 0xbeffffc3
0xbefff830: 0x00000000 0x00000010 0x0000b8d7 0x00000006
0xbefff840: 0x00001000 0x00000011 0x00000064 0x00000003
...
(gdb) p *(int *)0xbefff834 = 0
$1 = 0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00008c1c in ____strtol_l_internal ()
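An added example (not part of the bug report or of eglibc) that decodes a 32-bit auxiliary vector laid out the way the GDB dump above shows it and repeats the tag-zeroing step on a copy; it illustrates why start-up code needs a default for every tag it reads. The AT_PHDR value and the AT_NULL terminator in the sample are constructed, the other words come from the dump.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag numbers from the ELF auxv ABI (the same values <elf.h> defines). */
enum { AT_NULL_TAG = 0, AT_PHDR_TAG = 3, AT_PAGESZ_TAG = 6,
       AT_HWCAP_TAG = 16, AT_CLKTCK_TAG = 17 };

/* Number of (tag, value) pairs before the AT_NULL terminator. */
static size_t auxv_count(const uint32_t *aux, size_t nwords)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < nwords && aux[i] != AT_NULL_TAG; i += 2)
        n++;
    return n;
}

/* Value for `tag`, or `dflt` when the vector does not carry it. A start-up
 * routine that reads auxv needs this fallback, otherwise an empty vector
 * leaves whatever depends on the tag (page size, locale setup, ...) unset. */
static uint32_t auxv_get(const uint32_t *aux, size_t nwords,
                         uint32_t tag, uint32_t dflt)
{
    for (size_t i = 0; i + 1 < nwords && aux[i] != AT_NULL_TAG; i += 2)
        if (aux[i] == tag)
            return aux[i + 1];
    return dflt;
}

/* Constructed sample: the 32-bit words from 0xbefff834 in the report's dump,
 * followed by a placeholder AT_PHDR entry and the AT_NULL terminator. */
static uint32_t sample_auxv[] = {
    AT_HWCAP_TAG,  0x0000b8d7,
    AT_PAGESZ_TAG, 0x00001000,
    AT_CLKTCK_TAG, 0x00000064,
    AT_PHDR_TAG,   0x00008034,   /* placeholder, not from the dump */
    AT_NULL_TAG,   0,
};
#define SAMPLE_WORDS (sizeof sample_auxv / sizeof sample_auxv[0])

/* Repeat the GDB step "p *(int *)0xbefff834 = 0" on a copy of the sample:
 * overwriting the first tag with AT_NULL makes the whole vector look empty. */
static size_t count_after_hiding(void)
{
    uint32_t copy[SAMPLE_WORDS];
    for (size_t i = 0; i < SAMPLE_WORDS; i++)
        copy[i] = sample_auxv[i];
    copy[0] = AT_NULL_TAG;          /* first tag overwritten with 0 */
    return auxv_count(copy, SAMPLE_WORDS);
}
```

With the first tag zeroed, `auxv_count` reports no entries and `auxv_get` returns its default for every tag, which is the situation the C library start-up code has to survive.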