Debian Bug report logs - #613803
bash: Please use system-provided malloc() implementation rather than internal one

Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash.

Reported by: Karol Lewandowski <k.lewandowsk@samsung.com>

Date: Thu, 17 Feb 2011 11:45:02 UTC

Severity: normal

Found in version bash/4.1-3

Fixed in version 4.2-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#613803; Package bash. (Thu, 17 Feb 2011 11:45:04 GMT)

Acknowledgement sent to Karol Lewandowski <k.lewandowsk@samsung.com>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (Thu, 17 Feb 2011 11:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Karol Lewandowski <k.lewandowsk@samsung.com>
To: submit@bugs.debian.org
Subject: bash: Please use system-provided malloc() implementation rather than internal one
Date: Thu, 17 Feb 2011 12:31:32 +0100
Package: bash
Version: 4.1-3
Severity: normal

Bash uses its own malloc implementation for unknown reasons (at least to 
me).

This implementation dates back to 4.2BSD (according to INSTALL) and
uses brk() which seems to be an obsoleted interface.

In our complicated test scenario involving

  make -> scratchbox2 -> bash

we have encountered a situation when brk(), as used by bash's malloc,
fails causing SIGSEGV in bash.


Reading through strace(1) output I've come to the following pattern
causing failure:

 0. Kernel's ASLR has to be disabled (kernel.randomize_va_space=0).
    This setting directly affects addresses as returned from kernel's
    mmap(2) system call (this is the root of the problem).

    With ASLR enabled it also happens but the bug isn't that evident
    (it's non-deterministic).


 1. Dynamic linker is run and loads all required libraries - dl uses
    mmap(2) to allocate required memory. mmap(2) from kernel returns
    addresses that are just one page after original program break, i.e.

      dl_mem = (uintptr_t)(sbrk(0) + getpagesize()) & ~(getpagesize() - 1)

 2. Bash is finally run and tries to allocate memory using brk(addr)

    This fails as memory above program break was already allocated by
    dynamic linker (see 2).

Please see (filtered) strace output below.

Solution seems rather simple - configure bash with --without-bash-malloc 
to use system/glibc-provided malloc.  From our testing this seems to fix 
this issue.

Thanks!

5328  execve("/home/lmctl/sbs/tools/lib/ld-linux.so.2", 
["/home/lmctl/sbs/tools/lib/ld-lin"..., "--rpath-prefix", 
"/home/lmctl/sbs/tools", "--nodefaultdirs", "--argv0", "/bin/bash", 
"/home/lmctl/sbs/tools/bin/bash", "-c", "echo bug"], [/* 68 vars */]) = 0
5328  brk(0)                            = 0x55573000
5328  open("/home/lmctl/sbs/tools/bin/bash", O_RDONLY) = 3
5328  read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0P!\6\0104\0\0\0"..., 
512) = 512
5328  fstat64(3, {st_mode=S_IFREG|0755, st_size=811156, ...}) = 0
5328  mmap2(0x8048000, 794624, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x8048000
5328  mmap2(0x810a000, 20480, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc1) = 0x810a000
5328  mmap2(0x810f000, 19052, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x810f000
5328  close(3)                          = 0
5328  access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or 
directory)
5328  mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 
-1, 0) = 0x55574000

[*] Please note the return address - it's just one page after sbrk(0).

....
5328  open("/home/lmctl/sbs/tools/usr/lib/libsb2/libsb2.so.1", O_RDONLY) = 3
5328  read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`I\0\0004\0\0\0"..., 
512) = 512
5328  fstat64(3, {st_mode=S_IFREG|0644, st_size=360644, ...}) = 0
5328  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 
-1, 0) = 0x55576000
5328  mmap2(NULL, 364308, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x55577000
5328  mmap2(0x555ce000, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x57) = 0x555ce000
5328  mmap2(0x555cf000, 3860, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x555cf000
5328  close(3)                          = 0
5328  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or 
directory)
5328  open("/home/lmctl/sbs/tools/usr/lib/libsb2/libncurses.so.5", 
O_RDONLY) = -1 ENOENT (No such file or directory)


5328  open("/home/lmctl/sbs/tools/lib/libdl.so.2", O_RDONLY) = 3
5328  read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\0004\0\0\0"..., 
512) = 512
5328  fstat64(3, {st_mode=S_IFREG|0644, st_size=9736, ...}) = 0
5328  mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 
3, 0) = 0x5560a000
5328  mmap2(0x5560c000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x5560c000
5328  close(3)                          = 0
5328  open("/home/lmctl/sbs/tools/usr/lib/libsb2/libc.so.6", O_RDONLY) = 
-1 ENOENT (No such file or directory)
5328 
open("/home/lmctl/sbs/tools/home/lmctl/sbs-install/lib/libsb2/libc.so.6", O_RDONLY) 
= -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/local/lib/libc.so.6", O_RDONLY) = 
-1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/lib/libfakeroot/libc.so.6", 
O_RDONLY) = -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/lib64/libfakeroot/libc.so.6", 
O_RDONLY) = -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/lib/libc.so.6", O_RDONLY) = 3
5328  read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320m\1\0004\0\0\0"..., 
512) = 512
5328  fstat64(3, {st_mode=S_IFREG|0755, st_size=1315080, ...}) = 0
5328  mmap2(NULL, 1321288, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x5560e000
5328  mmap2(0x5574b000, 12288, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13d) = 0x5574b000
5328  mmap2(0x5574e000, 10568, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x5574e000
5328  close(3)                          = 0
5328  open("/home/lmctl/sbs/tools/usr/lib/libsb2/libm.so.6", O_RDONLY) = 
-1 ENOENT (No such file or directory)
5328 
open("/home/lmctl/sbs/tools/home/lmctl/sbs-install/lib/libsb2/libm.so.6", O_RDONLY) 
= -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/local/lib/libm.so.6", O_RDONLY) = 
-1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/lib/libfakeroot/libm.so.6", 
O_RDONLY) = -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/usr/lib64/libfakeroot/libm.so.6", 
O_RDONLY) = -1 ENOENT (No such file or directory)
5328  open("/home/lmctl/sbs/tools/lib/libm.so.6", O_RDONLY) = 3
5328  read(3, 
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`4\0\0004\0\0\0"..., 
512) = 512
5328  fstat64(3, {st_mode=S_IFREG|0644, st_size=149392, ...}) = 0
5328  mmap2(NULL, 151680, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x55751000
5328  mmap2(0x55775000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x23) = 0x55775000
5328  close(3)                          = 0
5328  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 
-1, 0) = 0x55777000
5328  mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 
-1, 0) = 0x55778000
5328  set_thread_area(0xffffd03c)       = 0
5328  mprotect(0x55775000, 4096, PROT_READ) = 0
5328  mprotect(0x5574b000, 8192, PROT_READ) = 0
5328  mprotect(0x5560c000, 4096, PROT_READ) = 0
5328  mprotect(0x55571000, 4096, PROT_READ) = 0
5328  brk(0)                            = 0x55573000
5328  brk(0x55574000)                   = 0x55573000

brk() fails as 0x55574000 was already mmapped - see above [*].


5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  gettimeofday({1297869657, 380116}, NULL) = 0
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  brk(0x55574000)                   = 0x55573000
5328  --- SIGSEGV (Segmentation fault) @ 0 (0) ---




-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files                6.0            Debian base system miscellaneous f
ii  dash                      0.5.5.1-7.4    POSIX-compliant shell
ii  debianutils               3.4            Miscellaneous utilities specific t
ii  libc6                     2.11.2-10      Embedded GNU C Library: Shared lib
ii  libncurses5               5.7+20100313-5 shared libraries for terminal hand

Versions of packages bash recommends:
ii  bash-completion               1:1.2-3    programmable completion for the ba

Versions of packages bash suggests:
pn  bash-doc                      <none>     (no description available)

-- no debconf information

-- 
Karol Lewandowski | Samsung Poland R&D Center | Linux/Platform
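
The failure pattern described in the report above can be reproduced inside a single Linux process. This is an added example, not part of the original bug report or of bash; the function names are illustrative, and the PROT_NONE mapping is an assumed stand-in for the dynamic linker's mmap2() call seen in the trace.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to move the program break up by `bytes`; undo the move on success.
 * Returns 0 on success or the errno set by sbrk() on failure. */
static int try_grow_break(long bytes)
{
    errno = 0;
    if (sbrk(bytes) == (void *)-1)
        return errno;
    sbrk(-bytes);
    return 0;
}

/* Returns 1 if a mapping just above the break made growth fail with ENOMEM
 * and growth worked again once it was unmapped, 0 if that did not happen,
 * -1 if the kernel would not place the mapping at the requested address. */
int brk_blocked_by_adjacent_mapping(void)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t brk_now = (uintptr_t)sbrk(0);
    /* Same address the report computes: first page boundary above the break. */
    uintptr_t hint = (brk_now + (uintptr_t)page) & ~((uintptr_t)page - 1);

    /* Stand-in for the dynamic linker's early anonymous mmap2() call. */
    void *blocker = mmap((void *)hint, (size_t)page, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (blocker == MAP_FAILED)
        return -1;
    if ((uintptr_t)blocker != hint) {   /* hint not honoured: nothing to show */
        munmap(blocker, (size_t)page);
        return -1;
    }
    int blocked = try_grow_break(2 * page);   /* brk() cannot cross the mapping */
    munmap(blocker, (size_t)page);
    int after = try_grow_break(2 * page);     /* control: path is clear again */
    return (blocked == ENOMEM && after == 0) ? 1 : 0;
}

int main(void)
{
    printf("brk blocked by adjacent mapping: %d\n",
           brk_blocked_by_adjacent_mapping());
    return 0;
}
```

An allocator that relies only on brk()/sbrk() has no fallback when this happens, whereas glibc's malloc switches to mmap() for further memory.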




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#613803; Package bash. (Sat, 30 Apr 2011 18:09:03 GMT)

Acknowledgement sent to javier--rdyaU8j5fHxshlsZPQiwHglzyYC0zy@jasp.net:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Sat, 30 Apr 2011 18:09:03 GMT)

Message #10 received at 613803@bugs.debian.org:

From: Javier Serrano Polo <javier@jasp.net>
To: Karol Lewandowski <k.lewandowsk@samsung.com>
Cc: 613803@bugs.debian.org
Subject: Re: bash: Please use system-provided malloc() implementation rather than internal one
Date: Sat, 30 Apr 2011 19:41:54 +0200
> Bash uses its own malloc implementation for unknown reasons (at least
> to me).

Performance in some environments.

> This implementation dates back to 4.2BSD (according to INSTALL) and
> uses brk() which seems to be obsoleted interface.

It is obsolete and not portable (man sbrk). Custom allocators should be
based on malloc.

> we have encountered a situation when brk(), as used by bash's malloc,
> fails causing SIGSEGV in bash.

The segfault is likely in libc (locale/findlocale.c) because it doesn't
expect to run out of memory at the beginning of the program.

Some other environments require --without-bash-malloc.

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#613803; Package bash. (Fri, 23 Sep 2011 20:27:03 GMT)

Acknowledgement sent to Eero Tamminen <eerott@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (Fri, 23 Sep 2011 20:27:03 GMT)

Message #15 received at 613803@bugs.debian.org:

From: Eero Tamminen <eerott@gmail.com>
To: 613803@bugs.debian.org
Subject: bash: Please use system-provided malloc() implementation rather than internal one
Date: Fri, 23 Sep 2011 23:22:34 +0300
> Performance in some environments.

In Debian?  Bash is an interactive shell, not something performance critical...




Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Wed, 30 Nov 2011 11:42:04 GMT)

Notification sent to Karol Lewandowski <k.lewandowsk@samsung.com>:
Bug acknowledged by developer. (Wed, 30 Nov 2011 11:42:08 GMT)

Message #20 received at 613803-done@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: Karol Lewandowski <k.lewandowsk@samsung.com>, 613803-done@bugs.debian.org
Subject: Re: Bug#613803: bash: Please use system-provided malloc() implementation rather than internal one
Date: Wed, 30 Nov 2011 12:38:11 +0100
Version: 4.2-1





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Jan 2012 07:31:52 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 12:59:25 2014; Machine Name: buxtehude.debian.org