[BusyBox 0001120]: patch crashes on BusyBox 1.2.2 patching glibc-2.4

bugs at busybox.net bugs at busybox.net
Sun Dec 17 00:33:56 UTC 2006


The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=1120 
====================================================================== 
Reported By:                cziom
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   1120
Category:                   Other
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             12-16-2006 14:40 PST
Last Modified:              12-16-2006 16:33 PST
====================================================================== 
Summary:                    patch crashes on BusyBox 1.2.2 patching glibc-2.4
Description: 
Executing busybox 'patch' applet encounters a double free error and
crashes.

On a LinuxFromScratch pure64 build on an AMD Opteron system, kernel
2.6.19, patching glibc-2.4 with the glibc-2.4-localedef_segfault-1.patch
using the gnu patch utility produces the following correct results:

patching file locale/programs/3level.h
Hunk #1 succeeded at 311 with fuzz 2 (offset 107 lines).

However, when using the BusyBox patch applet, the following occurs:

patching file locale/programs/3level.h
patch: Hunk #1 FAILED at 204.
patch: 1 out of 1 hunk FAILED
*** glibc detected *** patch: double free or corruption (!prev): 0x00000000005cf280 ***
======= Backtrace: =========
/tools/lib/libc.so.6[0x2af46ff640ad]
/tools/lib/libc.so.6(__libc_free+0x6c)[0x2af46ff656ac]
patch[0x46854f]
patch[0x478bae]
patch[0x478c13]
/tools/lib/libc.so.6(__libc_start_main+0xf4)[0x2af46ff18094]
patch[0x407569]
======= Memory map: ========
00400000-004b9000 r-xp 00000000 08:01 8699915    /usr/bin/patch
005b9000-005bc000 rw-p 000b9000 08:01 8699915    /usr/bin/patch
005bc000-005f0000 rw-p 005bc000 00:00 0          [heap]
2af46fb2b000-2af46fb45000 r-xp 00000000 08:01 6456809    /tools/lib/ld-2.4.so
2af46fb45000-2af46fb46000 rw-p 2af46fb45000 00:00 0
2af46fc44000-2af46fc45000 r--p 00019000 08:01 6456809    /tools/lib/ld-2.4.so
2af46fc45000-2af46fc46000 rw-p 0001a000 08:01 6456809    /tools/lib/ld-2.4.so
2af46fc46000-2af46fc4b000 r-xp 00000000 08:01 6456720    /tools/lib/libcrypt-2.4.so
2af46fc4b000-2af46fd4a000 ---p 00005000 08:01 6456720    /tools/lib/libcrypt-2.4.so
2af46fd4a000-2af46fd4b000 r--p 00004000 08:01 6456720    /tools/lib/libcrypt-2.4.so
2af46fd4b000-2af46fd4c000 rw-p 00005000 08:01 6456720    /tools/lib/libcrypt-2.4.so
2af46fd4c000-2af46fd7b000 rw-p 2af46fd4c000 00:00 0
2af46fd7b000-2af46fdfa000 r-xp 00000000 08:01 6456556    /tools/lib/libm-2.4.so
2af46fdfa000-2af46fef9000 ---p 0007f000 08:01 6456556    /tools/lib/libm-2.4.so
2af46fef9000-2af46fefa000 r--p 0007e000 08:01 6456556    /tools/lib/libm-2.4.so
2af46fefa000-2af46fefb000 rw-p 0007f000 08:01 6456556    /tools/lib/libm-2.4.so
2af46fefb000-2af47001a000 r-xp 00000000 08:01 6456035    /tools/lib/libc-2.4.so
2af47001a000-2af47011a000 ---p 0011f000 08:01 6456035    /tools/lib/libc-2.4.so
2af47011a000-2af47011e000 r--p 0011f000 08:01 6456035    /tools/lib/libc-2.4.so
2af47011e000-2af47011f000 rw-p 00123000 08:01 6456035    /tools/lib/libc-2.4.so
2af47011f000-2af470128000 rw-p 2af47011f000 00:00 0
2af470200000-2af470221000 rw-p 2af470200000 00:00 0
2af470221000-2af470300000 ---p 2af470221000 00:00 0
2af470300000-2af47030d000 r-xp 00000000 08:01 6456846    /tools/lib/libgcc_s.so.1
2af47030d000-2af47040c000 ---p 0000d000 08:01 6456846    /tools/lib/libgcc_s.so.1
2af47040c000-2af47040d000 rw-p 0000c000 08:01 6456846    /tools/lib/libgcc_s.so.1
7fff3af69000-7fff3af7f000 rw-p 7fff3af69000 00:00 0      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0  [vdso]
Aborted

BusyBox patch does not specify if it supports fuzz=2. It should not crash
in any case. I have not attempted to replicate this error on a standard 32
bit system. It is unknown whether similar behavior will occur in other
environments.
====================================================================== 

---------------------------------------------------------------------- 
 vda - 12-16-06 15:54  
---------------------------------------------------------------------- 
Attachment bbox_patch_crash.tar.bz2 seems corrupted:

/usr/bin/bzip2 -t bbox_patch_crash.tar.bz2
bzip2: bbox_patch_crash.tar.bz2: data integrity (CRC) error in data
...

# /usr/bin/bzip2 --help
bzip2, a block-sorting file compressor.  Version 1.0.2, 30-Dec-2001.
... 

---------------------------------------------------------------------- 
 vda - 12-16-06 16:02  
---------------------------------------------------------------------- 
Corrected archive is uploaded 

---------------------------------------------------------------------- 
 vda - 12-16-06 16:31  
---------------------------------------------------------------------- 
Fix:

                                                        bb_error_msg("hunk
#%d FAILED at %d", hunk_count, hunk_offset_start);
                                                        hunk_error++;
                                                        free(patch_line);
+                                                       patch_line =
NULL;
                                                        break;
                                                }
                                                free(src_line);
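Review bot: the added `patch_line = NULL;` only avoids the second free because free(NULL) is defined as a no-op, and nothing in the hunk says that is the intent; a short comment on that line (for example that patch_line is freed again after the loop) would keep the next reader from dropping it as redundant. On the same FAILED path the `break;` leaves the loop before the `free(src_line);` that the normal path reaches after the closing brace, so it is worth confirming that src_line is released on the break path as well, since the double free came from exactly this kind of ownership mismatch between the two paths.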

It doesn't crash anymore.
However, bbox patch is still failing to apply the patch, while
patch 2.5.4 succeeds:
patching file 3level.h
Hunk #1 succeeded at 202 (offset -2 lines).
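
The defect and the one-line fix above, as an added C example that is not BusyBox's code: a hypothetical model of the per-hunk loop in which the FAILED branch frees patch_line and breaks, and the cleanup after the loop frees the same pointer again. A small allocation tracker (constructed here) stands in for glibc's heap checks, so the second free shows up as a return value instead of the "double free or corruption" abort in the report. Names such as run_hunks, tracked_free and the hunk strings are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the applet's per-hunk loop (constructed for this
 * example, not BusyBox's code): the FAILED branch frees patch_line and
 * breaks, and the cleanup after the loop frees it again.  A small
 * allocation tracker stands in for glibc's heap checks so the second
 * free is reported as a count instead of an abort. */

#define MAX_LIVE 64
static void *live_blocks[MAX_LIVE];   /* blocks currently owned by the caller */
static int live_count;
static int invalid_free_count;        /* frees of a block that is not live */

/* Allocate a copy of s and record it as live. */
static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL || live_count == MAX_LIVE)
        abort();
    memcpy(p, s, n);
    live_blocks[live_count++] = p;
    return p;
}

/* Release p once.  free(NULL) is a no-op, exactly as in the C library;
 * a pointer that is not live (already freed) is counted and left alone
 * instead of corrupting the heap. */
static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < live_count; i++) {
        if (live_blocks[i] == p) {
            live_blocks[i] = live_blocks[--live_count];
            free(p);
            return;
        }
    }
    invalid_free_count++;
}

/* Walk hunk_total hunks; hunk number failing_hunk (0 = none) takes the
 * FAILED branch.  null_after_free selects the fix from the bug note.
 * Returns how many invalid (double) frees the tracker saw:
 * 1 with the bug, 0 once the pointer is cleared after free. */
int run_hunks(int hunk_total, int failing_hunk, int null_after_free)
{
    char *patch_line = NULL;
    int hunk_error = 0;

    invalid_free_count = 0;
    for (int hunk = 1; hunk <= hunk_total; hunk++) {
        patch_line = tracked_strdup("+constructed hunk line");
        if (hunk == failing_hunk) {
            hunk_error++;
            tracked_free(patch_line);
            if (null_after_free)
                patch_line = NULL;    /* the one-line fix from the note */
            break;                    /* leaves the loop with patch_line still set */
        }
        tracked_free(patch_line);     /* normal path: line consumed, pointer cleared */
        patch_line = NULL;
    }
    tracked_free(patch_line);         /* end-of-function cleanup: the second free when dangling */
    (void)hunk_error;
    return invalid_free_count;
}

int main(void)
{
    printf("bug:        invalid frees = %d\n", run_hunks(3, 2, 0));
    printf("fixed:      invalid frees = %d\n", run_hunks(3, 2, 1));
    printf("no failure: invalid frees = %d\n", run_hunks(3, 0, 0));
    return 0;
}
```

The point the model makes is that clearing the pointer is a correct fix only because free(NULL) is guaranteed to do nothing; the more robust shape is to have exactly one owner release each buffer, so that no path depends on that guarantee.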

---------------------------------------------------------------------- 
 vda - 12-16-06 16:33  
---------------------------------------------------------------------- 
Fixed in rev 16978 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
12-16-06 14:40  cziom          New Issue                                    
12-16-06 14:40  cziom          Status                   new => assigned     
12-16-06 14:40  cziom          Assigned To               => BusyBox         
12-16-06 14:40  cziom          File Added: bbox_patch_crash.tar.bz2
12-16-06 15:54  vda            Note Added: 0001870                          
12-16-06 16:01  vda            File Added: bbox_patch-p3_crash.tar.bz2
12-16-06 16:02  vda            Note Added: 0001871                          
12-16-06 16:31  vda            Note Added: 0001872                          
12-16-06 16:33  vda            Status                   assigned => closed  
12-16-06 16:33  vda            Note Added: 0001873                          
======================================================================