long string causes segmentation fault in ypclnt.c

Bug #1922985 reported by Xinmeng Xia on 2021-04-08
Affects          Status   Importance   Assigned to   Milestone
glibc (Ubuntu)   -        Undecided    Unassigned    -

Bug Description

Description of problem:

In Python, nis.cat() with a long string argument will lead to a crash of the Python interpreter. But Python developers claim that it's not a bug in Python but in glibc.

The related report in Python bug tracker:
https://bugs.python.org/issue43587

Steps to Reproduce:
1. install Python 3 (CPython)
2. type the following code "import nis;nis.cat('/','abs/'*10000000)" and run it with Python

A Python example:
=====================================================
Python 3.10.0a6 (default, Mar 19 2021, 11:45:56) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nis;
>>> nis.cat('/','abs/'*10000000)
Segmentation fault (core dumped)
=====================================================

Attached gdb result:
>>> import nis;
>>> nis.cat('/','abs/'*10000000)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff67bccdc in yp_bind_file (ysd=0x9b03c0,
    domain=0x7ffff4192040 "abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/"...) at ypclnt.c:84
84 ypclnt.c: No such file or directory.
(gdb)

Attached valgrind result:
>>> import nis
>>> nis.cat('/','abs/'*10000000)
==25360== Warning: client switching stacks? SP change: 0x1ffefff520 --> 0x1ffc9d9af8
==25360== to suppress, use: --max-stackframe=40000040 or greater
==25360== Invalid write of size 8
==25360== at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360== by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360== Address 0x1ffc9d9af8 is on thread 1's stack
==25360==
==25360==
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360== Access not within mapped region at address 0x1FFC9D9AF8
==25360== at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360== by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360== If you believe this happened as a result of a stack
==25360== overflow in your program's main thread (unlikely but
==25360== possible), you can try to increase the size of the
==25360== main thread stack using the --main-stacksize= flag.
==25360== The main thread stack size used in this run was 8388608.
==25360== Invalid write of size 8
==25360== at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360== Address 0x1ffc9d9af0 is on thread 1's stack
==25360==
==25360==
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360== Access not within mapped region at address 0x1FFC9D9AF0
==25360== at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360== If you believe this happened as a result of a stack
==25360== overflow in your program's main thread (unlikely but
==25360== possible), you can try to increase the size of the
==25360== main thread stack using the --main-stacksize= flag.
==25360== The main thread stack size used in this run was 8388608.
==25360==
==25360== HEAP SUMMARY:
==25360== in use at exit: 45,108,440 bytes in 33,832 blocks
==25360== total heap usage: 84,181 allocs, 50,349 frees, 54,298,362 bytes allocated
==25360==
==25360== LEAK SUMMARY:
==25360== definitely lost: 104 bytes in 1 blocks
==25360== indirectly lost: 0 bytes in 0 blocks
==25360== possibly lost: 44,967,758 bytes in 32,993 blocks
==25360== still reachable: 140,578 bytes in 838 blocks
==25360== suppressed: 0 bytes in 0 blocks
==25360== Rerun with --leak-check=full to see details of leaked memory
==25360==
==25360== For lists of detected and suppressed errors, rerun with: -s
==25360== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
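The valgrind output above ("client switching stacks? SP change ... --max-stackframe=40000040") shows the failure mode: a roughly 40 MB domain string supplied by the caller is accepted and a stack object is sized from it in yp_bind_file, so the stack is blown and the process dies with SIGSEGV. The following is an added example, not code from this report, from Python or from glibc. It shows the defensive shape such a path builder should have: validate the caller-supplied domain name against a fixed bound before it sizes or fills anything, and write into a caller-bounded buffer with snprintf so an oversized input becomes an error return instead of a crash. The binding directory /var/yp/binding and the 64-byte domain limit are assumptions for the example, as is every function name in it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this example: the binding directory and the maximum NIS
 * domain length. Neither value is taken from the bug report. */
#define BINDING_DIR "/var/yp/binding"
#define MAX_DOMAIN_LEN 64

/* Return codes shared by the functions below. */
enum { BP_OK = 0, BP_EMPTY = -1, BP_TOO_LONG = -2, BP_BAD_CHAR = -3,
       BP_TRUNCATED = -4, BP_NOMEM = -5 };

/* Validate a caller-supplied NIS domain name before it is used to size
 * or fill any buffer. Bounding the length here is what turns the
 * report's 40 MB input into an error return instead of a stack overflow. */
int validate_domain(const char *domain)
{
    if (domain == NULL || domain[0] == '\0')
        return BP_EMPTY;
    /* strnlen stops scanning at the limit, so a huge string costs O(limit),
     * not O(strlen(domain)). */
    if (strnlen(domain, MAX_DOMAIN_LEN + 1) > MAX_DOMAIN_LEN)
        return BP_TOO_LONG;
    /* The domain becomes a path component; never let it carry a separator. */
    if (strchr(domain, '/') != NULL)
        return BP_BAD_CHAR;
    return BP_OK;
}

/* Build "<BINDING_DIR>/<domain>.<vers>" into a fixed-size caller buffer.
 * The output size is bounded by the caller, never by the input, and
 * snprintf reports truncation instead of writing past the end. */
int build_binding_path(char *out, size_t outsz, const char *domain, unsigned vers)
{
    int rc = validate_domain(domain);
    if (rc != BP_OK)
        return rc;
    int n = snprintf(out, outsz, "%s/%s.%u", BINDING_DIR, domain, vers);
    if (n < 0 || (size_t)n >= outsz)
        return BP_TRUNCATED;
    return BP_OK;
}

/* Test helper: does the path built for (domain, vers) equal expected? */
int binding_path_matches(const char *domain, unsigned vers, const char *expected)
{
    char buf[256];
    if (build_binding_path(buf, sizeof buf, domain, vers) != BP_OK)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Mirror the report's 'abs/' * N construction on the heap and validate it.
 * The string is built with a known size and freed; only the verdict is kept. */
int validate_repeated_domain(const char *piece, size_t times)
{
    size_t plen = strlen(piece);
    char *s = malloc(plen * times + 1);
    if (s == NULL)
        return BP_NOMEM;
    for (size_t i = 0; i < times; i++)
        memcpy(s + plen * i, piece, plen);
    s[plen * times] = '\0';
    int rc = validate_domain(s);
    free(s);
    return rc;
}

int main(void)
{
    char path[256];
    /* A well-formed domain succeeds and yields a bounded path. */
    printf("example.com: rc=%d\n", build_binding_path(path, sizeof path, "example.com", 2));
    printf("  -> %s\n", path);
    /* A constructed input shaped like the report's argument is rejected
     * long before any buffer is sized from it. */
    printf("'abs/' * 10000: rc=%d\n", validate_repeated_domain("abs/", 10000));
    return 0;
}
```

The check runs in O(MAX_DOMAIN_LEN) regardless of input size, and the rejected-with-a-slash case matters independently of length: a domain name that reaches the path builder unvalidated is also a path component under /var/yp/binding.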
