Package: libc6
Version: 2.40-2
Severity: minor

I have an executable that I compiled for i386 in (probably) 1998, which I have been running in a daily cron job until now. Today it failed to open a file, and strace showed that the filename was partially corrupted.

Since the executable predates the use of ASLR, the memory corruption is reliably reproducible and I was able to catch it with gdb. The memory watchpoint is hit in __GI__IO_link_in() at:

123       _IO_list_all->file._prevchain = &fp->file._chain;
   0xf7de4a44 <+612>:   lea    0x34(%esi),%ebp
   0xf7de4a47 <+615>:   mov    %ebp,0x64(%ecx)
=> 0xf7de4a4a <+618>:   jmp    0xf7de498a <__GI__IO_link_in+426>
   0xf7de4a4f <+623>:   nop

The backtrace is:

#0  0xf7de4a4a in __GI__IO_link_in (fp=0x804a1a0) at ./libio/genops.c:123
#1  0xf7ed9267 in _IO_old_file_init_internal (fp=0x804a1a0) at ./libio/oldfileops.c:106
#2  0xf7ed7e5b in _IO_old_fopen (
    filename=0x8049c9c <base_n> "/home/ben/.base-ԡ\004\b", mode=0x8048b43 "r")
    at ./libio/oldiofopen.c:54
#3  0x0804887a in main ()

At this point _IO_list_all points to _IO_stderr_, which for some reason is *in the executable's BSS section*:

08049c48 l    d  .bss   00000000 .bss
08049c9c l     O .bss   00000100 base_n.4
08049d9c l     O .bss   00000100 rand_n.5
08049e9c l     O .bss   00000100 sig_n.6
08049c48 g     O .bss   00000050 _IO_stderr_
08049c98  w      .bss   00000004 _environ
08049c98 g     O .bss   00000004 __environ
08049c48 g       *ABS*  00000000 __bss_start

The size allocated for _IO_stderr_ in the executable appears to be 80 bytes, which is rather smaller than the current size of struct _IO_FILE_plus (152 bytes), so the assignment to _IO_list_all->file._prevchain overwrites the following static data (base_n) containing the filename.

I'm just going to recompile the executable, but I will keep the old one around for a while in case anyone feels like investigating further.

Ben.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldoldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.10.6-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libc6 depends on:
ii  libgcc-s1  14.2.0-4

Versions of packages libc6 recommends:
ii  libidn2-0  2.3.7-2

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.87
ii  glibc-doc              2.40-2
ii  libc-l10n              2.40-2
ii  libnss-nis             3.1-5
ii  libnss-nisplus         1.3-5+b1
ii  locales                2.40-2

-- debconf-show failed
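
Added example, not part of the original report and not glibc code: it replays the reported 4-byte store against the BSS layout quoted above, to check that the addresses in the report account for the corrupted filename byte for byte. It assumes %ecx held _IO_list_all (= &_IO_stderr_) and %esi held fp, which is a reading of the disassembly; the helper names owner_of and replay and the "XXXX" filename suffix are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSS objects from the report's symbol table (base_n.4 etc. without suffix). */
struct sym { const char *name; uint32_t addr, size; };
static const struct sym bss[] = {
    { "_IO_stderr_", 0x08049c48, 0x050 },   /* 80-byte copy in the old binary */
    { "__environ",   0x08049c98, 0x004 },
    { "base_n",      0x08049c9c, 0x100 },
    { "rand_n",      0x08049d9c, 0x100 },
    { "sig_n",       0x08049e9c, 0x100 },
};

/* Return the object containing addr (NULL if none); *off = offset into it. */
static const struct sym *owner_of(uint32_t addr, uint32_t *off)
{
    for (size_t i = 0; i < sizeof bss / sizeof bss[0]; i++)
        if (addr >= bss[i].addr && addr - bss[i].addr < bss[i].size) {
            *off = addr - bss[i].addr;
            return &bss[i];
        }
    return NULL;
}

/* Replay "lea 0x34(%esi),%ebp; mov %ebp,0x64(%ecx)" on a model of base_n.
   Returns the offset hit inside base_n, or -1 if the store lands elsewhere. */
static int replay(unsigned char *base_n, uint32_t list_all, uint32_t fp)
{
    uint32_t off, target = list_all + 0x64;  /* &_IO_list_all->file._prevchain */
    uint32_t value = fp + 0x34;              /* &fp->file._chain */
    const struct sym *s = owner_of(target, &off);
    if (!s || strcmp(s->name, "base_n") != 0 || off + 4 > s->size)
        return -1;
    for (int i = 0; i < 4; i++)              /* i386 stores little-endian */
        base_n[off + i] = (unsigned char)(value >> (8 * i));
    return (int)off;
}

int main(void)
{
    unsigned char base_n[0x100] = "/home/ben/.base-XXXX"; /* constructed suffix */
    int off = replay(base_n, 0x08049c48, 0x0804a1a0);
    printf("store lands at base_n+%d:", off);
    for (int i = 0; i < 4; i++)
        printf(" %02x", base_n[off + i]);
    printf("\n");
    return 0;
}
```

The store lands 16 bytes into base_n, immediately after "/home/ben/.base-", and writes d4 a1 04 08; d4 a1 is the UTF-8 encoding of "ԡ", followed by \004 and \b, matching the string gdb printed.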