Use-after-free in test-perror2, test-strerror_r

[Florian Weimer]

The problem is visible with glibc 2.32 under valgrind:

==20== Invalid read of size 1
==20==    at 0x483DAB4: strcmp (vg_replace_strmem.c:847)
==20==    by 0x109414: main (test-perror2.c:84)
==20==  Address 0x4a1a3d0 is 0 bytes inside a block of size 17 free'd
==20==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==20==    by 0x48E2134: strerror_l (in /usr/lib64/libc-2.32.so)
==20==    by 0x109328: main (test-perror2.c:72)
==20==  Block was alloc'd at
==20==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==20==    by 0x48CA03F: __vasprintf_internal (in /usr/lib64/libc-2.32.so)
==20==    by 0x48A46F9: asprintf (in /usr/lib64/libc-2.32.so)
==20==    by 0x48E2184: strerror_l (in /usr/lib64/libc-2.32.so)
==20==    by 0x1092E2: main (test-perror2.c:67)
==20== 
==20== Invalid read of size 1
==20==    at 0x483DAC8: strcmp (vg_replace_strmem.c:847)
==20==    by 0x109414: main (test-perror2.c:84)
==20==  Address 0x4a1a3d1 is 1 bytes inside a block of size 17 free'd
==20==    at 0x483A9F5: free (vg_replace_malloc.c:538)
==20==    by 0x48E2134: strerror_l (in /usr/lib64/libc-2.32.so)
==20==    by 0x109328: main (test-perror2.c:72)
==20==  Block was alloc'd at
==20==    at 0x4839809: malloc (vg_replace_malloc.c:307)
==20==    by 0x48CA03F: __vasprintf_internal (in /usr/lib64/libc-2.32.so)
==20==    by 0x48A46F9: asprintf (in /usr/lib64/libc-2.32.so)
==20==    by 0x48E2184: strerror_l (in /usr/lib64/libc-2.32.so)
==20==    by 0x1092E2: main (test-perror2.c:67)

I think it's the test that's invalid.

This was reported as an actual grep test failure (without valgrind) on
32-bit Arm, where glibc malloc happens to return a different buffer
address for the internal allocation (so that msg3 != msg4).

test-strerror_r has the same issue.

Thanks,
Florian