<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi, <br>
<br>
i just ran the test against a slight older version. I had no
problem. Three remarks:<br>
1) recompile with debug info<br>
2) use valgrind<br>
3) add a PHYSFS_deinit() to clean up. <br>
<br>
<br>
Am 01.05.2011 19:35, schrieb Patrick Matthäi:
<blockquote cite="mid:4DBD99F5.6010605@debian.org" type="cite">
<pre wrap="">Package: libphysfs1
Severity: critical
Version: 2.0.2-2
Hello,
I have just uploaded a hardened version of physfs to Debian (with
fortify source, relro, pie and stack canary enabled).
I have attached a test program of a bug submitter, with that physfs
crashs, because of a double free exception, on amd64 (but not on i386).
Save it somewhere and then run:
$ rm bug
$ mkdir -p
testdir/dirnumber{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20}
$ gcc bug.c -lphysfs -o bug
$ ./bug
=>
me@exez:~/build$ LC_ALL=C ./bug
*** glibc detected *** ./bug: double free or corruption (fasttop):
0x00000000015a13c0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ab6)[0x7fb8ffe80ab6]
/lib/libc.so.6(cfree+0x6c)[0x7fb8ffe8582c]
/usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7fb900177fd9]
./bug[0x40074b]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fb8ffe2dc4d]
./bug[0x400649]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:31 8765828
/home/me/build/bug
00600000-00601000 rw-p 00000000 08:31 8765828
/home/me/build/bug
01599000-015ba000 rw-p 00000000 00:00 0
[heap]
7fb8f8000000-7fb8f8021000 rw-p 00000000 00:00 0
7fb8f8021000-7fb8fc000000 ---p 00000000 00:00 0
7fb8ff9e2000-7fb8ff9f7000 r-xp 00000000 08:04 15343658
/lib/libgcc_s.so.1
7fb8ff9f7000-7fb8ffbf7000 ---p 00015000 08:04 15343658
/lib/libgcc_s.so.1
7fb8ffbf7000-7fb8ffbf8000 rw-p 00015000 08:04 15343658
/lib/libgcc_s.so.1
7fb8ffbf8000-7fb8ffc0f000 r-xp 00000000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7fb8ffc0f000-7fb8ffe0e000 ---p 00017000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7fb8ffe0e000-7fb8ffe0f000 rw-p 00016000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7fb8ffe0f000-7fb8fff67000 r-xp 00000000 08:04 15343758
/lib/libc-2.11.2.so
7fb8fff67000-7fb900167000 ---p 00158000 08:04 15343758
/lib/libc-2.11.2.so
7fb900167000-7fb90016b000 r--p 00158000 08:04 15343758
/lib/libc-2.11.2.so
7fb90016b000-7fb90016c000 rw-p 0015c000 08:04 15343758
/lib/libc-2.11.2.so
7fb90016c000-7fb900171000 rw-p 00000000 00:00 0
7fb900171000-7fb900192000 r-xp 00000000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7fb900192000-7fb900392000 ---p 00021000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7fb900392000-7fb900394000 r--p 00021000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7fb900394000-7fb900395000 rw-p 00023000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7fb900395000-7fb9003b3000 r-xp 00000000 08:04 24567820
/lib/ld-2.11.2.so
7fb900598000-7fb90059b000 rw-p 00000000 00:00 0
7fb9005b0000-7fb9005b2000 rw-p 00000000 00:00 0
7fb9005b2000-7fb9005b3000 r--p 0001d000 08:04 24567820
/lib/ld-2.11.2.so
7fb9005b3000-7fb9005b4000 rw-p 0001e000 08:04 24567820
/lib/ld-2.11.2.so
7fb9005b4000-7fb9005b5000 rw-p 00000000 00:00 0
7fffbfce6000-7fffbfd07000 rw-p 00000000 00:00 0
[stack]
7fffbfd3f000-7fffbfd40000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Abgebrochen
me@exez:~/build$
<=
gdb output:
=>
me@exez:~/build$ LC_ALL=C gdb ./bug
GNU gdb (GDB) 7.2-debian
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<a class="moz-txt-link-rfc2396E" href="http://gnu.org/licenses/gpl.html"><http://gnu.org/licenses/gpl.html></a>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<a class="moz-txt-link-rfc2396E" href="http://www.gnu.org/software/gdb/bugs/"><http://www.gnu.org/software/gdb/bugs/></a>...
Reading symbols from /home/me/build/bug...(no debugging symbols
found)...done.
(gdb) run
Starting program: /home/me/build/bug
*** glibc detected *** /home/me/build/bug: double free or corruption
(fasttop): 0x00000000006093c0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ab6)[0x7ffff78caab6]
/lib/libc.so.6(cfree+0x6c)[0x7ffff78cf82c]
/usr/lib/libphysfs.so.1(PHYSFS_freeList+0x29)[0x7ffff7bc1fd9]
/home/me/build/bug[0x40074b]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ffff7877c4d]
/home/me/build/bug[0x400649]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:31 8765828
/home/me/build/bug
00600000-00601000 rw-p 00000000 08:31 8765828
/home/me/build/bug
00601000-00622000 rw-p 00000000 00:00 0
[heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff742c000-7ffff7441000 r-xp 00000000 08:04 15343658
/lib/libgcc_s.so.1
7ffff7441000-7ffff7641000 ---p 00015000 08:04 15343658
/lib/libgcc_s.so.1
7ffff7641000-7ffff7642000 rw-p 00015000 08:04 15343658
/lib/libgcc_s.so.1
7ffff7642000-7ffff7659000 r-xp 00000000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7ffff7659000-7ffff7858000 ---p 00017000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7ffff7858000-7ffff7859000 rw-p 00016000 08:04 21389585
/usr/lib/libz.so.1.2.3.4
7ffff7859000-7ffff79b1000 r-xp 00000000 08:04 15343758
/lib/libc-2.11.2.so
7ffff79b1000-7ffff7bb1000 ---p 00158000 08:04 15343758
/lib/libc-2.11.2.so
7ffff7bb1000-7ffff7bb5000 r--p 00158000 08:04 15343758
/lib/libc-2.11.2.so
7ffff7bb5000-7ffff7bb6000 rw-p 0015c000 08:04 15343758
/lib/libc-2.11.2.so
7ffff7bb6000-7ffff7bbb000 rw-p 00000000 00:00 0
7ffff7bbb000-7ffff7bdc000 r-xp 00000000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7ffff7bdc000-7ffff7ddc000 ---p 00021000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7ffff7ddc000-7ffff7dde000 r--p 00021000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7ffff7dde000-7ffff7ddf000 rw-p 00023000 08:04 21390125
/usr/lib/libphysfs.so.2.0.2
7ffff7ddf000-7ffff7dfd000 r-xp 00000000 08:04 24567820
/lib/ld-2.11.2.so
7ffff7fe1000-7ffff7fe4000 rw-p 00000000 00:00 0
7ffff7ff9000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0
[vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001d000 08:04 24567820
/lib/ld-2.11.2.so
7ffff7ffd000-7ffff7ffe000 rw-p 0001e000 08:04 24567820
/lib/ld-2.11.2.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
[stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Program received signal SIGABRT, Aborted.
0x00007ffff788b165 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00007ffff788b165 in raise () from /lib/libc.so.6
#1 0x00007ffff788df70 in abort () from /lib/libc.so.6
#2 0x00007ffff78c125b in ?? () from /lib/libc.so.6
#3 0x00007ffff78caab6 in ?? () from /lib/libc.so.6
#4 0x00007ffff78cf82c in free () from /lib/libc.so.6
#5 0x00007ffff7bc1fd9 in PHYSFS_freeList (list=0x609750) at
/tmp/buildd/libphysfs-2.0.2/physfs.c:872
#6 0x000000000040074b in main ()
(gdb)
<=
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
physfs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:physfs@icculus.org">physfs@icculus.org</a>
<a class="moz-txt-link-freetext" href="http://icculus.org/mailman/listinfo/physfs">http://icculus.org/mailman/listinfo/physfs</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Christoph Nelles
E-Mail : <a class="moz-txt-link-abbreviated" href="mailto:evilazrael@evilazrael.de">evilazrael@evilazrael.de</a>
Jabber : <a class="moz-txt-link-abbreviated" href="mailto:eazrael@evilazrael.net">eazrael@evilazrael.net</a> ICQ : 78819723
PGP-Key : ID 0x424FB55B on subkeys.pgp.net
or <a class="moz-txt-link-freetext" href="http://evilazrael.net/pgp.txt">http://evilazrael.net/pgp.txt</a>
</pre>
</body>
</html>