[Gambas-user] [Fwd: Gambas3 Pointers example] signal #6

Demosthenes Koptsis demosthenesk at ...626...
Mon Jan 10 00:16:41 CET 2011


1) Ok, I found why this function is dangerous.
https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/760-BSI.html
"Since the user cannot specify the length of the buffer passed to
getwd(), use of this function is discouraged. The length of a pathname
described in {PATH_MAX} is file system-dependent and may vary from one
mount point to another, or might even be unlimited. It is possible to
overflow this buffer in such a way as to cause applications to fail or
possible system security violations."

But here I am making a test, not a real-life project.

2) So, I found in /usr/include/linux/limits.h
Line Number: 12
#define PATH_MAX        4096 /* # chars in a path name including nul */

Is this the value?

I tried this value in my example with no success; I make the mistake
somewhere else.

---------------
' Gambas module file
'char *getwd(char *buf);
Extern getwd(buf As Pointer) As Pointer In "libc:6"

Public Sub Main()

Dim pBuf As Pointer
Dim pFunc As Pointer
Dim sWorkingDirectory As String

'getwd
pBuf = Alloc(4096)
pFunc = Alloc(4096)

pFunc = getwd(pBuf)

sWorkingDirectory = Str@(pFunc)
Free(pFunc)
Free(pBuf)
Print sWorkingDirectory

End
---------------

signal #6

----------------
*** glibc detected *** Pointers5: double free or corruption (!prev):
0x0893f498 ***

----------------

I saw that the first line says
*** glibc detected *** Pointers5: double free or corruption (!prev)

and I commented out one of the Free() calls.

Now I get
--------------
gbx3: warning: 1 allocation(s) non freed.

��m^@^@^@^@^@^@^@^@^@ocuments/Development/Gambas3/Pointers5
--------------

But no crash.

I played with the values of Alloc and I found that in my case 29 bytes
are OK, but only with one Free(); otherwise I get signal #11.

Is there a bug with
 Free(pBuf)
 Free(pFunc)
?

3) On the other hand, I have a general question.
How to deal with char* pointers when their length is not known?

4) For example I try to use
'char *get_current_dir_name(void);
Extern get_current_dir_name() As Pointer In "libc:6"

Again with no success.

The manual says:
get_current_dir_name() will malloc(3) an array big enough to hold the
absolute pathname of the current working directory.

In my example:

---------------------
' Gambas module file
'char *get_current_dir_name(void);
Extern get_current_dir_name() As Pointer In "libc:6"

Public Sub Main()

Dim pFunc As Pointer
Dim sWorkingDirectory As String

'get_current_dir_name
pFunc = Alloc(4096)

pFunc = get_current_dir_name()

sWorkingDirectory = Str@(pFunc)
' Free(pFunc)
Print sWorkingDirectory

End
---------------------

If I use
Free(pFunc)

I get signal #11.

gambas3-svn3418, ubuntu 10.04


On Sun, 2011-01-09 at 21:37 +0100, Benoît Minisini wrote: 
> > so what can i do for
> > 
> > char *getwd(char *buf);
> > 
> > ?
> > 
> 
> You must know C programming first, and understand how getwd works. By typing 
> 'man getwd', you will learn that you must not use that function, it is 
> dangerous and so deprecated.
> 
> Then you will read that buf must be a pointer to a memory allocation of 
> PATH_MAX bytes. You must find the value of this constant inside the standard C 
> header files.
> 
> SizeOf(gb.String) is 4 (on 32 bits system). It is the number of bytes used by 
> Gambas to store a pointer to a Gambas string. This is the reason why you get a 
> crash.
> 
> Regards,
> 

-- 
Regards,
Demosthenes
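The two ownership patterns behind questions 1 to 4 above, shown in plain C as an added example (not code from this thread or from Gambas). It swaps in getcwd() for the deprecated getwd() because getcwd() takes the buffer length the BSI text says getwd() lacks; the helper names cwd_into_buffer, cwd_malloced and bounded_len are this example's own. Two points a practitioner wants to see: the pointer getcwd() returns is the buffer it was given, so there is one allocation and one free(); get_current_dir_name() malloc()s its result, so that pointer is released once with libc free(), not with a different allocator.

```c
#define _GNU_SOURCE            /* needed to declare get_current_dir_name() */
#include <limits.h>            /* PATH_MAX, the same constant as in limits.h above */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern 1: caller-owned buffer. getcwd() writes at most len bytes into
 * buf and returns buf itself, or NULL (errno ERANGE) if len is too small.
 * Returns 1 on success and reports whether the result aliases buf, which
 * is why freeing both "pBuf" and "pFunc" in the Gambas code is a double free. */
int cwd_into_buffer(char *buf, size_t len, int *aliases)
{
    char *ret = getcwd(buf, len);
    if (ret == NULL)
        return 0;              /* bounded failure instead of an overflow */
    *aliases = (ret == buf);
    return 1;
}

/* Pattern 2: callee-owned buffer. The returned pointer was malloc()ed by
 * libc, so the caller must pass it to libc free() exactly once. */
char *cwd_malloced(void)
{
    return get_current_dir_name();
}

/* Length of a NUL-terminated string behind a foreign char* whose size is
 * unknown: strnlen() stops at max, so a missing terminator cannot run past
 * the largest allocation we are prepared to trust. */
size_t bounded_len(const char *p, size_t max)
{
    return strnlen(p, max);
}

int main(void)
{
    char *buf = malloc(PATH_MAX);      /* one allocation ... */
    int aliases = 0;
    if (buf != NULL && cwd_into_buffer(buf, PATH_MAX, &aliases))
        printf("getcwd -> %s (returned pointer == buf: %d)\n", buf, aliases);
    free(buf);                          /* ... one free, never a second one */

    char *dir = cwd_malloced();
    if (dir != NULL) {
        printf("get_current_dir_name -> %s (%zu bytes)\n",
               dir, bounded_len(dir, PATH_MAX));
        free(dir);                      /* libc free() for a libc malloc() */
    }
    return 0;
}
```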