coredumps with insmod at xrealloc_vector()

Harald Küthe harald-tuxbox at arcor.de
Thu Aug 28 19:15:36 UTC 2008


> On Wednesday 27 August 2008 23:22, Harald Küthe wrote:
> > Hello list,
> >
> > I'm getting coredumps in bb-1.12.0 in obj_create_alloced_section at
> > xrealloc_vector at an insmod call.
> > It looks like xrealloc_vector() is assuming that the memory of
> > f->sections is quantized in steps as stated in the 2nd parameter of
> > xrealloc_vector().
> > In insmod it seems that the initial malloc of f->sections is not.
> >
> > static struct obj_section *obj_create_alloced_section_first(struct
> > obj_file *f,...)
> > ...
> >     f->sections = xrealloc(f->sections, (newidx + 1) * sizeof(sec));
> >
> > At the 1st call of xrealloc_vector() no xrealloc is done.
>
> What do you mean?
Because of the >>if (!(idx & (mask - 1)))<<, not each call to
xrealloc_vector() causes a realloc.
This implicitly assumes that the memory is large enough to hold the next
element.
But since the first allocations are not done via xrealloc_vector()
but via a "normal" call to xrealloc without that shift stuff (see
obj_create_alloced_section_first())
or an xmalloc() call in obj_load(), this might not be the case.
Then the call to xrealloc_vector() does not reallocate, but the memory is
used, which corrupts it.
The next call does a real realloc, but the memory management may be
corrupt, so the coredump occurs.

>
> > Then the 2nd 
> > call is causing a memory error/coredump. (*** glibc detected ***
> > realloc(): invalid next size: 0x10068710Aborted (core dumped))
> > When I remove "if (!(idx & (mask - 1)))" in xrealloc_vector_helper() so
> > that xrealloc is called each time, things are running.
>
> Can you instrument it like this:
>
> void* FAST_FUNC xrealloc_vector_helper(void *vector, unsigned
> sizeof_and_shift, int idx)
> {
>         int mask = 1 << (uint8_t)sizeof_and_shift;
>
> bb_error_msg("xrealloc_vector_helper(v:%p, mask:%x, sizeof:%d, idx:%d",
> vector, mask, sizeof_and_shift >> 8, idx);
>
>         if (!(idx & (mask - 1))) {
>
> rebuild it, run insmod and post the result to ml?
> --
> vda

Here are the printouts on each allocation of the vector:
insmod: obj_load(v:0x100687f0, size:56, shnum:14)
insmod: obj_create_alloced_section_first(v:0x100687f0, size:60, newidx:14)
insmod: xrealloc_vector_helper(v:0x100687f0, mask:4, sizeof:4, idx:15)
insmod: xrealloc_vector_helper: no xrealloc!
insmod: xrealloc_vector_helper(v:0x100687f0, mask:4, sizeof:4, idx:16)
Aborted (core dumped)

Regards
Harald
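
The invariant Harald describes, as an added example (not busybox code and not code from this thread): a standalone model of the helper's growth rule, plus a check that says how many elements a plain xmalloc()/xrealloc() buffer must already hold before it can be handed to xrealloc_vector() at a given index. It assumes the helper grows to idx + mask + 1 elements when it does reallocate (mask = 1 << shift); the names vec_helper, vec_grow, required_capacity, initial_alloc_is_safe, capacity_after and grown_capacity are this example's own.

```c
/*
 * Added example (not busybox code): a model of the growth rule in
 * busybox's xrealloc_vector_helper() and a check for the invariant that
 * the caller's buffer must already be sized in steps of 2^shift elements.
 * All names below are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bookkeeping for the demonstration only; the real helper keeps none. */
static size_t g_capacity_bytes;

/* Model of the helper: reallocates only when idx is a multiple of 2^shift,
 * growing to idx + 2^shift + 1 elements and zeroing the new tail. The low
 * byte of sizeof_and_shift is the shift, the rest is sizeof(vector[0]). */
static void *vec_helper(void *vector, unsigned sizeof_and_shift, int idx)
{
    int mask = 1 << (uint8_t)sizeof_and_shift;

    if (!(idx & (mask - 1))) {
        size_t elem = sizeof_and_shift >> 8;
        void *grown = realloc(vector, elem * (idx + mask + 1));
        if (!grown)
            abort();
        memset((char *)grown + elem * idx, 0, elem * (mask + 1));
        g_capacity_bytes = elem * (idx + mask + 1);
        return grown;
    }
    return vector;          /* no realloc: caller's buffer must have room */
}
#define vec_grow(v, shift, idx) \
    vec_helper((v), (sizeof((v)[0]) << 8) + (shift), (idx))

/* Elements a buffer must already hold for vec_grow(v, shift, idx) to be safe.
 * On a quantum boundary the helper reallocates itself (0 = no requirement);
 * otherwise it must have room for every index up to the next boundary. */
static int required_capacity(int shift, int idx)
{
    int mask = 1 << shift;

    if ((idx & (mask - 1)) == 0)
        return 0;
    return (idx | (mask - 1)) + 1;      /* next multiple of mask above idx */
}

/* Does a plain malloc/realloc of n_elems elements satisfy that contract
 * before the first vec_grow() call at idx? */
static int initial_alloc_is_safe(int n_elems, int shift, int idx)
{
    int need = required_capacity(shift, idx);

    return need == 0 || n_elems >= need;
}

/* Capacity the helper guarantees after growing from NULL through idx = 0..last. */
static int capacity_after(int shift, int last)
{
    int mask = 1 << shift;

    return (last & ~(mask - 1)) + mask + 1;
}

/* Grow a pointer vector from NULL to n entries through vec_grow() and report
 * the capacity in elements that the helper actually allocated. */
static int grown_capacity(int n)
{
    void **v = NULL;
    int i;

    g_capacity_bytes = 0;
    for (i = 0; i < n; i++) {
        v = vec_grow(v, 2, i);
        v[i] = v;                       /* any non-NULL marker */
    }
    free(v);
    return (int)(g_capacity_bytes / sizeof(*v));
}

int main(void)
{
    /* The sequence from the printout above: 14 sections, so 15 slots are
     * allocated by a plain realloc, then xrealloc_vector(..., 2, 15) runs. */
    int plain_slots = 15, shift = 2, idx = 15;

    printf("vec_grow at idx %d with only %d slots: %s (needs %d)\n",
           idx, plain_slots,
           initial_alloc_is_safe(plain_slots, shift, idx) ? "safe" : "UNSAFE",
           required_capacity(shift, idx));
    printf("growing idx 0..14 through vec_grow gives %d slots (expected %d)\n",
           grown_capacity(15), capacity_after(shift, 14));
    return 0;
}
```

With the numbers from the printout (mask 4, 15 slots from the plain realloc, first vector call at idx 15) the check reports the buffer as unsafe: the call at idx 15 does not reallocate, so it needs 16 slots, and the write to element 15 lands one past the allocation, which is exactly where the glibc "invalid next size" abort on the following realloc comes from. Either the initial allocation has to be made through the vector helper (so it is already quantized) or it has to be rounded up to what required_capacity() returns.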
