dmalloc stack overflow #7

Open
drok opened this issue Mar 27, 2020 · 2 comments

drok commented Mar 27, 2020

When running the unit test base.buffer.kitchen-sink.test with dmalloc 5.5.2 and cmocka 1.0.1, the following stack overflow happens when the test ends:

__kernel_vsyscall () at null:
raise () at null:
abort () at null:
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:657
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffcbb8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffd3c8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffdbd8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffe3e8 \"\\304\\263\\362\\267mx\\376\\267\\304\\357\\377\\267D\\351\\377\\277\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, format=0xb7f2ac28 \"ra=%#lx\", args=0xbfffebf8 \"\\016\\210\\334\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, format=0xb7f2ac28 \"ra=%#lx\") at /tmp/dmalloc/compat.c:171
_dmalloc_chunk_desc_pnt (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0) at /tmp/dmalloc/chunk.c:1935
_dmalloc_chunk_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, user_pnt=0x0, func_id=17) at /tmp/dmalloc/chunk.c:2550
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:974
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
__vsnprintf_chk () at null:
vprint_message () at null:
print_message () at null:
_cmocka_run_group_tests () at null:
main (argc=2, argv=0xbffffb54) at u:\proj/openvpn/tests/unit/buffer/test.c:421

In order to get _dmalloc_die to stop looping, I instrumented it to detect loops and abort after the 4th loop:

diff --git a/error.c b/error.c
index 86a3fbe..c87e5b6 100644
--- a/error.c
+++ b/error.c
@@ -619,7 +619,10 @@ void       _dmalloc_die(const int silent_b)
 {
   char *stop_str;
   int  len;
-
+       static loop_detect = 0;
+       if (++loop_detect > 4)
+                abort();
+
   if (! silent_b) {
     if (BIT_IS_SET(_dmalloc_flags, DEBUG_ERROR_ABORT)) {
       stop_str = "dumping";
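
Review bot: `static loop_detect = 0;` in the added lines declares the counter without a type, which relies on implicit int and is rejected or warned about by C99 and later compilers; write `static int loop_detect = 0;`. The three added lines are also indented differently from the two-space style of the surrounding function. The counter is never reset and lets the formatting code run four more times before `abort()`, so an in-progress flag tested on entry would stop the recursion at the first nested call instead.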

The host OS is CentOS6 32 bit with the following libc* :

vzdummy-glibc-2.12-1.7.el6.noarch
libcmocka-devel-1.0.1-1.el6.i686
glibc-2.12-1.209.el6_9.2.i686
glibc-common-2.12-1.209.el6_9.2.i686
libcmocka-1.0.1-1.el6.i686
libcgroup-0.40.rc1-24.el6_9.i686
glibc-devel-2.12-1.209.el6_9.2.i686

drok commented Mar 27, 2020

Reported to upstream dmalloc project as j256/dmalloc#4

drok pushed a commit that referenced this issue Apr 1, 2020
This test fails for me due to an apparent bug in dmalloc triggered by
cmocka (#7) so it is marked as XFAIL

This will allow the test suite (make check) to continue past the failing
test.

At some point in the future, dmalloc will be fixed, and someone may run
into an unexpected pass. When this happens, please revert this commit,
add to the commit message the version of dmalloc that is fixed, and
cherry-pick it into the tests repo.

It is possible that even after dmalloc is fixed, the test will still fail,
but due to an actual bug in the buffer implementation. To prepare for
this eventuality, a genuine implementation bug will be reported as
a HARD_ERROR, so the XFAIL mark will be ignored, and the test suite will
report the bug. When dmalloc is fixed, and this commit is reverted,
the test will no longer be XFAIL (expected to fail), and any bugs will
be reported as normal errors, not HARD_ERRORs.
drok pushed a commit that referenced this issue Apr 4, 2020
drok pushed a commit that referenced this issue Apr 5, 2020
drok pushed a commit that referenced this issue Apr 8, 2020
drok pushed a commit that referenced this issue Apr 9, 2020
drok pushed a commit that referenced this issue Apr 11, 2020

j256 commented Nov 21, 2020

This has been hopefully fixed with an impl of snprintf: j256/dmalloc@313cd95
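
The loop in the backtrace (fatal handler, formatter, `free(NULL)`, heap check, fatal handler again) can be modelled in a few lines. The block below is an added example, not code from dmalloc or from either poster: it combines a re-entrancy flag on the fatal path with a hex formatter that calls no printf-family function. All names (`model_free`, `model_die`, `put_hex`, `run_case`) are hypothetical, and the `formatter_frees` switch stands in for a libc formatter that calls `free()`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not dmalloc source; every name here is hypothetical. */
static int heap_ok = 1;    /* cleared to simulate a failed heap check    */
static int in_die = 0;     /* re-entrancy guard for the fatal path       */
static int die_calls = 0;  /* times the fatal path was entered           */
static char last_msg[64];  /* stands in for the write(2) to stderr       */

static void model_die(unsigned long ra, int formatter_frees);

/* Allocator entry: heap check on every call, even free(NULL). */
static void model_free(void *p, unsigned long ra, int formatter_frees)
{
    (void)p;
    if (!heap_ok)
        model_die(ra, formatter_frees);
}

/* Append "0x<hex>" at buf[pos] using no printf-family call; pos < size. */
static size_t put_hex(char *buf, size_t size, size_t pos, unsigned long v)
{
    char tmp[2 * sizeof v];
    size_t n = 0;
    do { tmp[n++] = "0123456789abcdef"[v & 0xf]; v >>= 4; } while (v != 0);
    if (pos + 2 < size) { buf[pos++] = '0'; buf[pos++] = 'x'; }
    while (n > 0 && pos + 1 < size) buf[pos++] = tmp[--n];
    buf[pos] = '\0';
    return pos;
}

static void model_die(unsigned long ra, int formatter_frees)
{
    die_calls++;
    if (in_die)
        return;                 /* nested entry: let the outer call finish */
    in_die = 1;
    if (formatter_frees)        /* models vfprintf() calling free(NULL)    */
        model_free(NULL, ra, formatter_frees);
    strcpy(last_msg, "fatal error, ra=");
    put_hex(last_msg, sizeof last_msg, strlen(last_msg), ra);
    /* real code would write(2) last_msg and abort() here */
    in_die = 0;
}

/* Corrupt the model heap, trigger one free(NULL), return fatal-path entries. */
static int run_case(unsigned long ra, int formatter_frees)
{
    heap_ok = 0; die_calls = 0; last_msg[0] = '\0';
    model_free(NULL, ra, formatter_frees);
    return die_calls;
}
```

With a formatter that frees, the fatal path is entered twice and the nested entry returns at the guard; with the allocation-free formatter it is entered once.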
