bug-bash

Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1


From: Dominique Martinet
Subject: Re: Using systemd-249's libnss_systemd.so.2 triggers a crash in bash-5.1's malloc.c
Date: Tue, 5 Oct 2021 09:39:20 +0900

Dominique Martinet wrote on Tue, Oct 05, 2021 at 09:15:48AM +0900:
>  - I could reproduce the same as Julien, with -DDISABLE_MALLOC_WRAPPERS
> the crash still happens when bash is run directly but nothing complains
> in valgrind.
> This could mean that systemd is overflowing bash malloc safeguards as
> you pointed out (I just don't understand why it wouldn't overflow with
> internal malloc), but it could also mean that the memory has been
> allocated somewhere else (e.g. libc's malloc) and freed by bash malloc.
> 
> nss systemd has started using reallocarray() since v247 and that is not
> tracked by bash, I would think that's a good candidate?
> 
> I don't have time right now, but I think adding an implementation for
> reallocarray (wrapper around realloc which does exist) would be the next
> thing to do.

grmbl, curiosity killed the cat so I actually took a moment to try, and
while reallocarray *is* called, it doesn't seem to change anything, and
already was used plenty before (not sure how that works? bash internal
malloc just passes to free pointers it doesn't know about?)

So back to square one.


Here's the patch I used if anyone cares:
----
diff --git a/lib/malloc/malloc.c b/lib/malloc/malloc.c
index 439f8ef11af2..8819cadca3a7 100644
--- a/lib/malloc/malloc.c
+++ b/lib/malloc/malloc.c
@@ -1440,6 +1440,20 @@ realloc (mem, nbytes)
   return internal_realloc (mem, nbytes, (char *)NULL, 0, 0);
 }
 
+PTR_T
+reallocarray (mem, nmemb, size)
+       PTR_T mem;
+       size_t  nmemb;
+       size_t size;
+{
+  size_t nbytes;
+  if (__builtin_mul_overflow(nmemb, size, &nbytes)) {
+         errno = ENOMEM;
+         return 0;
+  }
+  return internal_realloc (mem, nbytes, (char *)NULL, 0, 0);
+}
+
 void
 free (mem)
      PTR_T mem;
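Review bot: `__builtin_mul_overflow` in the new reallocarray() is a GCC/Clang extension, and lib/malloc/malloc.c is otherwise written to build with a wide range of compilers (note the K&R-style parameter declarations), so this hunk will not compile on a compiler without that builtin; a portable check such as `if (size && nmemb > ((size_t) -1) / size)` before the multiplication gives the same ENOMEM result. The `errno = ENOMEM;` line also assumes <errno.h> is visible in this file, which the hunk does not show. On style, the opening brace on the `if` line and the 9-space indentation of the errno/return lines do not match the GNU layout of the surrounding realloc() and free() definitions.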
----
-- 
Dominique


