[Bug 901252] Re: atoi segfaults if the auxiliary vector was empty

Adam Conrad adconrad at 0c3.net
Sat Feb 9 23:54:41 UTC 2013


I'm not sure how intentionally corrupting the stack with a debugger to
cause a segfault constitutes a glibc bug...

** Changed in: eglibc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eglibc in Ubuntu.
https://bugs.launchpad.net/bugs/901252

Title:
  atoi segfaults if the auxiliary vector was empty

Status in “eglibc” package in Ubuntu:
  Invalid

Bug description:
  The auxiliary vector is put onto a process's stack by the kernel and
  it normally isn't empty. However, the C library is probably supposed
  to cope with the auxiliary vector being empty (you might be running
  the program under a different or a modified operating system).
  Therefore, it is probably a bug that atoi segfaults when the auxiliary
  vector was empty.

  I tested this with libc6-dev_2.13-0ubuntu13_armel.deb on a Panda
  Board. I haven't seen this bug on x86.

  To demonstrate the bug you have to use the debugger to hide the
  auxiliary vector. See the transcript below in which I:

  - Build a simple statically linked binary that calls atoi().
  - Find the entry point.
  - Run the program under GDB and stop it at the entry point.
  - Find the auxiliary vector on the stack and hide it by overwriting the first tag with 0.
  - Let the program continue to run: it segfaults in strtol.

  $ cat <<END > t.c
  #include <stdio.h>
  #include <stdlib.h>
  int main()
  {
    printf("%d\n", atoi("123"));
    return 0;
  }
  END
  $ gcc -Wall -O2 t.c -static
  $ readelf -l a.out | grep Entry
  Entry point 0x8171
  $ gdb a.out
  ...
  (gdb) b *0x8170
  Breakpoint 1 at 0x8170
  (gdb) r
  Starting program: /export/egrimley/a.out 

  Breakpoint 1, 0x00008170 in _start ()
  (gdb) info reg
  ...
  sp             0xbefff7d0...
  ...
  (gdb) x/64x 0xbefff7d0
  0xbefff7d0:	0x00000001	0xbefff8dc	0x00000000	0xbefff8f3
  0xbefff7e0:	0xbefff903	0xbefff90e	0xbefff95e	0xbefff97e
  0xbefff7f0:	0xbefff991	0xbefff99f	0xbefffe8f	0xbefffe9a
  0xbefff800:	0xbefffee7	0xbefffeff	0xbeffff0e	0xbeffff1b
  0xbefff810:	0xbeffff30	0xbeffff3d	0xbeffff46	0xbeffff5a
  0xbefff820:	0xbeffff62	0xbeffff73	0xbeffffa3	0xbeffffc3
  0xbefff830:	0x00000000	0x00000010	0x0000b8d7	0x00000006
  0xbefff840:	0x00001000	0x00000011	0x00000064	0x00000003
  ...
  (gdb) p *(int *)0xbefff834 = 0
  $1 = 0
  (gdb) c
  Continuing.

  Program received signal SIGSEGV, Segmentation fault.
  0x00008c1c in ____strtol_l_internal ()

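The report above relies on how C-library start-up code walks the initial process stack (argc, argv[], NULL, envp[], NULL, then the auxiliary vector as (a_type, a_val) pairs ending in AT_NULL) and on what happens when the first tag is overwritten with 0 so the vector appears empty. The following C program is an added example written for this page; it is not code from the report or from glibc. It builds a constructed stack whose word values are taken from the GDB dump in the report (with the envp list shortened), walks it the way start-up code does, then reproduces the `p *(int *)0xbefff834 = 0` step by zeroing the first auxv tag and shows a lookup that fails cleanly instead of proceeding with an unset value. The AT_* values are the Linux ABI ones from elf.h; the 4096-byte fallback page size and the `page_size_from_stack` helper are assumptions about what a robust start-up path might do, not glibc's actual behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Auxiliary-vector tags, values as in the Linux ABI (<elf.h>); defined
 * locally so the example also builds where <elf.h> is absent. */
#ifndef AT_NULL
#define AT_NULL   0
#endif
#ifndef AT_PHDR
#define AT_PHDR   3
#endif
#ifndef AT_PAGESZ
#define AT_PAGESZ 6
#endif
#ifndef AT_HWCAP
#define AT_HWCAP  16
#endif
#ifndef AT_CLKTCK
#define AT_CLKTCK 17
#endif

/* Assumed fallback when auxv carries no AT_PAGESZ (an assumption for this
 * example, not what glibc does). */
#define DEFAULT_PAGESZ 4096u

/* Constructed initial stack modelled on the GDB dump in the report (word
 * values copied from it): argc = 1, argv[0], NULL, envp[...], NULL, then
 * auxv as (a_type, a_val) pairs up to AT_NULL. The envp list is shortened. */
static const uintptr_t intact_stack[] = {
    1, 0xbefff8dc, 0,                      /* argc, argv[0], argv terminator */
    0xbefff8f3, 0xbefff903, 0xbefff90e, 0, /* envp entries, envp terminator */
    AT_HWCAP, 0xb8d7,                      /* index 7: the tag the report zeroed */
    AT_PAGESZ, 0x1000,
    AT_CLKTCK, 0x64,
    AT_PHDR, 0x8034,
    AT_NULL, 0
};
#define STACK_WORDS (sizeof intact_stack / sizeof intact_stack[0])
#define FIRST_AUXV_TAG 7   /* index of AT_HWCAP in intact_stack */

/* Walk the initial stack the way start-up code does and look up one auxv
 * tag. Returns 1 and stores the value on success, 0 if the tag is absent,
 * including the "auxv looks empty" case where the first tag is AT_NULL. */
static int auxv_lookup(const uintptr_t *sp, uintptr_t tag, uintptr_t *out)
{
    const uintptr_t *p = sp;
    uintptr_t argc = *p++;        /* argc */
    p += argc + 1;                /* skip argv[0..argc-1] and its NULL */
    while (*p != 0)               /* skip envp */
        p++;
    p++;                          /* skip envp's NULL; p now points at auxv */
    for (; p[0] != AT_NULL; p += 2)
        if (p[0] == tag) { *out = p[1]; return 1; }
    return 0;
}

/* Reproduce the report's `p *(int *)0xbefff834 = 0`: copy the stack and
 * overwrite the first auxv tag with AT_NULL so the vector looks empty. */
static void make_hidden_stack(uintptr_t *dst)
{
    memcpy(dst, intact_stack, sizeof intact_stack);
    dst[FIRST_AUXV_TAG] = AT_NULL;
}

/* Assumed robust start-up behaviour: fall back to a default instead of
 * using an unset value when AT_PAGESZ is missing. */
static uintptr_t page_size_from_stack(const uintptr_t *sp)
{
    uintptr_t v;
    return auxv_lookup(sp, AT_PAGESZ, &v) ? v : DEFAULT_PAGESZ;
}

int main(void)
{
    uintptr_t hidden[STACK_WORDS], v = 0;
    make_hidden_stack(hidden);

    printf("intact: AT_PAGESZ %s (0x%lx)\n",
           auxv_lookup(intact_stack, AT_PAGESZ, &v) ? "found" : "missing",
           (unsigned long)v);
    printf("hidden: AT_PAGESZ %s, fallback page size %lu\n",
           auxv_lookup(hidden, AT_PAGESZ, &v) ? "found" : "missing",
           (unsigned long)page_size_from_stack(hidden));
    return 0;
}
```

Build with `gcc -Wall -O2 auxv_walk.c` (file name assumed) and run it. The intact stack yields AT_PAGESZ = 0x1000, matching the dump; the hidden stack makes the lookup report the tag as missing, which is the condition the report says glibc's startup did not handle before the crash in strtol.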