From jin@gracie.lbl.gov  Wed Oct  2 14:38:15 2002
Return-Path: <jin@gracie.lbl.gov>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 23E8337B404
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  2 Oct 2002 14:38:15 -0700 (PDT)
Received: from gracie.lbl.gov (gracie.lbl.gov [131.243.2.175])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9AD0C43E42
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  2 Oct 2002 14:38:14 -0700 (PDT)
	(envelope-from jin@gracie.lbl.gov)
Received: (from root@localhost)
	by gracie.lbl.gov (8.11.6/8.11.6) id g92Lc9526855;
	Wed, 2 Oct 2002 14:38:09 -0700 (PDT)
	(envelope-from jin)
Message-Id: <200210022138.g92Lc9526855@gracie.lbl.gov>
Date: Wed, 2 Oct 2002 14:38:09 -0700 (PDT)
From: Jin Guojun (DSD staff) <jin@gracie.lbl.gov>
Reply-To: j_guojun@lbl.gov
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Balloc did not check mallocated pointer in libc/stdlib/strtod.c
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         43599
>Category:       kern
>Synopsis:       Balloc did not check mallocated pointer in libc/stdlib/strtod.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 02 14:40:01 PDT 2002
>Closed-Date:    Sat Jul 17 21:10:02 GMT 2004
>Last-Modified:  Sat Jul 17 21:10:02 GMT 2004
>Originator:     Jin Guojun (DSD staff)
>Release:        FreeBSD 4.x-RELEASE i386
>Organization:
>Environment:


	4.x-RELEASE /usr/src/lib/libc/stdlib/strtod.c

>Description:

	Program terminated with signal 11, Segmentation fault.
#0  0x80676ea in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
(xxgdb) print rv
$1 = (Bigint *) 0x0
(xxgdb) print x
$2 = 2
(xxgdb) print sizeof(Bigint)
$3 = 24
(xxgdb) print (x-1)*sizeof(long)
$4 = 4
(xxgdb) print sizeof(Bigint) + (x-1)*sizeof(long)
$5 = 28

static Bigint *
Balloc
#ifdef KR_headers
	(k) int k;
#else
	(int k)
#endif
{
	int x;
	Bigint *rv;

	x = 1 << k;
	rv = (Bigint *)malloc(sizeof(Bigint) + (x-1)*sizeof(long));
	rv->k = k;		/* *** faults here when malloc() returned NULL */
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}

>How-To-Repeat:
	
>Fix:

	Check the rv after malloc.
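
The following is an added example, not code from the PR or from FreeBSD's strtod.c: a Balloc with the check the Fix asks for, so that a NULL from malloc() is returned to the caller instead of being dereferenced at `rv->k`. The Bigint layout is assumed to be the classic dtoa.c one (on i386 with 4-byte pointers and longs it is 24 bytes, the value the gdb session above printed); `alloc_hook` and `fail_next_alloc` are constructed here so a failing malloc() can be simulated on demand, and `bigint_from_ulong` is a hypothetical caller showing how the NULL is propagated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Bigint layout as in classic dtoa.c (assumption: matches the 4.x strtod.c
 * struct; sizeof == 24 on i386, as the report's gdb session printed). */
typedef struct Bigint {
	struct Bigint *next;
	int k, maxwds, sign, wds;
	unsigned long x[1];	/* first of maxwds words; the rest follow in the block */
} Bigint;

/* Constructed allocator hook so a test can make malloc() "fail" on demand,
 * standing in for the NULL the report saw when malloc() was re-entered. */
static int fail_next_alloc = 0;

static void *
alloc_hook(size_t n)
{
	if (fail_next_alloc) {
		fail_next_alloc = 0;
		return NULL;
	}
	return malloc(n);
}

/* Balloc with the check the PR asks for: a NULL result is returned to the
 * caller instead of being dereferenced at rv->k. */
static Bigint *
Balloc_checked(int k)
{
	int x = 1 << k;
	size_t len = sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned long);
	Bigint *rv = (Bigint *)alloc_hook(len);

	if (rv == NULL)
		return NULL;
	rv->next = NULL;
	rv->k = k;
	rv->maxwds = x;
	rv->sign = rv->wds = 0;
	return rv;
}

static void
Bfree(Bigint *v)
{
	free(v);
}

/* Returns 1 if a fresh Bigint for the given k has the expected header. */
static int
balloc_fields_ok(int k)
{
	Bigint *b = Balloc_checked(k);
	int ok;

	if (b == NULL)
		return 0;
	ok = b->k == k && b->maxwds == (1 << k) && b->sign == 0 && b->wds == 0;
	Bfree(b);
	return ok;
}

/* Returns 1 if a failing allocation comes back as NULL rather than a crash. */
static int
balloc_failure_is_reported(void)
{
	fail_next_alloc = 1;
	return Balloc_checked(1) == NULL;
}

/* Hypothetical caller: stores one word, returns wds on success or -1 on ENOMEM. */
static int
bigint_from_ulong(unsigned long v)
{
	Bigint *b = Balloc_checked(1);	/* k=1: room for 2 words */
	int wds;

	if (b == NULL)
		return -1;	/* propagate the failure; the unchecked version faults here */
	b->x[0] = v;
	b->wds = 1;
	wds = b->wds;
	Bfree(b);
	return wds;
}

/* Same caller with the next allocation forced to fail. */
static int
caller_on_failure(void)
{
	fail_next_alloc = 1;
	return bigint_from_ulong(42UL);
}

int
main(void)
{
	printf("fields ok:        %d\n", balloc_fields_ok(3));
	printf("failure reported: %d\n", balloc_failure_is_reported());
	printf("normal caller:    %d\n", bigint_from_ulong(42UL));
	printf("caller on ENOMEM: %d\n", caller_on_failure());
	return 0;
}
```

The check only moves the failure to the caller; every function that calls Balloc (d2b, __dtoa and their callers in the backtrace) then needs its own NULL handling, which is why the audit trail below treats the re-entrant malloc() itself as the thing to avoid.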


>Release-Note:
>Audit-Trail:

From: "Jin Guojun [DSD]" <j_guojun@lbl.gov>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: kern/43599: Balloc did not check mallocated pointer in 
 libc/stdlib/strtod.c
Date: Wed, 02 Oct 2002 15:04:09 -0700

 FreeBSD-gnats-submit@FreeBSD.org wrote:
 
 > >Category:       kern
 > >Responsible:    freebsd-bugs
 > >Synopsis:       Balloc did not check mallocated pointer in libc/stdlib/strtod.c
 > >Arrival-Date:   Wed Oct 02 14:40:01 PDT 2002
 
 # define THREAD_LOCK()                if (__isthreaded) _SPINLOCK(&thread_lock);
 
 The reason that malloc() fails on a small piece of memory is the malloc
 THREAD_LOCK() failure. One printf() in a regular session is allocating memory,
 and a timeout (SIGALRM) starts another printf(), which overtakes the
 malloc() and returns 0 (NULL):
 
 void *
 malloc(size_t size)
 {
     register void *r;
 
     THREAD_LOCK();
     malloc_func = " in malloc():";
     if (malloc_active++) {
         wrtwarning("recursive call\n");
         malloc_active--;
         THREAD_UNLOCK();
         return (0);
     }
 ...
 }
 
 In libc (not libc_r), THREAD_LOCK() may not exist, so the above if {...} block
 sounds like a bug under this situation.
 
 Program terminated with signal 11, Segmentation fault.
 #0  0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
 (xxgdb) up
 #1  0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at
 /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
 (xxgdb) where
 #0  0x80676f2 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:387
 #1  0x80684e1 in d2b (d=0.18469299376010895, e=0xbfbfe81c, bits=0xbfbfe828) at
 /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
 #2  0x8069a6e in __dtoa (d=0.18469299376010895, mode=3, ndigits=4,
 decpt=0xbfbfeae0, sign=0xbfbfe874, rve=0xbfbfe868, resultp=0xbfbfeacc) at
 /usr/src/lib/libc/../libc/stdlib/strtod.c:1930
 #3  0x8066c98 in cvt (value=0.18469299376010895, ndigits=4, flags=256,
 sign=0xbfbfeaf2 "", decpt=0xbfbfeae0, ch=102, length=0xbfbfead8,
 dtoaresultp=0xbfbfeacc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
 #4  0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d  %.4f sec. %s%s\n",
 ap=0xbfbfeb68 "뿿\a\b\220뿿l") at
 /usr/src/lib/libc/../libc/stdio/vfprintf.c:603
 #5  0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d  %.4f sec. %s%s\n") at
 /usr/src/lib/libc/../libc/stdio/fprintf.c:70
 #6  0x804844f in timeout () at ../netest.c:191
 #7   0xbfbfffac in ?? ()
 #8  0x806cb88 in malloc (size=28) at /usr/src/lib/libc/../libc/stdlib/malloc.c:1076
 #9  0x80676e4 in Balloc (k=1) at /usr/src/lib/libc/../libc/stdlib/strtod.c:386
 #10 0x80684e1 in d2b (d=0.17467300593852997, e=0xbfbfef2c, bits=0xbfbfef38) at
 /usr/src/lib/libc/../libc/stdlib/strtod.c:1011
 #11 0x8069a6e in __dtoa (d=0.17467300593852997, mode=3, ndigits=4,
 decpt=0xbfbff1f0, sign=0xbfbfef84, rve=0xbfbfef78, resultp=0xbfbff1dc) at
 /usr/src/lib/libc/../libc/stdlib/strtod.c:1930
 #12 0x8066c98 in cvt (value=0.17467300593852997, ndigits=4, flags=256,
 sign=0xbfbff202 "", decpt=0xbfbff1f0, ch=102, length=0xbfbff1e8,
 dtoaresultp=0xbfbff1dc) at /usr/src/lib/libc/../libc/stdio/vfprintf.c:1222
 #13 0x80647bd in vfprintf (fp=0x8086338, fmt0=0x807e475 "%d  %.4f sec. %s%s\n",
 ap=0xbfbff278 "\a\bN\226\004\b\n") at
 /usr/src/lib/libc/../libc/stdio/vfprintf.c:603
 #14 0x8063988 in fprintf (fp=0x8086338, fmt=0x807e475 "%d  %.4f sec. %s%s\n") at
 /usr/src/lib/libc/../libc/stdio/fprintf.c:70
 #15 0x804974c in main (argc=10, argv=0xbfbff370) at ../netest.c:191
 #16 0x8048135 in _start ()
 
 --
 ------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
 Distributed Systems Department          http://www.itg.lbl.gov/~jin
 M/S 50B-2239                            Ph#:(510) 486-7531 Fax: 486-6363
 Lawrence Berkeley National Laboratory,  Berkeley, CA 94720

From: Garrett Wollman <wollman@lcs.mit.edu>
To: "Jin Guojun [DSD]" <j_guojun@lbl.gov>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/43599: Balloc did not check mallocated pointer in 
 libc/stdlib/strtod.c
Date: Wed, 2 Oct 2002 18:15:01 -0400 (EDT)

 <<On Wed, 02 Oct 2002 15:04:09 -0700, "Jin Guojun [DSD]" <j_guojun@lbl.gov> said:
 
 > and a timeout (SIGALRM) starts another printf(), which overtakes the
 > malloc() and returns 0 (NULL):
 
 Programmer error.  It is forbidden to call any stdio function from a
 signal handler.
 
 -GAWollman
 

From: "Jin Guojun [DSD]" <j_guojun@lbl.gov>
To: Garrett Wollman <wollman@lcs.mit.edu>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/43599: Balloc did not check mallocated pointer in 
 libc/stdlib/strtod.c
Date: Wed, 02 Oct 2002 16:05:39 -0700

 Garrett Wollman wrote:
 
 > <<On Wed, 02 Oct 2002 15:04:09 -0700, "Jin Guojun [DSD]" <j_guojun@lbl.gov> said:
 >
 > > and a timeout (SIGALRM) starts another printf(), which overtakes the
 > > malloc() and returns 0 (NULL):
 >
 > Programmer error.  It is forbidden to call any stdio function from a
 > signal handler.
 >
 > -GAWollman
 
 "man stdio" does not say this. Is this BSD specific?
 
 --
 ------------ Jin Guojun ----------- v --- j_guojun@lbl.gov ---
 Distributed Systems Department          http://www.itg.lbl.gov/~jin
 M/S 50B-2239                            Ph#:(510) 486-7531 Fax: 486-6363
 Lawrence Berkeley National Laboratory,  Berkeley, CA 94720
 
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sat Jul 17 21:05:25 GMT 2004 
State-Changed-Why:  
As Garrett Wollman states, it is dangerous to call signal-unsafe
functions from a signal handler.  There is a list of async-signal-safe
functions in the sigaction(2) man page.

http://www.freebsd.org/cgi/query-pr.cgi?pr=43599 
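
An added example of the pattern the closing note points at (not part of the PR or of netest.c): the SIGALRM handler records that the alarm fired using only operations that sigaction(2) lists as async-signal-safe (a store to a `volatile sig_atomic_t` and write(2) of a preformatted string), and the `%.4f` printf(), whose __dtoa -> Balloc -> malloc path is what re-entered the allocator in the backtrace, runs in the main flow. The handler and helper names are constructed, and `trigger_and_report` delivers the signal with raise(3) instead of alarm(3) so the flow can be exercised without a timer.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static volatile sig_atomic_t alarm_fired = 0;

/* Handler: only async-signal-safe operations from the sigaction(2) list.
 * No stdio, no malloc(); errno is saved and restored. */
static void
on_alarm(int sig)
{
	static const char msg[] = "alarm fired; report deferred to main loop\n";
	int saved_errno = errno;

	(void)sig;
	alarm_fired = 1;
	/* write(2) is async-signal-safe; the fixed string needs no formatting. */
	(void)write(STDERR_FILENO, msg, sizeof msg - 1);
	errno = saved_errno;
}

static int
install_alarm_handler(void)
{
	struct sigaction sa;

	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_alarm;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;
	return sigaction(SIGALRM, &sa, NULL);
}

/* All stdio stays here, in ordinary program context: printf("%.4f") walks
 * __dtoa -> Balloc -> malloc, which must never run inside the handler. */
static int
report_if_fired(double elapsed)
{
	if (!alarm_fired)
		return 0;
	alarm_fired = 0;
	printf("%.4f sec.\n", elapsed);
	return 1;	/* a report was printed */
}

/* Deliver SIGALRM synchronously (constructed for the example; real code
 * would arm alarm(3) or setitimer(2) and poll the flag in its loop). */
static int
trigger_and_report(void)
{
	if (install_alarm_handler() != 0)
		return -1;
	raise(SIGALRM);		/* on_alarm runs and sets the flag */
	return report_if_fired(0.1847);
}

int
main(void)
{
	printf("after signal:    %d\n", trigger_and_report());
	printf("no signal since: %d\n", report_if_fired(0.1747));
	return 0;
}
```

In a program with a blocking main loop, the same idea is usually done with the self-pipe trick (write(2) one byte from the handler, select(2) or poll(2) on the read end) so the loop wakes up promptly; the rule is unchanged, the handler touches nothing that can take a lock or call malloc().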
>Unformatted:
