Package: mount
Version: 2.19.1-4
Severity: normal

mount seg faults when mounting /lib/init/rw as follows:

$ mount -n -t tmpfs -o nosuid,size=5242880,mode=755 tmpfs /lib/init/rw

mount[27577]: segfault at b79000 ip 00007f63c842eb20 sp 00007fff63d5f998 error 6 in libc-2.13.so[7f63c83b4000+17a000]

A backtrace and valgrind output are included below.

I tracked it down to try_mount_one which starts out by setting

    mount_opts = extra_opts;

If SELinux is enabled, it then calls

    append_context(..., &mount_opts);

append_context reallocates mount_opts, so extra_opts now points to an
invalid location. But try_mount_opts goes on to pass extra_opts to
fix_opts_string.

backtrace:

#0  strcat () at ../sysdeps/x86_64/strcat.S:218
#1  0x000000000040b9c4 in xstrconcat3 (
    s=0x618940 "rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,"..., t=0x40f6f4 ",",
    u=0x618940 "rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,"...)
    at sundries.c:58
#2  0x00000000004049cd in fix_opts_string (flags=0,
    extra_opts=0x618940 "rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,rw,nosuid,"..., user=0x0) at mount.c:619
#3  0x0000000000405fa7 in try_mount_one (spec0=0x618860 "tmpfs",
    node0=0x7fffffffe935 "/lib/init/rw", types0=0x7fffffffe909 "tmpfs",
    opts0=0x618830 "nosuid,size=5242880,mode=755", ro=0, pass=0, freq=0)
    at mount.c:1635
#4  0x00000000004079a6 in mount_one (spec=0x618860 "tmpfs",
    node=0x7fffffffe935 "/lib/init/rw", types=<value optimized out>,
    fstabopts=<value optimized out>,
    cmdlineopts=0x618800 "nosuid,size=5242880,mode=755", pass=0, freq=0)
    at mount.c:2028
#5  0x0000000000403d85 in main (argc=<value optimized out>,
    argv=<value optimized out>) at mount.c:2671

valgrind output:

==27521== Memcheck, a memory error detector
==27521== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==27521== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==27521== Command: debian/mount/bin/mount -n -t tmpfs -o nosuid,size=5242880,mode=755 tmpfs /lib/init/rw
==27521==
==27521== Invalid read of size 1
==27521==    at 0x404994: fix_opts_string (mount.c:618)
==27521==    by 0x405FA6: try_mount_one.constprop.8 (mount.c:1635)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C28072: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B987: xstrconcat3 (sundries.c:45)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405FA6: try_mount_one.constprop.8 (mount.c:1635)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C28084: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B987: xstrconcat3 (sundries.c:45)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405FA6: try_mount_one.constprop.8 (mount.c:1635)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f1 is 1 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C27D89: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B9C3: xstrconcat3 (sundries.c:58)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405FA6: try_mount_one.constprop.8 (mount.c:1635)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C27DA2: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B9C3: xstrconcat3 (sundries.c:58)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405FA6: try_mount_one.constprop.8 (mount.c:1635)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f1 is 1 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x404994: fix_opts_string (mount.c:618)
==27521==    by 0x405D1E: try_mount_one.constprop.8 (mount.c:1679)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C28072: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B987: xstrconcat3 (sundries.c:45)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405D1E: try_mount_one.constprop.8 (mount.c:1679)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C28084: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B987: xstrconcat3 (sundries.c:45)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405D1E: try_mount_one.constprop.8 (mount.c:1679)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f1 is 1 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C27D89: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B9C3: xstrconcat3 (sundries.c:58)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405D1E: try_mount_one.constprop.8 (mount.c:1679)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid read of size 1
==27521==    at 0x4C27DA2: strcat (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40B9C3: xstrconcat3 (sundries.c:58)
==27521==    by 0x4049CC: fix_opts_string (mount.c:619)
==27521==    by 0x405D1E: try_mount_one.constprop.8 (mount.c:1679)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f1 is 1 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521== Invalid free() / delete / delete[]
==27521==    at 0x4C268FE: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x405BFE: try_mount_one.constprop.8 (mount.c:1939)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==  Address 0x5e585f0 is 0 bytes inside a block of size 22 free'd
==27521==    at 0x4C27882: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==27521==    by 0x40C288: xrealloc (xmalloc.c:31)
==27521==    by 0x40B9A0: xstrconcat3 (sundries.c:54)
==27521==    by 0x40504C: append_context (mount.c:410)
==27521==    by 0x407192: try_mount_one.constprop.8 (mount.c:1619)
==27521==    by 0x4079A5: mount_one.constprop.5 (mount.c:2028)
==27521==    by 0x403D84: main (mount.c:2671)
==27521==
==27521==
==27521== HEAP SUMMARY:
==27521==     in use at exit: 2,015 bytes in 25 blocks
==27521==   total heap usage: 99 allocs, 75 frees, 15,500 bytes allocated
==27521==
==27521== LEAK SUMMARY:
==27521==    definitely lost: 171 bytes in 3 blocks
==27521==    indirectly lost: 1,671 bytes in 16 blocks
==27521==      possibly lost: 0 bytes in 0 blocks
==27521==    still reachable: 173 bytes in 6 blocks
==27521==         suppressed: 0 bytes in 0 blocks
==27521== Rerun with --leak-check=full to see details of leaked memory
==27521==
==27521== For counts of detected and suppressed errors, rerun with: -v
==27521== ERROR SUMMARY: 91 errors from 11 contexts (suppressed: 4 from 4)

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mount depends on:
ii  libblkid1    2.19.1-4    block device id library
ii  libc6        2.13-10     Embedded GNU C Library: Shared lib
ii  libmount1    2.19.1-4    block device id library
ii  libselinux1  2.0.98-1.1  SELinux runtime shared libraries
ii  libsepol1    2.0.42-1    SELinux library for manipulating b

mount recommends no packages.

Versions of packages mount suggests:
pn  nfs-common   <none>      (no description available)

-- no debconf information
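
The aliasing pattern described in the report, reduced to a self-contained C sketch. This is an added example, not code from util-linux or from the reporter: dup_str, append_opt, alias_goes_stale, build_opts and the "context=..." strings are hypothetical stand-ins, and append_opt always moves the buffer so that the relocation realloc() may perform happens on every call.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Hypothetical stand-in for the append_context() -> xstrconcat3() step. It
 * always moves the string to a new block, which realloc() is free to do. */
static int append_opt(char **opts, const char *extra)
{
    size_t old = strlen(*opts), add = strlen(extra);
    char *p = malloc(old + add + 2);            /* room for ',' and NUL */
    if (p == NULL) return -1;
    memcpy(p, *opts, old);
    p[old] = ',';
    memcpy(p + old + 1, extra, add + 1);
    free(*opts);                                /* old block is released */
    *opts = p;
    return 0;
}

/* Returns 1 if a pointer copied before the append would now dangle. Only
 * saved integer addresses are compared; the stale pointer is never used. */
int alias_goes_stale(const char *user_opts, const char *context)
{
    char *extra_opts = dup_str(user_opts);
    if (extra_opts == NULL) return -1;
    char *mount_opts = extra_opts;              /* alias, as in the report */
    uintptr_t before = (uintptr_t)extra_opts;
    if (append_opt(&mount_opts, context) != 0) { free(extra_opts); return -1; }
    int stale = (uintptr_t)mount_opts != before;
    free(mount_opts);                           /* free the live pointer only */
    return stale;
}

/* Corrected shape: one owning pointer, passed by address, re-read after. */
char *build_opts(const char *user_opts, const char *context)
{
    char *opts = dup_str(user_opts);
    if (opts && context && append_opt(&opts, context) != 0) {
        free(opts);
        return NULL;
    }
    return opts;                                /* caller frees */
}
/* Exit status 0 when the pre-append alias went stale (constructed input). */
int main(void) { return alias_goes_stale("nosuid", "context=x") == 1 ? 0 : 1; }
```

Building the real code path with -fsanitize=address reports the same class of error at the first stale read, without needing valgrind.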