Package: libc6 Version: 2.7-18 I have found that getservbyname() can corrupt the caller's stack when looking up information in NIS.
Given the following simple program: #include <stdio.h> #include <netdb.h> int main(void) { char **a; struct servent *entry = getservbyname("afsprot", NULL); if (entry == NULL) { printf("No entry found for afsprot\n"); return 1; } printf("Service: %s\n\tPort: %d/%s\n", entry->s_name, ntohs(entry->s_port), entry->s_proto); if (entry->s_aliases && *(entry->s_aliases)) { printf("\tAliases:"); for (a=entry->s_aliases; *a; a++) { printf(" %s", *a); } } return 0; } and a line service: db files nis in /etc/nsswitch.conf, I get the valgrind errors in the first attachment (valgrind.out). An affected application is aklog (from the openafs-krb5 package; I'm building an OpenAFS 1.4.8 version of that package). In this case, the program segfaults with a very similar valgrind trace (aklog.out). It terminates successfully if I invoke aklog with the -noprdb option, which bypasses the getservbyname() call. That the stack is smashed can also be verified in gdb. This kept me from getting a backtrace from gdb. An strace, however, confirms that the crash occurs in getservbyname() code.
==32343== Memcheck, a memory error detector. ==32343== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al. ==32343== Using LibVEX rev 1854, a library for dynamic binary translation. ==32343== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP. ==32343== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework. ==32343== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al. ==32343== For more details, rerun with: -v ==32343== ==32343== Invalid read of size 4 ==32343== at 0x4015847: (within /lib/ld-2.7.so) ==32343== by 0x4153131: (within /lib/i686/cmov/libc-2.7.so) ==32343== by 0x400DA15: (within /lib/ld-2.7.so) ==32343== by 0x41532F4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412B6DF: __nss_lookup_function (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412B7CF: (within /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412D565: __nss_services_lookup (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x4133D98: getservbyname_r (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x4133AFD: getservbyname (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x8048429: main (in /home/gelato/src/experiments/AFS/a.out) ==32343== Address 0x419532c is 44 bytes inside a block of size 46 alloc'd ==32343== at 0x4022D6E: malloc (vg_replace_malloc.c:207) ==32343== by 0x400DB23: (within /lib/ld-2.7.so) ==32343== by 0x4008555: (within /lib/ld-2.7.so) ==32343== by 0x4011B46: (within /lib/ld-2.7.so) ==32343== by 0x400DA15: (within /lib/ld-2.7.so) ==32343== by 0x401154D: (within /lib/ld-2.7.so) ==32343== by 0x4153131: (within /lib/i686/cmov/libc-2.7.so) ==32343== by 0x400DA15: (within /lib/ld-2.7.so) ==32343== by 0x41532F4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412B6DF: __nss_lookup_function (in /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412B7CF: (within /lib/i686/cmov/libc-2.7.so) ==32343== by 0x412D565: __nss_services_lookup (in /lib/i686/cmov/libc-2.7.so) Service: afsprot Port: 7002/udp ==32343== ==32343== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 34 from 3) ==32343== malloc/free: in use at exit: 0 bytes in 0 blocks. ==32343== malloc/free: 74 allocs, 74 frees, 24,186 bytes allocated. ==32343== For counts of detected errors, rerun with: -v ==32343== All heap blocks were freed -- no leaks are possible.
==32333== Memcheck, a memory error detector. ==32333== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al. ==32333== Using LibVEX rev 1854, a library for dynamic binary translation. ==32333== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP. ==32333== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation framework. ==32333== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al. ==32333== For more details, rerun with: -v ==32333== ==32333== Invalid read of size 4 ==32333== at 0x4015847: (within /lib/ld-2.7.so) ==32333== by 0x422A131: (within /lib/i686/cmov/libc-2.7.so) ==32333== by 0x400DA15: (within /lib/ld-2.7.so) ==32333== by 0x422A2F4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x42026DF: __nss_lookup_function (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x42027CF: (within /lib/i686/cmov/libc-2.7.so) ==32333== by 0x4204565: __nss_services_lookup (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x420AD98: getservbyname_r (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x420AAFD: getservbyname (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x80590FB: (within /usr/bin/aklog) ==32333== by 0x8059721: (within /usr/bin/aklog) ==32333== by 0x804DCD5: (within /usr/bin/aklog) ==32333== Address 0x42d775c is 44 bytes inside a block of size 46 alloc'd ==32333== at 0x4022D6E: malloc (vg_replace_malloc.c:207) ==32333== by 0x400DB23: (within /lib/ld-2.7.so) ==32333== by 0x4008555: (within /lib/ld-2.7.so) ==32333== by 0x4011B46: (within /lib/ld-2.7.so) ==32333== by 0x400DA15: (within /lib/ld-2.7.so) ==32333== by 0x401154D: (within /lib/ld-2.7.so) ==32333== by 0x422A131: (within /lib/i686/cmov/libc-2.7.so) ==32333== by 0x400DA15: (within /lib/ld-2.7.so) ==32333== by 0x422A2F4: __libc_dlopen_mode (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x42026DF: __nss_lookup_function (in /lib/i686/cmov/libc-2.7.so) ==32333== by 0x42027CF: (within /lib/i686/cmov/libc-2.7.so) ==32333== by 0x4204565: __nss_services_lookup (in /lib/i686/cmov/libc-2.7.so) ==32333== Warning: client switching stacks? SP change: 0xBEABFB4C --> 0x4D08186C ==32333== to suppress, use: --max-stackframe=1906565856 or greater ==32333== ==32333== Process terminating with default action of signal 11 (SIGSEGV) ==32333== Access not within mapped region at address 0x4D081868 ==32333== at 0x8075C6B: (within /usr/bin/aklog) ==32333== ==32333== Process terminating with default action of signal 11 (SIGSEGV) ==32333== Access not within mapped region at address 0x4D081864 ==32333== at 0x401D200: _vgnU_freeres (vg_preloaded.c:56) ==32333== ==32333== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 50 from 3) ==32333== malloc/free: in use at exit: 336,444 bytes in 579 blocks. ==32333== malloc/free: 817 allocs, 238 frees, 486,062 bytes allocated. ==32333== For counts of detected errors, rerun with: -v ==32333== searching for pointers to 579 not-freed blocks. ==32333== checked 626,900 bytes. ==32333== ==32333== LEAK SUMMARY: ==32333== definitely lost: 79 bytes in 5 blocks. ==32333== possibly lost: 0 bytes in 0 blocks. ==32333== still reachable: 336,365 bytes in 574 blocks. ==32333== suppressed: 0 bytes in 0 blocks. ==32333== Rerun with --leak-check=full to see details of leaked memory.