| Summary: | Balloc did not check mallocated pointer in libc/stdlib/strtod.c | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Jin Guojun <jin> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |
FreeBSD-gnats-submit@FreeBSD.org wrote:

> >Category: kern
> >Responsible: freebsd-bugs
> >Synopsis: Balloc did not check mallocated pointer in libc/stdlib/strtod.c
> >Arrival-Date: Wed Oct 02 14:40:01 PDT 2002

```c
# define THREAD_LOCK() if (__isthreaded) _SPINLOCK(&thread_lock);
```

The reason that malloc of a small piece of memory fails is the malloc THREAD_LOCK() failure. One printf() in a regular session is allocating memory, and the timeout (SIGALARM) starts another printf(), which overtakes the malloc() and returns 0 (NULL):

```c
void *
malloc(size_t size)
{
	register void *r;

	THREAD_LOCK();
	malloc_func = " in malloc():";
	if (malloc_active++) {
		wrtwarning("recursive call\n");
		malloc_active--;
		THREAD_UNLOCK();
		return (0);
	}
	...
}
```

In libc (not libc_r), THREAD_LOCK() may not exist, so the above if {...} block sounds like a bug under this situation.

```
Program terminated with signal 11, Segmentation fault.
#0 0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
(xxgdb) up
#1 0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
(xxgdb) where
#0 0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
#1 0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
#2 0x8069a6e in __dtoa (d=0.18469299376010895, mode=3, ndigits=4, decpt=0xbfbfeae0, sign=0xbfbfe874, rve=0xbfbfe868, resultp=0xbfbfeacc) at /usr/src/lib/libc/../libc/stdlib/strtod.c:1930
#3 0x8066c98 in cvt (value=0.18469299376010895, ndigits=4, flags=256, sign=0xbfbfeaf2 "", decpt=0xbfbfeae0, ch=102, length=0xbfbfead8, dtoaresultp=0xbfbfeacc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
#4 0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d %.4f sec. %s%s\n", ap=0xbfbfeb68 "¼ë¿¿àä\a\b\220ë¿¿lñ¿¿æò¿¿") at /usr/src/lib/libc/../libc/stdio/vfprintf.c:603
#5 0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d %.4f sec. %s%s\n") at /usr/src/lib/libc/../libc/stdio/fprintf.c:70
#6 0x804844f in timeout () at ../netest.c:191
#7 0xbfbfffac in ?? ()
#8 0x806cb88 in malloc (size=28) at /usr/src/lib/libc/../libc/stdlib/malloc.c:1076
#9 0x80676e4 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:386
#10 0x80684e1 in d2b (d=0.17467300593852997, e=0xbfbfef2c, bits=0xbfbfef38) at /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
#11 0x8069a6e in __dtoa (d=0.17467300593852997, mode=3, ndigits=4, decpt=0xbfbff1f0, sign=0xbfbfef84, rve=0xbfbfef78, resultp=0xbfbff1dc) at /usr/src/lib/libc/../libc/stdlib/strtod.c:1930
#12 0x8066c98 in cvt (value=0.17467300593852997, ndigits=4, flags=256, sign=0xbfbff202 "", decpt=0xbfbff1f0, ch=102, length=0xbfbff1e8, dtoaresultp=0xbfbff1dc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
#13 0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d %.4f sec. %s%s\n", ap=0xbfbff278 "Ìò¿¿àä\a\bN\226\004\b\n") at /usr/src/lib/libc/../libc/stdio/vfprintf.c:603
#14 0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d %.4f sec. %s%s\n") at /usr/src/lib/libc/../libc/stdio/fprintf.c:70
#15 0x804974c in main (argc=10, argv=0xbfbff370) at ../netest.c:191
#16 0x8048135 in _start ()
```

-- 
------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
Distributed Systems Department      http://www.itg.lbl.gov/~jin
M/S 50B-2239                        Ph#:(510) 486-7531 Fax: 486-6363
Lawrence Berkeley National Laboratory, Berkeley, CA 94720

<<On Wed, 02 Oct 2002 15:04:09 -0700, "Jin Guojun [DSD]" <j_guojun@lbl.gov> said:

> and timeout (SIGALARM) starts another printf() which causes overtaking the
> malloc() and returns 0 (NULL):

Programmer error. It is forbidden to call any stdio function from a signal handler.

-GAWollman

Garrett Wollman wrote:

> <<On Wed, 02 Oct 2002 15:04:09 -0700, "Jin Guojun [DSD]" <j_guojun@lbl.gov> said:
>
> > and timeout (SIGALARM) starts another printf() which causes overtaking the
> > malloc() and returns 0 (NULL):
>
> Programmer error. It is forbidden to call any stdio function from a
> signal handler.
>
> -GAWollman

"man stdio" does not say this. Is this BSD specific?

State Changed From-To: open->closed

As Garrett Wollman states, it is dangerous to call signal-unsafe functions from the signal handler. There is a list of async-signal-safe functions in the sigaction(2) man page.
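The pattern Wollman's reply and the closing note point to, as an added example that is not part of the PR or of netest.c: the SIGALRM handler only records the timeout in a `volatile sig_atomic_t`, and the program's normal path does the fprintf(), so no stdio or malloc() call runs in signal context. All function and variable names here are hypothetical.

```c
/* Added example (not from the PR or from netest.c): the timeout handler only
 * records the event; the main loop does the fprintf(). Nothing in signal
 * context can re-enter malloc() or stdio. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* sig_atomic_t is the type a handler may store to safely. */
static volatile sig_atomic_t timeout_pending = 0;

/* The handler itself: async-signal-safe, no library calls at all. */
static void on_alarm(int sig)
{
    (void)sig;
    timeout_pending = 1;
}

/* Installs on_alarm for SIGALRM; returns 0 on success, -1 on error. */
int install_timeout_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGALRM, &sa, NULL);
}

/* Called from the main loop, not the handler: if a timeout was recorded,
 * print the report with stdio here and clear the flag. Returns 1 if a
 * report was printed, 0 if nothing was pending. */
int report_timeout(FILE *fp, int count, double elapsed)
{
    if (!timeout_pending)
        return 0;
    timeout_pending = 0;
    /* Same format string as the PR's vfprintf frame, now in normal context. */
    fprintf(fp, "%d %.4f sec. %s%s\n", count, elapsed, "timeout", "");
    return 1;
}

int main(void)
{
    install_timeout_handler();
    alarm(1);
    while (!timeout_pending)
        pause();                    /* wait for SIGALRM without stdio */
    return report_timeout(stderr, 1, 1.0) ? 0 : 1;
}
```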
```
Program terminated with signal 11, Segmentation fault.
#0 0x80676ea in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
(xxgdb) print rv
$1 = (Bigint *) 0x0
(xxgdb) print x
$2 = 2
(xxgdb) print sizeof(Bigint)
$3 = 24
(xxgdb) print (x-1)*sizeof(long)
$4 = 4
(xxgdb) print sizeof(Bigint) + (x-1)*sizeof(long)
$5 = 28
```

```c
static Bigint *
Balloc
#ifdef KR_headers
	(k) int k;
#else
	(int k)
#endif
{
	int x;
	Bigint *rv;

	x = 1 << k;
	rv = (Bigint *)malloc(sizeof(Bigint) + (x-1)*sizeof(long));
	rv->k = k;		/* *** line 387: rv is NULL here */
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}
```

Fix: Check the rv after malloc.
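An added example of the check the "Fix" line asks for, not the strtod.c source: a Balloc-style routine with the same size computation that returns NULL to its caller when malloc() fails instead of dereferencing rv. The struct mirrors the dtoa Bigint header the gdb session sizes; the allocator hook and the policy of returning NULL are assumptions made for this example.

```c
/* Added example, not the strtod.c source: a Balloc-style allocator that checks
 * the malloc() result before touching the block, as the PR's "Fix" line asks.
 * The struct mirrors the dtoa Bigint header the PR sizes (next, k, maxwds, sign,
 * wds, x[]); the allocator hook and the policy of returning NULL to the caller
 * are assumptions made for this example. */
#include <stddef.h>
#include <stdlib.h>

typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds, sign, wds;
    unsigned long x[1];             /* (1 << k) - 1 more words follow */
} Bigint;

/* Allocator hook so a caller can make allocation fail, which is what the
 * "recursive call" path of the PR's malloc() excerpt does (returns 0). */
void *(*balloc_malloc)(size_t) = malloc;

Bigint *Balloc(int k)
{
    int x = 1 << k;
    Bigint *rv = balloc_malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(long));

    if (rv == NULL)                 /* the check strtod.c:387 was missing */
        return NULL;                /* caller must handle a NULL Bigint */
    rv->k = k;
    rv->maxwds = x;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Stand-in for the failing malloc() in the PR: always reports no memory. */
void *failing_malloc(size_t n) { (void)n; return NULL; }

/* Runs both paths: returns 1 when the failure comes back as NULL instead of
 * a crash and the success path fills in the header as Balloc should. */
int balloc_self_check(void)
{
    Bigint *a, *b;
    int ok;

    balloc_malloc = failing_malloc;
    a = Balloc(1);                  /* would have faulted at rv->k before */
    balloc_malloc = malloc;
    b = Balloc(1);
    ok = a == NULL && b != NULL && b->k == 1 && b->maxwds == 2 && b->wds == 0;
    free(b);
    return ok;
}
```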