Bug #405

A strncmp call seems to be causing random occurrences of buffer overflow

Added by Göran Wallin over 9 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Erik Lindahl
Category:
mdrun
Target version:
Affected version - extra info:
Affected version:
Difficulty:
uncategorized

Description

Created an attachment (id=445)
'valgrind -v g_mdrun' output when Gromacs runs

N.B. Reported to packager, now moved to upstream. See https://bugzilla.redhat.com/show_bug.cgi?id=563629

Description of problem:
After installation of the Gromacs package on Fedora 11, all of the tested binaries crash with buffer overflow.

Steps to Reproduce and actual results:
$ sudo yum install gromacs
(Showing only g_luck here, but this happens with all binaries.)

$ g_luck
*** buffer overflow detected ***: g_luck terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3a84cf7507]
/lib64/libc.so.6[0x3a84cf5560]
/lib64/libc.so.6[0x3a84cf4407]
/usr/lib64/libgmx.so.5(get_libdir+0x24f)[0x3a8903a63f]
/usr/lib64/libgmx.so.5(low_libfn+0x18c)[0x3a8903aeec]
/usr/lib64/libgmx.so.5(low_libopen+0x15)[0x3a8903af55]
/usr/lib64/libgmx.so.5[0x3a89030942]
/usr/lib64/libgmx.so.5(cool_quote+0x6e)[0x3a89030a8e]
/usr/lib64/libgmx.so.5(thanx+0x36)[0x3a89030d16]
g_luck[0x40098b]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3a84c1ea4d]
g_luck[0x4007c9]
======= Memory map: ========
00400000-00401000 r-xp 00000000 08:03 1369963 /usr/bin/g_luck
00600000-00604000 rw-p 00000000 08:03 1369963 /usr/bin/g_luck
02039000-0205a000 rw-p 00000000 00:00 0 [heap]
3a84800000-3a8481f000 r-xp 00000000 08:03 2048013 /lib64/ld-2.10.2.so
3a84a1e000-3a84a1f000 r--p 0001e000 08:03 2048013 /lib64/ld-2.10.2.so
3a84a1f000-3a84a20000 rw-p 0001f000 08:03 2048013 /lib64/ld-2.10.2.so
3a84c00000-3a84d64000 r-xp 00000000 08:03 2048025 /lib64/libc-2.10.2.so
3a84d64000-3a84f64000 ---p 00164000 08:03 2048025 /lib64/libc-2.10.2.so
3a84f64000-3a84f68000 r--p 00164000 08:03 2048025 /lib64/libc-2.10.2.so
3a84f68000-3a84f69000 rw-p 00168000 08:03 2048025 /lib64/libc-2.10.2.so
3a84f69000-3a84f6e000 rw-p 00000000 00:00 0
3a85000000-3a85082000 r-xp 00000000 08:03 2051801 /lib64/libm-2.10.2.so
3a85082000-3a85281000 ---p 00082000 08:03 2051801 /lib64/libm-2.10.2.so
3a85281000-3a85282000 r--p 00081000 08:03 2051801 /lib64/libm-2.10.2.so
3a85282000-3a85283000 rw-p 00082000 08:03 2051801 /lib64/libm-2.10.2.so
3a85400000-3a85402000 r-xp 00000000 08:03 2048173 /lib64/libdl-2.10.2.so
3a85402000-3a85602000 ---p 00002000 08:03 2048173 /lib64/libdl-2.10.2.so
3a85602000-3a85603000 r--p 00002000 08:03 2048173 /lib64/libdl-2.10.2.so
3a85603000-3a85604000 rw-p 00003000 08:03 2048173 /lib64/libdl-2.10.2.so
3a85800000-3a85817000 r-xp 00000000 08:03 2051800 /lib64/libpthread-2.10.2.so
3a85817000-3a85a16000 ---p 00017000 08:03 2051800 /lib64/libpthread-2.10.2.so
3a85a16000-3a85a17000 r--p 00016000 08:03 2051800 /lib64/libpthread-2.10.2.so
3a85a17000-3a85a18000 rw-p 00017000 08:03 2051800 /lib64/libpthread-2.10.2.so
3a85a18000-3a85a1c000 rw-p 00000000 00:00 0
3a85c00000-3a85c15000 r-xp 00000000 08:03 2051809 /lib64/libz.so.1.2.3
3a85c15000-3a85e14000 ---p 00015000 08:03 2051809 /lib64/libz.so.1.2.3
3a85e14000-3a85e15000 rw-p 00014000 08:03 2051809 /lib64/libz.so.1.2.3
3a86000000-3a8601a000 r-xp 00000000 08:03 500341 /usr/lib64/libxcb.so.1.1.0
3a8601a000-3a8621a000 ---p 0001a000 08:03 500341 /usr/lib64/libxcb.so.1.1.0
3a8621a000-3a8621b000 rw-p 0001a000 08:03 500341 /usr/lib64/libxcb.so.1.1.0
3a86400000-3a86402000 r-xp 00000000 08:03 500340 /usr/lib64/libXau.so.6.0.0
3a86402000-3a86601000 ---p 00002000 08:03 500340 /usr/lib64/libXau.so.6.0.0
3a86601000-3a86602000 rw-p 00001000 08:03 500340 /usr/lib64/libXau.so.6.0.0
3a86800000-3a86934000 r-xp 00000000 08:03 500342 /usr/lib64/libX11.so.6.2.0
3a86934000-3a86b33000 ---p 00134000 08:03 500342 /usr/lib64/libX11.so.6.2.0
3a86b33000-3a86b39000 rw-p 00133000 08:03 500342 /usr/lib64/libX11.so.6.2.0
3a86c00000-3a86c1d000 r-xp 00000000 08:03 2171182
Avbruten (SIGABRT)

However, running in gdb all binaries work as they should.

$ gdb g_luck
GNU gdb (GDB) Fedora (6.8.50.20090302-40.fc11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
(gdb) run
Starting program: /usr/bin/g_luck
[Thread debugging using libthread_db enabled]

gcq#84: "I Don't Want to Calm Down" (Throwing Muses)

Program exited normally.
(gdb)


Version-Release number of selected component (if applicable):
gromacs.x86_64-4.0.4-2.f11

How reproducible:
Crash occurs haphazardly and might happen in one invocation of a shell but not the other, when logged in as an ordinary user but not root, etc.

Additional info:
Though the crash can't be captured by gdb, Valgrind will see it. I'm attaching the output from Valgrind when Gromacs runs normally and when crashing (on the same system with the same binaries and libraries). Here's an excerpt.

=====================================
Valgrind -v output when Gromacs fails
=====================================

(...)
--(removed)-- REDIR: 0x3a84c7fae0 (strncmp) redirected to 0x4a08020 (strncmp)
--(removed)-- Reading syms from /lib64/libgcc_s-4.4.1-20090729.so.1 (0x3a8f800000)
--(removed)-- Reading debug info from /usr/lib/debug/lib64/libgcc_s-4.4.1-20090729.so.1.debug ..
(removed)
(removed) Process terminating with default action of signal 6 (SIGABRT)
(removed) at 0x3A84C33275: raise (in /lib64/libc-2.10.2.so)
(removed) by 0x3A84C34A54: abort (in /lib64/libc-2.10.2.so)
(removed) by 0x3A84C6FB5A: __libc_message (in /lib64/libc-2.10.2.so)
(removed) by 0x3A84CF7506: __fortify_fail (in /lib64/libc-2.10.2.so)
(removed) by 0x3A84CF555F: __chk_fail (in /lib64/libc-2.10.2.so)
(removed) by 0x3A84CF4406: __strcat_chk (in /lib64/libc-2.10.2.so)
(removed) by 0x4F0DD9E: get_libdir (string3.h:145)
(removed) by 0x4F0E633: low_libfn (futil.c:505)
(removed) by 0x4F0E6AC: low_libopen (futil.c:543)
(removed) by 0x4F03F61: pukeit (copyrite.c:151)
(removed) by 0x4F04160: bromacs (copyrite.c:173)
(removed) by 0x4F041E0: CopyRight (copyrite.c:221)
--(removed)-- REDIR: 0x3a84c7bf20 (free) redirected to 0x4a06270 (free)
--(removed)-- Discarding syms at 0x3a8f802910-0x3a8f816418 in /lib64/libgcc_s-4.4.1-20090729.so.1 due to munmap()

====================================
Valgrind -v output when Gromacs runs
====================================

(...)
--(removed)-- REDIR: 0x3a84c7fae0 (strncmp) redirected to 0x4a08020 (strncmp)
--(removed)-- REDIR: 0x3a84c7bf20 (free) redirected to 0x4a06270 (free)
--(removed)-- REDIR: 0x3a84c80e20 (memchr) redirected to 0x4a08180 (memchr)
--(removed)-- REDIR: 0x3a84c85370 (rawmemchr) redirected to 0x4a08d70 (rawmemchr)
--(removed)-- REDIR: 0xffffffffff600400 (???) redirected to 0x3803c8bd (vgPlain_amd64_linux_REDIR_FOR_vtime)
--(removed)-- REDIR: 0x3a84c7fbb0 (strncpy) redirected to 0x4a07ed0 (strncpy)
Good ROcking Metal Altar for Chronical Sinners

:-)  VERSION 4.0.4  (-:
Written by David van der Spoel, Erik Lindahl, Berk Hess, and others.
Copyright (c) 1991-2000, University of Groningen, The Netherlands.
Copyright (c) 2001-2008, The GROMACS development team,
check out http://www.gromacs.org for more information.
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
:-)  g_mdrun  (-:

It seems like a strncmp call is causing a random buffer overflow.

Please advise?

valgrind_output_when_gromacs_runs (15.1 KB) valgrind_output_when_gromacs_runs 'valgrind -v g_mdrun' output when Gromacs runs Göran Wallin, 04/07/2010 07:31 PM
valgrind_output_when_gromacs_runs (15.1 KB) valgrind_output_when_gromacs_runs 'valgrind -v g_mdrun' output when Gromacs crashes Göran Wallin, 04/07/2010 07:32 PM

History

#1 Updated by Göran Wallin over 9 years ago

Created an attachment (id=446)
'valgrind -v g_mdrun' output when Gromacs crashes

#2 Updated by Berk Hess over 9 years ago

This problem is due to one or two bugs in the Gromacs library path detection
that have already been fixed in 4.0.5.

Berk
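The Valgrind stack in the report places the abort in __strcat_chk called from get_libdir (string3.h:145, futil.c:505): glibc's _FORTIFY_SOURCE wrapper for strcat detected that a concatenated library path would not fit its destination buffer and terminated the process. The "REDIR: ... (strncmp)" line just above it is Valgrind's own function-redirection notice, not part of the stack. Berk's reply attributes the bug to the library path detection. The following example is added here and is not GROMACS code; it shows, under constructed inputs, the unchecked strcat pattern that fortification catches next to a bounds-checked join that reports the overflow instead of aborting. The function names, the EXAMPLE_LIBDIR variable, the default directory and the 64-byte buffer size are all assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size path buffer, deliberately small so the overflow
 * case is easy to reach with a constructed input. */
#define LIBPATH_MAX 64

/* The unsafe pattern (for contrast only): unbounded strcat into a fixed
 * buffer. Built with _FORTIFY_SOURCE, glibc routes this through
 * __strcat_chk, which aborts with "buffer overflow detected" when the
 * result would not fit; without fortification the overflow is silent.
 * Called below only with an input known to fit. */
static void libpath_unchecked(char *dest, const char *dir, const char *file)
{
    strcpy(dest, dir);
    strcat(dest, "/");
    strcat(dest, file);
}

/* Bounds-checked join: writes "dir/file" into dest (capacity destsz).
 * Returns 0 on success. If the result would not fit, returns -1 with
 * errno = ENAMETOOLONG and leaves dest as "", so a caller that ignores
 * the return value still cannot open a half-built path. */
int join_libpath(char *dest, size_t destsz, const char *dir, const char *file)
{
    size_t need;

    if (dest == NULL || destsz == 0 || dir == NULL || file == NULL) {
        errno = EINVAL;
        return -1;
    }
    need = strlen(dir) + 1 + strlen(file) + 1;   /* dir + '/' + file + NUL */
    if (need > destsz) {
        dest[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    snprintf(dest, destsz, "%s/%s", dir, file);  /* already known to fit */
    return 0;
}

/* Library-directory lookup in the usual style: an environment variable
 * overrides a compiled-in default. The variable name (EXAMPLE_LIBDIR) and
 * the default directory are placeholders, not GROMACS's real settings.
 * Because env_dir comes from the user's environment, its length differs
 * between shells and users, which is how a length-dependent overflow can
 * appear to strike haphazardly. */
int resolve_lib_file(char *dest, size_t destsz, const char *env_dir, const char *file)
{
    const char *dir = (env_dir != NULL) ? env_dir : "/usr/share/example/top";
    return join_libpath(dest, destsz, dir, file);
}

int main(void)
{
    char buf[LIBPATH_MAX];
    char long_dir[3 * LIBPATH_MAX];

    /* Constructed input: a directory name longer than the whole buffer. */
    memset(long_dir, 'x', sizeof long_dir - 1);
    long_dir[sizeof long_dir - 1] = '\0';

    if (resolve_lib_file(buf, sizeof buf, getenv("EXAMPLE_LIBDIR"), "residues.dat") == 0)
        printf("ok:   %s\n", buf);
    else
        printf("fail: library path too long (errno %d)\n", errno);

    if (resolve_lib_file(buf, sizeof buf, long_dir, "residues.dat") != 0)
        printf("fail: constructed %zu-byte directory rejected (errno %d)\n",
               strlen(long_dir), errno);

    libpath_unchecked(buf, "/tmp", "short.dat");   /* fits, so safe here */
    printf("ok:   %s\n", buf);
    return 0;
}
```

The checked join computes the required size before writing, so the decision is made once and explicitly rather than left to the fortified wrapper at the last strcat; the empty-string-on-failure convention means a caller that does not test the return value fails closed instead of opening a truncated path.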
