[Tickets] [Initng] #794: Incorrect usage of va_list in event handlers causes segfault on x86_64
Initng
trac at initng.org
Fri Sep 21 19:12:05 CEST 2007
#794: Incorrect usage of va_list in event handlers causes segfault on x86_64
-----------------------------------+----------------------------------------
Reporter: dae | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Bugs in initng source | Version: initng-0.6.10
Severity: normal | Keywords:
-----------------------------------+----------------------------------------
The event type s_event_error_message_data contains a va_list. The va_list
is initialized once in initng_event.c using va_copy, and then destroyed
(using va_end) after all event handlers have been called.
The problem is that the event handlers don't do va_copy themselves before
using the va_list. Thus, the same va_list may be used several times,
depending on the number of event handlers.
This caused initng to segfault on me as soon as a warning/error message
was printed; first the cpout plugin was called, which succeeded. Then the
syslog plugin was called and crashed.
Note, the tests I have done suggest that the current usage of va_list
works on x86 (out of pure luck, really), but it does _not_ work on x86_64.
The following code snippet illustrates the problem:
#include <stdio.h>
#include <stdarg.h>

/* Mirrors s_event_error_message_data: a format string plus a va_list
 * that is shared by every handler the dispatcher calls. */
struct out_data {
    const char *fmt;
    va_list va;
};

/* The "handler": consumes out->va directly instead of a va_copy of it,
 * so every call advances the one shared argument list. */
void output(struct out_data *out)
{
    vprintf(out->fmt, out->va);
}

void foo(const char *fmt, ...)
{
    struct out_data out;
    out.fmt = fmt;
    va_start(out.va, fmt);
    output(&out);   /* first handler: sees the real arguments */
    output(&out);   /* second handler: re-reads an already consumed list */
    va_end(out.va);
}

int main(int argc, char **argv)
{
    foo("%s %d\n", "hello world", 12345678);
    return 0;
}
On x86:
$ ./foo
hello world 12345678
hello world 12345678
On x86_64:
$ ./foo
hello world 12345678
H\$�d$Hl$��L% 4195904
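The same dispatch written the way the ticket asks for, as an added example rather than initng's own code: each handler takes its own va_copy of the shared list and va_ends only that copy, so the second handler sees the same arguments as the first on x86_64 as well. err_event, handler_format and dispatch_ok are hypothetical stand-ins, not initng identifiers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for s_event_error_message_data: the format string
 * plus the va_list that initng_event.c initialised once with va_copy. */
struct err_event {
    const char *fmt;
    va_list va;
};

/* A handler must work on its own va_copy; consuming ev->va directly would
 * advance the shared list, so the next handler starts mid-argument-list
 * (which is what went wrong on x86_64 in the report). */
static int handler_format(struct err_event *ev, char *buf, size_t len)
{
    va_list ap;
    int n;
    va_copy(ap, ev->va);                 /* private copy for this handler */
    n = vsnprintf(buf, len, ev->fmt, ap);
    va_end(ap);                          /* end the copy, not the shared list */
    return n;
}

/* Deliver one event to two handlers (as cpout and syslog would be called)
 * and return 1 if both rendered exactly `expect`, 0 otherwise. */
static int dispatch_ok(const char *expect, const char *fmt, ...)
{
    struct err_event ev;
    va_list src;
    char first[128], second[128];

    ev.fmt = fmt;
    va_start(src, fmt);
    va_copy(ev.va, src);                 /* the one copy the dispatcher makes */
    handler_format(&ev, first, sizeof first);
    handler_format(&ev, second, sizeof second);
    va_end(ev.va);
    va_end(src);
    return strcmp(first, expect) == 0 && strcmp(second, expect) == 0;
}

int main(void)
{
    int ok = dispatch_ok("hello world 12345678\n",
                         "%s %d\n", "hello world", 12345678);
    printf("both handlers agree: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```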
--
Ticket URL: </ticket/794>