This is the mail archive of the mailing list for the GCC project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libmudflap/33591] New: mudflap gives warnings exceeding bounds on valid code, when using readdir(2) on large directories

When reading entries of a directory with readdir() on a directory 
containing many files, mudflap gives warning about out-of-bound writes.

mudflap.c: MF_VALIDATE_EXTENT (p, sizeof (*p), __MF_CHECK_WRITE, "readdir

mudflap checks that the entire struct dirent is writable, however the size of
struct dirent is undefined (according to the manpage).

I think it should only check that d_reclen bytes are accessible, instead of the
entire structure.

Bug initially discovered on directory with 76000 entries, reproduced on
directory with 1000 entries.

I have run the test on a reiserfs filesystem, but it can also be
reproduced by creating a directory with 1000 entries on a tmpfs filesystem
mounted on /tmp

Steps to reproduce:

$ mkdir test/
$ for i in `seq 1 1000`; do touch test/$i; done
$ gcc  -fmudflap mudflap_readdir.i -lmudflap -o mudflap_readdir
$ ./mudflap_readdir test/ 2>error_log
$ grep ^\  error_log|sort -u
      /lib/ [0x3dfd295d89]
      /lib/ [0x3dfd295e58]
      ./mudflap_readdir(main+0xc9) [0x400a11]
      /usr/lib/ [0x2b7f247ffdb1]
      /usr/lib/ [0x2b7f247ff8e1]
      /usr/lib/ [0x2b7f24804b91]
      /usr/lib/ [0x2b7f24800b8d]

Snippet of error_log:

mudflap violation 1 (check/write): time=1191088752.714610 ptr=0x7043c8 size=280
pc=0x2b7f247ffdb1 location=`(readdir result)'
      /usr/lib/ [0x2b7f247ffdb1]
      /usr/lib/ [0x2b7f24804b91]
      ./mudflap_readdir(main+0xc9) [0x400a11]
Nearby object 1: checked region begins 3896B into and ends 24B after
mudflap object 0x7044f0: name=`malloc region'
bounds=[0x703490,0x7044c7] size=4152 area=heap check=0r/163w liveness=163
alloc time=1191088752.713885 pc=0x2b7f247ff8e1
      /usr/lib/ [0x2b7f247ff8e1]
      /usr/lib/ [0x2b7f24800b8d]
      /lib/ [0x3dfd295d89]
      /lib/ [0x3dfd295e58]
number of nearby objects: 1

$ uname -a
Linux lightspeed2 2.6.23-rc8-hrt1-cfs-v22-g1bef7dc0-dirty #16 Sat Sep 29 
15:54:22 EEST 2007 x86_64 GNU/Linux

$ cat /etc/debian_version

$ gcc -v
Using built-in specs.
Target: x86_64-linux-gnu
Configured with: ../src/configure -v
--enable-languages=c,c++,fortran,objc,obj-c++,treelang --prefix=/usr
--enable-shared --with-system-zlib --libexecdir=/usr/lib
--without-included-gettext --enable-threads=posix --enable-nls
--with-gxx-include-dir=/usr/include/c++/4.2 --program-suffix=-4.2
--enable-clocale=gnu --enable-libstdcxx-debug --enable-mpfr --disable-werror
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
Thread model: posix
gcc version 4.2.1 (Debian 4.2.1-5)

$ mount|grep /home
/dev/mapper/main-home on /home type reiserfs (rw,noatime,notail)

$ mount|grep tmp
tmpfs on /tmp type tmpfs (rw,nosuid,mode=1777)

           Summary: mudflap gives warnings exceeding bounds on valid code,
                    when using readdir(2) on large directories
           Product: gcc
           Version: 4.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libmudflap
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: edwintorok at gmail dot com
 GCC build triplet: x86_64-linux-gnu
  GCC host triplet: x86_64-linux-gnu
GCC target triplet: x86_64-linux-gnu

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]