[Bug 1983554] Re: gmon memory corruption due wrong calculation of required buffer size

Ubuntu Foundations Team Bug Bot 1983554 at bugs.launchpad.net
Thu Aug 4 08:27:10 UTC 2022 

The attachment "0001-gmon-fix-memory-corruption-due-wrong-calculation-
of-.patch" seems to be a patch.  If it isn't, please remove the "patch"
flag from the attachment, remove the "patch" tag, and if you are a
member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1983554

Title:
  gmon memory corruption due wrong calculation of required buffer size

Status in glibc package in Ubuntu:
  New

Bug description:
  The `__monstartup()` allocates a buffer used to store all the data
  accumulated by the monitor.

  The size of this buffer depends on the size of the internal structures
  used and the address range for which the monitor is activated, as well
  as on the maximum density of call instuctions and/or callable
  functions that could be potentially on a segment of executable code.

  In particular a hash table of arcs is placed at the end of this
  buffer. The size of this hash table is calculated in bytes as
  `p->fromssize = p->textsize / HASHFRACTION`, but actually should be
  `p->fromssize = ROUNDUP(p->textsize / HASHFRACTION,
  sizeof(*p->froms))`.

  This results in writing beyond the end of the allocated buffer when an
  added arc corresponds to a call near from the end of the monitored
  address range, since `_mcount()` check the incoming caller address for
  monitored range but not the intermediate result hash-like index that
  uses to write into the table.

  It should be noted that when the results are output to `gmon.out`, the
  table is read to the last element calculated from the allocated size
  in bytes, so the arcs stored outside the buffer boundary did not fall
  into `gprof` for analysis. Thus this "feature" help me to found this
  bug during working with DSO-profiling
  (https://sourceware.org/bugzilla/show_bug.cgi?id=29438).

  Another minor error seems a related typo in the calculation of
  `kcountsize`.

  Upstream bugzilla ref:
  https://sourceware.org/bugzilla/show_bug.cgi?id=29444

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1983554/+subscriptions

More information about the foundations-bugs mailing list