Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Vincent Lefevre
On 2021-09-15 17:34:01 +0200, Vincent Lefevre wrote:
> On 2021-09-15 17:05:42 +0200, Paul Zimmermann wrote:
> > Sorry, the test_dummy2.save is attached. It was generated by (under /bin/sh,
> > not /bin/bash):
> > 
> > echo -e "\n\r\n\r# this is a comment line and should be ignored" > test_dummy2.save
> 
> I can reproduce the segfault only with a 32-bit ABI.
> 
> read(3, "-e \n\r\n\r# this is a comment line "..., 4096) = 54
> mmap2(NULL, 224735232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xea604000
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xca604012} ---
> 
> If I understand correctly, the read system call comes from the initial
> fread() to get the size, and the mmap2 comes from the allocation.

In mpz/inp_raw.c, I think that abs_csize*8 yields an integer overflow
on large sizes.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
___
gmp-bugs mailing list
gmp-bugs@gmplib.org
https://gmplib.org/mailman/listinfo/gmp-bugs
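The thread's diagnosis, as an added example (not code from the thread or from GMP): a stand-alone C program that decodes the 4-byte size field in the way GMP's documented mpz_out_raw format prescribes (big-endian, two's complement, sign of the number in the sign of the field) and contrasts the unchecked limb computation, which wraps on a 32-bit ABI, with a checked version that rejects the header before any allocation or fread. The sample bytes are constructed to match the start of test_dummy2.save as shown in the strace output quoted in the thread; the function names are mine, and the 32-bit arithmetic is emulated with uint32_t so the wrap can be observed on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample: the 51 bytes of a file produced by
   `echo -e "..." > test_dummy2.save` under a shell whose echo does not
   understand -e, matching the read() shown in the thread's strace. */
static const unsigned char SAMPLE_FILE[] =
    "-e\n\n# this is a comment line and should be ignored\n";
#define SAMPLE_LEN (sizeof SAMPLE_FILE - 1)

/* Constructed header for the value -2 (two magnitude bytes, negative sign). */
static const unsigned char NEG_HEADER[4] = { 0xff, 0xff, 0xff, 0xfe };

/* Decode the 4-byte big-endian two's-complement size field that mpz_out_raw
   writes before the magnitude bytes.  The sign gives the number's sign, the
   magnitude is the byte count that follows. */
static int32_t raw_size_field(const unsigned char b[4])
{
    uint32_t u = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
               | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    return (int32_t)u;   /* reinterpret the bit pattern as signed */
}

/* |v| as an unsigned 32-bit value (correct for INT32_MIN too). */
static uint32_t abs_u32(int32_t v)
{
    return v < 0 ? 0u - (uint32_t)v : (uint32_t)v;
}

/* Limb count computed the way an unchecked 32-bit build does it:
   multiply the byte count by 8 in 32-bit arithmetic, then round up to
   32-bit limbs.  Once abs_csize >= 2^29 the multiplication wraps, and the
   buffer sized from this value is far smaller than the fread() that follows. */
static uint32_t limbs_unchecked_32(uint32_t abs_csize)
{
    uint32_t bits = abs_csize * 8u;   /* wraps modulo 2^32 */
    return (bits + 31u) / 32u;
}

/* Checked variant: return the limb count only if the bit count cannot wrap
   and the stream still holds abs_csize bytes; otherwise return 0, which the
   caller treats as "reject before allocating". */
static uint32_t limbs_checked_32(uint32_t abs_csize, uint64_t bytes_available)
{
    if (abs_csize > UINT32_MAX / 8u)      /* abs_csize * 8 would wrap */
        return 0;
    if (abs_csize > bytes_available)      /* claims more than the file holds */
        return 0;
    return (abs_csize * 8u + 31u) / 32u;
}

/* Helpers over the constructed sample: the size field is the first 4 bytes,
   everything after it is what a subsequent fread() could still obtain. */
static int32_t  sample_size_field(void)      { return raw_size_field(SAMPLE_FILE); }
static uint64_t sample_bytes_available(void) { return SAMPLE_LEN - 4; }

int main(void)
{
    int32_t  csize = sample_size_field();
    uint32_t abs_csize = abs_u32(csize);
    uint32_t limbs = limbs_unchecked_32(abs_csize);

    printf("size field from \"-e\\n\\n\": %ld bytes\n", (long)csize);
    printf("unchecked 32-bit limb count: %lu (%lu bytes allocated for a %lu-byte fread)\n",
           (unsigned long)limbs, (unsigned long)limbs * 4, (unsigned long)abs_csize);
    printf("checked: %s\n",
           limbs_checked_32(abs_csize, sample_bytes_available()) ? "accepted" : "rejected");
    return 0;
}
```

The bytes "-e\n\n" decode to 761596426, the same n that appears in the gdb backtrace of the original report; on a 32-bit ABI the unchecked limb count yields a buffer of roughly 224 MB for a read of roughly 761 MB, which is the mismatch behind the SIGSEGV, while on a 64-bit ABI the multiplication does not wrap and fread simply comes up short. The checked variant refuses the header on both grounds: the byte count is too large to convert to bits, and the file holds only 47 more bytes.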


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Vincent Lefevre
On 2021-09-15 17:05:42 +0200, Paul Zimmermann wrote:
> Sorry, the test_dummy2.save is attached. It was generated by (under /bin/sh,
> not /bin/bash):
> 
> echo -e "\n\r\n\r# this is a comment line and should be ignored" > test_dummy2.save

I can reproduce the segfault only with a 32-bit ABI.

read(3, "-e \n\r\n\r# this is a comment line "..., 4096) = 54
mmap2(NULL, 224735232, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xea604000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xca604012} ---

If I understand correctly, the read system call comes from the initial
fread() to get the size, and the mmap2 comes from the allocation.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Paul Zimmermann
Sorry, the test_dummy2.save is attached. It was generated by (under /bin/sh,
not /bin/bash):

echo -e "\n\r\n\r# this is a comment line and should be ignored" > test_dummy2.save

Paul

test_dummy2.save
Description: Binary data


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Vincent Lefevre
On 2021-09-15 16:13:55 +0200, Torbjorn Granlund wrote:
> I tried to reproduce this on several systems.  I failed; mpz_inp_raw
> returns 0 for me as it should.
> 
> I cannot be sure I got test_dummy2.save right.  I did include the line
> that asked to be ignored.  Should I have ignored it?  I added LF at each
> apparent line end, including the ignore line.

You may need a bigger file, as shown by strace output:

openat(AT_FDCWD, "test_dummy2.save", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=51, ...}) = 0
read(3, "-e\n\n# this is a comment line and"..., 4096) = 51
mmap(NULL, 761597952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f267cd4a000
read(3, "", 761593856)  = 0

i.e. if there is any issue in GMP, the test_dummy2.save file is too
small as nothing is read from read(3, "", 761593856).

Paul should give more details.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Torbjörn Granlund
I tried to reproduce this on several systems.  I failed; mpz_inp_raw
returns 0 for me as it should.

I cannot be sure I got test_dummy2.save right.  I did include the line
that asked to be ignored.  Should I have ignored it?  I added LF at each
apparent line end, including the ignore line.

-- 
Torbjörn
Please encrypt, key id 0xC8601622


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Paul Zimmermann
> OK, so you deliberately send junk to mpz_inp_raw.  That is fine, but it
> was not clear from your report.

it was not completely deliberate. The long story is that I tested "make check"
of GMP-ECM on gcc45 with some recent merge request, and with /bin/sh the
command echo -e "..." > xxx did put the '-e' into the file xxx, which produced
the reported Seg fault.

Paul



Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Torbjörn Granlund
Paul Zimmermann  writes:

  I was thus expecting it to return 0 in case of an invalid file.

OK, so you deliberately send junk to mpz_inp_raw.  That is fine, but it
was not clear from your report.

-- 
Torbjörn
Please encrypt, key id 0xC8601622


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Paul Zimmermann
   Dear Torbjörn,

>   $ cat test_dummy2.save
>   -e
> 
>   # this is a comment line and should be ignored
> 
> You do understand that mpz_inp_raw expects a binary file with a size
> field followed by that many bytes of data, don't you?
> 
> The file contents above make no sense.

the documentation says:

 -- Function: size_t mpz_inp_raw (mpz_t ROP, FILE *STREAM)
 Input from stdio stream STREAM in the format written by
 'mpz_out_raw', and put the result in ROP.  Return the number of
 bytes read, or if an error occurred, return 0.

I was thus expecting it to return 0 in case of an invalid file.

Paul


Re: Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Torbjörn Granlund
Paul Zimmermann  writes:

  $ cat test_dummy2.save
  -e

  # this is a comment line and should be ignored

You do understand that mpz_inp_raw expects a binary file with a size
field followed by that many bytes of data, don't you?

The file contents above make no sense.

-- 
Torbjörn
Please encrypt, key id 0xC8601622


Segmentation fault with mpz_inp_raw on gcc45

2021-09-15 Thread Paul Zimmermann
   Hi,

with gmp-6.2.1 and the following program:

zimmerma@gcc45:~/ecm$ cat test.c
#include <stdio.h>
#include <stdlib.h>
#include <gmp.h>

int
main (void)
{
  mpz_t s;
  FILE *file;
  size_t ret;

  mpz_init (s);
  file = fopen ("test_dummy2.save", "rb");
  if (file == NULL)
    return 1;
  /* reads the 4-byte size field, allocates, then freads that many bytes */
  ret = mpz_inp_raw (s, file);
  printf ("mpz_inp_raw returned %zu\n", ret);
  fclose (file);
  mpz_clear (s);
  return 0;
}

I get a Segmentation fault on gcc45 with the following file:

$ cat test_dummy2.save
-e

# this is a comment line and should be ignored

gdb says:

Program received signal SIGSEGV, Segmentation fault.
__mempcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../mempcpy.S:50
50  ../sysdeps/i386/i686/multiarch/../mempcpy.S: No such file or directory.
(gdb) where
#0  __mempcpy_ia32 () at ../sysdeps/i386/i686/multiarch/../mempcpy.S:50
#1  0xb7e72388 in __GI__IO_file_xsgetn (fp=0x804a008, data=0x8a7b200a, 
n=761596426) at fileops.c:1388
#2  0xb7e74138 in __GI__IO_sgetn (fp=fp@entry=0x804a008, 
data=data@entry=0x8a7b200a, n=n@entry=761596426) at genops.c:495
#3  0xb7e67a19 in __GI__IO_fread (buf=0x8a7b200a, size=761596426, count=1, 
fp=0x804a008) at iofread.c:42
#4  0x080486f4 in __gmpz_inp_raw ()
#5  0x08048602 in main () at test.c:12

I suspect the issue is due to "-e" in the first line, since there is no error
if I remove that line.

Paul