[Bug 1471029] Re: Segfault in xsltproc on i386
Douglas Bagnall
douglas at halo.gen.nz
Wed Jul 8 02:34:08 UTC 2015
For example, look at /bin/systemd, which has R_386_RELATIVE blocks:
$ objdump -R /bin/systemd |head -7
/bin/systemd: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
00148440 R_386_RELATIVE *ABS*
00148444 R_386_RELATIVE *ABS*
and its memory map looks like this:
$ sudo cat /proc/1/maps
b7268000-b726a000 rw-p 00000000 00:00 0
b726a000-b726e000 r-xp 00000000 fd:01 2167 /lib/i386-linux-gnu/libuuid.so.1.3.0
b726e000-b726f000 r--p 00003000 fd:01 2167 /lib/i386-linux-gnu/libuuid.so.1.3.0
b726f000-b7270000 rw-p 00004000 fd:01 2167 /lib/i386-linux-gnu/libuuid.so.1.3.0
b7270000-b72b3000 r-xp 00000000 fd:01 2120 /lib/i386-linux-gnu/libblkid.so.1.1.0
b72b3000-b72b6000 r--p 00043000 fd:01 2120 /lib/i386-linux-gnu/libblkid.so.1.1.0
b72b6000-b72b7000 rw-p 00046000 fd:01 2120 /lib/i386-linux-gnu/libblkid.so.1.1.0
b72b7000-b72b9000 rw-p 00000000 00:00 0
b72b9000-b72bc000 r-xp 00000000 fd:01 2130 /lib/i386-linux-gnu/libdl-2.21.so
b72bc000-b72bd000 r--p 00002000 fd:01 2130 /lib/i386-linux-gnu/libdl-2.21.so
b72bd000-b72be000 rw-p 00003000 fd:01 2130 /lib/i386-linux-gnu/libdl-2.21.so
b72be000-b732e000 r-xp 00000000 fd:01 2103 /lib/i386-linux-gnu/libpcre.so.3.13.1
b732e000-b732f000 r--p 0006f000 fd:01 2103 /lib/i386-linux-gnu/libpcre.so.3.13.1
b732f000-b7330000 rw-p 00070000 fd:01 2103 /lib/i386-linux-gnu/libpcre.so.3.13.1
b7330000-b7337000 r-xp 00000000 fd:01 2090 /lib/i386-linux-gnu/librt-2.21.so
b7337000-b7338000 r--p 00006000 fd:01 2090 /lib/i386-linux-gnu/librt-2.21.so
b7338000-b7339000 rw-p 00007000 fd:01 2090 /lib/i386-linux-gnu/librt-2.21.so
b7339000-b7385000 r-xp 00000000 fd:01 2154 /lib/i386-linux-gnu/libmount.so.1.1.0
b7385000-b7386000 r--p 0004b000 fd:01 2154 /lib/i386-linux-gnu/libmount.so.1.1.0
b7386000-b7387000 rw-p 0004c000 fd:01 2154 /lib/i386-linux-gnu/libmount.so.1.1.0
b7387000-b7388000 rw-p 00000000 00:00 0
b7388000-b7394000 r-xp 00000000 fd:01 2076 /lib/i386-linux-gnu/libapparmor.so.1.2.1
b7394000-b7395000 r--p 0000b000 fd:01 2076 /lib/i386-linux-gnu/libapparmor.so.1.2.1
b7395000-b7396000 rw-p 0000c000 fd:01 2076 /lib/i386-linux-gnu/libapparmor.so.1.2.1
b7396000-b7397000 rw-p 00000000 00:00 0
b7397000-b73b1000 r-xp 00000000 fd:01 2142 /lib/i386-linux-gnu/libkmod.so.2.2.8
b73b1000-b73b2000 r--p 00019000 fd:01 2142 /lib/i386-linux-gnu/libkmod.so.2.2.8
b73b2000-b73b3000 rw-p 0001a000 fd:01 2142 /lib/i386-linux-gnu/libkmod.so.2.2.8
b73b3000-b73cd000 r-xp 00000000 fd:01 2118 /lib/i386-linux-gnu/libaudit.so.1.0.0
b73cd000-b73ce000 r--p 00019000 fd:01 2118 /lib/i386-linux-gnu/libaudit.so.1.0.0
b73ce000-b73cf000 rw-p 0001a000 fd:01 2118 /lib/i386-linux-gnu/libaudit.so.1.0.0
b73cf000-b73d9000 rw-p 00000000 00:00 0
b73d9000-b73e7000 r-xp 00000000 fd:01 2097 /lib/i386-linux-gnu/libpam.so.0.83.1
b73e7000-b73e8000 r--p 0000d000 fd:01 2097 /lib/i386-linux-gnu/libpam.so.0.83.1
b73e8000-b73e9000 rw-p 0000e000 fd:01 2097 /lib/i386-linux-gnu/libpam.so.0.83.1
b73e9000-b73ed000 r-xp 00000000 fd:01 2067 /lib/i386-linux-gnu/libcap.so.2.24
b73ed000-b73ee000 r--p 00003000 fd:01 2067 /lib/i386-linux-gnu/libcap.so.2.24
b73ee000-b73ef000 rw-p 00004000 fd:01 2067 /lib/i386-linux-gnu/libcap.so.2.24
b73ef000-b7413000 r-xp 00000000 fd:01 2107 /lib/i386-linux-gnu/libselinux.so.1
b7413000-b7414000 r--p 00024000 fd:01 2107 /lib/i386-linux-gnu/libselinux.so.1
b7414000-b7415000 rw-p 00025000 fd:01 2107 /lib/i386-linux-gnu/libselinux.so.1
b7415000-b7417000 rw-p 00000000 00:00 0
b7417000-b75cb000 r-xp 00000000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b75cb000-b75ce000 r--p 001b3000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b75ce000-b75d0000 rw-p 001b6000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b75d0000-b75d2000 rw-p 00000000 00:00 0
b75d2000-b75eb000 r-xp 00000000 fd:01 2079 /lib/i386-linux-gnu/libpthread-2.21.so
b75eb000-b75ec000 r--p 00018000 fd:01 2079 /lib/i386-linux-gnu/libpthread-2.21.so
b75ec000-b75ed000 rw-p 00019000 fd:01 2079 /lib/i386-linux-gnu/libpthread-2.21.so
b75ed000-b75ef000 rw-p 00000000 00:00 0
b75f3000-b75f6000 rw-p 00000000 00:00 0
b75f6000-b75f8000 r--p 00000000 00:00 0 [vvar]
b75f8000-b75f9000 r-xp 00000000 00:00 0 [vdso]
b75f9000-b761b000 r-xp 00000000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
b761b000-b761c000 r--p 00021000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
b761c000-b761d000 rw-p 00022000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
b761d000-b7765000 r-xp 00000000 fd:01 2742 /lib/systemd/systemd
b7765000-b7776000 r--p 00148000 fd:01 2742 /lib/systemd/systemd
b7776000-b7777000 rw-p 00159000 fd:01 2742 /lib/systemd/systemd
b956b000-b9602000 rw-p 00000000 00:00 0 [heap]
bfb57000-bfb78000 rw-p 00000000 00:00 0 [stack]
See where the heap ended up! Now, here is /sbin/agetty, which has no
RELATIVE relocations:
$ objdump -R /sbin/agetty |grep RELATIVE
$ objdump -R /sbin/agetty |head -7
/sbin/agetty: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08050ffc R_386_GLOB_DAT __gmon_start__
08051200 R_386_COPY __progname
$ cat /proc/877/comm
agetty
$ sudo cat /proc/877/maps
08048000-08050000 r-xp 00000000 fd:01 3962 /sbin/agetty
08050000-08051000 r--p 00007000 fd:01 3962 /sbin/agetty
08051000-08052000 rw-p 00008000 fd:01 3962 /sbin/agetty
08052000-08054000 rw-p 00000000 00:00 0
08403000-08424000 rw-p 00000000 00:00 0 [heap]
b7512000-b751e000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
b751e000-b751f000 r--p 0000b000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
b751f000-b7520000 rw-p 0000c000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
b7520000-b752b000 r-xp 00000000 fd:01 2082 /lib/i386-linux-gnu/libnss_nis-2.21.so
b752b000-b752c000 r--p 0000a000 fd:01 2082 /lib/i386-linux-gnu/libnss_nis-2.21.so
b752c000-b752d000 rw-p 0000b000 fd:01 2082 /lib/i386-linux-gnu/libnss_nis-2.21.so
b752d000-b7544000 r-xp 00000000 fd:01 2084 /lib/i386-linux-gnu/libnsl-2.21.so
b7544000-b7545000 r--p 00016000 fd:01 2084 /lib/i386-linux-gnu/libnsl-2.21.so
b7545000-b7546000 rw-p 00017000 fd:01 2084 /lib/i386-linux-gnu/libnsl-2.21.so
b7546000-b7548000 rw-p 00000000 00:00 0
b7548000-b7550000 r-xp 00000000 fd:01 2081 /lib/i386-linux-gnu/libnss_compat-2.21.so
b7550000-b7551000 r--p 00007000 fd:01 2081 /lib/i386-linux-gnu/libnss_compat-2.21.so
b7551000-b7552000 rw-p 00008000 fd:01 2081 /lib/i386-linux-gnu/libnss_compat-2.21.so
b7552000-b7553000 rw-p 00000000 00:00 0
b7553000-b7707000 r-xp 00000000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b7707000-b770a000 r--p 001b3000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b770a000-b770c000 rw-p 001b6000 fd:01 2086 /lib/i386-linux-gnu/libc-2.21.so
b770c000-b770e000 rw-p 00000000 00:00 0
b7713000-b7715000 rw-p 00000000 00:00 0
b7715000-b7717000 r--p 00000000 00:00 0 [vvar]
b7717000-b7718000 r-xp 00000000 00:00 0 [vdso]
b7718000-b773a000 r-xp 00000000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
b773a000-b773b000 r--p 00021000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
b773b000-b773c000 rw-p 00022000 fd:01 2083 /lib/i386-linux-gnu/ld-2.21.so
bf821000-bf842000 rw-p 00000000 00:00 0 [stack]
So agetty has room to grow.
Here is a snapshot of the processes whose [heap] lies in the bXXXXXXX range, which seems to be a reliable marker. The memory line printed for each is the first, i.e. lowest, mapping.
$ for x in $(sudo grep '\[heap\]' /proc/[0-9]*/maps |grep -e '-b' | cut -d/ -f3 );do echo $x;sudo cat /proc/$x/comm; sudo head -1 /proc/$x/maps;done
1
systemd
b7268000-b726a000 rw-p 00000000 00:00 0
16831
sshd
b6c3c000-b6d7c000 rw-s 00000000 00:05 1616525 /dev/zero (deleted)
16916
sshd
b6c3c000-b6d7c000 rw-s 00000000 00:05 1616525 /dev/zero (deleted)
16916
sshd
b6c3c000-b6d7c000 rw-s 00000000 00:05 1616525 /dev/zero (deleted)
17586
sh
b7581000-b7582000 rw-p 00000000 00:00 0
20457
cat: /proc/20457/comm: No such file or directory
head: cannot open '/proc/20457/maps' for reading: No such file or directory
20458
cat: /proc/20458/comm: No such file or directory
head: cannot open '/proc/20458/maps' for reading: No such file or directory
22780
jed
b7188000-b7360000 rw-p 00000000 00:00 0
308
systemd-journal
b699c000-b6eaa000 rw-s 00000000 00:11 1637684 /run/log/journal/5c2e1112ffe845f2ae4036c51c70fb3b/system.journal
314
systemd-udevd
b6d65000-b6d71000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
414
systemd-timesyn
b6b00000-b6b21000 rw-p 00000000 00:00 0
523
systemd-logind
b7376000-b7382000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
525
atd
b74a2000-b74ae000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
650
dhclient
b6ee3000-b6eef000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
8110
systemd
b7208000-b7214000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
8111
(sd-pam)
b7180000-b7183000 r-xp 00000000 fd:01 2098 /lib/i386-linux-gnu/libpam_misc.so.0.82.0
868
sshd
b6eff000-b6f0b000 r-xp 00000000 fd:01 2080 /lib/i386-linux-gnu/libnss_files-2.21.so
And these are the ones whose [heap] is not in that range:
$ for x in $(sudo grep '\[heap\]' /proc/[0-9]*/maps |grep -v -e '-b' | cut -d/ -f3 );do echo $x;sudo cat /proc/$x/comm; sudo head -1 /proc/$x/maps;done
16917
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
16937
screen
08048000-080b5000 r-xp 00000000 fd:01 50064 /usr/bin/screen
17587
tee
08048000-0804f000 r-xp 00000000 fd:01 49765 /usr/bin/tee
19249
screen
08048000-080b5000 r-xp 00000000 fd:01 50064 /usr/bin/screen
19249
screen
08048000-080b5000 r-xp 00000000 fd:01 50064 /usr/bin/screen
19250
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
19509
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
19568
tail
08048000-08058000 r-xp 00000000 fd:01 49727 /usr/bin/tail
20347
cat: /proc/20347/comm: No such file or directory
head: cannot open '/proc/20347/maps' for reading: No such file or directory
22801
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
24370
tail
08048000-08058000 r-xp 00000000 fd:01 49727 /usr/bin/tail
27206
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
27240
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
28162
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
31383
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
32736
tail
08048000-08058000 r-xp 00000000 fd:01 49727 /usr/bin/tail
524
accounts-daemon
08048000-08071000 r-xp 00000000 fd:01 57696 /usr/lib/accountsservice/accounts-daemon
538
cron
08048000-08052000 r-xp 00000000 fd:01 4085 /usr/sbin/cron
565
rsyslogd
08048000-080d5000 r-xp 00000000 fd:01 4125 /usr/sbin/rsyslogd
608
irqbalance
08048000-08052000 r-xp 00000000 fd:01 4149 /usr/sbin/irqbalance
648
dbus-daemon
08048000-080ca000 r-xp 00000000 fd:01 49898 /usr/bin/dbus-daemon
690
polkitd
08048000-0804a000 r-xp 00000000 fd:01 57657 /usr/lib/policykit-1/polkitd
8131
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
876
agetty
08048000-08050000 r-xp 00000000 fd:01 3962 /sbin/agetty
877
agetty
08048000-08050000 r-xp 00000000 fd:01 3962 /sbin/agetty
9801
bash
08048000-08151000 r-xp 00000000 fd:01 21 /bin/bash
It looks like a haphazard mix to me.
** Summary changed:
- Segfault in xsltproc on i386
+ ELF programs with R_386_RELATIVE blocks are badly mapped into memory
https://bugs.launchpad.net/bugs/1471029
Title:
ELF programs with R_386_RELATIVE blocks are badly mapped into memory
Status in glibc package in Ubuntu:
New
Bug description:
Running the Samba autobuild tests on a 15.04 openstack image results
in a segfault in this command:
/usr/bin/xsltproc --nonet -o default/docs-xml/manpages/smb.conf.5
/home/ubuntu/autobuild/b22271/samba/docs-xml/xslt/man.xsl default
/docs-xml/manpages/smb.conf.5.xml
I reported this upstream as a bug in xsltproc, but it was found to be
impossible to reproduce using upstream source on the openstack
instance:
https://bugzilla.gnome.org/show_bug.cgi?id=751764
Comment 8 (https://bugzilla.gnome.org/show_bug.cgi?id=751764#c8) is
particularly informative.
The stack trace below shows the segfault actually occurs in libxml's
xpath evaluation functions. I see no difference between xpath.c in
upstream 2.9.2 and Ubuntu's version.
(gdb) bt 12
#0 0xb760f874 in xmlXPathCompOpEval (ctxt=0xba25d3e8, op=0xb86bc818) at ../../xpath.c:13606
#1 0xb760f82e in xmlXPathCompOpEval (ctxt=0xba25d3e8, op=0xb86bc890) at ../../xpath.c:13598
#2 0xb7610244 in xmlXPathCompOpEval (ctxt=0xba25d3e8, op=0xb86bc8b8) at ../../xpath.c:13529
#3 0xb760f9d6 in xmlXPathCompOpEval (ctxt=0xba25d3e8, op=0xb86bc8e0) at ../../xpath.c:13977
#4 0xb7612735 in xmlXPathCompOpEval (op=<optimized out>, ctxt=0xba25d3e8) at ../../xpath.c:14552
#5 xmlXPathRunEval (ctxt=0xba25d3e8, toBool=<optimized out>) at ../../xpath.c:14552
#6 0xb76171ed in xmlXPathCompiledEvalInternal (toBool=0, resObj=<synthetic pointer>, ctxt=<optimized out>, comp=<optimized out>) at ../../xpath.c:14915
#7 xmlXPathCompiledEval__internal_alias (comp=0xb866a948, ctx=0xb99bd308) at ../../xpath.c:14978
#8 0xb7787260 in xsltEvalVariable (ctxt=ctxt at entry=0xb9836560, variable=variable at entry=0xba25d3b0, castedComp=0xb86a4238) at ../../../libxslt/variables.c:903
#9 0xb778759a in xsltBuildVariable (ctxt=0xb9836560, castedComp=0xb86a4238, tree=0xb86a6978) at ../../../libxslt/variables.c:1759
#10 0xb7788bfa in xsltParseStylesheetCallerParam (ctxt=0xb86a6978, inst=0xb86a6978) at ../../../libxslt/variables.c:1975
#11 0xb779b9db in xsltCallTemplate (ctxt=0xb9836560, node=0xb85efed8, inst=0xb86a6880, castedComp=0xb86a4148) at ../../../libxslt/transform.c:4739
(More stack frames follow...)
(gdb) bt -5
#3311 0xb779a7de in xsltProcessOneNode (ctxt=0xb9836560, contextNode=0xb97586a0, withParams=0x0) at ../../../libxslt/transform.c:2097
#3312 0xb779d818 in xsltApplyStylesheetInternal (style=0xba25d3e8, style at entry=0xb85ee200, doc=0xb86bc7f0, doc at entry=0xb97586a0, params=0xb77ed340 <params>,
output=0xb85e13e0 "default/docs-xml/manpages/smb.conf.5", profile=0x0, userCtxt=0xb9836560) at ../../../libxslt/transform.c:6159
#3313 0xb779df8d in xsltRunStylesheetUser (style=0xb85ee200, doc=0xb97586a0, params=0xb77ed340 <params>, output=0xb85e13e0 "default/docs-xml/manpages/smb.conf.5", SAX=0x0, IObuf=0x0,
profile=0x0, userCtxt=0xb9836560) at ../../../libxslt/transform.c:6449
#3314 0xb77ea12c in xsltProcess (doc=0xb97586a0, cur=0xb85ee200, filename=0xbfd59812 "default/docs-xml/manpages/smb.conf.5.xml") at ../../../xsltproc/xsltproc.c:483
#3315 0xb77e9298 in main (argc=6, argv=0xbfd58f94) at ../../../xsltproc/xsltproc.c:903