long string causes segmentation fault in ypclnt.c

Bug #1922985 reported by Xinmeng Xia
Affects: glibc (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Description of problem:

In Python, nis.cat() with a long string argument will lead to a crash of the Python interpreter. But Python developers claim that it's not a bug in Python but in glibc.

The related report in Python bug tracker:
https://bugs.python.org/issue43587

Steps to Reproduce:
1. install Python 3 (CPython)
2. type the following code "import nis;nis.cat('/','abs/'*10000000)" and run it with Python

A Python example:
=====================================================
Python 3.10.0a6 (default, Mar 19 2021, 11:45:56) [GCC 7.5.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import nis;
>>> nis.cat('/','abs/'*10000000)
Segmentation fault (core dumped)
=====================================================

Attached gdb result:
>>> import nis;
>>> nis.cat('/','abs/'*10000000)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff67bccdc in yp_bind_file (ysd=0x9b03c0,
    domain=0x7ffff4192040 "abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/abs/"...) at ypclnt.c:84
84 ypclnt.c: No such file or directory.
(gdb)

Attached valgrind result:
>>> import nis
>>> nis.cat('/','abs/'*10000000)
==25360== Warning: client switching stacks? SP change: 0x1ffefff520 --> 0x1ffc9d9af8
==25360== to suppress, use: --max-stackframe=40000040 or greater
==25360== Invalid write of size 8
==25360== at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360== by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360== Address 0x1ffc9d9af8 is on thread 1's stack
==25360==
==25360==
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360== Access not within mapped region at address 0x1FFC9D9AF8
==25360== at 0x7E3FCDC: yp_bind_file (ypclnt.c:84)
==25360== by 0x7E3FCDC: __yp_bind.part.2 (ypclnt.c:179)
==25360== If you believe this happened as a result of a stack
==25360== overflow in your program's main thread (unlikely but
==25360== possible), you can try to increase the size of the
==25360== main thread stack using the --main-stacksize= flag.
==25360== The main thread stack size used in this run was 8388608.
==25360== Invalid write of size 8
==25360== at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360== Address 0x1ffc9d9af0 is on thread 1's stack
==25360==
==25360==
==25360== Process terminating with default action of signal 11 (SIGSEGV)
==25360== Access not within mapped region at address 0x1FFC9D9AF0
==25360== at 0x4A2867A: _vgnU_freeres (vg_preloaded.c:57)
==25360== If you believe this happened as a result of a stack
==25360== overflow in your program's main thread (unlikely but
==25360== possible), you can try to increase the size of the
==25360== main thread stack using the --main-stacksize= flag.
==25360== The main thread stack size used in this run was 8388608.
==25360==
==25360== HEAP SUMMARY:
==25360== in use at exit: 45,108,440 bytes in 33,832 blocks
==25360== total heap usage: 84,181 allocs, 50,349 frees, 54,298,362 bytes allocated
==25360==
==25360== LEAK SUMMARY:
==25360== definitely lost: 104 bytes in 1 blocks
==25360== indirectly lost: 0 bytes in 0 blocks
==25360== possibly lost: 44,967,758 bytes in 32,993 blocks
==25360== still reachable: 140,578 bytes in 838 blocks
==25360== suppressed: 0 bytes in 0 blocks
==25360== Rerun with --leak-check=full to see details of leaked memory
==25360==
==25360== For lists of detected and suppressed errors, rerun with: -s
==25360== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
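The valgrind warning above ("SP change ... --max-stackframe=40000040") shows the stack pointer moving by roughly the length of the 40 MB domain argument, i.e. a stack buffer in yp_bind_file is being sized from the caller-supplied domain, which exceeds the 8 MiB main-thread stack. The following is an added example, not glibc's code and not the reporter's: it shows the defensive shape a caller or library can take, validating the NIS domain name against a fixed maximum before it is used to size anything or to form a file name, and building the binding-file path on the heap. BINDING_DIR, MAX_DOMAIN_LEN (assumed to match the NIS YPMAXDOMAIN limit of 64) and the yp_* function names are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for this example; not taken from glibc. */
#define BINDING_DIR    "/var/yp/binding"
#define MAX_DOMAIN_LEN 64   /* assumption: the NIS limit (YPMAXDOMAIN in rpcsvc/yp.h) */

/* Validate a caller-supplied NIS domain name before it is used to size a
 * buffer or to form a file name under BINDING_DIR. Returns 0 when valid,
 * otherwise a negative code naming the first rule that failed. The scan is
 * bounded, so a 40 MB input costs at most MAX_DOMAIN_LEN + 1 bytes of work. */
int yp_domain_check(const char *domain)
{
    if (domain == NULL)
        return -1;
    size_t len = 0;
    while (len <= MAX_DOMAIN_LEN && domain[len] != '\0')
        len++;
    if (len == 0)
        return -2;                     /* empty domain */
    if (len > MAX_DOMAIN_LEN)
        return -3;                     /* too long: the case that crashed on the page */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)domain[i];
        if (c == '/' || c < 0x21 || c > 0x7e)
            return -4;                 /* would escape BINDING_DIR or is not printable */
    }
    return 0;
}

/* Build "<BINDING_DIR>/<domain>.<version>" on the heap after validation.
 * Returns a malloc'd string the caller frees, or NULL on rejection or OOM.
 * No stack buffer is sized from the input, so the stack cannot be exhausted
 * by the argument length. */
char *yp_binding_path(const char *domain, unsigned version)
{
    if (yp_domain_check(domain) != 0)
        return NULL;
    /* dir + '/' + domain + '.' + up to 10 decimal digits + NUL */
    size_t need = strlen(BINDING_DIR) + 1 + strlen(domain) + 1 + 10 + 1;
    char *path = malloc(need);
    if (path == NULL)
        return NULL;
    int n = snprintf(path, need, "%s/%s.%u", BINDING_DIR, domain, version);
    if (n < 0 || (size_t)n >= need) {  /* unreachable given the sizing, kept as a guard */
        free(path);
        return NULL;
    }
    return path;
}

/* Mirror the report's argument construction ('abs/' * N): `unit` repeated
 * `times` times, built on the heap, then checked. Returns the check result,
 * or -100 if the buffer could not be allocated. */
int yp_domain_check_repeated(const char *unit, size_t times)
{
    size_t ulen = strlen(unit);
    char *buf = malloc(ulen * times + 1);
    if (buf == NULL)
        return -100;
    for (size_t i = 0; i < times; i++)
        memcpy(buf + i * ulen, unit, ulen);
    buf[ulen * times] = '\0';
    int rc = yp_domain_check(buf);
    free(buf);
    return rc;
}

int main(void)
{
    char *p = yp_binding_path("example.com", 2);
    printf("ok:   %s\n", p ? p : "(rejected)");
    free(p);
    /* The report's 40 MB argument is rejected on length alone. */
    printf("long: %d\n", yp_domain_check_repeated("abs/", 10000000));
    return 0;
}
```

The length check rejects the report's input before any buffer is sized; the '/' rule is an extra hardening choice of this example, because the domain ends up as a path component under a fixed directory.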
