Crash in gethostbyname() on concurrent usage

Erik mail654 at gmx.de
Wed Dec 12 13:17:18 UTC 2012


Hi,

[Please keep me on CC:, I'm not subscribed]

I'm working with current uClibc on a system with 2 CPU cores and had problems
with the gethostbyname() function when several threads use it at the same time.

Concurrent use of gethostbyname() (uClibc-9.32.1) by at least two threads
can cause a crash in resolv.c : __read_etc_hosts_r(). The crash occurs
independently of the "resolve" result.
The root cause is a NULL pointer dereference in strcasecmp().

Tool chain:

- uClibc-9.32.1
- Broadcom: stbgcc-4.5.3-2.4
- mipsel


Crash in function:

__read_etc_hosts_r(...)
...

    /* <ip>[[:space:]][<aliases>] */
    while (config_read(parser, &tok, MAXTOKENS, MINTOKENS, "# \t", PARSE_NORMAL)) {
        result_buf->h_aliases = alias = host_aliases = tok+1;
        if (action == GETHOSTENT) {
            /* Return whatever the next entry happens to be. */
            break;
        }
        if (action == GET_HOSTS_BYADDR) {
            if (strcmp(name, *tok) != 0)
                continue;
        } else { /* GET_HOSTS_BYNAME */
            while (*alias) {
                if (strcasecmp(name, *(alias++)) == 0) /* edit: *alias == 0x0 = s2 -> crash */
                    goto found;
            }
            continue;
        }
...


Backtrace:

(gdb) bt full
#0  *__GI_strcasecmp (s1=0x1271e40 "/", s2=0x0) at libc/string/strcasecmp.c:58
        r = 0
#1  0x75fc46dc in __read_etc_hosts_r (parser=0x1a1b868, name=0x1271e40 "/",
type=2, action=GET_HOSTS_BYNAME, result_buf=0x7602fd80, buf=0x7602fd94
"\304\375\002v\314\375\002v", buflen=440, result=0x444cfd98, 
h_errnop=0x444d0938)
    at libc/inet/resolv.c:1653
        alias = 0x7602fd9c
        host_aliases = 0x7602fd98
        tok = 0x7602fd94
        h_addr0 = 0x0
        aliaslen = 48
        ret = 1
#2  0x75fc7768 in __get_hosts_byname_r (name=0x1271e40 "/", type=2,
result_buf=0x7602fd80, buf=0x7602fd94 "\304\375\002v\314\375\002v", buflen=440,
result=0x444cfd98, h_errnop=0x444d0938) at libc/inet/resolv.c:1719
No locals.
#3  0x75fc7f10 in *(int0_t, long double) (name=0x1271e40 "/",
result_buf=0x7602fd80, buf=0x7602fd94 "\304\375\002v\314\375\002v", buflen=440,
result=0x444cfd98, h_errnop=0x444d0938) at libc/inet/resolv.c:2026
        old_errno = 11
        packet = 0x0
        a = {dotted = 0x0, atype = 0, aclass = 0, ttl = 0, rdlength = 0, rdata =
0x0, rdoffset = 0, buf = 0x0, buflen = 0, add_count = 0}
        i = 0
        wrong_af = 0
#4  0x75fc8178 in *(int0_t, long double) (name=0x1271e40 "/", family=2,
result_buf=0x7602fd80, buf=0x7602fd94 "\304\375\002v\314\375\002v", buflen=440,
result=0x444cfd98, h_errnop=0x444d0938) at libc/inet/resolv.c:2239
        in = 0x32
        addr_list = 0x0
        packet = 0x444d04c0 "\001"
        a = {dotted = 0x7602b21c "", atype = 0, aclass = 1, ttl = 0, rdlength =
1979888156, rdata = 0x2 <Address 0x2 out of bounds>, rdoffset = 1, buf = 0x2
<Address 0x2 out of bounds>, buflen = 2, add_count = 0}
        i = 0
        nest = 0
        wrong_af = 0
#5  0x75fc88f4 in *__GI_gethostbyname2 (name=0x1271e40 "/", family=2) at
libc/inet/resolv.c:2623
        hoste = {h_name = 0x7602fdcc "ip6-localnet\t", h_aliases = 0x7602fd98,
h_addrtype = 0, h_length = 0, h_addr_list = 0x7602fdac}
        buf = "\304\375\002v\314\375\002v", '\000' <repeats 16 times>"\264,
\375\002v", '\000' <repeats 20 times>,
"fe00::0\000ip6-localnet\t\000localhost\000ip6-loopback", '\000' <repeats 347 
times>
        hp = 0x0
#6  0x75fc8864 in *__GI_gethostbyname (name=0x1271e40 "/") at
libc/inet/resolv.c:2649
No locals.
#7  0x0090f12c in _fTaskOne (argc=1, argv=0x0) at test_apps_gethostbyname.c:162
        i = 9
        j = 8
        pstHt = 0x0
        uwEvent = 1
#8  0x0062faf4 in _task_entry (data=0x1a1bfa0) at posix_oslayer.c:1085
        pstTask = 0x1a1bfa0
        taskHdl = 27377568
        __FUNCTION__ = "_task_entry"
#9  0x76189758 in sem_open () from /lib/libpthread.so.0



Has anybody already faced this problem?
Is there a solution available?



Thank you in advance,

Erik
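Added example, not uClibc code and not part of Erik's mail: the backtrace above shows strcasecmp() called with s2=0x0 from the alias loop of a hosts lookup, which is the kind of failure a reentrant lookup is built to rule out. The usual application-side mitigation is to use the reentrant gethostbyname_r() or getaddrinfo() instead of gethostbyname(), whose result points at storage the caller does not own. The snippet below shows the pattern those APIs rely on, in plain C: every buffer belongs to the calling thread, and the alias vector is NULL-terminated before the strcasecmp() loop runs, so concurrent callers cannot observe each other's half-written token arrays. The hosts text, the function names and the thread workload are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

#define MAXTOKENS 8
#define MAXLINE 128

/* Constructed stand-in for /etc/hosts in "<ip>[[:space:]][<aliases>]" form. */
static const char *const HOSTS_TEXT =
    "127.0.0.1\tlocalhost\n"
    "::1\tip6-localhost ip6-loopback\n"
    "# a comment line, skipped by the parser\n"
    "fe00::0\tip6-localnet\n"
    "10.0.0.5\tbuild-box builder\n";

/* Copy one line into the caller's buffer and split it into a NULL-terminated
 * token vector. Returns the token count (0 for blank or comment lines, or for
 * a line too long for the buffer). */
static int split_line(const char *line, size_t len, char *buf, size_t buflen,
                      char *tok[MAXTOKENS + 1])
{
    int n = 0;
    char *save = NULL;

    tok[0] = NULL;                 /* vector is valid even on early return */
    if (len >= buflen)
        return 0;
    memcpy(buf, line, len);
    buf[len] = '\0';
    char *hash = strchr(buf, '#'); /* drop trailing comment */
    if (hash)
        *hash = '\0';
    for (char *p = strtok_r(buf, " \t", &save);
         p != NULL && n < MAXTOKENS;
         p = strtok_r(NULL, " \t", &save))
        tok[n++] = p;
    tok[n] = NULL;                 /* sentinel the alias loop relies on */
    return n;
}

/* Reentrant lookup: matches name case-insensitively against the canonical
 * name and every alias, copies the address text into out and returns 1;
 * returns 0 when no entry matches. No static storage is touched. */
int hosts_lookup_r(const char *text, const char *name, char *out, size_t outlen)
{
    char linebuf[MAXLINE];         /* per-call, so threads never share it */
    char *tok[MAXTOKENS + 1];
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int n = split_line(p, len, linebuf, sizeof linebuf, tok);

        p = nl ? nl + 1 : p + len;
        if (n < 2)
            continue;              /* need an address plus at least one name */
        for (char **alias = tok + 1; *alias != NULL; alias++) {
            if (strcasecmp(name, *alias) == 0) {   /* *alias is never NULL here */
                snprintf(out, outlen, "%s", tok[0]);
                return 1;
            }
        }
    }
    return 0;
}

/* Convenience check: does name resolve to expect (NULL = expected to miss)? */
int lookup_is(const char *name, const char *expect)
{
    char addr[64];
    if (!hosts_lookup_r(HOSTS_TEXT, name, addr, sizeof addr))
        return expect == NULL;
    return expect != NULL && strcmp(addr, expect) == 0;
}

/* Worker: hammer the lookup from one thread using only its own buffers. */
struct job { const char *name; int hits; };

static void *worker(void *arg)
{
    struct job *j = arg;
    char addr[64];
    for (int i = 0; i < 10000; i++)
        j->hits += hosts_lookup_r(HOSTS_TEXT, j->name, addr, sizeof addr);
    return NULL;
}

int main(void)
{
    struct job jobs[] = { {"localhost", 0}, {"IP6-LOOPBACK", 0},
                          {"builder", 0},   {"no-such-host", 0} };
    pthread_t th[4];

    for (int i = 0; i < 4; i++)
        pthread_create(&th[i], NULL, worker, &jobs[i]);
    for (int i = 0; i < 4; i++)
        pthread_join(th[i], NULL);
    for (int i = 0; i < 4; i++)
        printf("%-14s %d/10000 hits\n", jobs[i].name, jobs[i].hits);
    return 0;
}
```

Build with `cc -pthread example.c` and run it; the three real names should each report 10000 hits and the unknown name 0, however many cores the threads land on. The point is the ownership model: the token vector, the line buffer and the output buffer are all on the caller's stack, and the sentinel is written before the alias loop can read it, which is exactly the invariant the crashing frame (s2=0x0) shows being violated.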