getaddrinfo_a stack overflow on 64bit - hardy

Bug #268195 reported by Patrick McManus on 2008-09-09
Affects Status Importance Assigned to Milestone
Fix Released
glibc (Debian)
Fix Released
glibc (Ubuntu)

Bug Description

/home/mcmanus/t/t>lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04

/home/mcmanus/t/t>apt-cache policy libc6
  Installed: 2.7-10ubuntu3
  Candidate: 2.7-10ubuntu3
  Version table:
 *** 2.7-10ubuntu3 0
        500 hardy/main Packages
        100 /var/lib/dpkg/status


I think this is an upstream bug.

This sample program crashes due to a stack overflow on a thread spawned by glibc. I am not sure if that is also true on 32bit.
 (Complile as gcc poc.c -lresolv -ldl -lpthread -lanl )

#define _GNU_SOURCE
#include <netdb.h>
#include <string.h>

    struct gaicb gb, *list[1];
    struct addrinfo hints;

    memset (&hints, 0 , sizeof (hints));
    list[0] = &gb;
    memset (&gb, 0, sizeof (gb));
    gb.ar_name = "";
    gb.ar_service = NULL;
    gb.ar_request = &hints;
    gb.ar_result = NULL;
    getaddrinfo_a (GAI_WAIT, list, 1, NULL);

    return 0;

In addition to the SEGV, valgrind reports
==21077== Process terminating with default action of signal 11 (SIGSEGV)
==21077== Bad permissions for mapped region at address 0x4023A88
==21077== at 0x57477CC: __res_vinit (res_init.c:571)
==21077== by 0x7FF0005FF: ???
==21077== by 0x802BF: ???

The following patch to libc lets the program run without error and gets valgrind a clean bill of health.

diff -ur glibc-2.7/nptl/sysdeps/pthread/gai_misc.h ../../glibc-2.7/nptl/sysdeps/pthread/gai_misc.h
--- glibc-2.7/nptl/sysdeps/pthread/gai_misc.h 2007-07-28 15:30:21.000000000 -0400
+++ ../../glibc-2.7/nptl/sysdeps/pthread/gai_misc.h 2008-09-09 11:02:59.293997492 -0400
@@ -97,7 +97,7 @@
   pthread_attr_setdetachstate (&attr, PTHREAD_CREATE_DETACHED);

   /* The helper thread needs only very little resources. */
- (void) pthread_attr_setstacksize (&attr, PTHREAD_STACK_MIN);
+ (void) pthread_attr_setstacksize (&attr, 24*1024);

   /* Block all signals in the helper thread. To do this thoroughly we
      temporarily have to block all signals here. */

The following code segfaults with at least glibc >= 2.7 (and CVS). It works
correctly with versions 2.3.X. I have tested versions in between.

#define _GNU_SOURCE

#include <string.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>

main (void)
#define N 10
  struct gaicb reqmem[N];
  struct gaicb *req[N];
  int n;

  for (n = 0; n < N; ++n)
      asprintf (&reqmem[n].ar_name, "", 140 + n);
      reqmem[n].ar_service = NULL;
      reqmem[n].ar_request = NULL;
      reqmem[n].ar_result = NULL;
      req[n] = &reqmem[n];

  getaddrinfo_a (GAI_NOWAIT, req, N, NULL);

  return 0;

Matthias Klose (doko) on 2008-09-09
Changed in glibc:
importance: Undecided → Medium
status: New → Triaged
Changed in glibc:
status: Unknown → Confirmed
Changed in glibc:
status: Unknown → Confirmed

Fixed in cvs.

Changed in glibc:
status: Confirmed → Fix Released
Changed in glibc:
importance: Unknown → Medium
Changed in glibc (Debian):
status: Confirmed → Fix Released
Adam Conrad (adconrad) on 2015-03-14
Changed in glibc (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.