[Bug 1922985] [NEW] long string causes segmentation fault in ypclnt.c

Xinmeng Xia 1922985 at bugs.launchpad.net
Thu Apr 8 04:01:52 UTC 2021


Public bug reported:

Description of problem:
 
In Python, nis.cat() with a long string argument will lead to a crash of the Python interpreter. But Python developers claim that it's not a bug in Python but in glibc.

The related report in Python bug tracker:
https://bugs.python.org/issue43587


Steps to Reproduce:
1. install Python 3 (CPython)
2. type the following code "import nis;nis.cat('/','abs/'*10000000)" and run it with Python

A Python example:
=====================================================
Python 3.10.0a6 (default, Mar 19 2021, 11:45:56) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nis;
>>> nis.cat('/','abs/'*10000000)
Segmentation fault (core dumped)
=====================================================


Attached gdb result:
>>> import nis;
>>> nis.cat('/','abs/'*10000000) 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff67bccdc in yp_bind_file (ysd=0x9b03c0, 
    domain=0x7ffff4192040 "abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/"...) at ypclnt.c:84
84	ypclnt.c: No such file or directory.
(gdb) 


Attached valgrind result:
>>> import nis
>>> nis.cat('/','abs/'*10000000)
==25360== Warning: client switching stacks?  SP change: 0x1ffefff520 --> 0x1ffc9d9af8
==25360==          to suppress, use: --max-stackframe=40000040 or greater
==25360== Invalid write of size 8
==25360==    at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360==    by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360==  Address 0x1ffc9d9af8 is on thread 1's stack
==25360== 
==25360== 
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360==  Access not within mapped region at address 0x1FFC9D9AF8
==25360==    at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360==    by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360==  If you believe this happened as a result of a stack
==25360==  overflow in your program's main thread (unlikely but
==25360==  possible), you can try to increase the size of the
==25360==  main thread stack using the --main-stacksize= flag.
==25360==  The main thread stack size used in this run was 8388608.
==25360== Invalid write of size 8
==25360==    at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360==  Address 0x1ffc9d9af0 is on thread 1's stack
==25360== 
==25360== 
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360==  Access not within mapped region at address 0x1FFC9D9AF0
==25360==    at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360==  If you believe this happened as a result of a stack
==25360==  overflow in your program's main thread (unlikely but
==25360==  possible), you can try to increase the size of the
==25360==  main thread stack using the --main-stacksize= flag.
==25360==  The main thread stack size used in this run was 8388608.
==25360== 
==25360== HEAP SUMMARY:
==25360==     in use at exit: 45,108,440 bytes in 33,832 blocks
==25360==   total heap usage: 84,181 allocs, 50,349 frees, 54,298,362 bytes allocated
==25360== 
==25360== LEAK SUMMARY:
==25360==    definitely lost: 104 bytes in 1 blocks
==25360==    indirectly lost: 0 bytes in 0 blocks
==25360==      possibly lost: 44,967,758 bytes in 32,993 blocks
==25360==    still reachable: 140,578 bytes in 838 blocks
==25360==         suppressed: 0 bytes in 0 blocks
==25360== Rerun with --leak-check=full to see details of leaked memory
==25360== 
==25360== For lists of detected and suppressed errors, rerun with: -s
==25360== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

** Affects: glibc (Ubuntu)
     Importance: Undecided
         Status: New
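The valgrind warning quoted in the report ("SP change: 0x1ffefff520 --> 0x1ffc9d9af8", 40,000,040 bytes) matches the 40,000,000-byte domain string, which indicates that yp_bind_file() sizes a stack buffer by the untrusted domain length and overruns the 8 MiB main-thread stack. Until glibc bounds that allocation, the practical mitigation is to keep such input from reaching libc at all. The following is an added example, not code from the bug report, Python or glibc: a guarded wrapper that enforces NIS name limits before calling nis.cat(), plus a small helper that reads the stack growth out of valgrind output of the kind shown above. The 64-byte limits are assumed from the YPMAXDOMAIN and YPMAXMAP constants in glibc's rpcsvc/yp.h; the function names are ours.

```python
"""Added example (not from the Launchpad report): a guarded wrapper around
nis.cat() and a triage helper for valgrind's 'client switching stacks' warning.
YPMAXDOMAIN / YPMAXMAP = 64 are assumed from glibc's <rpcsvc/yp.h>."""
import re

YPMAXDOMAIN = 64           # assumed from <rpcsvc/yp.h>
YPMAXMAP = 64              # assumed from <rpcsvc/yp.h>
MAIN_STACK_SIZE = 8388608  # 8 MiB, as printed in the valgrind output in the report


class NisArgumentError(ValueError):
    """Raised for a map or domain name that must not be handed to glibc's yp_* code."""


def check_nis_args(mapname, domain):
    """Validate arguments before they cross into glibc's NIS client code.

    The crash in the report is triggered by a 40,000,000-byte domain string
    reaching yp_bind_file(), which places a buffer of that size on the stack;
    bounding the length at the Python boundary keeps such input out of libc.
    Returns the validated (mapname, domain) pair unchanged.
    """
    for label, value, limit in (("mapname", mapname, YPMAXMAP),
                                ("domain", domain, YPMAXDOMAIN)):
        if not isinstance(value, str):
            raise NisArgumentError(f"{label} must be a str, not {type(value).__name__}")
        if not value:
            raise NisArgumentError(f"{label} must not be empty")
        if "\0" in value:
            raise NisArgumentError(f"{label} contains a NUL byte")
        if len(value.encode("utf-8")) > limit:
            raise NisArgumentError(f"{label} is longer than {limit} bytes")
    return mapname, domain


def safe_cat(mapname, domain):
    """nis.cat() with the arguments checked first.  The import is deferred
    because the nis module is optional and absent from newer Python releases."""
    check_nis_args(mapname, domain)
    import nis
    return nis.cat(mapname, domain)


_SP_CHANGE = re.compile(r"SP change: (0x[0-9a-fA-F]+) --> (0x[0-9a-fA-F]+)")


def stack_growth_from_valgrind(lines):
    """Return the stack growth in bytes reported by valgrind's
    'client switching stacks?' warning, or None if no such line is present."""
    for line in lines:
        m = _SP_CHANGE.search(line)
        if m:
            old_sp, new_sp = int(m.group(1), 16), int(m.group(2), 16)
            return old_sp - new_sp  # the stack grows downwards, so old minus new
    return None


def exceeds_main_stack(lines, stack_size=MAIN_STACK_SIZE):
    """True when one frame grew the stack beyond the thread's whole stack size,
    which is what separates this crash from an ordinary wild pointer write."""
    growth = stack_growth_from_valgrind(lines)
    return growth is not None and growth > stack_size


# Constructed sample input: the two valgrind lines quoted in the report.
SAMPLE_VALGRIND = [
    "==25360== Warning: client switching stacks?  SP change: 0x1ffefff520 --> 0x1ffc9d9af8",
    "==25360==          to suppress, use: --max-stackframe=40000040 or greater",
]

if __name__ == "__main__":
    print("stack growth:", stack_growth_from_valgrind(SAMPLE_VALGRIND))
    print("exceeds main stack:", exceeds_main_stack(SAMPLE_VALGRIND))
    try:
        check_nis_args("/", "abs/" * 10000000)
    except NisArgumentError as e:
        print("rejected:", e)
```

Running the module reports a stack growth of 40000040 bytes (larger than the 8388608-byte main stack) for the quoted valgrind lines, and rejects the report's reproduction argument before nis.cat() is ever called.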

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1922985
