Package: bash
Version: 4.1-3
Severity: normal

Bash uses its own malloc implementation for unknown reasons (at least to
me).

This implementation dates back to 4.2BSD (according to INSTALL) and
uses brk(), which seems to be an obsolete interface.

In our complicated test scenario involving

  make -> scratchbox2 -> bash

we have encountered a situation where brk(), as used by bash's malloc,
fails, causing SIGSEGV in bash.

Reading through strace(1) output I've come to the following pattern
causing the failure:

0. Kernel's ASLR has to be disabled (kernel.randomize_va_space=0).
   This setting directly affects addresses as returned from the kernel's
   mmap(2) system call (this is the root of the problem).
   With ASLR enabled it also happens but the bug isn't that evident
   (it's non-deterministic).

1. Dynamic linker is run and loads all required libraries - dl uses
   mmap(2) to allocate required memory. mmap(2) from the kernel returns
   addresses that are just one page after the original program break, i.e.

   dl_mem = (uintptr_t)(sbrk(0) + getpagesize()) & ~(getpagesize() - 1)

2. Bash is finally run and tries to allocate memory using brk(addr).
   This fails as memory above the program break was already allocated by
   the dynamic linker (see 2).

Please see (filtered) strace output below.

Solution seems rather simple - configure bash with --without-bash-malloc
to use system/glibc-provided malloc. From our testing this seems to fix
this issue.

Thanks!

5328 execve("/home/lmctl/sbs/tools/lib/ld-linux.so.2",
["/home/lmctl/sbs/tools/lib/ld-lin"..., "--rpath-prefix",
"/home/lmctl/sbs/tools", "--nodefaultdirs", "--argv0", "/bin/bash",
"/home/lmctl/sbs/tools/bin/bash", "-c", "echo bug"], [/* 68 vars */]) = 0
5328 brk(0) = 0x55573000
5328 open("/home/lmctl/sbs/tools/bin/bash", O_RDONLY) = 3
5328 read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0P!\6\0104\0\0\0"...,
512) = 512
5328 fstat64(3, {st_mode=S_IFREG|0755, st_size=811156, ...}) = 0
5328 mmap2(0x8048000, 794624, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x8048000
5328 mmap2(0x810a000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc1) = 0x810a000
5328 mmap2(0x810f000, 19052, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x810f000
5328 close(3) = 0
5328 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
5328 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x55574000
[*] Please note the return address - it's just one page after sbrk(0).
....
5328 open("/home/lmctl/sbs/tools/usr/lib/libsb2/libsb2.so.1", O_RDONLY) = 3
5328 read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`I\0\0004\0\0\0"...,
512) = 512
5328 fstat64(3, {st_mode=S_IFREG|0644, st_size=360644, ...}) = 0
5328 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x55576000
5328 mmap2(NULL, 364308, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x55577000
5328 mmap2(0x555ce000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x57) = 0x555ce000
5328 mmap2(0x555cf000, 3860, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x555cf000
5328 close(3) = 0
5328 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
5328 open("/home/lmctl/sbs/tools/usr/lib/libsb2/libncurses.so.5",
O_RDONLY) = -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/lib/libdl.so.2", O_RDONLY) = 3
5328 read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\0004\0\0\0"...,
512) = 512
5328 fstat64(3, {st_mode=S_IFREG|0644, st_size=9736, ...}) = 0
5328 mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x5560a000
5328 mmap2(0x5560c000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x5560c000
5328 close(3) = 0
5328 open("/home/lmctl/sbs/tools/usr/lib/libsb2/libc.so.6", O_RDONLY) =
-1 ENOENT (No such file or directory)
5328
open("/home/lmctl/sbs/tools/home/lmctl/sbs-install/lib/libsb2/libc.so.6", O_RDONLY)
= -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/local/lib/libc.so.6", O_RDONLY) =
-1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/lib/libfakeroot/libc.so.6",
O_RDONLY) = -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/lib64/libfakeroot/libc.so.6",
O_RDONLY) = -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/lib/libc.so.6", O_RDONLY) = 3
5328 read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320m\1\0004\0\0\0"...,
512) = 512
5328 fstat64(3, {st_mode=S_IFREG|0755, st_size=1315080, ...}) = 0
5328 mmap2(NULL, 1321288, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x5560e000
5328 mmap2(0x5574b000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13d) = 0x5574b000
5328 mmap2(0x5574e000, 10568, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x5574e000
5328 close(3) = 0
5328 open("/home/lmctl/sbs/tools/usr/lib/libsb2/libm.so.6", O_RDONLY) =
-1 ENOENT (No such file or directory)
5328
open("/home/lmctl/sbs/tools/home/lmctl/sbs-install/lib/libsb2/libm.so.6", O_RDONLY)
= -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/local/lib/libm.so.6", O_RDONLY) =
-1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/lib/libfakeroot/libm.so.6",
O_RDONLY) = -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/usr/lib64/libfakeroot/libm.so.6",
O_RDONLY) = -1 ENOENT (No such file or directory)
5328 open("/home/lmctl/sbs/tools/lib/libm.so.6", O_RDONLY) = 3
5328 read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`4\0\0004\0\0\0"...,
512) = 512
5328 fstat64(3, {st_mode=S_IFREG|0644, st_size=149392, ...}) = 0
5328 mmap2(NULL, 151680, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x55751000
5328 mmap2(0x55775000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x23) = 0x55775000
5328 close(3) = 0
5328 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x55777000
5328 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0x55778000
5328 set_thread_area(0xffffd03c) = 0
5328 mprotect(0x55775000, 4096, PROT_READ) = 0
5328 mprotect(0x5574b000, 8192, PROT_READ) = 0
5328 mprotect(0x5560c000, 4096, PROT_READ) = 0
5328 mprotect(0x55571000, 4096, PROT_READ) = 0
5328 brk(0) = 0x55573000
5328 brk(0x55574000) = 0x55573000
brk() fails as 0x55574000 was already mmapped - see above [*].
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 gettimeofday({1297869657, 380116}, NULL) = 0
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.37-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bash depends on:
ii  base-files       6.0             Debian base system miscellaneous f
ii  dash             0.5.5.1-7.4     POSIX-compliant shell
ii  debianutils      3.4             Miscellaneous utilities specific t
ii  libc6            2.11.2-10       Embedded GNU C Library: Shared lib
ii  libncurses5      5.7+20100313-5  shared libraries for terminal hand

Versions of packages bash recommends:
ii  bash-completion  1:1.2-3         programmable completion for the ba

Versions of packages bash suggests:
pn  bash-doc         <none>          (no description available)
-- no debconf information
--
Karol Lewandowski | Samsung Poland R&D Center | Linux/Platform
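
Added example, not part of the original report: a small strace triage script that flags the pattern described above, a brk() grow request that leaves the break unchanged because an earlier mmap result sits directly above it. The function name, the 4096-byte page size, the one-syscall-per-line input (wrapped lines joined) and the sample lines are assumptions of this example; munmap is not tracked.

```python
import re

# Constructed sample in the shape of the strace output above, one syscall per line.
SAMPLE = """\
5328 brk(0) = 0x55573000
5328 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x55574000
5328 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x55576000
5328 brk(0) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 brk(0x55574000) = 0x55573000
5328 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
"""

# Only successful mmap/mmap2 calls (hex return value) are recorded as mappings.
MMAP = re.compile(r"^(\d+)\s+mmap2?\((?:NULL|0x[0-9a-f]+), (\d+), .*\)\s+= (0x[0-9a-f]+)$")
# brk(0) / brk(NULL) only query the break and deliberately do not match.
BRK = re.compile(r"^(\d+)\s+brk\((0x[0-9a-f]+)\)\s+= (0x[0-9a-f]+)$")
PAGE = 4096  # assumed page size

def find_blocked_brk(trace, page=PAGE):
    """One finding per distinct failed brk() grow request, with the mapping in its way."""
    maps, found = {}, {}
    for line in trace.splitlines():
        m = MMAP.match(line)
        if m:
            start, length = int(m.group(3), 16), int(m.group(2))
            end = start + -(-length // page) * page  # round length up to whole pages
            maps.setdefault(m.group(1), []).append((start, end))
            continue
        b = BRK.match(line)
        if not b:
            continue
        pid, want, kept = b.group(1), int(b.group(2), 16), int(b.group(3), 16)
        if kept >= want:
            continue  # the raw syscall returns the old, lower break when a grow fails
        # Linux refuses to grow the heap if a mapping intersects
        # [old break, new break + one page).
        lo, hi = kept, want + page
        blocker = next(((s, e) for s, e in maps.get(pid, []) if s < hi and e > lo), None)
        f = found.setdefault((pid, want), {"pid": pid, "requested": want,
                                           "kept": kept, "blocker": blocker, "attempts": 0})
        f["attempts"] += 1
    return list(found.values())

if __name__ == "__main__":
    for f in find_blocked_brk(SAMPLE):
        print(f"pid {f['pid']}: brk({f['requested']:#x}) stuck at {f['kept']:#x}, "
              f"blocked by {f['blocker']}, {f['attempts']} attempts")
```
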