When reading the entries of a directory containing many files with readdir(), mudflap gives a warning about out-of-bounds writes.
mudflap.c:

    MF_VALIDATE_EXTENT (p, sizeof (*p), __MF_CHECK_WRITE, "readdir result");

mudflap checks that the entire struct dirent is writable; however, the size of struct dirent is undefined (according to the manpage). I think it should only check that d_reclen bytes are accessible, instead of the entire structure.

Bug initially discovered on a directory with 76000 entries, reproduced on a directory with 1000 entries. I have run the test on a reiserfs filesystem, but it can also be reproduced by creating a directory with 1000 entries on a tmpfs filesystem mounted on /tmp.

Steps to reproduce:

    $ mkdir test/
    $ for i in `seq 1 1000`; do touch test/$i; done
    $ gcc -fmudflap mudflap_readdir.i -lmudflap -o mudflap_readdir
    $ ./mudflap_readdir test/ 2>error_log
    $ grep ^\  error_log|sort -u
          /lib/libc.so.6 [0x3dfd295d89]
          /lib/libc.so.6(opendir+0x58) [0x3dfd295e58]
          ./mudflap_readdir(main+0xc9) [0x400a11]
          /usr/lib/libmudflap.so.0(__mf_check+0x41) [0x2b7f247ffdb1]
          /usr/lib/libmudflap.so.0(__mf_register+0x41) [0x2b7f247ff8e1]
          /usr/lib/libmudflap.so.0(__mfwrap_readdir+0x91) [0x2b7f24804b91]
          /usr/lib/libmudflap.so.0(__wrap_malloc+0xdd) [0x2b7f24800b8d]

Snippet of error_log:

    *******
    mudflap violation 1 (check/write): time=1191088752.714610 ptr=0x7043c8 size=280
    pc=0x2b7f247ffdb1 location=`(readdir result)'
          /usr/lib/libmudflap.so.0(__mf_check+0x41) [0x2b7f247ffdb1]
          /usr/lib/libmudflap.so.0(__mfwrap_readdir+0x91) [0x2b7f24804b91]
          ./mudflap_readdir(main+0xc9) [0x400a11]
    Nearby object 1: checked region begins 3896B into and ends 24B after
    mudflap object 0x7044f0: name=`malloc region'
    bounds=[0x703490,0x7044c7] size=4152 area=heap check=0r/163w liveness=163
    alloc time=1191088752.713885 pc=0x2b7f247ff8e1
          /usr/lib/libmudflap.so.0(__mf_register+0x41) [0x2b7f247ff8e1]
          /usr/lib/libmudflap.so.0(__wrap_malloc+0xdd) [0x2b7f24800b8d]
          /lib/libc.so.6 [0x3dfd295d89]
          /lib/libc.so.6(opendir+0x58) [0x3dfd295e58]
    number of nearby objects: 1
    *******

Environment:

    $ uname -a
    Linux lightspeed2 2.6.23-rc8-hrt1-cfs-v22-g1bef7dc0-dirty #16 Sat Sep 29 15:54:22 EEST 2007 x86_64 GNU/Linux
    $ cat /etc/debian_version
    lenny/sid
    $ gcc -v
    Using built-in specs.
    Target: x86_64-linux-gnu
    Configured with: ../src/configure -v --enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2 --enable-clocale=gnu --enable-libstdcxx-debug --enable-mpfr --disable-werror --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
    Thread model: posix
    gcc version 4.2.1 (Debian 4.2.1-5)
    $ mount|grep /home
    /dev/mapper/main-home on /home type reiserfs (rw,noatime,notail)
    $ mount|grep tmp
    tmpfs on /tmp type tmpfs (rw,nosuid,mode=1777)

-- 
           Summary: mudflap gives warnings exceeding bounds on valid code, when using readdir(2) on large directories
           Product: gcc
           Version: 4.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libmudflap
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: edwintorok at gmail dot com
 GCC build triplet: x86_64-linux-gnu
  GCC host triplet: x86_64-linux-gnu
GCC target triplet: x86_64-linux-gnu

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=33591
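As an added example (not the reporter's mudflap_readdir.i, which is not attached to this report), the C program below walks a directory with readdir(3) and compares each record's d_reclen with sizeof(struct dirent), the fixed size mudflap validates. The names dirent_valid_extent, scan_dirents, dirent_stats and make_test_dir are this example's own, and it assumes Linux with a glibc-style struct dirent that carries d_reclen.

```c
#define _GNU_SOURCE /* for mkdtemp(3) */
#include <dirent.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct dirent_stats {
    unsigned long entries;       /* records returned by readdir() */
    unsigned long short_records; /* records with d_reclen < sizeof(struct dirent) */
};

/* Bytes really backed by opendir()'s buffer: d_reclen spans the fixed header, the
 * NUL-terminated name and padding.  sizeof(struct dirent) (280 on x86_64 glibc, the
 * "size=280" of the violation) is only an upper bound, so checking that many bytes
 * can run past the end of the last record in the buffer, as the report describes. */
size_t dirent_valid_extent(const struct dirent *d) { return d->d_reclen; }

/* Walks one directory, comparing each record's d_reclen with the struct size. */
int scan_dirents(const char *path, struct dirent_stats *st)
{
    struct dirent *d;
    DIR *dir = opendir(path);
    if (!dir) return -1;
    memset(st, 0, sizeof *st);
    errno = 0;
    while ((d = readdir(dir)) != NULL) {
        size_t need = offsetof(struct dirent, d_name) + strlen(d->d_name) + 1;
        if (need > dirent_valid_extent(d)) { closedir(dir); return -2; } /* malformed */
        st->entries++;
        if (dirent_valid_extent(d) < sizeof(struct dirent)) st->short_records++;
    }
    int err = errno; /* readdir() sets errno on error, leaves it 0 at end of stream */
    closedir(dir);
    return err ? -1 : 0;
}

/* Constructed fixture: a fresh directory with n empty files, mirroring the
 * report's "for i in `seq 1 1000`; do touch test/$i; done". */
int make_test_dir(char *template, int n)
{
    char path[4096];
    if (!mkdtemp(template)) return -1;
    for (int i = 1; i <= n; i++) {
        snprintf(path, sizeof path, "%s/%d", template, i);
        FILE *f = fopen(path, "w");
        if (!f) return -1; fclose(f);
    }
    return 0;
}
```

With a large directory, short_records equals entries for ordinary file names: every record is shorter than the 280-byte struct, so the difference is exactly what a sizeof(*p) check can read past the buffer end.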